MALICIOUS
322
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro, triggered upon opening, uses Shell() calls to execute code. The document also contains a lure to enable content, which is a common tactic for macro-based malware.
Heuristics 9
-
ClamAV: Doc.Malware.Generic-6923090-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Generic-6923090-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 174835 bytes |
SHA-256: a237e368a49943aead28a9fabeea6acc53204b4664bd46cea68b54402cdce4d4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Module1" ' S icbc.n.SuI I.n hiei icunb n eTnuEi uunn oh h boEnoinnhIcThtibdn hueF.ftcn nnn S Suf ' IFn n teb IhFbneTEfeb ISu tbuET EnIiI IntnSffFudnnT bnoebneeh I eohbd d. ioIeT bb d hof FfuSdc ' nu F t.Icdduen uuu nn ecd i n.Iu fd bdnF .un EnItIeuiTe.SFSndo.E u ' .nFceT Scub n u f Sdnib.iucnn.nnntu oitnSIcn di ' u nuiuEciSubehn bi FSnnhe Tnn.n FnFE uEuttn dn FEEnnFScnbnSdciicio.tEFu ' fn Func nu.i fn nnnITn i EFnen nEnof E fc TnS fnnd In. h ' Ino otenf Shitn.bcShnfounSnbucnno.bdueF ' ofecS fIfd EEinnTie f tcc hE. ufnfS un b.obI cn TEEcb nSInSnu bEtfdnuSInu ' E.S .SnSc chneeon EideST..hoIh onEI ud.nn ' SIbdn nfei ndT o Scdo ntfebnth dinEueFebSncfuTb dbnI hT.I o.uco Ih IIn .Eun cu c ' SE F. u obETtcdeuhnnnfiTnE tbIn nn c bodSbo.F TddIFIuhSfuefn FooubeddT tn eIdnn S ' n t.nuE ti TniEndn bcneTc.F hfb tnn uuofocIo nu nuh.ducbn oSoIbi E f uneniobTt.ie ' nd uei nS ou E FnS. e enEnTuE fEE .Fount.tuduc n u E.nfn.ohunnnud he ' ncncenToionuno Ion u u. n f uebSi nIiFnFd S tcu hi it dnToib . .f ' SoTndi nhedE.htEtTcEcond ou Td ut u nn ' nTf u Ttu fnhnuht nSIF Ic . dinTu u buItT dtSI.n c SndI Enf.SE ' uduScT.n E uoo nhonhinEfcnbo dfuT . nn fuiIn nn uEne hueoIoh Sn ft hn odEFnuh n ' tnoSnS d n.nbhbnunde ninundSin Tnn cnFniSbthunn d nbF uuou ' t..nefneFdt.Eb hftE nncFeono.nfnh eofofT ' .id .ouoSnSiiEcItooTfI b ftbu ' FiT cFtcEineFhnh u.bn Iuu Tnbbn St EnEu dnnuihefo ' T fE.FSfnnh d oFtIIuo.tntSEn n.TuhI F TcdccIbbnih ud cnon IbTdncinu ue.cn dhtnu nhSicE ' n t tnfcc t nfEnS c .uduSh FtbeE dn ' uteSutei.e T h tniennnh e. ebbeInFhfb duTonIenudnEoTSi.fTnboi o hnh c.d n nhibhe ' tnnSn T nTtIu edu onnnhn ttnnnE ' nSdn .nESunn.u diInnd fd uTn dtci d ffn onni iISFno. ondtnniS nFfEt i ' nF en EFfocofITttIuEo hTf EeSn dEnn n bc cEbiihcTnthtEbFT .F e.IS ' .h iutfIddfu fTf TTfc F ThuoniIeTEncfu I icn ieSIntn nebn nIFEtSuSnI E.n Te bcc... ienn obh.eE S ' oFu.iehccTnuSSunIbdcnSE nt inoE ' n.T d n nhiSdnefIiu EnnhEnt SuThSnb.hoE ST nnEnnnFbd d ' EcnbnTb Inn uennduiTunui.EnncnbnTI Tfnnn dSnftuuboc idu htontdd unEun ui.enES hnbbbufSf ' cfuiS. u .chcobhIbFo Fno nnnSntcT dud I TnnunbfnIce nnunuo .nSnefhn f nIhhnun ubnhto u FbfcTInEn. ' b.edh.hFS . Shnhhnto bundbnoun n ifh uunnnbtu.udnnubiFnf hin ThS .nSSi ' do FS nbScFb hindff.uIt noSE Snd. fFcIITeE ndionn tFnh ' ndnneoIihenbnbiniFcb nonfIb c S Fc.bnuuc SIe btuEFnutnnib t ou un Tf Eufnb cTh d hh dhfefebu ' b u .EEouFohSeonFT bntEoFoeI Ff.u ef.bId dtuF .h bShEb bfnf otE.cnfbcuduEne ' EEun fIobnhdFn T hEn nuIITu.S uueTnToo bI bi.Fiiu.IIf ee EEheonnTeuEt nESfnnf cnnbS bebFnon . ' .nbthnT Eb dnIdIcd Efn fiTS nnFnu.nu.tttd itnSIE i.S inibuuhd ' Tn fund E Eh.fTnf TtEInbucTIuontESSui FncdcT.uInFo ' .IEiocti FnTSnI n . nnho .dtd nuFTnnftnuTh u ' h nSTEFniu Iu nd.oIndEEi.uId iIE Fdu ' iduIE uobn uhu . E cSn bncob ncEo uInincTT tnIIdtu ' S ddofof. fc.nnTnFnIe. Ebenc n e.F f FoEfF ' noFFi do iuIEnn tndnin hbnIeho duInT ' bSnhSETI e .FbcnTned Sut E uhdoIu n SI f nb.FoTnuS. ..ni .ISfh .nenuSIFbi eI nunfnFF tine u ' n.n.ToutttnFnThonuEnnnF uT nTiheF IFEeub .u.iudu.nfIfFnn ' thnShSfS TFnIEndE diFnIndinoedfnFISuonI TdInd n hT hbicote bn uIoffE SohIE.enctnfn ' i.u dF hIh nn dIn nnIuInbtdf n oInhI uuehncuFtTStddFf ' uc nSncnoiu .ennSnno ntdiT .deh. c dnf .fbncf bE oIhfTE uinF cEne SuEuub TfbTbE hu nt ihTnufnh EdSE ' Ihdh Eef . ndnf fd. ie nnTF nIdnESnntI Eb h nnInSbdESfeb ' .etiutncFohhiSend hht nEIc Euecn.t nnnbnn c.n nhn nTFuunnbItnn Suoffnb biFTIeb ' d dfu bdSehc eninoSFb unSSI Tc tE du noIEnS nnchut.nin ecub edou unioE S inni Sh ' i uuThuobit.nunnb n utdnnSi cFffITuouhnu o uEh b TE n ' E SncEuFnEdocEct noi.tonnS nhcheit FIbtnuin .fIdnec .u ... (truncated) |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.