MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'SE_ENABLE_LURE' heuristic indicates the document uses a common social engineering tactic to prompt the user to enable macros. The critical 'OLE_VBA_SHELL' heuristic confirms that the VBA code executes external commands. The ClamAV detection 'Doc.Downloader.Zyklon-6261557-1' further supports its malicious nature as a downloader. The VBA macro code, though truncated, contains Base64 encoding and appears to be designed to download and execute a second-stage payload.
Heuristics 9
-
ClamAV: Doc.Downloader.Zyklon-6261557-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Zyklon-6261557-1
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6085 bytes |
SHA-256: 99ce565ffa21b2b379e39d4c9fda72d4e9ec1184d55f953941aec2dc30f80f0d |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Private Function B64Enc(StrToEncode As String) As String
Static EncodeTable(0 To 63) As Byte
Dim K As Long, OutStr() As Byte, StrIn() As Byte, Lng As Long
If EncodeTable(0) = 0 Then
For K = 0 To 25
EncodeTable(K) = Asc("A") + K
Next K
For K = 0 To 25
EncodeTable(K + 26) = Asc("a") + K
Next K
For K = 0 To 9
EncodeTable(K + 52) = Asc("0") + K
Next K
EncodeTable(62) = Asc("+")
EncodeTable(63) = Asc("/")
End If
If StrToEncode = "" Then Exit Function
StrIn = StrConv(StrToEncode, vbFromUnicode)
If (Len(StrToEncode) Mod 3) = 0 Then
ReDim OutStr((Len(StrToEncode) \ 3) * 4 - 1)
Else
ReDim OutStr(((Len(StrToEncode) \ 3) + 1) * 4 - 1)
End If
For K = 0 To Len(StrToEncode) \ 3 - 1
Lng = StrIn(K * 3 + 2) Or (StrIn(K * 3 + 1) * &H100&) Or (StrIn(K * 3) * &H10000)
OutStr(K * 4 + 0) = EncodeTable((Lng And &HFC0000) \ &H40000)
OutStr(K * 4 + 1) = EncodeTable((Lng And &H3F000) \ &H1000&)
OutStr(K * 4 + 2) = EncodeTable((Lng And &HFC0&) \ &H40&)
OutStr(K * 4 + 3) = EncodeTable(Lng And &H3F&)
Next K
If (Len(StrToEncode) Mod 3) = 1 Then
Lng = StrIn(UBound(StrIn)) * &H10000
OutStr(UBound(OutStr) - 3) = EncodeTable((Lng And &HFC0000) \ &H40000)
OutStr(UBound(OutStr) - 2) = EncodeTable((Lng And &H3F000) \ &H1000&)
OutStr(UBound(OutStr) - 1) = Asc("=")
OutStr(UBound(OutStr) - 0) = Asc("=")
ElseIf (Len(StrToEncode) Mod 3) = 2 Then
Lng = (StrIn(UBound(StrIn)) * &H100&) Or (StrIn(UBound(StrIn) - 1) * &H10000)
OutStr(UBound(OutStr) - 3) = EncodeTable((Lng And &HFC0000) \ &H40000)
OutStr(UBound(OutStr) - 2) = EncodeTable((Lng And &H3F000) \ &H1000&)
OutStr(UBound(OutStr) - 1) = EncodeTable((Lng And &HFC0&) \ &H40&)
OutStr(UBound(OutStr) - 0) = Asc("=")
End If
B64Enc = StrConv(OutStr, vbUnicode)
End Function
Private Function B64Dec(StrToDecode As String, Optional CheckInvalidChars As Boolean = True) As String
Static DecodeTable(0 To 255) As Byte
Dim OutStr() As Byte, StrIn() As Byte
Dim K As Long, Lng As Long
If DecodeTable(0) = 0 Then
For K = 0 To 255
DecodeTable(K) = 255
Next K
For K = 0 To 25
DecodeTable(K + 65) = K
Next K
For K = 26 To 51
DecodeTable(K + 71) = K
Next K
For K = 52 To 61
DecodeTable(K - 4) = K
Next K
DecodeTable(43) = 62
DecodeTable(47) = 63
End If
If StrToDecode = "" Then Exit Function
StrToDecode = Trim(StrToDecode)
If CheckInvalidChars Then
For K = 0 To 255
If Not (Chr(K) Like "[A-Za-z0-9+/=]") Then
StrToDecode = Replace(StrToDecode, Chr(K), "")
End If
Next K
End If
StrIn() = StrConv(StrToDecode, vbFromUnicode)
ReDim OutStr(0 To ((Len(StrToDecode) \ 4) * 3 - 1))
For K = 0 To Len(StrToDecode) \ 4 - 2
Lng = DecodeTable(StrIn(K * 4 + 3)
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.