MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6568107-0. The document body contains a lure to enable macros, and heuristics indicate the presence of VBA macros, although the actual code was removed. This suggests the file is a dropper designed to execute malicious code upon user interaction.
Heuristics 4
-
ClamAV: Doc.Dropper.Agent-6568107-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6568107-0
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2101 bytes |
SHA-256: 3dd76daa471789b3bba443914baa854e030cdee5ff9bfae327184c10b4a099be |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm
Attribute VB_Name = "priampriam"
Attribute VB_Base = "0{33E6DD8B-A4B8-4342-BDF5-A90257E1E7EA}{107C261F-CEFF-42D7-802B-858DC52562A3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "sergant"
Attribute VB_Base = "0{44E27AAC-99EC-4B36-AE22-00A10D43BA2A}{2B310B7A-AF37-49BE-85DF-2DC511D7F818}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "vogotave"
Attribute VB_Base = "0{BC4FF290-C131-4292-A181-7C2ECDA1DF79}{DEBF66C1-7883-4A40-9DEC-9B2DDED40E26}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm
Attribute VB_Name = "wwwpasswd"
Attribute VB_Base = "0{ECCDE1CF-18AE-4932-A451-921565858A75}{19536DFA-58FA-4402-8252-AC4B63D14A38}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm
Attribute VB_Name = "avehcnaK"
'Macro code was removed by Symantec Disarm
Attribute VB_Name = "doobidoo"
'Macro code was removed by Symantec Disarm
Attribute VB_Name = "neouswer"
'Macro code was removed by Symantec Disarm
Attribute VB_Name = "qiang3210"
'Macro code was removed by Symantec Disarm
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.