MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing obfuscated VBA macros, including an auto-exec loader in the Document_Open macro. Heuristics indicate the use of CreateObject and CallByName, common for executing arbitrary code. The ClamAV detection name 'Doc.Malware.Sload-6699713-0' suggests a known malware variant, likely a downloader.
Heuristics 8
-
ClamAV: Doc.Malware.Sload-6699713-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Sload-6699713-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9240 bytes |
SHA-256: 1ab1d90e0a8e6d9ec1686dc7f40d6b8d79cd582ed86415ed15b7ca9ba9237240 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub LoadAndPrintBoard()
Dim CurrentBoardMember As CEmployee
Dim PrintBoardMember As CEmployee
Dim arrayBoardMemebrs() As CEmployee
Dim WSBoardMembers As Worksheet
Dim lngTotalRecords As Long
Dim lngRecordCounter As Long
Dim strFullNameAndTitle As String
Set WSBoardMembers = Worksheets(“EmployeeInfo.xlsm”)
lngTotalRecords = WSBoardMembers.UsedRange.Rows.Count
For lngRecordCounter = 1 To lngTotalRecords
Set CurrentBoardMember = New CEmployee
CurrentBoardMember.FirstName = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 1), WSBoardMembers.Cells(lngRecordCounter, 1)).Value
CurrentBoardMember.LastName = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 2), WSBoardMembers.Cells(lngRecordCounter, 2)).Value
CurrentBoardMember.Title = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 3), WSBoardMembers.Cells(lngRecordCounter, 3)).Value
ReDim Preserve arrayBoardMemebrs(1 To lngRecordCounter)
Set arrayBoardMemebrs(lngRecordCounter) = CurrentBoardMember
Set CurrentBoardMember = Nothing
Next lngRecordCounter
For lngRecordCounter = 1 To lngTotalRecords
Set PrintBoardMember = arrayBoardMemebrs(lngRecordCounter)
Debug.Print PrintBoardMember.EmployeeFullInfo()
Set PrintBoardMember = Nothing
Next lngRecordCounter
For lngRecordCounter = 1 To lngTotalRecords
Set arrayBoardMemebrs(lngRecordCounter) = Nothing
Next lngRecordCounter
Set WSBoardMembers = Nothing
End Sub
Private pWorkLogItems As Collection
Public Property Get WorkLogItems() As Collection
Set WorkLogItems = pWorkLogItems
End Property
Public Property Set WorkLogItems(lWorkLogItem As Collection)
Set pWorkLogItems = lWorkLogItem
End Property
Function GetHoursWorked(strPersonName As String) As Double
On Error GoTo Handle_Errors
Dim wli As WorkLogItem
Dim doubleTotal As Double
doubleTotal = 0
For Each wli In WorkLogItems
If strPersonName = wli.PersonName Then
doubleTotal = doubleTotal + wli.HoursWorked
End If
Next wli
Exit_Here:
GetHoursWorked = doubleTotal
Exit Function
Handle_Errors:
'You will probably want to catch the error that will '
'occur if WorkLogItems has not been set '
Resume Exit_Here
End Function
Sub CalculateRunTime_Minutes()
Dim StartTime As Double
Dim MinutesElapsed As String
StartTime = Timer
MinutesElapsed = Format((Timer - StartTime) / 86400, "hh:mm:ss")
MsgBox "This code ran successfully in " & MinutesElapsed & " minutes", vbInformation
End Sub
Sub Advanced_Filtering()
CriteriaLastRow = 4 'Last Row you have in the Criteria range
For i = 3 To CriteriaLastRow 'Loops through until the last Row
RowsCount = Application.WorksheetFunction.CountA(Range("C" & i & ":F" & i))
If RowsCount = 0 Then CriteriaRowsSet = i - 1 Else CriteriaRowsSet = CriteriaLastRow 'Checks to see if any row returns 0 and sets it to the row above's number
Next i
Range("C6:F23").AdvancedFilter _
Action:=xlFilterInPlace, _
CriteriaRange:=Range("C2:F" & CriteriaRowsSet), _ CopyToRange:=Sheets("Sheet2").Range("A1:D1")
End Sub
Sub SolverMacro()
' Example Solver VBA Macro
SolverReset
SolverOk SetCell:="$B$24", _
MaxMinVal:=2, _
ValueOf:="0", _
ByChange:="$B$16:$B$17"
SolverSolve userFinish:=True
End Sub
Function Pos_nonalpha() As Integer
'posted misc 2001-07-23 David McRitchie
Dim i As Integer
For i = 1 To Len(Cell)
Dim Number
Select Case Asc(Mid(Cell, i, 1))
Case 0 To 64, 91 To 96, 123 To 191
Pos_nonalpha = i
Exit Function
End Select
Next i
Pos_nonalpha = 0
End Function
Function AgeInYears(start_date As Variant, end_date As Variant) As Variant
AgeInY
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.