Verdict: MALICIOUS
Risk Score: 322
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains obfuscated VBA macros with an AutoOpen entry point, indicating it's designed to execute automatically when the document is opened. The 'Shell()' call within the VBA code is a critical indicator of malicious intent, likely used to download and execute a secondary payload. The document body explicitly instructs the user to 'Enable Content', a common social engineering tactic to bypass macro security.
Heuristics (9)
- ClamAV: Doc.Malware.Generic-6923090-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6923090-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 149418 bytes |

SHA-256: 92026ac5b34c677100066918ab33853530bab0200c813eea2604fa8f8562d04c

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Module1" ' f dft .dTEi.unF o bd ETSineI IEndnnFnoeu b ' eif.ufSbTetu o Tdnnfdb n. .ccEdFEu InuITucn n Edinn SeSIEEnn TnEttc F icn o unT Fendo Scd ' innn fE.nSSndo e T tuS nE be hicnenntSnn o.ntI.hnoiFidefuebnISd nde ' nuun FFddc.n nt .eccn tunid Fu b ncnh no ' o IIoTEoTIcSS hioSFehnhfFuSSonoc.EFitnu TnnSId I.n EeSuInuFSndS b FodIbubihd Snoi.SIEFn.nEubeES ' fcnn tbd du t EiEcuFn.EFcn TnIuEenFnIEn.tnS ictE STnTfhdS ' u SE uoiTnuEcnnn.Fu uEenoe eEbT ' nedt e fFuidn nStcn t Tn bId b nhuFunofh u n bbhn nhd inF dFd.uTIhIo ' bEh unS dfcSIo.tbtnFIFFnhe Ee doF hu.F n budFhu ub heIScbEfedoen c nEn ' eFT Ii Iuu tISe cutIen ocFEuon.b tScF f n nuhIun TFicSnn ' bIoFdcII fu.uhnno.nc.bdndthF un bT nbon uoiu .e.inne c ndhTETFnoSTeuo cEIn Fhfho Fhnn EcITioFdt n ' n.inu f F.he b InnbuIonce udnd n fd dnEInn.fn E EotI nnETbSt c nIuhEecIdo ' nfeTb bF ocnef du FTTic .u.IIue.FnhTn uTu euntnuSn SIndfc hTdnt uFeeboSTun ocFIn n n inTIi ' fTF.ndSIn Sb I unncchFnE I ouhconu.I ' c Iin dunIcoSe FoSnnoih u nnSt tFiuenntSIeFh. nnFcT cinenno TofTdTinF .un Ffe ' ode hfntf eEuinbnIEnubucnEFhEc EE Suc F on dinnnT nE.nn Fihe Fu.FcnunTnthuun TdTn nn n ne ' nfcibneTEdnndIn InIte EdE oc neT hit ie.f.nnnoec nnnn t n. ' fFT e unuFhFhnnEESnn iuiioiETuTdubufnfo u SEentFcti f n. uh idEnTn . 
nnhb c.bnenT ' n Enuen nd oFnc i.tSTu ouceiuncFiu ' Etnbtcn.TSIEEbnn nu bi fS o ' nhI tt F i nn Ef onnT ST Fdnu u.oTf.I uot Iounict Ehon oIhSofuIuofubT IiuubuTnfd.b E ' tu bSbnbtub nFineSTtihtub FSnFtFdScfTcoFndnT nnnbnnIFFh cndn nI i uFeTIeEcTbtd I ' cftEuidSc nffnf .ffn hIn n nnbTnFFt EtfooFdb S tiE nd FI ' u uucf.dih hh nfoEuh uE.udhi onhe ' .toe.fnFfeEdnt i nI iun FfEnenc.dncueueh IS.fTFtIo.ninI nnffthbif ceunFdbIf.F ' III.i TF .b cSnd c u nnn uouFIniI ctu TuftnIfhtEuSn EtnunnSn buninFFiucStnnhcIbe ' .TcIdnnci nn iSceue cn. b TdeintiFuTnibu ohTiuf. en ' Io InhIuuT eunbbT be h u ino T TnuttnSb d T ' .Fid Sc.dFSd oEuE ntfbFch.nn SSdno.E nS n i IdSn n ' bTn.utcn. nnTE f .. nI oTinhicnEo n bTFniccttSnnnfInT TS.dedni ' fuE nnfhEuInnnFh.binbeS Eh n binF cuT ncnfIib IFoftI e.iucnnfu E En ' u.unonbh bonondon.n bnSuuccn eShnF nd uunIebnIddf F tu nhtddIuhcTonh. ub.nf cEcune ' hfnuhdeiEdiE EuftdEh c fIEdt uudSb S on EunE fh uf Th.c. TnF eTnheF ntSuo.nS dE ' cuiSo nu nnoneSn IT bhTiT b Su ' dnT b.EhciEnnc nudeS ue.Fcth.cnen bnt nn hcEhI IF i F b ni SFneenbTEuIdnn ' todnIhdon bni hSEudht d b.tIhffnuffeThbuEn E .b dFS. ohdeciTf ncnToee tEnnu tn .e nnS hoeEc.f ' fFSbbufn un i uuoEnEdTfFuuTfnbnntb ohhben Ff.iEunob ESfb hFdTfn ft nS hbd .nFbfn IS tftn ' Sbnnfn n uncu In obodTuTdcbSieSnhnnFnn noc uTu. dbuu infFdcfe ETFnFdEdb TebInF tSdfnf ' in Itnu nuchT dcu funfTbFi nin.uF nfoueT uoIninh ' f fn u uuFnTbce ES IInffunnFh.dT neihfdnfEcudc T u nhFhuhFnoFE tndoi ' .T c hTuEth n Ece IfSnubFeS.FoSbIhunEbESnF ucfe it nnFtF.uennuSeu iTiT ebhi.und SuiIn ' btfnofFdhcfnTuTif .ufd TucFcS fuiE nnunu huI I nufohduudSb neT . nSnhbtnde ic cdEncc F n F ' i eS u .bd.no fSn n uF.F ud neibTIhn u I.bdF ie nnIFStdnn.boSnnbn ' F Ibinh fEndun Ffhd SufnnFdntnSeFF uuE iE.InE I e c ISef.nFIcnubSuuuonbS ' dubfeduEuoItidn uIno . FSn u ' nhdIunnTu u.oh nnnh Ff ch Sn ' .TIncfcu tFFooFhn nEbnoiS de .hcfFn Fhn Tf . 
n ' huInfnnIuci ISEh iT TEn idnS uteSn uFo tonFn ' TIecuEninh FonFitnenhouFd icE nnn ' fn en h.ETnS tnhoc EufI uo u ne TnuIdS. tn TnE udfu. c STutnoFnddftc t c nhhEbIuubnin Tf T.chnn ' F n c hI cnnniFE uuInnuTh Sn ncunn Enh inc I.Sfii tIFb TtS. oS ' EF eehbnI n Tn uIct ebE o.T FIndun Tn tncS .e ' ITooneEnhuun dIuubIT tfIFonnTot.hbti Suctd nFu Iu.t ' dc cF Su. bhT cnFcieb.honuunci nnE T.edeo ' te. . b uffnnnn dcnfbSnne ... (truncated)